I have created a service account with a roles/storage.admin
role on it with the following condition:
resource.name.startsWith(
"//storage.googleapis.com/projects/_/buckets/rakibs-new-bucket"
)
However, when this service account tries to query anything in the bucket it says the following:
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: my-new-service-account@my-project.iam.gserviceaccount.com does not have storage.objects.list access to rakibs-new-bucket., forbidden
For reference: I followed this gcloud doc link to construct the resource name of the GCS bucket in the role condition.
Learned that the domain part was not necessary. Just omitting the //storage.googleapis.com/ part worked.
resource.name.startsWith(
"projects/_/buckets/rakibs-new-bucket"
)
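The following is an added example, not code from the original post. It simulates how the two startsWith() conditions above evaluate against the resource names Cloud Storage hands to IAM conditions, which are documented in the form projects/_/buckets/BUCKET for a bucket and projects/_/buckets/BUCKET/objects/OBJECT for an object (no service domain). The evaluation is a plain-Python stand-in for CEL; the bucket and object names are constructed, and bucket_scoped_condition is an assumed, tighter alternative added here to show that a bare prefix also matches other buckets whose names merely start with "rakibs-new-bucket".

```python
# Added example (not from the original post): simulate IAM condition
# evaluation for the two startsWith() prefixes and a tighter alternative.

BUCKET = "rakibs-new-bucket"

# Prefix as written in the question (service domain included).
PREFIX_WITH_DOMAIN = f"//storage.googleapis.com/projects/_/buckets/{BUCKET}"
# Prefix that worked in the answer (service domain omitted).
PREFIX_NO_DOMAIN = f"projects/_/buckets/{BUCKET}"


def gcs_resource_name(bucket, obj=None):
    """Build the resource.name value Cloud Storage exposes to IAM conditions.

    Buckets:  projects/_/buckets/BUCKET
    Objects:  projects/_/buckets/BUCKET/objects/OBJECT
    """
    name = f"projects/_/buckets/{bucket}"
    return f"{name}/objects/{obj}" if obj is not None else name


def starts_with_condition(prefix):
    """Predicate equivalent to CEL: resource.name.startsWith(prefix)."""
    return lambda resource_name: resource_name.startswith(prefix)


def bucket_scoped_condition(bucket):
    """Assumed tighter predicate (not from the post): the bucket itself or
    objects inside it, and nothing else.  Equivalent CEL:

      resource.name == "projects/_/buckets/BUCKET" ||
      resource.name.startsWith("projects/_/buckets/BUCKET/objects/")
    """
    exact = gcs_resource_name(bucket)
    objects_prefix = exact + "/objects/"
    return lambda rn: rn == exact or rn.startswith(objects_prefix)


def evaluate(condition, resource_names):
    """Map each resource name to whether the condition grants access."""
    return {rn: condition(rn) for rn in resource_names}


# Constructed sample resources: the bucket, an object in it, a different
# bucket whose name shares the prefix, and an unrelated bucket's object.
SAMPLE_RESOURCES = [
    gcs_resource_name(BUCKET),
    gcs_resource_name(BUCKET, "reports/q1.csv"),
    gcs_resource_name(BUCKET + "-staging"),
    gcs_resource_name("unrelated-bucket", "x.txt"),
]

if __name__ == "__main__":
    conditions = [
        ("startsWith with domain   ", starts_with_condition(PREFIX_WITH_DOMAIN)),
        ("startsWith without domain", starts_with_condition(PREFIX_NO_DOMAIN)),
        ("bucket-scoped (assumed)  ", bucket_scoped_condition(BUCKET)),
    ]
    for label, cond in conditions:
        print(label)
        for rn, allowed in evaluate(cond, SAMPLE_RESOURCES).items():
            print(f"  {'ALLOW' if allowed else 'DENY '}  {rn}")
```

The first predicate never matches, which is the 403 in the question: the resource name IAM compares against does not carry the //storage.googleapis.com/ prefix. The second predicate matches the bucket and its objects, but also rakibs-new-bucket-staging, because startsWith() only checks the prefix; when a project contains similarly named buckets, the third, bucket-scoped form keeps the grant to the one bucket intended.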