storage.objects.get / list denied for service account on Google Play pubsite_prod_rev_* bucket despite "download bulk reports" permission #17521

@dealqudaimi

Description

Determine this is the right repository

  • I determined this is the correct repository in which to report this bug.

Summary of the issue

Environment

  • Library: google-cloud-storage (Python)
  • Runtime: Python 3.12 (Google Colab)
  • Auth: service account via service_account.Credentials.from_service_account_info(..., scopes=["https://www.googleapis.com/auth/devstorage.read_only"])

What I'm trying to do

Download Google Play Console statistics reports programmatically from the Play-managed Cloud Storage bucket (gs://pubsite_prod_rev_XXXXXXXXXXXX/stats/installs/...), using a service account, for an unattended reporting pipeline.

Setup

Minimal repro

from google.oauth2 import service_account
from google.cloud import storage

creds = service_account.Credentials.from_service_account_file(
    "key.json", scopes=["https://www.googleapis.com/auth/devstorage.read_only"])
client = storage.Client(credentials=creds, project="my-project")

blob = client.bucket("pubsite_prod_rev_XXXXXXXXXXXX").blob(
    "stats/installs/installs_my.app.package_202606_overview.csv")
blob.download_as_bytes()   # 403

Result

Both object download and bucket listing are denied:

403 GET .../o/stats%2Finstalls%2Finstalls_my.app.package_202606_overview.csv?alt=media:
<service-account>@<project>.iam.gserviceaccount.com does not have storage.objects.get
access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on
resource '.../objects/stats/installs/installs_my.app.package_202606_overview.csv'
(or it may not exist).

What I've already ruled out

  • Wrong path — the failing object path matches the file I can download manually byte-for-byte.
  • Missing month — fails on a month I've confirmed exists.
  • Missing scope — explicit devstorage.read_only scope set (per nodejs-storage#2688); no change.
  • Project IAM roles — adding Storage roles in my project has no effect (the bucket isn't in my project).
  • The IAM Policy Troubleshooter can't evaluate it ("failed to load") because the bucket lives outside my project.

Questions

  1. Is service-account access to Play-managed pubsite_prod_rev_* buckets supported at all, or is the "download bulk reports" Play Console permission only honored for end-user/OAuth credentials (e.g. gsutil as a user), not service accounts?
  2. If supported, what exact configuration makes storage.objects.get/list succeed?
  3. If not supported, could the docs state this explicitly? The Play Console export docs imply programmatic service-account access works.

Related
