Failure to force_destroy bucket unless there is storage.anywhereCaches.list permission #25343

@sjiekak

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.13.3
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v7.12.0

Affected Resource(s)

google_storage_bucket

Terraform Configuration

provider "google" {
  project = "demo-project"

  impersonate_service_account = "[email protected]"
}

resource "google_storage_bucket" "test" {
  name          = "test-jballet-och3rae6dadu"
  location      = "europe-west1"
  force_destroy = true

  uniform_bucket_level_access = true

  soft_delete_policy {
    retention_duration_seconds = 604800
  }
}

Debug Output

https://gist.github.com/sjiekak/d184583bea84fa96d29020aa45af0d0e

Expected Behavior

The bucket is not empty. We expect force_destroy to be applied:

  • bucket objects are deleted
  • bucket is deleted

Actual Behavior

The bucket deletion fails with

2025-12-01T12:09:02.604+0100 [ERROR] vertex "google_storage_bucket.test (destroy)" error: googleapi: Error 409: The bucket you tried to delete is not empty., conflict
╷
│ Error: googleapi: Error 409: The bucket you tried to delete is not empty., conflict

Steps to reproduce

  1. terraform apply
  2. upload any document to the bucket (e.g. the Terraform file itself: gsutil cp test.tf gs://test-jballet-och3rae6dadu/test.tf)
  3. terraform destroy

Important Factoids

  • Authenticating as a service account (impersonating a service account) with custom permissions:

resource "google_project_iam_custom_role" "test_permission" {
  role_id = "sjiekak.demo.gcs.editor"
  title   = "Permissions for the Test"
  stage   = "GA"
  permissions = [
    # GCS Bucket permissions
    # https://cloud.google.com/storage/docs/access-control/iam-permissions#buckets
    "storage.buckets.create",
    "storage.buckets.delete",
    "storage.buckets.get",
    "storage.buckets.list",
    "storage.buckets.update",
    "storage.buckets.enableObjectRetention",
    "storage.buckets.setIamPolicy",
    "storage.buckets.getIamPolicy",

    # Required for the Crossplane GCS provider to delete objects in the bucket.
    # GCS Object permissions
    # https://cloud.google.com/storage/docs/access-control/iam-permissions#objects
    "storage.objects.list",
    "storage.objects.delete",
  ]
}

References

Possibly caused by #22438 resolving #13724

b/471006177
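As an added worked example (not part of the issue above, and not the provider's own code), below is the reporter's custom role with the permission named in the issue title added, next to the binding that attaches the role to the impersonated service account. It assumes that granting storage.anywhereCaches.list on its own is enough for the provider's force_destroy path, which the title suggests but the issue does not prove; the role resource name, the binding resource and the terraform_sa_email variable are placeholders, since the service account address is redacted in the report.

```hcl
# Added example: the issue's custom role plus the permission the title
# identifies as missing, and a binding to the impersonated service account.
# Assumption: storage.anywhereCaches.list is the only permission missing
# from the original list for force_destroy to succeed on a non-empty bucket.

variable "terraform_sa_email" {
  description = "Placeholder: e-mail of the service account impersonated by the provider (redacted in the issue)."
  type        = string
}

resource "google_project_iam_custom_role" "gcs_editor" {
  role_id = "sjiekak.demo.gcs.editor"
  title   = "Permissions for the Test"
  stage   = "GA"
  permissions = [
    # GCS Bucket permissions (unchanged from the issue)
    # https://cloud.google.com/storage/docs/access-control/iam-permissions#buckets
    "storage.buckets.create",
    "storage.buckets.delete",
    "storage.buckets.get",
    "storage.buckets.list",
    "storage.buckets.update",
    "storage.buckets.enableObjectRetention",
    "storage.buckets.setIamPolicy",
    "storage.buckets.getIamPolicy",

    # GCS Object permissions (unchanged from the issue); force_destroy needs
    # these to empty the bucket before deleting it.
    # https://cloud.google.com/storage/docs/access-control/iam-permissions#objects
    "storage.objects.list",
    "storage.objects.delete",

    # Added: per the issue title, the destroy of a non-empty bucket fails with
    # 409 unless the caller can list Anywhere Caches on the bucket. Granting
    # only the list permission keeps the role read-only with respect to caches.
    "storage.anywhereCaches.list",
  ]
}

# Attach the role to the service account that the provider block impersonates.
# Resource name and member are placeholders for this example.
resource "google_project_iam_member" "gcs_editor_binding" {
  project = "demo-project"
  role    = google_project_iam_custom_role.gcs_editor.name
  member  = "serviceAccount:${var.terraform_sa_email}"
}
```

After applying the role change, re-run the three reproduction steps with the same impersonated account; if terraform destroy still returns the 409, the missing permission is not the only cause and the debug log should be compared against the change in #22438 rather than widening the role further.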
