403 Access denied, forbidden, when accessing Google Cloud Storage from Google Kubernetes Engine with spring-cloud-gcp


I am using the spring-cloud-gcp library, running in Google Kubernetes Engine, to access Google Cloud Storage buckets. It should be using the default credentials of the Kubernetes Engine service account. Creating buckets, or files inside existing buckets, fails with 403 Access denied, forbidden.

The storage access works fine when run locally with a different user account, using specific access credentials pointed to by spring.cloud.gcp.credentials.location. Both Compute Engine and the user account have editor permissions.

As the documentation explains, the spring cloud GCP starter should auto-configure the credentials - by default the compute engine service account should be used.

Workload-identity of the cluster does not change anything.

So how could I debug this? In the process I would also like to verify which account is used for the storage access.

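One way to check which identity and OAuth scopes the default credentials receive inside the pod, as an added example that is not part of the original question: it asks the metadata server for the service account email and scopes, then classifies the storage scopes, because node access scopes can restrict a service account below what its IAM role allows. It assumes curl is available in the container; the function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the identity behind the default credentials in a pod.
# Metadata server path for the default service account of the node or workload.
MD=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default

# Fetch one attribute ("email" or "scopes") from the metadata server.
md_get() {
    curl -sf -H 'Metadata-Flavor: Google' "$MD/$1"
}

# Read a newline-separated scope list on stdin and report the best
# Cloud Storage access it grants: read_write, read_only or none.
classify_storage_scopes() {
    result=none
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "$scope" in
            */auth/cloud-platform|*/auth/devstorage.full_control|*/auth/devstorage.read_write)
                result=read_write
                break ;;
            */auth/cloud-platform.read-only|*/auth/devstorage.read_only)
                result=read_only ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample: a scope list that allows reads but not writes.
sample_scopes() {
    cat <<'EOF'
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
EOF
}

# "sh check.sh live" queries the real metadata server from inside the pod.
if [ "${1:-}" = "live" ]; then
    echo "account:        $(md_get email)"
    echo "storage access: $(md_get scopes | classify_storage_scopes)"
fi
```

If the reported account is not the one that holds the IAM role, or the storage access is read_only or none, writes can fail with 403 even though the role itself allows them.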