Introduction A 401 Unauthenticated error from Cloud Storage means the request lacks valid authentication. This occurs when credentials are missing, expired, or the caller has no identity associated with the request.

Symptoms - gsutil returns: "AccessDeniedException: 401 Anonymous requests" - Client library: "DefaultCredentialsError: Could not automatically determine credentials" - curl to GCS: "Anonymous caller does not have storage.objects.get access"

Common Causes - GOOGLE_APPLICATION_CREDENTIALS not set or points to invalid file - Service account key file expired or deleted - VM created without cloud-platform scope - Workload identity not configured on GKE

Step-by-Step Fix 1. **Check current credentials**: ```bash gcloud auth list gcloud config list account ```

  1. 1.Set up service account credentials:
  2. 2.```bash
  3. 3.gcloud iam service-accounts create gcs-app --display-name="GCS App"
  4. 4.gcloud iam service-accounts keys create key.json --iam-account=gcs-app@<project>.iam.gserviceaccount.com
  5. 5.export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
  6. 6.gsutil iam ch serviceAccount:gcs-app@<project>.iam.gserviceaccount.com:objectViewer gs://my-bucket
  7. 7.`
  8. 8.Configure Workload Identity for GKE:
  9. 9.```bash
  10. 10.gcloud iam service-accounts add-iam-policy-binding gcs-app@<project>.iam.gserviceaccount.com \
  11. 11.--role roles/iam.workloadIdentityUser \
  12. 12.--member "serviceAccount:<project>.svc.id.goog[<namespace>/<ksa>]"
  13. 13.kubectl annotate serviceaccount <ksa> --namespace <namespace> \
  14. 14.iam.gke.io/gcp-service-account=gcs-app@<project>.iam.gserviceaccount.com
  15. 15.`

Prevention - Use Workload Identity instead of service account keys on GKE - Rotate service account keys every 90 days - Use ADC in application code - Monitor service account key expiration with alerts