A developer is integrating an App Engine standard environment app with Cloud Storage. The app needs to read objects from a bucket that is in a different project. The developer has granted the App Engine service account the Storage Object Viewer role on the bucket. However, the app still gets a 403 error when trying to read objects. What is the most likely cause?
Cross-project IAM requires adding the service account from the source project to the bucket's IAM policy in the destination project.
Why this answer
Option A is correct because cross-project access requires the service account from the source project to be granted access at the bucket level. The App Engine service account lives in the same project as the app, while the bucket is in another project, so the role must be assigned in the bucket's project. The error might persist if the bucket's IAM policy doesn't include the service account. Option B is wrong because no service account key is needed.
Option C is wrong because VPC-SC could block the request, but that would produce a different error. Option D is wrong because having public access disabled is fine when access is granted through explicit IAM.