We’re experiencing AccessDenied errors when our IoT devices attempt to ingest sensor data into Cloud Object Storage buckets. The pipeline was working fine until we added new device types last week.
Error from device logs:
HTTP 403: Access Denied
Bucket: iot-telemetry-prod
Operation: PutObject
Our IAM policy seems correct for the service ID, and we’ve verified the bucket exists. The event triggers for data processing are configured but never fire because data never arrives. We’re also concerned about CORS settings since devices connect from various edge locations. Has anyone dealt with similar access issues when scaling IoT ingestion?
This sounds like a combination of IAM policy scope and CORS misconfiguration. When you added new device types, did you update the IAM policy conditions? Sometimes policies are scoped to specific prefixes or resource attributes. The fact that old devices work suggests your policy might have conditions that exclude the new devices. Also verify the service ID hasn’t hit any rate limits.
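Maria's point about prefix-scoped policy conditions, as an added illustration that is not from the thread: a constructed, simplified model of a bucket write policy whose PutObject grant is limited to the key prefixes that existed when the policy was written, audited against object keys for the old and the new device types. The policy fields, prefixes, service ID name and key layout are assumptions, and the evaluator is a toy, not IBM Cloud's IAM engine.

```python
# Constructed example: a simplified model of a prefix-scoped object-storage
# write policy, showing why devices registered under a new key prefix get a
# 403 while older devices keep working. Not IBM Cloud's IAM evaluator.
from dataclasses import dataclass

# Hypothetical role-to-action mapping for the two roles named in the thread.
ROLE_ACTIONS = {
    "Reader": {"GetObject", "ListBucket"},
    "Writer": {"GetObject", "ListBucket", "PutObject", "DeleteObject"},
}

@dataclass
class Policy:
    subject: str                 # service ID the policy is attached to
    roles: set
    bucket: str
    key_prefixes: tuple = ()     # empty tuple = whole bucket (assumed condition)

def is_allowed(policy, subject, bucket, operation, key):
    """Evaluate one request against the policy; returns (allowed, reason)."""
    if policy.subject != subject or policy.bucket != bucket:
        return False, "policy does not cover this subject/bucket"
    actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in policy.roles))
    if operation not in actions:
        return False, f"roles {sorted(policy.roles)} do not grant {operation}"
    if policy.key_prefixes and not any(key.startswith(p) for p in policy.key_prefixes):
        return False, f"key '{key}' matches none of {list(policy.key_prefixes)}"
    return True, "allowed"

def audit_ingestion(policy, subject, bucket, keys):
    """Return {key: reason} for every key whose PutObject would be denied."""
    denied = {}
    for key in keys:
        ok, reason = is_allowed(policy, subject, bucket, "PutObject", key)
        if not ok:
            denied[key] = reason
    return denied

# Constructed data: the policy was scoped when only two device types existed.
SERVICE_ID = "ServiceId-telemetry-writer"
PROD_POLICY = Policy(
    subject=SERVICE_ID, roles={"Reader", "Writer"}, bucket="iot-telemetry-prod",
    key_prefixes=("sensors/temp-v1/", "sensors/humidity-v1/"),
)
SAMPLE_KEYS = [
    "sensors/temp-v1/dev-0001/2024-05-01T10:00:00Z.json",
    "sensors/humidity-v1/dev-0042/2024-05-01T10:00:00Z.json",
    "sensors/vibration-v2/dev-0900/2024-05-01T10:00:00Z.json",  # new device type
]

if __name__ == "__main__":
    for key, why in audit_ingestion(PROD_POLICY, SERVICE_ID, "iot-telemetry-prod", SAMPLE_KEYS).items():
        print(f"403 {key}: {why}")
```

Running it lists only the vibration-v2 key as denied, which is the pattern Maria describes: the credentials and roles are fine, the resource condition simply predates the new device types.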
Thanks Maria. The service ID has Writer and Reader roles on the bucket. I double-checked and the credentials are correctly configured in our device firmware. What’s strange is that older devices still work fine, only the newly registered device types fail. Could this be related to how we’re handling CORS for the new edge locations?
Another thing to verify - are your event triggers properly configured for the new device data format? I’ve seen cases where trigger filters were too specific and blocked new data patterns. The AccessDenied might be a red herring if the real issue is at the trigger level. Check if the bucket has any object lifecycle policies that could interfere with writes from certain sources.