Cloud Service Cloud Service Contact Us

GCP Fully Verified Account Fix: GCP Storage Transfer Service Job Failed Troubleshooting

GCP Account / 2026-07-10 21:23:46

If you landed on this page, you probably already have a Storage Transfer Service (STS) job in GCP that shows Failed—and you need the fastest path to get it running again without tripping GCP’s permissions, billing, or risk controls. This guide is written for the exact situation behind the search query: “my STS job failed, what do I check next?”

What users usually want to know (so we’ll answer them in the order you’ll need)

  • “My job failed—where do I look first in GCP logs and job details?”
  • “Is it an IAM issue (permissions) or a source/destination auth issue (keys/service accounts)?”
  • “Does the failure relate to billing / Cloud Storage costs / egress?”
  • “How do I avoid repeated failures caused by partial runs, retries, and overwrite/ignore settings?”
  • “I’m blocked—could this be a policy restriction, organization policy, or compliance/risk control?”
  • “If I’m setting up a new GCP billing account, what KYC/payment issues can break jobs later?”
  • “Should I use STS service account, my own SA, or workload identity—and which one fails less?”
  • “Are there cost-effective ways to re-run only what failed?”

Step 1: Confirm the failure category (don’t guess—classify)

The biggest time sink is treating every “Failed” the same. Start by determining what kind of failure it is:

  • Auth/permission failure: typically errors about permission denied, access denied, unauthorized, missing roles, or credential failures.
  • GCP Fully Verified Account Connectivity or endpoint issue: TLS errors, DNS errors, firewall/VPC egress restrictions, proxy problems.
  • Object-level problems: file format/size issues, too many objects in a request, invalid URI, “not found” in source, or ACL/retention conflicts.
  • Quota/billing-related shutdown: job stops after billing account issues, “disabled billing account”, or “not authorized to bill”.
  • Policy/organization constraints: Organization Policy blocks, constraint violations, or restrictions on external data sources.
  • Rate limiting / transient backend errors: retryable errors, 429/503 patterns.

GCP Fully Verified Account Where to check first: open the STS job → look for Job history / Details → review the specific error message and the “source/destination” section. Then confirm in Cloud Logging if available. The fastest path is: job error textwhich identity was usedwhat resource it was denied on.

Common “category fingerprints” you can use immediately

  • “Permission ‘storage.objects.get’ denied” → IAM role missing on the source bucket or wrong service account.
  • “Permission ‘storage.objects.create’ denied” → destination bucket write permissions missing; might also be uniform bucket-level access constraints.
  • “Invalid argument” / “cannot parse” → transfer spec issue (URIs, object prefix, file pattern, or schedule).
  • “Job failed due to billing” → billing account status or payment method problem (yes, operational failures can originate from payment/KYC gating).

Step 2: Validate the identities used by STS (this is where most failures hide)

In real projects, the job fails because the service account in the transfer config is not the one you think—or it has access on the wrong project/bucket.

Checklist: identity alignment

  1. Confirm the STS job uses the correct service account (not the default Compute Engine SA unless you intended that).
  2. If source and destination are in different projects, ensure the SA has roles in both projects.
  3. If using Uniform bucket-level access, confirm you’re granting bucket-level roles; object ACL grants won’t apply as you expect.

Minimal IAM roles that usually solve STS bucket-to-bucket

Exact roles depend on whether you transfer from/to GCS, AWS S3, or other sources. But the most frequent pattern is:

  • Source bucket needs at least read permissions (commonly: roles/storage.objectViewer or equivalent).
  • Destination bucket needs write permissions (commonly: roles/storage.objectAdmin or narrower if you know your needs).

Operational tip: don’t just add roles broadly. If your org uses risk control reviews or restricted access patterns, a broad role change can be blocked by policy. Prefer targeted bucket permissions.

Real-world scenario (permission drift)

I’ve seen teams copy a working STS job, then change only the destination bucket. The job failed with storage.objects.create denied because the service account still had access to the old destination bucket only. The job history looked like a random failure, but the identity mismatch was deterministic.

Fix: grant destination write roles to the exact SA used by the job in the destination project, then rerun with a narrow prefix.


Step 3: If you use an external source (S3, HTTP, etc.), check authentication + network controls

When STS pulls from non-GCS sources, failures often show up as “cannot authenticate” or “cannot reach endpoint”. If you’re also using VPC-SC / restricted networking, the fix can be non-obvious.

External credential problems

  • Wrong region/endpoint (especially with S3-compatible systems).
  • Expired keys or rotated credentials not updated in STS source config.
  • Missing permissions in the external system: the credential may list buckets but not read specific objects.

Network + egress restrictions

If your org locks down egress, STS can fail even when IAM is correct. Look for:

  • Organization policy restrictions affecting external access.
  • Firewall rules or proxy requirements for outbound traffic.
  • VPC-SC perimeter or service controls that unintentionally block the transfer workflow.

Fix pattern: confirm whether STS runs within a restricted network context in your org; temporarily test by transferring from a smaller set to/from a simpler bucket/prefix.


Step 4: Handle “retries, partial transfers, and overwrite behavior” so you don’t burn money

STS jobs don’t just fail; they can fail after transferring a subset of objects. When you re-run without understanding overlap settings, you can cause:

  • Duplicate writes (extra storage + request costs)
  • Repeated downloads from the source (extra egress / read request costs)
  • Conflicts with object retention policies

How to rerun safely

  1. Restrict the transfer scope: narrow prefix or a time window.
  2. Use a test job that transfers a few objects first.
  3. Decide overwrite/ignore behavior consciously:
    • If the destination already has many objects, choose an option that avoids re-downloading or re-uploading unchanged data.
    • If consistency is critical, overwrite can be correct—but do it only after fixing IAM/auth first.
  4. Use a deterministic prefix (e.g., date-based folder) so reruns are predictable.

Cost impact example

GCP Fully Verified Account Even if you’re transferring “within GCP”, you can still incur request and possibly egress costs depending on bucket location and transfer direction. A bad rerun strategy can double-read from the source. If your transfer size is large, use the smallest failing prefix to debug—then scale.


Step 5: Billing and payment issues can surface as job failures (and they’re easy to miss)

This is the part many people don’t connect to STS. But I’ve seen STS jobs fail after billing configuration changes, payment failures, or risk control review outcomes.

What to check in the billing account

  • GCP Fully Verified Account Billing account status: active vs. suspended.
  • Budget alerts / billing export misconfig: not always the cause, but can coincide with disabled billing.
  • Payment method validity: expired card, failed payment retry, unsupported payment route for your region.
  • KYC / verification status: if you recently registered or changed account details, the billing enablement can be gated.

Identity verification (KYC) and “risk control review” effects

When a billing account is created or updated, the platform may trigger an identity verification / risk review. If that review is pending or fails, certain services can’t start charging or can behave as if they’re blocked.

Practical signs you’ll see:

  • Jobs start but fail quickly with billing/authorization language.
  • New projects can’t fully access paid resources.
  • Web console shows billing enabled inconsistently across projects.

GCP Fully Verified Account Payment method differences that matter operationally

GCP Fully Verified Account Different payment methods can create different “failure modes”:

Payment method (typical) What goes wrong in practice How it affects STS jobs
Credit/debit card Expired card, bank blocks international charges, insufficient funds Billing may suspend after a failed charge; STS job fails during/after start
Bank transfer / invoice-based Settlement delays, incorrect reference, incomplete company verification Service may be blocked until payment is confirmed
Third-party reseller / consolidated billing (varies by setup) Provisioning mismatch, contract delays Some projects work, others fail due to billing scope mismatch

Actionable fix: before reworking IAM, verify billing account is active and linked to the project that owns the STS job. If billing recently changed, resolve payment/KYC first, then rerun a small test prefix.


Step 6: Organization policy and compliance restrictions (how to tell quickly)

In enterprise setups, STS can fail due to org constraints rather than “classic IAM”. Look for messages referencing:

  • Constraints like “restricted domains”, “allowed locations”, “data access restrictions”.
  • Service Control / VPC Service Controls violations.
  • Prohibited use of external connections or unapproved regions.

Common org-policy failure story

GCP Fully Verified Account A team attempted cross-region transfers and got failures only in one environment. Their dev project allowed the transfer, but staging/prod had stricter org policy. The fix wasn’t changing roles—it was aligning bucket locations and transfer configuration to allowed constraints.

Fast triage method

  1. Create a temporary test STS job targeting a small set of objects in an allowed region.
  2. If it succeeds, the problem is likely auth/credentials or object-level permissions.
  3. If it still fails, check org constraints, billing, and service perimeter policies.

Step 7: Cost comparisons—what’s cheaper when the job is failing?

When your first run fails, you’re forced to choose between “fix and retry” vs. “rebuild transfer pipeline”. For cost control, optimize for fewer retries.

Cost levers you can actually control

  • Scope: transfer only failing prefixes first (reduces requests + data transfer).
  • Retry strategy: fix the root cause before scaling, so you don’t repeatedly re-copy large datasets.
  • Destination overwrite policy: prevents repeated writes and storage churn.
  • Bucket location alignment: reduces unnecessary cross-region transfer costs.

When to pause and re-architect

If failures persist due to policy constraints (VPC-SC/perimeter, org data restrictions), repeatedly retrying can keep you paying for failed attempts and partial transfers. In that case, it’s usually cheaper in ops time to:

  • request a policy exception for the service account or perimeter rules, or
  • adjust transfer paths to stay within allowed boundaries.

Frequently Asked Questions (FAQ) users ask when STS says “Job Failed”

1) “Where do I find the exact error for the failed job?”

Open the STS job → review job history/details. Then cross-check with Cloud Logging if error details aren’t visible in the UI. The key is the “error code/message” plus which resource (bucket/object/source system) it references.

2) “I granted Storage permissions but it still fails—what else could be missing?”

Two common misses: (1) the correct `serviceAccount` wasn’t used in the job, or (2) roles were granted in the wrong project (source vs destination). Also verify bucket-level access mode (uniform vs fine-grained) matches how you granted permissions.

3) “Does KYC/payment verification affect Storage Transfer jobs?”

Yes, indirectly. If billing account is not active due to KYC pending, payment failure, or risk review outcome, STS can fail when it attempts to start charging or validate billing eligibility. Always confirm billing status before assuming IAM.

4) “Which payment method is safest to avoid sudden service interruptions?”

From operational experience: ensure the payment method has reliable renewal and fewer settlement delays. For cards, confirm international/billing blocks are resolved and the billing profile is updated before expiry. For bank transfers/invoice, confirm reference numbers and settlement timing.

5) “Why does rerunning cause more failures?”

Most of the time it’s because your rerun overlaps with already transferred objects or conflicts with destination rules (retention policies, overwrite settings, or object ACL expectations). Rerun with a narrow prefix and a predictable object set after IAM/auth fixes.

6) “Can org policies block STS even if IAM is correct?”

GCP Fully Verified Account Yes. Service Control / VPC-SC perimeters and org constraints can block the workflow irrespective of IAM. If you suspect policy issues, test with a minimal job in an allowed bucket/region and compare behavior across projects.

7) “How do I reduce the chance of failure next time?”

Use a dedicated service account for STS, grant only the required bucket roles, verify billing is active before scheduling, and run a small canary transfer before scaling up.


Practical “fix plan” you can follow tonight (lowest risk sequence)

  1. Read the exact error message and identify the category (auth vs network vs billing vs policy vs object-level).
  2. Verify the STS job service account and confirm it has needed roles in both source and destination projects/buckets.
  3. Test with a tiny prefix (a canary set of objects) to avoid burning costs during debugging.
  4. Check billing account status: active, not suspended; payment method valid; KYC/risk review complete if recently changed.
  5. If enterprise restrictions apply, test in an allowed region/perimeter or request the minimum policy adjustment rather than repeatedly retrying.
  6. Only after success, widen scope and schedule the full job.

If you want a faster diagnosis, send these 6 details

If you reply with the following, I can help pinpoint the likely root cause:

  • STS job type (GCS→GCS, S3→GCS, GCS→S3, HTTP, etc.)
  • Exact error message/code from job history
  • Source and destination projects (and whether cross-project)
  • Service account used by the job (email) and whether uniform bucket-level access is enabled
  • Whether billing account was recently created/changed and its current status
  • Any org policy / VPC-SC perimeter involvement
TelegramContact Us
CS ID
@cloudcup
TelegramSupport
CS ID
@yanhuacloud