Error 403: [account] does not have storage.objects.list to Google Cloud Storage bucket

updated:
I tried to run the same command as in the Jenkins Pipeline, terraform init -backend-config="bucket=terraform-state-bucket-project-data-sharing-prod" -migrate-state, on Cloud Shell using the same service account. It worked successfully.

Copying/removing a text file to the backend bucket of Terraform also worked.

I think there is something in Jenkins that I have set up incorrectly.

As a follow-up to my previous question:
403 forbidden with service account from GCP

What I am trying to do:
Now I am trying to add parameters to decide which branch on GitHub to deploy: dev or main, each with a corresponding GCP project, service account, backend bucket, etc.
(Is there a better way to achieve this?)

Problems:
When I set the parameter to dev, the pipeline works well, but when I set it to main, the error is shown at the Terraform Init stage. The error is:

+ terraform init -backend-config=bucket=terraform-state-bucket-project-data-sharing-prod -migrate-state
Initializing the backend...
Backend configuration changed!

Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.

╷
│ Error: Error inspecting states in the "gcs" backend:
│     querying Cloud Storage failed: googleapi: Error 403: jenkins-tf-prod@open-data-v2-cicd-prod.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist)., forbidden
│
│ Prior to changing backends, Terraform inspects the source and destination
│ states to determine what kind of migration steps need to be taken, if any.
│ Terraform failed to load the states. The data in both the source and the
│ destination remain unmodified. Please resolve the above error and try again.
│
│
╵

What I have tried:

  • I set the permissions of the service account in the main project the same as in dev (both are given Owner already).
  • I tried to create a new bucket and list them on Cloud Shell using the same service account authenticated, and it succeeded, so the account itself should be fine.
  • Ran the same command on Cloud Shell as on Jenkins; it worked successfully on Cloud Shell.

Here is my code: GitHub - ShihWen/data-sharing

Jenkins setup:

  • Jenkins 2.492.3
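Since the same service account succeeds in Cloud Shell but is denied from Jenkins, the first thing to establish is which credential the job actually hands to Terraform for the selected branch. The preflight below is an added example, not code from the question's repository: it maps the branch parameter to the expected project, service account and state bucket (the prod values are those shown in the error; the dev values and the ENVIRONMENTS layout are assumed placeholders), checks that the key file Jenkins will use belongs to that environment before terraform init runs, and parses the googleapi 403 line so the job can report exactly which principal and permission were rejected.

```python
"""Preflight for a branch-parameterised Terraform pipeline on GCP (constructed example)."""
import json
import re

# Hypothetical branch -> environment map. Prod names come from the error in the
# question; dev names are placeholders to be replaced with the real ones.
ENVIRONMENTS = {
    "dev": {
        "project": "PLACEHOLDER-dev-project",
        "service_account": "jenkins-tf-dev@PLACEHOLDER-dev-project.iam.gserviceaccount.com",
        "bucket": "terraform-state-bucket-project-data-sharing-dev",
    },
    "main": {
        "project": "open-data-v2-cicd-prod",
        "service_account": "jenkins-tf-prod@open-data-v2-cicd-prod.iam.gserviceaccount.com",
        "bucket": "terraform-state-bucket-project-data-sharing-prod",
    },
}


def check_key_matches_env(branch: str, key_json: str) -> list[str]:
    """Compare a service-account key file (JSON text) with the environment the
    branch selects. Returns a list of mismatches; empty means the key is the
    one this branch is supposed to use."""
    env = ENVIRONMENTS[branch]
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"key type is {key.get('type')!r}, not a service-account key")
    if key.get("client_email") != env["service_account"]:
        problems.append(f"key belongs to {key.get('client_email')}, expected {env['service_account']}")
    if key.get("project_id") != env["project"]:
        problems.append(f"key project is {key.get('project_id')}, expected {env['project']}")
    return problems


# Matches the googleapi 403 text Terraform prints when the GCS backend is denied.
_DENIED = re.compile(r"Error 403: (\S+) does not have (\S+) access to the Google Cloud Storage bucket")


def parse_storage_denial(log_line: str):
    """Return (principal, permission) from a 403 line, or None if it is not one,
    so the pipeline can log which identity Terraform really ran as."""
    m = _DENIED.search(log_line)
    return (m.group(1), m.group(2)) if m else None


def backend_config_arg(branch: str) -> str:
    """The -backend-config argument for the branch's state bucket."""
    return f'-backend-config=bucket={ENVIRONMENTS[branch]["bucket"]}'
```

Run check_key_matches_env on the path in GOOGLE_APPLICATION_CREDENTIALS (or the Jenkins credential the stage binds) and fail the stage on any mismatch; a prod run that silently picks up a key from another project or account produces exactly the 403 above.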