How do I give a GCP service account storage.buckets.list access with read only access?

4

10

I'm trying to do gsutil ls however that results in:

ubuntu@ip:~$ gsutil ls
AccessDeniedException: 403 [email protected] does not have storage.buckets.list access to project xxxxxxxxxxxxxxx.

Can I give this permission with only read / viewer access IAM roles?

Homozygous answered 14/11, 2019 at 20:34 Comment(0)
9

You certainly can. At a minimum, you can always create a custom role with exactly the permissions you want. You do this by clicking the Create Role button at the top of the roles tab. Then, once it is created, apply that role to your service account on the IAM page, like any other role.

Alternatively, you can use the same roles tab in the cloud console to search for that permission explicitly to see which roles contain it and see if any would work for you.

In this case, I don't see an obvious default one that is limited, however. That said, you could look at Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) as a starting point for a custom role in this case (if you select this role on the roles tab, you can 'Create Role from Selection' to use it as a starting point).

Culliton answered 14/11, 2019 at 20:45 Comment(1)
Thanks, yes I just had to create a custom role with a specific permission. – Homozygous
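The custom-role route the accepted answer describes, done from the command line instead of the console, as an added example that is not part of the thread. It writes a role definition holding only the two bucket-level permissions a project-wide `gsutil ls` needs (no object read), creates the role with `gcloud iam roles create --file`, and binds it to the service account. `PROJECT_ID`, `SA_EMAIL` and the role id `bucketLister` are placeholders; by default the script only prints the gcloud commands (`DRY_RUN=1`), so it can be reviewed before anything is changed in the project.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege custom role for `gsutil ls`.
# Placeholders: override PROJECT_ID, SA_EMAIL and ROLE_ID in the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"                                # placeholder
SA_EMAIL="${SA_EMAIL:-ls-only@my-project-id.iam.gserviceaccount.com}"    # placeholder
ROLE_ID="${ROLE_ID:-bucketLister}"                                       # assumed role id
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

# Write the role definition consumed by `gcloud iam roles create --file`.
# Only bucket-level read permissions: enough to list buckets, not to read objects.
write_role_yaml() {
  out="$1"
  cat > "$out" <<EOF
title: "Bucket Lister (read-only)"
description: "Lets a service account run gsutil ls at project level"
stage: "GA"
includedPermissions:
- storage.buckets.list
- storage.buckets.get
EOF
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the custom role in the project and grant it to the service account.
create_and_bind() {
  yaml="$1"
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$yaml"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" \
      --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

main() {
  tmp="$(mktemp)"
  write_role_yaml "$tmp"
  create_and_bind "$tmp"
  rm -f "$tmp"
}
main "$@"
```

Set `DRY_RUN=0` once the printed commands look right. Because the role carries no `storage.objects.*` permission, the account can enumerate buckets but still cannot list or read their contents; add those permissions (or one of the object roles from the other answers) only if the workload needs them.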
5

The command gsutil ls lists the buckets in your project.

To list buckets you need the permission storage.buckets.list.

To list the objects in a bucket you need the permission storage.objects.list.

Neither of those permissions allows you to read an object. To read an object you need the permission storage.objects.get.

To only read an object, you do not need the list permissions. However, since you are using the gsutil command, you do.

There are several predefined roles that you can attach to your service account to grant the necessary permissions for gsutil.

Recommended:

roles/storage.objectViewer

Or the following two roles:

roles/storage.legacyObjectReader
roles/storage.legacyBucketReader

If you ONLY want to assign a role to read an object but not list them:

roles/storage.legacyObjectReader
Ehudd answered 14/11, 2019 at 22:10 Comment(2)
-1: after I tested, roles/storage.objectViewer predictably results in "does not have storage.buckets.list access to the Google Cloud project". – Litho
@Litho - Thank you, you are correct. In the first part of my answer I provided the role to access objects. In the second part I answered to list buckets. I oversimplified the problem to the point that part of my answer is wrong. – Ehudd
1

Read only permissions for a GCP GCS bucket as of January 2022:

storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
Judo answered 29/1, 2022 at 14:13 Comment(0)
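A small permission-coverage check, added here as an example and not part of the thread, covering both the permission-to-operation mapping in the answer above this one (`storage.buckets.list` to list buckets, `storage.objects.list` to list objects, `storage.objects.get` to read one) and the four-permission read-only set just listed. It parses the `includedPermissions` list out of YAML in the shape `gcloud iam roles describe ROLE` prints and reports which permissions a role lacks for a given gsutil operation. The two role files are constructed samples (the objectViewer one is the case from the comments, where the role reads objects but cannot run a project-level `gsutil ls`); for a real role, save the output of `gcloud iam roles describe roles/storage.objectViewer` and pass that file instead.

```shell
#!/bin/sh
# Added example (not from the thread): does a role cover a given gsutil operation?
set -eu

# Permissions each operation needs, as stated in the thread.
#   gsutil ls                  -> list-buckets
#   gsutil ls gs://BUCKET      -> list-objects
#   gsutil cp gs://BUCKET/o .  -> read-object
required_for() {
  case "$1" in
    list-buckets) echo storage.buckets.list ;;
    list-objects) echo storage.objects.list ;;
    read-object)  echo storage.objects.get ;;
    *) echo "unknown operation: $1" >&2; return 2 ;;
  esac
}

# Extract the includedPermissions list from describe-style YAML (one name per line).
included_permissions() {
  awk '/^includedPermissions:/ {f=1; next}
       f && /^- /  {sub(/^- /, ""); print; next}
       f && !/^- / {f=0}' "$1"
}

# Print each permission the operation needs that the role does not include.
missing_for() {  # missing_for OPERATION ROLE_YAML
  op="$1"; yaml="$2"
  have="$(included_permissions "$yaml")"
  for p in $(required_for "$op"); do
    printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
  done
}

# Human-readable verdict for one operation against one role file.
report() {  # report OPERATION ROLE_YAML
  m="$(missing_for "$1" "$2")"
  if [ -z "$m" ]; then
    printf '%s: OK with %s\n' "$1" "$2"
  else
    printf '%s: missing %s\n' "$1" "$(printf '%s' "$m" | tr '\n' ' ')"
  fi
}

# Constructed samples in the shape of `gcloud iam roles describe` output.
OBJECT_VIEWER="$(mktemp)"
READ_ONLY="$(mktemp)"
trap 'rm -f "$OBJECT_VIEWER" "$READ_ONLY"' EXIT
cat > "$OBJECT_VIEWER" <<'EOF'
name: roles/storage.objectViewer
title: Storage Object Viewer
includedPermissions:
- storage.objects.get
- storage.objects.list
stage: GA
EOF
cat > "$READ_ONLY" <<'EOF'
name: projects/my-project-id/roles/gcsReadOnly
title: GCS read-only (custom)
includedPermissions:
- storage.buckets.get
- storage.buckets.list
- storage.objects.get
- storage.objects.list
stage: GA
EOF

report list-buckets "$OBJECT_VIEWER"   # missing storage.buckets.list
report read-object  "$OBJECT_VIEWER"   # OK
report list-buckets "$READ_ONLY"       # OK
```

The useful habit this encodes: before handing a service account a role, check the role's `includedPermissions` against the exact operations the job runs, rather than reasoning from the role's title. "Object Viewer" sounds like it should let you list, and in the console it does once you are inside a bucket, but the project-level `gsutil ls` in the question needs `storage.buckets.list`, which it does not carry.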
0

The "Viewer" role for the project is probably what you are looking for to view all the buckets in a project.

Otherwise, by giving only the "storage object viewer" role, you can only view the content INSIDE the bucket, by going to the correct URL of the bucket.

Rovner answered 15/2, 2023 at 8:48 Comment(0)