GCS 'Storage Object Viewer' role cannot view objects
I am trying to give a user read access to a Google Cloud Storage bucket. The user has the "Storage Object Viewer" role

Role: Storage Object Viewer

but the user cannot see the items in the bucket:

Error message

The project ID is valid and according to the docs the "Storage Object Viewer" role includes the storage.buckets.list permission (EDIT: This is incorrect, see https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles).

The user can access the bucket if I give him the "Storage Object Admin" role, but then he also has write access. How do I just grant read access?

Polio answered 29/3, 2022 at 11:3 Comment(1)
You can only VIEW the object (data and metadata) but you don't have permission on the bucket to list the objects. Add another role or create a custom role with the appropriate permissions. – Chilcote
According to the docs, Storage Object Viewer does not have the storage.buckets.list permission! It only contains the following 4 permissions (see the screenshot).

[Screenshot: permissions included in the Storage Object Viewer role]

This means that the identity that has this role can only list/view objects inside a bucket and will not be allowed to list buckets and/or view bucket details.

If you need the identity to also list/view buckets, there is another predefined legacy role that you can use, named Storage Legacy Bucket Reader. See here

Dictograph answered 29/3, 2022 at 11:45 Comment(3)
It seems that Google might be in the process of retiring Storage Legacy Bucket Reader, at least based on the fact that I can't find it to grant it any more. This leaves no good way to grant this permission, from what I can see, other than granting the Viewer basic role or creating a custom role. – Abstractionist
I don't really understand why they're making it so hard. The use case is pretty common: say you want to let people see buckets, and create/view objects in those buckets, but not grant delete permissions on those objects. Since you don't want to grant delete you shouldn't grant Storage Admin at the project level, but then how do you let people see buckets? The only option other than a custom role seems to be the Viewer basic role, but I'd like to move away from basic roles because they grant too many permissions. – Abstractionist
@Abstractionist Hmm, I am able to find the role and use it (just tried). Anyway, a custom role is the only other solution. Maybe they will simplify things in future! – Dictograph
It looks like "Storage Insights Collector Service" has the storage.buckets.get privilege. https://cloud.google.com/storage/docs/access-control/iam-roles

Use that.

Coady answered 2/10 at 17:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.