Google Cloud Storage confused about ACL/IAM and legacy permissions
I have a bucket whose contents I want to be publicly readable. However, I do not want the users to be able to list all of the contents by removing the keyname from the URL.

For the sake of simplicity, please assume that I am setting these permissions via the console.

  1. Setting Storage Object Viewer for allUsers allows me to access the objects as well as list the contents.
  2. Setting Storage Legacy Object Reader for allUsers allows me to access the objects but not list the contents.

This seems odd to me: why is the permission a "Legacy" permission? Does that mean it will be removed in future? This is a very important functionality for me.

Additionally, if it is not going to be removed, how can I ensure all future content published to this bucket inherits the bucket's permission?

Thank you in advance.

Coleridge answered 6/8, 2017 at 15:5 Comment(0)
It is 'Legacy' because it exactly matches the pre-IAM permissions granted via the legacy READER role on an Object.

I can't say for certain what the plans are for those legacy roles (there are 5 of them), but if they are deprecated there would definitely need to be a deprecation period and an announcement.

If you are uncomfortable using a 'Legacy' role (or in any case where there is no curated role that exactly fits your use case) you can always create a custom role with exactly the set of permissions you need. https://cloud.google.com/iam/docs/creating-custom-roles

As for 'how can I ensure all future content published to this bucket inherits the bucket's permission': the bucket IAM policy is always inherited by all objects in the bucket. As you have a role granting 'storage.objects.get' to allUsers on the bucket policy, it will be applied to all objects in the bucket.

Squabble answered 7/8, 2017 at 4:6 Comment(0)
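The distinction the two answers draw (fetch-by-name versus listing) comes down to which permissions a public principal ends up holding. The script below is an added example, not code from the answerer or from Google: it audits a bucket IAM policy document for `allUsers`/`allAuthenticatedUsers` grants and reports whether they allow `storage.objects.get` only, or `storage.objects.list` as well, and it emits a custom-role YAML of the kind the answer recommends. The `ROLE_PERMISSIONS` map is an assumption approximating the documented contents of the roles named in the thread (confirm with `gcloud iam roles describe`), and the role id `publicObjectReaderNoList` is a hypothetical name; the sample policies are constructed.

```python
"""Audit a Cloud Storage bucket IAM policy for public object reads and
public listing (added example, not code from the thread)."""
from typing import Dict, List, Set, Tuple

# Assumed permission sets for the roles discussed in the thread. This map
# approximates the documented contents of the predefined roles; confirm with
# `gcloud iam roles describe roles/storage.objectViewer` before relying on it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
}

# Principals that make a grant "public" in the sense the question means.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_permissions(policy: dict) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Collect the permissions each public principal gets from the bindings.

    Returns (per-principal permission sets, roles not in ROLE_PERMISSIONS).
    Unknown roles are reported rather than guessed so an audit never silently
    treats an unfamiliar role as harmless.
    """
    granted: Dict[str, Set[str]] = {}
    unknown: List[str] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        public_members = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        if not public_members:
            continue
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None:
            unknown.append(role)
            continue
        for member in public_members:
            granted.setdefault(member, set()).update(perms)
    return granted, unknown


def objects_are_public(policy: dict) -> bool:
    """True if any public principal can fetch objects by name."""
    granted, _ = public_permissions(policy)
    return any("storage.objects.get" in perms for perms in granted.values())


def listing_is_public(policy: dict) -> bool:
    """True if any public principal can enumerate the bucket's objects."""
    granted, _ = public_permissions(policy)
    return any("storage.objects.list" in perms for perms in granted.values())


def custom_role_definition(role_id: str = "publicObjectReaderNoList") -> str:
    """YAML body for `gcloud iam roles create ROLE_ID --project P --file role.yaml`.

    role_id is a hypothetical name; the single permission is the one the
    thread identifies as sufficient for fetch-by-name without listing.
    """
    return (
        f"title: {role_id}\n"
        "description: Read objects by name; no bucket listing\n"
        "stage: GA\n"
        "includedPermissions:\n"
        "- storage.objects.get\n"
    )


# Constructed sample policies mirroring the two console settings in the question.
POLICY_OBJECT_VIEWER = {
    "bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]
}
POLICY_LEGACY_READER = {
    "bindings": [{"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]}]
}
# Listing can also come from a bucket-level legacy role, not only object roles.
POLICY_LEGACY_BUCKET_READER = {
    "bindings": [
        {"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]},
        {"role": "roles/storage.legacyBucketReader", "members": ["allUsers"]},
    ]
}

if __name__ == "__main__":
    for name, policy in [
        ("objectViewer", POLICY_OBJECT_VIEWER),
        ("legacyObjectReader", POLICY_LEGACY_READER),
        ("legacyObjectReader+legacyBucketReader", POLICY_LEGACY_BUCKET_READER),
    ]:
        print(f"{name}: objects public={objects_are_public(policy)} "
              f"listing public={listing_is_public(policy)}")
    print(custom_role_definition())
```

The third sample shows why an audit should look at every binding on the bucket, not just the object-reader role: a bucket-level legacy reader grant reintroduces listing even when the object role alone would not. To run this against a real bucket, feed it the JSON from `gsutil iam get gs://BUCKET` after `json.load`.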
I also thought not just "Storage Legacy Object Reader" but also "Storage Legacy Bucket Owner", "Storage Legacy Bucket Reader", "Storage Legacy Bucket Writer" and "Storage Legacy Object Owner" were deprecated because they have the word "Legacy".


But as far as I researched, they are not deprecated even now ("Apr, 2022"), which is about 5 years after you asked this question. I think they are kind of stable roles that are not easily and immediately deprecated.

If you are worried that they are deprecated sooner or later, you can create a custom role following this instruction "Creating a custom role".

Ashanti answered 28/4, 2022 at 0:34 Comment(0)
