I'm currently using the web UI to browse the files in one of the buckets, and I happen to be the project owner as well. However, I get a permission error:

You need the storage.objects.list permission to list objects in this bucket. Ask a project or bucket owner to give you this permission, then try again.

I'm completely stumped as I'm project owner. Any ideas?

opensourcegeek

4 Answers

The role roles/owner doesn't grant access to data within buckets.

The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.

On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it on the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.

When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.

A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.

Dom Zippilli
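To make the lookup described in the answer above mechanical, here is an added example that is not part of the original thread: a small Python audit that takes the JSON a `gsutil iam get gs://BUCKET` call returns, plus the project-level bindings, and reports through which roles (if any) a given principal holds storage.objects.list on the bucket. The role-to-permission table is a hand-copied subset of the IAM permissions reference and is an assumption to be re-checked against the live reference; the project id, principals and policies are constructed sample data.

```python
import json

# Constructed subset of the IAM permissions reference (assumption: verify
# against the live reference, since predefined roles gain permissions over
# time). "storage.objects.*" mirrors the reference's wildcard notation.
ROLE_PERMISSIONS = {
    "roles/owner": {"storage.buckets.*"},        # no storage.objects.* data permissions
    "roles/storage.admin": {"storage.buckets.*", "storage.objects.*"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyBucketOwner": {
        "storage.buckets.get", "storage.buckets.update", "storage.objects.list",
    },
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyObjectOwner": {"storage.objects.get", "storage.objects.update"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
}

# Project-level basic roles map to the "convenience" members that bucket
# policies reference (projectOwner:PROJECT_ID and friends).
CONVENIENCE = {"roles/owner": "projectOwner", "roles/editor": "projectEditor",
               "roles/viewer": "projectViewer"}


def role_grants(role, permission):
    """True if the role contains the permission, directly or via a wildcard."""
    perms = ROLE_PERMISSIONS.get(role, set())
    wildcard = permission.rsplit(".", 1)[0] + ".*"
    return permission in perms or wildcard in perms


def roles_granting(permission):
    """The CTRL-F step from the answer: every known role that grants the permission."""
    return sorted(r for r in ROLE_PERMISSIONS if role_grants(r, permission))


def effective_members(project_id, project_policy, member):
    """The member strings that can match `member` in a bucket policy: the
    principal itself plus any convenience value inherited from project roles."""
    ids = {member}
    for binding in project_policy["bindings"]:
        if member in binding["members"] and binding["role"] in CONVENIENCE:
            ids.add(f"{CONVENIENCE[binding['role']]}:{project_id}")
    return ids


def audit(project_id, project_policy, bucket_policy, member,
          permission="storage.objects.list"):
    """Return the 'role@scope' bindings through which `member` holds
    `permission` on the bucket; an empty list means the console error above."""
    ids = effective_members(project_id, project_policy, member)
    via = []
    for policy, scope in ((project_policy, "project"), (bucket_policy, "bucket")):
        for binding in policy["bindings"]:
            if ids & set(binding["members"]) and role_grants(binding["role"], permission):
                via.append(f"{binding['role']}@{scope}")
    return via


# Constructed sample: alice is project owner, but the bucket's default
# roles/storage.legacyBucketOwner binding for projectOwner was removed, so
# only bob (explicit objectViewer) can list objects.
PROJECT_ID = "example-project"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}
BUCKET_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.legacyBucketReader", "members": ["projectViewer:example-project"]},
    {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "CAE="
}""")

if __name__ == "__main__":
    print("roles granting storage.objects.list:", roles_granting("storage.objects.list"))
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, "->", audit(PROJECT_ID, PROJECT_POLICY, BUCKET_POLICY, who) or "DENIED")
```

Feed it the real output of `gsutil iam get` and `gcloud projects get-iam-policy --format=json` and it shows why a project owner can be denied: roles/owner never appears in `roles_granting("storage.objects.list")`, and once the projectOwner convenience binding is gone from the bucket, nothing else carries the permission.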

In the GCP Console navigate to the IAM Admin menu.

  1. Choose IAM (top menu item).
  2. Select your account.
  3. In the info panel click on Add Role.
  4. Add the Storage Object Admin role to your account.
  5. Choose the Service Accounts menu item from the IAM menu (below Quotas).
  6. Select the compute@developer.gserviceaccount.com or default account.
  7. In the info panel click on Add Member and add your account.

You should now have full access to the Storage Bucket.

R3N13R

I remember when I used Google Storage for the Speech API, I needed to go to the IAM console to add the "Storage Admin" role to the service account even though I'm the project owner.

I understand that you're not using gsutil. But at this point, maybe give it a try: create the service account and give it the right permission? Hopefully this will make it work for you.

alant

You can try running this command:

gsutil iam ch 'user:myacc@mydoma.in:legacyObjectOwner' gs://mybucket

It worked for me.

Otherwise you can go to IAM and assign the Storage Admin role to your account.

Harsh Manvar