What roles are needed to download an object from a Google Storage Bucket

Question

I have created a service account and given it only the Storage Object Viewer role. I would like to use this service account to download objects from a bucket using the python API.

I have set the GOOGLE_APPLICATION_CREDENTIALS environment variable accordingly and can see the relevant service account showing up on the bucket's permissions page.

I use the following code to try and download an object

from google.cloud import storage
storage_client = storage.Client()
bucket = storage_client.get_bucket(BUCKET_NAME)

But I get the following error when calling get_bucket

google.api_core.exceptions.Forbidden: 
403 GET https://storage.googleapis.com/storage/v1/b/samplereadbucket?projection=noAcl: 
sample-service-account@project.iam.gserviceaccount.com does not have storage.buckets.get 
access to samplereadbucket.

What is the minimum set of roles I need to set so that the service account has storage.buckets.get access if not Storage Object Viewer?

score 5 · Accepted Answer · answered Nov 13 '19 at 16:08

5

Storage Object Viewer (roles/storage.objectViewer) only includes these permissions:

resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

For buckets, you will need a role like Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) (or create a custom role). This gives you:

storage.buckets.get
storage.objects.list

You can always use the IAM & Admin > Roles tab in the cloud console to search for the specific permissions to see what roles currently grant those permissions.

answered Nov 13 '19 at 16:08

robsiemb

6,157
7
32
46

I was thrown off by the word `Legacy` and thought I shouldn't be using those roles. This looks to be the correct answer though! – Increasingly Idiotic Nov 13 '19 at 16:10
You can also just create a custom role. – robsiemb Nov 13 '19 at 16:11
1

Here's also a link to the Storage Role documentation for anyone in the future: https://cloud.google.com/iam/docs/understanding-roles#storage-roles – Increasingly Idiotic Nov 13 '19 at 16:11
1

I also thought I wouldn't/shouldn't need to create a custom role to do something as common as download an object from a bucket. =P – Increasingly Idiotic Nov 13 '19 at 16:13
1

Sure, I suppose you also could use the Storage Admin role, but that seems wrong too :) – robsiemb Nov 13 '19 at 16:26
Yes, granting your service account the **Storage Admin** role would work as well. – Deniss T. Nov 14 '19 at 09:24

score 0 · Answer 2 · answered Mar 23 '22 at 11:05

it's needed to add these roles to the SA:

Storage Object Viewer (roles/storage.objectViewer)

   resourcemanager.projects.get
   resourcemanager.projects.list
   storage.objects.get
   storage.objects.list

Storage Legacy Bucket Reader (roles/storage.legacyBucketReader)

   storage.buckets.get 
   storage.multipartUploads.list
   storage.objects.list

Or even better would be creating a custom role with roles

What roles are needed to download an object from a Google Storage Bucket

2 Answers2