
I would like to download blobs from a storage using Python. The examples show this code:

from google.cloud import storage
client = storage.Client()
bucket = client.get_bucket(BUCKETNAME)    # GET bucket metadata: needs storage.buckets.get
blob = bucket.get_blob(BLOBNAME)          # GET object metadata: needs storage.objects.get
raw_bytes = blob.download_as_bytes()      # GET object media:    needs storage.objects.get

While this works, it not only requires the storage.objects.get permission granted with the "Storage Object Viewer" role (roles/storage.objectViewer), but also the storage.buckets.get permission to execute the get_bucket line. This permission is granted by other roles that sound either overly powerful or legacy, like "Storage Admin" or "Storage Legacy Bucket Reader".

Is there a way to change the Python code, such that only the storage.objects.get permission is required? It seems that the JSON API which is probably behind the Python API allows this: https://cloud.google.com/storage/docs/json_api/v1/objects/get

Best, Boris

  • 1) You can create custom IAM roles. 2) Legacy in the name **Storage Legacy Bucket Reader** does not mean legacy as in no longer recommended or supported. It refers to permissions that existed before IAM was developed. Before IAM, OAuth Scopes were the authorization mechanism. – John Hanley Nov 12 '21 at 16:08
  • But the question remains: how can I read the blob without the storage.buckets.get permission using Python? If I can do that using the JSON API, it would be sad if the implementation of the Python API prevents that. – Boris Lau Nov 13 '21 at 23:51

1 Answer

In the sample code, the bucket statement bucket = client.get_bucket(BUCKETNAME) is used to list the bucket operation.

If you are to output the value you get as a response, rather than performing the client.get_bucket, you can pass this as a static value. By using a static value, you would not be utilizing the client.get_bucket operation, which requires the storage.buckets.get permission.

You may also refer to a similar Stack Overflow case.

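A concrete form of what the answer describes, written as an added example rather than code from the question or answer: `client.bucket()` and `bucket.blob()` build local references without issuing any request, so the only API call is the `objects.get` behind `download_as_bytes()`. The `object_media_url()` helper is an assumption added here to show the JSON API request the question links to (`alt=media` returns the object bytes); bucket and object names in the usage call are constructed placeholders, and running `download_object()` assumes the `google-cloud-storage` package and application default credentials are available.

```python
"""Download a GCS object using only storage.objects.get on that object.

Added example, not code from the original post. download_object() assumes the
google-cloud-storage package is installed and credentials are available;
object_media_url() needs only the standard library.
"""
from urllib.parse import quote


def object_media_url(bucket_name: str, object_name: str) -> str:
    """URL of the JSON API objects.get call that returns the raw bytes.

    Object names may contain '/', so the whole name is percent-encoded as a
    single path segment (slashes become %2F). alt=media selects the content
    rather than the metadata document.
    """
    return (
        "https://storage.googleapis.com/storage/v1/b/"
        f"{quote(bucket_name, safe='')}/o/{quote(object_name, safe='')}"
        "?alt=media"
    )


def download_object(bucket_name: str, object_name: str) -> bytes:
    """Fetch object bytes without ever calling buckets.get.

    client.get_bucket() / bucket.get_blob() each perform a GET and therefore
    need storage.buckets.get / storage.objects.get. client.bucket() and
    bucket.blob() just construct objects locally, so the first (and only)
    request is the objects.get issued by download_as_bytes().
    """
    # Imported inside the function so the URL helper above is usable even
    # where the SDK is not installed.
    from google.cloud import storage
    from google.api_core.exceptions import Forbidden

    client = storage.Client()
    bucket = client.bucket(bucket_name)   # local reference, no API call
    blob = bucket.blob(object_name)       # local reference, no API call
    try:
        return blob.download_as_bytes()   # one GET: storage.objects.get on this object
    except Forbidden as exc:
        # A 403 here means the caller lacks storage.objects.get on the object
        # itself; storage.buckets.get is never exercised on this path.
        raise PermissionError(
            f"storage.objects.get denied for {object_media_url(bucket_name, object_name)}"
        ) from exc


if __name__ == "__main__":
    # Constructed placeholder names; replace with a real bucket and object.
    print(object_media_url("example-bucket", "logs/2021/11/app.log"))
    print(len(download_object("example-bucket", "logs/2021/11/app.log")))
```

With this shape the service account only needs roles/storage.objectViewer (or a custom role containing just storage.objects.get), granted on the bucket or on the individual object.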