
I am trying to give a user read access to a Google Cloud Storage bucket. The user has the "Storage Object Viewer" role

[screenshot: Role: Storage Object Viewer]

but the user cannot see the items in the bucket:

[screenshot: error message]

The project ID is valid and according to the docs the "Storage Object Viewer" role includes the storage.buckets.list permission (EDIT: This is incorrect, see https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles).

The user can access the bucket if I give him the "Storage Object Admin" role, but then he also has write access. How do I just grant read access?

Stephen
Martin Wiebusch
  • You can only VIEW the object (data and metadata), but you don't have permission on the bucket to list the objects. Add another role or create a custom role with the appropriate permissions. – guillaume blaquiere Mar 29 '22 at 14:07

1 Answer

According to the docs, Storage Object Viewer does not have the storage.buckets.list permission! It only contains the following 4 permissions (see the screenshot).

[screenshot: permission list of the Storage Object Viewer role]

This means that the identity that has this role can only list/view objects inside a bucket and will not be allowed to list buckets and/or view bucket details.

If you need the identity to also list/view buckets, there is another predefined legacy role that you can use, named Storage Legacy Bucket Reader. See here.

Atef Hares
  • It seems that Google might be in the process of retiring `Storage Legacy Bucket Reader`, at least based on the fact that I can't find it to grant it any more. This leaves no good way to grant this permission, from what I can see, other than granting the `Viewer` basic role or creating a custom role. – Stephen Sep 19 '22 at 20:31
  • I don't really understand why they're making it so hard. The use case is pretty common: say you want to let people see buckets, and create/view objects in those buckets, but not grant delete permissions on those objects. Since you don't want to grant delete, you shouldn't grant `Storage Admin` at the project level, but then how do you let people see buckets? The only option other than a custom role seems to be the `Viewer` basic role, but I'd like to move away from basic roles because they grant too many permissions. – Stephen Sep 19 '22 at 20:45
  • @Stephen Hmm, I am able to find the role and use it (just tried). Anyway, a custom role is the only other solution. Maybe they will simplify things in the future! – Atef Hares Sep 20 '22 at 11:48
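The custom-role route the answer and comments converge on, written out as an added example (this is not code from the original question or answer). It renders the YAML that `gcloud iam roles create --file` expects, binds the resulting role to a member at project level, and includes a small check that a role's permission list covers "list buckets and read objects" without carrying any mutating `storage.objects.*` permission. `PROJECT_ID`, `ROLE_ID` and the `user:alice@example.com` member are placeholders; the inclusion of `storage.buckets.get` (for viewing bucket details) is my choice, not something the page states. Nothing is executed against Google Cloud unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: build a read-only custom role
# that can list buckets and read objects, and bind it to a user.
# PROJECT_ID, ROLE_ID and MEMBER are placeholders (assumptions).
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"        # assumption: placeholder project
ROLE_ID="${ROLE_ID:-storageBucketReader}"     # assumption: custom role id
MEMBER="${MEMBER:-user:alice@example.com}"    # assumption: placeholder member
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print gcloud commands only

# Permissions for "see buckets, read objects, nothing else".
# No storage.objects.create / delete / update, so no write access.
# storage.buckets.get is included to allow viewing bucket details (my choice).
role_permissions() {
    printf '%s\n' \
        storage.buckets.get \
        storage.buckets.list \
        storage.objects.get \
        storage.objects.list
}

# Render the YAML consumed by `gcloud iam roles create --file`.
render_role_yaml() {
    printf 'title: "Storage Bucket Reader"\n'
    printf 'description: "List buckets and read objects, no write or delete"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    role_permissions | sed 's/^/- /'
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Create the custom role in the project, then grant it to the member.
# A custom role lives in the project, so it is referenced as
# projects/PROJECT_ID/roles/ROLE_ID in the binding.
create_and_bind() {
    tmp=$(mktemp)
    render_role_yaml > "$tmp"
    run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$tmp"
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="$MEMBER" \
        --role="projects/$PROJECT_ID/roles/$ROLE_ID"
    rm -f "$tmp"
}

# Check a permission list (one permission per line on stdin) against the
# use case from the question: must include bucket listing and object reads,
# must not include any mutating storage.objects permission.
# Exit status: 0 = ok, 1 = listing/read permission missing, 2 = write/delete present.
check_read_only_listing() {
    perms=$(cat)
    if printf '%s\n' "$perms" | grep -Eq '^storage\.objects\.(create|delete|update)$'; then
        return 2
    fi
    for need in storage.buckets.list storage.objects.get storage.objects.list; do
        printf '%s\n' "$perms" | grep -qx "$need" || return 1
    done
    return 0
}

# Usage: DRY_RUN=1 (default) prints the two gcloud commands; DRY_RUN=0 runs them.
create_and_bind
```

To compare against a predefined role, feed `gcloud iam roles describe roles/storage.objectViewer --format='value(includedPermissions)' | tr ';' '\n'` into `check_read_only_listing`; it returns 1 when `storage.buckets.list` is absent, which is exactly the situation in the question. Note that `storage.buckets.list` is a project-level permission, so the user will see every bucket in the project, not just one; a user who already knows the bucket name can read from `gs://BUCKET` with Storage Object Viewer alone, so the custom role is only needed for listing and console browsing.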