Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

GCloud Storage: How to grant permission to see buckets in console but only see files in single bucket?

Ok, this is making me pull my hair out I can't believe it's so complex...

So, to achieve what subject says, without giving user read access to all files in all buckets (Other buckets in proj have sensitive data)

I Navigated to the bucket -> permissions and added user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link - or probably also api) but the user trying to navigate console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (bucket browser page). Message is: "You don’t have permission to view the Storage Browser or Storage Settings pages in this project"

How can I give the user access to list buckets (and therefore go through the UI path in console, without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role but what permissions would it need. Apparently storage.objects.list is not it.

like image 349
Kristofer Avatar asked Dec 07 '18 13:12

Kristofer


People also ask

How do I grant access to the Google Cloud storage bucket?

In the Google Cloud console, go to the Cloud Storage Browser page. Click the Bucket overflow menu ( ) associated with the bucket to which you want to grant a principal a role. Choose Edit access. Click the + Add principal button.

How do you turn off uniform bucket level in access?

To disable uniform bucket-level access on a bucket, you must first remove all IAM Conditions from that bucket's policy. For information on how to view and remove conditions from a bucket's policy, see Using IAM Conditions on bucket.

Can we use signed URLs to give users access to files in Cloud Storage buckets?

You can use signed URLs in addition to IAM and ACLs. For example, you can use IAM to grant access to a bucket for only a few people, then create a signed URL that allows others to access a specific resource within the bucket.

How do I grant access to a Google Cloud storage bucket?

In the Google Cloud Console, go to the Cloud Storage Browser page. Click the Bucket overflow menu () on the far right of the row associated with the bucket. Choose Edit access. Click Add principals. For New principals, fill out the principals to which you want to grant access to your bucket.

How do I enable uniform bucket-level access in Google Cloud Storage?

You must enable uniform bucket-level access on the bucket before adding conditions. In the Google Cloud Console, go to the Cloud Storage Browser page. Click the Bucket overflow menu () on the far right of the row associated with the bucket. Choose Edit access.

How do I give a user access to a bucket?

Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure. Go into Cloud IAM . Add an IAM user assign them the new role you created in Step 1. Assign Permissions on the Bucket Resource. Go into the bucket you want to provide access to.

How do I set IAM permissions for a specific bucket?

From the console, open the IAM user or role that should have access to only a certain bucket. 3. In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.


Video Answer


2 Answers

Quick answer:

You need a custom role with:

storage.buckets.list

Rant answer: Finally found the complete permissions reference. https://cloud.google.com/storage/docs/access-control/iam-permissions

Looked easy enough knowing there are storage.bucket... permissions. With UI it was still a nightmare to create the role though. Adding permissions modal is tiny, and only filterable by role ^^. I don't know a role with these permissions but I know the exact permission. Shows 10 per page of 18xx permissions. Luckily storage permissions are very close to the end so adding service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.

like image 168
Kristofer Avatar answered Nov 15 '22 16:11

Kristofer


As of January 2021, to give a user access to the cloud storage console and access to a particular bucket, let's say to view or upload files:

  1. Create a custom role in Cloud IAM
  • This custom role needs resourcemanager.projects.get and storage.buckets.list permissions.
  • The first permission allows the user to actually select the relevant project.
  • The second permission allows the user to list all the buckets in your account. Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure.
  1. Create an IAM user
  • Go into Cloud IAM .
  • Add an IAM user assign them the new role you created in Step 1.
  1. Assign Permissions on the Bucket Resource.
  • Go into the bucket you want to provide access to.
  • Go into the permissions pane.
  • Assign permission(s) to the IAM user you created in step 2. Assign a Storage role that makes sense for your situation (i.e. Storage Admin if they need to read objects/write objects/update permissions/fully configure the bucket for the bucket or Storage Viewer for read only access).

You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.

My use case: I needed to give a third party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer Storage Object Admin role.

like image 30
Govind Rai Avatar answered Nov 15 '22 15:11

Govind Rai