Ok, this is making me pull my hair out. I can't believe it's so complex...
So, to achieve what the subject says, without giving the user read access to all files in all buckets (other buckets in the project have sensitive data):
I navigated to the bucket -> Permissions and added the user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link, or probably also the API), but the user trying to navigate the console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (bucket browser page). The message is: "You don't have permission to view the Storage Browser or Storage Settings pages in this project"
How can I give the user access to list buckets (and therefore go through the UI path in the console) without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role, but what permissions would it need? Apparently storage.objects.list is not it.
In the Google Cloud console, go to the Cloud Storage Browser page. Click the Bucket overflow menu associated with the bucket to which you want to grant a principal a role. Choose Edit access. Click the + Add principal button.
To disable uniform bucket-level access on a bucket, you must first remove all IAM Conditions from that bucket's policy. For information on how to view and remove conditions from a bucket's policy, see Using IAM Conditions on bucket.
You can use signed URLs in addition to IAM and ACLs. For example, you can use IAM to grant access to a bucket for only a few people, then create a signed URL that allows others to access a specific resource within the bucket.
In the Google Cloud Console, go to the Cloud Storage Browser page. Click the Bucket overflow menu on the far right of the row associated with the bucket. Choose Edit access. Click Add principals. For New principals, fill out the principals to which you want to grant access to your bucket.
You must enable uniform bucket-level access on the bucket before adding conditions. In the Google Cloud Console, go to the Cloud Storage Browser page. Click the Bucket overflow menu on the far right of the row associated with the bucket. Choose Edit access.
Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure. Go into Cloud IAM . Add an IAM user assign them the new role you created in Step 1. Assign Permissions on the Bucket Resource. Go into the bucket you want to provide access to.
From the console, open the IAM user or role that should have access to only a certain bucket. In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.
Quick answer:
You need a custom role with:
storage.buckets.list
Rant answer: Finally found the complete permissions reference: https://cloud.google.com/storage/docs/access-control/iam-permissions
It looked easy enough knowing there are storage.bucket... permissions. With the UI it was still a nightmare to create the role, though. The "Add permissions" modal is tiny and only filterable by role ^^. I don't know a role with these permissions, but I know the exact permission. It shows 10 per page of 18xx permissions. Luckily storage permissions are very close to the end, so adding the service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.
resourcemanager.projects.get and storage.buckets.list permissions. Storage Admin (if they need to read objects/write objects/update permissions/fully configure the bucket) for the bucket, or Storage Viewer (for read-only access). You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.
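Putting the two answers above together as a script, added here as an example and not taken from the thread: the project-level custom role carries only the two listing permissions, and object access is granted on the single bucket. PROJECT_ID, BUCKET, USER_EMAIL and the role id BucketLister are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: PROJECT_ID, BUCKET, USER_EMAIL, ROLE_ID.
PROJECT_ID="${PROJECT_ID:-my-project}"       # placeholder project id
BUCKET="${BUCKET:-marketing-assets}"          # placeholder bucket name
USER_EMAIL="${USER_EMAIL:-dev@example.com}"   # placeholder principal
ROLE_ID="${ROLE_ID:-BucketLister}"            # hypothetical custom role id

# Project-level custom role: just what the Storage Browser page needs to load.
# No storage.objects.* here, so at project level the user sees bucket names only.
role_yaml() {
  cat <<EOF
title: Bucket Lister
description: Open the Storage Browser and list buckets, read no objects
stage: GA
includedPermissions:
- resourcemanager.projects.get
- storage.buckets.list
EOF
}

# Guard against someone later widening the role to object access.
role_is_list_only() {
  ! role_yaml | grep -qE '^- storage\.objects\.'
}

apply() {
  role_yaml > /tmp/bucket-lister.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=/tmp/bucket-lister.yaml
  # 1) project level: the custom role, so the console's bucket list renders
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$USER_EMAIL" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
  # 2) bucket level: object access on this one bucket only
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="user:$USER_EMAIL" --role="roles/storage.objectViewer"
  # 3) verify: the only project-level role held by the user should be the custom one
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" --filter="bindings.members:user:$USER_EMAIL" \
    --format="value(bindings.role)"
}

# Touch the project only when explicitly asked (GCP_APPLY=1).
if [ "${GCP_APPLY:-0}" = "1" ]; then
  role_is_list_only || { echo "role grants object access, refusing" >&2; exit 1; }
  apply
fi
```

Swap roles/storage.objectViewer for roles/storage.objectAdmin in step 2 when the user must also add and remove objects, as in the marketing-bucket case below.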
My use case: I needed to give a third-party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer the Storage Object Admin role.