I'm currently using the web UI to browse the files in one of the buckets, and I happen to be the project owner as well. However, I get a permission error:
You need the storage.objects.list permission to list objects in this bucket. Ask a project or bucket owner to give you this permission, then try again.
I'm completely stumped as I'm project owner. Any ideas?
In the Google Cloud console, go to the Cloud Storage Browser page. In the list of buckets, click on the name of the bucket that you want to make public. Select the Permissions tab near the top of the page. In the Permissions section, click the + Add button.
The error you get means that your Cloud Function service account is lacking the storage.objects.create permission. In order to fix it, you can either give your service account a predefined role like Storage Object Creator or create a custom role with that permission.
In most cases, IAM is the recommended method for controlling access to your resources. IAM controls permissioning throughout Google Cloud and allows you to grant permissions at the bucket and project levels.
The role roles/owner doesn't grant access to data within buckets.
The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.
On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it in the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.
A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.
In the GCP Console navigate to the IAM Admin menu.
Select your account.
In the info panel click on Add Role
Add the Storage Object Admin role to your account
Select the [email protected] or default account.
In the info panel click on Add Member and add your account.
You should now have full access to the Storage Bucket
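Both answers above come down to the same check: which bindings in the bucket's (or project's) IAM policy actually carry storage.objects.list for your member, given that roles/owner does not. The script below is an added example, not code from either answer or from Google. It evaluates a policy in the JSON shape that `gcloud storage buckets get-iam-policy --format=json` and `gcloud projects get-iam-policy --format=json` produce, against a hand-maintained subset of the IAM permissions reference, and prints the `gcloud storage buckets add-iam-policy-binding` command that does what the console steps above do. The policies, project name, bucket name and member e-mails are constructed for the demo; convenience members such as `projectOwner:PROJECT_ID` are matched only literally, not expanded.

```python
import json

# Subset of the IAM permissions reference for the storage.objects.* permissions.
# roles/owner is listed explicitly with an empty set because the basic roles do
# not carry any storage.objects.* permission, which is why a project owner can be
# refused storage.objects.list. Add rows here for other permissions you care about.
ROLE_PERMISSIONS = {
    "roles/owner": set(),
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectUser": {"storage.objects.create", "storage.objects.delete",
                                 "storage.objects.get", "storage.objects.list",
                                 "storage.objects.update"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list",
                                  "storage.objects.update"},
    "roles/storage.admin": {"storage.objects.create", "storage.objects.delete",
                            "storage.objects.get", "storage.objects.list",
                            "storage.objects.update", "storage.buckets.get",
                            "storage.buckets.update"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyBucketWriter": {"storage.buckets.get", "storage.objects.create",
                                         "storage.objects.delete", "storage.objects.list"},
    "roles/storage.legacyBucketOwner": {"storage.buckets.get", "storage.buckets.update",
                                        "storage.objects.create", "storage.objects.delete",
                                        "storage.objects.list"},
}


def check_permission(policy, member, permission):
    """Classify the bindings that apply to `member` in an IAM policy dict.

    Returns {"granting": roles that carry `permission` unconditionally,
             "conditional": roles that carry it only while an IAM condition holds,
             "unknown": roles (e.g. custom roles) not in ROLE_PERMISSIONS}.
    Members are compared literally; convenience members like projectOwner:PROJECT
    are not expanded (assumption of this example).
    """
    result = {"granting": set(), "conditional": set(), "unknown": set()}
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role not in ROLE_PERMISSIONS:
            result["unknown"].add(role)  # custom role: look it up with gcloud iam roles describe
            continue
        if permission not in ROLE_PERMISSIONS[role]:
            continue
        if binding.get("condition"):
            result["conditional"].add(role)
        else:
            result["granting"].add(role)
    return result


def remediation(bucket, member, role="roles/storage.objectViewer"):
    """The gcloud equivalent of the console 'Add Member / Add Role' steps.

    Defaults to Storage Object Viewer, which is enough to list and read objects;
    pass roles/storage.objectAdmin if write access is actually needed.
    """
    return (f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
            f"--member={member} --role={role}")


# Constructed sample policies (not real gcloud output). The legacyBucketOwner
# binding has been removed from the bucket, as the first answer describes.
PROJECT_POLICY = json.loads("""
{"bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}]}
""")

BUCKET_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketReader", "members": ["projectViewer:my-project"]},
  {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
  {"role": "roles/storage.objectAdmin", "members": ["user:carol@example.com"],
   "condition": {"title": "temp", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "projects/my-project/roles/auditor", "members": ["user:alice@example.com"]}
]}
""")

if __name__ == "__main__":
    alice = "user:alice@example.com"
    for name, policy in (("project", PROJECT_POLICY), ("bucket", BUCKET_POLICY)):
        print(name, check_permission(policy, alice, "storage.objects.list"))
    print(remediation("my-bucket", alice))
```

Run it and the project-level result for alice is empty even though she is roles/owner, and the bucket-level result only flags the custom role as unknown; the printed command is the fix. Prefer Storage Object Viewer over Storage Object Admin when the goal is just to browse files: the admin role also lets the principal delete and overwrite every object in the bucket.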