Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I give a GCP service account storage.buckets.list access with read only access?

Tags:

google-cloud-platform

google-cloud-iam

I'm trying to do gsutil ls however that results in:

ubuntu@ip:~$ gsutil ls
AccessDeniedException: 403 [email protected] does not have storage.buckets.list access to project xxxxxxxxxxxxxxx.

Can I give this permission with only read / viewer access IAM roles?

like image 468
Chris Stryczynski Avatar asked Nov 14 '19 20:11

Chris Stryczynski

3 Answers

You certainly can. At a minimum, you can always create a custom role with exactly the permissions you want. You do this by clicking the Create Role button at the top of the roles tab. Then, once it is created, apply that role to your service account on the IAM page, like any other role.

Alternatively, you can use the same roles tab in the cloud console to search for that permission explicitly to see which roles contain it and see if any would work for you.

In this case, I don't see an obvious default one that is limited, however. That said,you could look at Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) as a starting point for a custom role in this case -- if you select this role on the roles tab, you can 'Create Role from Selection' to use it as a starting point).

like image 130
robsiemb Avatar answered Oct 31 '22 04:10

robsiemb

The command gsutil ls lists the buckets in your project.

To list buckets you need the permission storage.buckets.list.

To list the objects in a bucket you need the permission storage.objects.list.

Neither of those permissions allows you to read an object. To read an object you need the permission storage.objects.get.

To only read an object, you do not need the list permissions. However, since you are using the gsutil command, you do.

There are several predefined roles that you can attach to your service account to grant the necessary permissions for gsutil.

Recommended:

roles/storage.objectViewer

Or the following two roles:

roles/storage.legacyObjectReader
roles/storage.legacyBucketReader

If you ONLY want to assign a role to read an object but not list them:

roles/storage.legacyObjectReader
like image 37
John Hanley Avatar answered Oct 31 '22 04:10

John Hanley

Read only permissions for a GCP GCS bucket as of January 2022:

storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
like image 45
Nestor Urquiza Avatar answered Oct 31 '22 04:10

Nestor Urquiza
Sign in to Comment

Related questions

At what stage does Dataflow/Apache Beam ack a pub/sub message?
Google Cloud Endpoint at "/" Method does not exist
BigQuery Partitioned tables insert data from the past
Setting up environment variables in node, specifically, GOOGLE_APPLICATION_CREDENTIALS
Gcloud Kubernetes connection refused to exposed service
Google Storage : how to check if a bucket exists
how to create custom operators in airflow and use them in airflow template which is running through cloud composer(in google cloud platform)
Running multiple Colab notebooks in parallel over Google Cloud?
Kubernetes - Pass Public IP of Load Balance as Environment Variable into Pod
GKE - how to attach static ip to internal load balancer
How can I give a service account access to a particular secret?
Google Cloud Storage authentication for App Engine
Does Google Cloud Spanner support stored procedures?
GCP Dataflow: System Lag for streaming from Pub/Sub IO
Automatically shutdown Google Dataproc cluster after all jobs are completed
Export nested BigQuery data to cloud storage
What scopes / roles are required for a service account to be able to submit container builder jobs?
Google Managed Services (BigQuery,Cloud Storage etc) via a VPC/VPN
Maven conflict in Java app with google-cloud-core-grpc dependency
Is there a way to get all documents in a subcollection (Firestore)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!