How do I give a GCP service account storage.buckets.list access with read only access?

I'm trying to run gsutil ls, however that results in:

ubuntu@ip:~$ gsutil ls
AccessDeniedException: 403 [email protected] does not have storage.buckets.list access to project xxxxxxxxxxxxxxx.

Can I give this permission with only read / viewer access IAM roles?

Chris Stryczynski asked Nov 14 '19 20:11


3 Answers

You certainly can. At a minimum, you can always create a custom role with exactly the permissions you want. You do this by clicking the Create Role button at the top of the roles tab. Then, once it is created, apply that role to your service account on the IAM page, like any other role.

Alternatively, you can use the same roles tab in the cloud console to search for that permission explicitly to see which roles contain it and see if any would work for you.

In this case, I don't see an obvious default one that is limited, however. That said, you could look at Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) as a starting point for a custom role in this case -- if you select this role on the roles tab, you can 'Create Role from Selection' to use it as a starting point.

robsiemb answered Oct 31 '22 04:10


The command gsutil ls lists the buckets in your project.

To list buckets you need the permission storage.buckets.list.

To list the objects in a bucket you need the permission storage.objects.list.

Neither of those permissions allows you to read an object. To read an object you need the permission storage.objects.get.

To only read an object, you do not need the list permissions. However, since you are using the gsutil command, you do.

There are several predefined roles that you can attach to your service account to grant the necessary permissions for gsutil.

Recommended:

roles/storage.objectViewer

Or the following two roles:

roles/storage.legacyObjectReader
roles/storage.legacyBucketReader

If you ONLY want to assign a role to read an object but not list them:

roles/storage.legacyObjectReader
John Hanley answered Oct 31 '22 04:10


Read only permissions for a GCP GCS bucket as of January 2022:

storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
Nestor Urquiza answered Oct 31 '22 04:10
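The following script is an added example, not code from any of the answers above. It puts the first answer's custom-role approach and the last answer's four-permission list together: it builds the role definition file that `gcloud iam roles create --file` consumes, refuses to continue if any permission outside a strict get/list allow-list slipped into the file, then binds the role to the service account with `gcloud projects add-iam-policy-binding`. Before falling back to a predefined role, `gcloud iam roles describe` shows exactly which permissions that role carries, which is the check to run rather than assuming a "viewer" role includes storage.buckets.list. PROJECT_ID, ROLE_ID and SA_EMAIL are placeholders; the gcloud calls only run when RUN_GCLOUD=1 is set, so the file can be sourced for its helper functions without touching a project.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answers): create a custom
# read-only Cloud Storage role that includes storage.buckets.list, so that
# `gsutil ls` works for a service account without granting any write access.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-project-id}"                                # placeholder
ROLE_ID="${ROLE_ID:-storageReadOnlyLister}"                              # placeholder role id
SA_EMAIL="${SA_EMAIL:-reader@my-project-id.iam.gserviceaccount.com}"     # placeholder

# Emit the role definition consumed by `gcloud iam roles create --file`.
# The four permissions are the read-only set listed in the answer above.
readonly_role_yaml() {
  cat <<'EOF'
title: "Storage Read-Only (with bucket listing)"
description: "List buckets and objects and read object contents; no writes"
stage: "GA"
includedPermissions:
- storage.buckets.get
- storage.buckets.list
- storage.objects.get
- storage.objects.list
EOF
}

# Read a role YAML on stdin and return 0 only if every includedPermissions
# entry ends in .get or .list. Anything else (create, delete, update,
# setIamPolicy, ...) fails the check, so a typo cannot widen the role.
check_read_only() {
  local yaml perm
  yaml="$(cat)"
  for perm in $(printf '%s\n' "$yaml" | sed -n 's/^- //p'); do
    case "$perm" in
      *.get|*.list) ;;
      *) echo "non-read-only permission in role: $perm" >&2; return 1 ;;
    esac
  done
  return 0
}

main() {
  # Gate the role file before it is ever sent to IAM.
  readonly_role_yaml | check_read_only
  readonly_role_yaml > role.yaml

  # Create the custom role in the project and bind it to the service account.
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"

  # Verification: print what the new role and a candidate predefined role
  # actually grant, so the choice is based on the real permission list.
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
    --format='value(includedPermissions)'
  gcloud iam roles describe roles/storage.objectViewer \
    --format='value(includedPermissions)'
}

# Only touch GCP when explicitly requested (RUN_GCLOUD=1).
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  main
fi
```

Run it as `RUN_GCLOUD=1 PROJECT_ID=... SA_EMAIL=... bash grant-readonly.sh` after `gcloud auth login` with an identity allowed to create roles and edit the project IAM policy. The allow-list in `check_read_only` is deliberately narrower than "everything that looks harmless": it accepts only `.get` and `.list` permissions, so extending the role later means consciously relaxing that check.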