Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does gsutil cp require storage.objects.delete on versioned bucket?

Tags:

google-cloud-storage

gsutil

I'm using a service account to upload a file to Google Cloud Storage bucket that has versioning. I want to keep the service account privileges minimal, it only ever needs to upload files so I don't want to give it permission to delete files, but the upload fails (only after streaming everything!) saying it requires delete permission.

Shouldn't it be creating a new version instead of deleting?

Here's the command:

cmd-that-streams | gsutil cp -v - gs://my-bucket/${FILE}

ResumableUploadAbortException: 403 [email protected] does not have storage.objects.delete access to my-bucket/file

I've double checked that versioning is enabled on the bucket

> gsutil versioning get gs://my-bucket
gs://my-bucket: Enabled
like image 523
ChrisJ Avatar asked Oct 19 '25 04:10

ChrisJ

2 Answers

The permission storage.objects.delete is required if you are executing the gsutl cp command as per cloud storage gsutil commands.

Command: cp

Required permissions:

  • storage.objects.list* (for the destination bucket)
  • storage.objects.get (for the source objects)
  • storage.objects.create (for the destination bucket)
  • storage.objects.delete** (for the destination bucket)

**This permission is only required if you don't use the -n flag and you insert an object that has the same name as an object that already exists in the bucket.

Google docs suggests to use -n (do not overwrite an existing file) so storage.objects.delete won't be required. But your use case uses versioning and you will be needing to overwrite, thus you will need to add storage.objects.delete on your permissions.

I tested this with a bucket versioning is enabled and only has 1 version. Service account that have roles Storage Object Creator and Storage Object Viewer.

See screenshot for the commands and output: enter image description here

like image 135
Ricco D Avatar answered Oct 22 '25 06:10

Ricco D

If you're overwriting an object, regardless of whether or not its parent bucket has versioning enabled, you must have storage.objects.delete permission for that object.

Versioning works such that when you delete the "live" version of an object, that version is marked as a "noncurrent" version (and the timeDeleted field is populated). In order to create a new version of an object when a live version already exists (i.e. overwriting the object), the transaction that happens is:

  • Delete the current version
  • Create a new version that becomes the "live" or "current" version
like image 23
mhouglum Avatar answered Oct 22 '25 07:10

mhouglum
Sign in to Comment

Related questions

Is there a way to find all files/objects in a Google Cloud Storage Bucket larger than a certain size?
How to send/copy/upload file from AWS S3 to Google GCS using Python

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!