According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources.
Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?
Browser (roles/browser): Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.
There are several kinds of roles in IAM: basic roles, predefined roles, and custom roles. Basic roles include three roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer.
For production environments: Basic roles, including Owner (roles/owner), Editor (roles/editor), and Viewer (roles/viewer). Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative.
Primitive roles, i.e. "Owner", "Editor" and "Viewer", are managed roles that existed prior to the introduction of Cloud IAM. Predefined roles are roles created and maintained by Google, that provide granular access to specific Google Cloud Platform (GCP) resources and deny unwanted access to other resources.
The browser role roles/browser does not have any permissions to access Google Cloud Storage. You cannot list the objects in the bucket. The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.
To better understand roles, you need to know what permissions a role contains. If you take the role roles/browser and view the permissions:
gcloud iam roles describe roles/browser
You will find that this role has the following six permissions:
description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser
Notice that this role has no permissions to Google Cloud Storage.
In comparison, if you review the permissions for roles/viewer you will find that this role has 721 permissions. I have limited this listing to just the storage permissions:
storage.buckets.list
You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.
In order to view (download) a Google Cloud Storage object, you need the storage.objects.get permission. This is contained in the roles roles/storage.objectViewer, roles/storage.objectAdmin, roles/storage.admin and roles/storage.legacyObjectReader.
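The check the answer walks through by hand (describe the role, read includedPermissions, look for the storage permission you need) can be scripted, so that a role is judged by the permissions it actually carries rather than by its title. The following is an added example, not code from the answer above: it assumes the YAML layout that `gcloud iam roles describe` prints, exactly as shown in the answer's roles/browser listing. The roles/browser sample is copied from that listing; the second sample is a constructed, partial listing for roles/storage.objectViewer (only the permissions needed for the demonstration, not the real full set).

```sh
#!/bin/sh
# Added example (not code from the original answer): given the YAML that
# `gcloud iam roles describe ROLE` prints, check which permissions a role
# actually contains instead of guessing from its title.

# Constructed sample, copied from the answer's listing for roles/browser.
BROWSER_ROLE_YAML='description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser'

# Constructed sample in the same format for a role that does carry
# storage.objects.get. The permission set here is a hypothetical subset,
# not the full listing gcloud would print for roles/storage.objectViewer.
OBJECT_VIEWER_ROLE_YAML='description: Read access to objects (hypothetical listing).
etag: AA==
includedPermissions:
- resourcemanager.projects.get
- storage.objects.get
- storage.objects.list
name: roles/storage.objectViewer
stage: GA
title: Storage Object Viewer'

# role_has_permission PERMISSION
# Reads a describe listing on stdin; exits 0 if PERMISSION is listed under
# includedPermissions, 1 otherwise. Only the "- name" lines between the
# includedPermissions: key and the next top-level key are considered, so a
# permission name mentioned in the description cannot cause a false match.
role_has_permission() {
  awk -v want="$1" '
    /^includedPermissions:/ { inlist = 1; next }
    inlist && /^[^ -]/       { inlist = 0 }
    inlist && $1 == "-" && $2 == want { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# role_permissions_with_prefix PREFIX
# Prints only the included permissions starting with PREFIX, which is how
# the answer narrows the 721-entry roles/viewer listing to storage.* ones.
role_permissions_with_prefix() {
  awk -v prefix="$1" '
    /^includedPermissions:/ { inlist = 1; next }
    inlist && /^[^ -]/       { inlist = 0 }
    inlist && $1 == "-" && index($2, prefix) == 1 { print $2 }
  '
}

# Usage against live data (requires gcloud and an authenticated session):
#   gcloud iam roles describe roles/viewer | role_permissions_with_prefix storage.
#   gcloud iam roles describe roles/viewer | role_has_permission storage.objects.get \
#     && echo "can download objects" || echo "cannot download objects"

# Offline demonstration with the constructed samples above.
for perm in storage.buckets.list storage.objects.get; do
  if printf '%s\n' "$BROWSER_ROLE_YAML" | role_has_permission "$perm"; then
    echo "roles/browser has $perm"
  else
    echo "roles/browser lacks $perm"
  fi
done
printf '%s\n' "$OBJECT_VIEWER_ROLE_YAML" | role_permissions_with_prefix storage.
```

The same two functions work for custom roles (`gcloud iam roles describe ROLE --project PROJECT`), which is where this kind of check matters most: a custom role's title says nothing about whether storage.objects.get slipped in.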
According to the docs, the Project Browser role has "Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project."