6

I'm trying to do gsutil ls however that results in:

ubuntu@ip:~$ gsutil ls
AccessDeniedException: 403 xxxxxxxxxxxx@xxxxxxxxxx.iam.gserviceaccount.com does not have storage.buckets.list access to project xxxxxxxxxxxxxxx.

Can I give this permission with only read / viewer access IAM roles?

robsiemb
Chris Stryczynski

2 Answers

4

You certainly can. At a minimum, you can always create a custom role with exactly the permissions you want. You do this by clicking the Create Role button at the top of the roles tab. Then, once it is created, apply that role to your service account on the IAM page, like any other role.

Alternatively, you can use the same roles tab in the cloud console to search for that permission explicitly to see which roles contain it and see if any would work for you.

In this case, I don't see an obvious default one that is limited, however. That said, you could look at Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) as a starting point for a custom role in this case -- if you select this role on the roles tab, you can 'Create Role from Selection' to use it as a starting point.

robsiemb
3

The command gsutil ls lists the buckets in your project.

To list buckets you need the permission storage.buckets.list.

To list the objects in a bucket you need the permission storage.objects.list.

Neither of those permissions allows you to read an object. To read an object you need the permission storage.objects.get.

To only read an object, you do not need the list permissions. However, since you are using the gsutil command, you do.

There are several predefined roles that you can attach to your service account to grant the necessary permissions for gsutil.

Recommended:

roles/storage.objectViewer

Or the following two roles:

roles/storage.legacyObjectReader
roles/storage.legacyBucketReader

If you ONLY want to assign a role to read an object but not list them:

roles/storage.legacyObjectReader
John Hanley
  • -1 after I tested `roles/storage.objectViewer` predictably results in `does not have storage.buckets.list access to the Google Cloud project` – kubanczyk Nov 06 '20 at 08:29
  • @kubanczyk - Thank you, you are correct. In the first part of my answer I provided the role to access objects. In the second part I answered to list buckets. I oversimplified the problem to the point that part of my answer is wrong. – John Hanley Nov 06 '20 at 09:34
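Both answers come down to the same question: which storage.* permissions does a given command need, and which roles actually carry them. The script below is an added example (not code from the question or either answer) that models that check offline, so the 403 in the question can be predicted before touching IAM, and it prints the minimal custom role the first answer recommends in the YAML format `gcloud iam roles create --file` accepts. The per-command permissions follow the second answer; the table of predefined role contents is a snapshot the author assumes and should be confirmed with `gcloud iam roles describe` before use; the service account and project names are placeholders.

```python
"""Least-privilege check for gsutil on Google Cloud Storage.

Added example, not code from the question or either answer. It models the
permissions the second answer says each gsutil operation needs, checks a set
of role bindings against them, and renders a minimal custom role in the YAML
format accepted by `gcloud iam roles create --file`.
"""
from typing import Dict, FrozenSet, Iterable, List

# Permissions per gsutil operation, as stated in the second answer.
GSUTIL_OPS: Dict[str, FrozenSet[str]] = {
    "gsutil ls": frozenset({"storage.buckets.list"}),
    "gsutil ls gs://BUCKET": frozenset({"storage.objects.list"}),
    "gsutil cat gs://BUCKET/OBJ": frozenset({"storage.objects.get"}),
}

# ASSUMPTION: snapshot of the storage.* permissions in a few predefined roles.
# Role contents change over time; confirm with
#   gcloud iam roles describe roles/storage.objectViewer
# before relying on this table.
PREDEFINED_ROLES: Dict[str, FrozenSet[str]] = {
    "roles/storage.objectViewer": frozenset(
        {"storage.objects.get", "storage.objects.list"}),
    "roles/storage.legacyObjectReader": frozenset({"storage.objects.get"}),
    "roles/storage.legacyBucketReader": frozenset(
        {"storage.buckets.get", "storage.objects.list"}),
    "roles/viewer": frozenset(
        {"storage.buckets.get", "storage.buckets.list",
         "storage.objects.get", "storage.objects.list"}),
}


def effective_permissions(roles: Iterable[str],
                          catalog: Dict[str, FrozenSet[str]] = PREDEFINED_ROLES
                          ) -> FrozenSet[str]:
    """Union of the permissions granted by every role in `roles`."""
    perms: set = set()
    for role in roles:
        if role not in catalog:
            raise KeyError(f"unknown role: {role}")
        perms |= catalog[role]
    return frozenset(perms)


def missing_for(op: str, granted: FrozenSet[str]) -> FrozenSet[str]:
    """Permissions `op` needs that `granted` does not contain."""
    return GSUTIL_OPS[op] - granted


def report(member: str, project: str, roles: Iterable[str],
           catalog: Dict[str, FrozenSet[str]] = PREDEFINED_ROLES) -> List[str]:
    """One line per operation, phrased like the 403 gsutil printed in the question."""
    granted = effective_permissions(roles, catalog)
    lines = []
    for op in GSUTIL_OPS:
        missing = sorted(missing_for(op, granted))
        if missing:
            lines.append(f"{op}: AccessDeniedException: 403 {member} does not have "
                         f"{missing[0]} access to project {project}.")
        else:
            lines.append(f"{op}: OK")
    return lines


def custom_role_permissions(ops: Iterable[str]) -> FrozenSet[str]:
    """Smallest permission set that covers every operation in `ops`."""
    return frozenset().union(*(GSUTIL_OPS[op] for op in ops))


def custom_role_yaml(ops: Iterable[str], title: str = "gsutil read-only") -> str:
    """Role file for: gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml"""
    body = [f"title: {title}",
            "description: Minimal permissions for read-only gsutil use",
            "stage: GA",
            "includedPermissions:"]
    body += [f"- {p}" for p in sorted(custom_role_permissions(ops))]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    sa, project = "sa@example-project.iam.gserviceaccount.com", "example-project"
    # objectViewer alone reproduces the 403 from the question on `gsutil ls`.
    print("\n".join(report(sa, project, ["roles/storage.objectViewer"])))
    all_ops = list(GSUTIL_OPS)
    print(custom_role_yaml(all_ops))
    # Bind the custom role instead and every operation passes.
    catalog = dict(PREDEFINED_ROLES)
    catalog[f"projects/{project}/roles/gsutilReadOnly"] = custom_role_permissions(all_ops)
    print("\n".join(report(sa, project,
                           [f"projects/{project}/roles/gsutilReadOnly"], catalog)))
```

The point of the custom role is that it carries exactly three permissions, where the basic Viewer role that also happens to include storage.buckets.list grants far more than the service account needs. After creating the role, bind it with `gcloud projects add-iam-policy-binding PROJECT --member serviceAccount:SA --role projects/PROJECT/roles/ROLE_ID` and re-run `gsutil ls`; if it still fails, run `gcloud iam roles describe` on each bound role and compare its `includedPermissions` against the table in the script rather than trusting the snapshot.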