6
votes

OK, this is making me pull my hair out; I can't believe it's so complex...

So, to achieve what the subject says, without giving the user read access to all files in all buckets (other buckets in the project have sensitive data):

I navigated to the bucket -> Permissions and added the user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link, or probably also the API), but the user trying to navigate the console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (the bucket browser page). The message is: "You don't have permission to view the Storage Browser or Storage Settings pages in this project"

How can I give the user access to list buckets (and therefore go through the UI path in the console) without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role, but what permissions would it need? Apparently storage.objects.list is not it.


2 Answers

9
votes

Quick answer:

You need a custom role with:

storage.buckets.list

Rant answer: Finally found the complete permissions reference. https://cloud.google.com/storage/docs/access-control/iam-permissions

Looked easy enough knowing there are storage.bucket... permissions. With the UI it was still a nightmare to create the role, though. The "add permissions" modal is tiny, and only filterable by role ^^. I don't know a role with these permissions, but I know the exact permission. It shows 10 per page out of 18xx permissions. Luckily storage permissions are very close to the end, so adding the service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.

2
votes

As of January 2021, to give a user access to the cloud storage console and access to a particular bucket, let's say to view or upload files:

  1. Create a custom role in Cloud IAM
  • This custom role needs the resourcemanager.projects.get and storage.buckets.list permissions.
  • The first permission allows the user to actually select the relevant project.
  • The second permission allows the user to list all the buckets in your account. Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure.
  2. Create an IAM user
  • Go into Cloud IAM.
  • Add an IAM user and assign them the new role you created in Step 1.
  3. Assign permissions on the bucket resource.
  • Go into the bucket you want to provide access to.
  • Go into the permissions pane.
  • Assign permission(s) to the IAM user you created in Step 2. Assign a Storage role that makes sense for your situation (e.g. Storage Admin if they need to read objects/write objects/update permissions/fully configure the bucket, or Storage Viewer for read-only access).

You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.

My use case: I needed to give a third party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer Storage Object Admin role.
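The two answers above rest on one property of GCP IAM: a binding on the project is inherited by every bucket in it, while a binding on a single bucket stays on that bucket. The script below is an added illustration of that model (it is not code from either answer, nor from Google); it models a project-level custom role holding only resourcemanager.projects.get and storage.buckets.list next to a bucket-level Storage Object Admin binding, and shows why the project-wide "give them Storage Object Viewer on the project" shortcut is the data-exposure the question wants to avoid. The permission sets for the predefined roles are a reduced, assumed subset of the real ones, and the project, bucket and member names are constructed.

```python
"""Toy model of GCP IAM inheritance for the 'browse buckets, read one' setup.

Added example, not the answers' own code or Google's. Role contents are a
simplified subset of the real predefined roles (assumption, not a reference).
"""

# Predefined roles, trimmed to the permissions that matter here (assumed subset).
PREDEFINED_ROLES = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
}

# The custom role from the answers: only what the console needs to show the
# project picker and the bucket browser. Role id is a constructed placeholder.
CUSTOM_BROWSER_ROLE = "projects/example-project/roles/storageBrowser"
ROLES = {
    **PREDEFINED_ROLES,
    CUSTOM_BROWSER_ROLE: {"resourcemanager.projects.get", "storage.buckets.list"},
}


def effective_roles(member, resource, project_policy, bucket_policies):
    """Roles a member holds on a resource ('project' or 'bucket:<name>').

    Project bindings are inherited by every bucket; bucket bindings apply
    only to that bucket. That asymmetry is the whole point of the setup.
    """
    roles = {role for role, members in project_policy.items() if member in members}
    if resource.startswith("bucket:"):
        bucket = resource[len("bucket:"):]
        for role, members in bucket_policies.get(bucket, {}).items():
            if member in members:
                roles.add(role)
    return roles


def has_permission(member, permission, resource, project_policy, bucket_policies):
    """True if any effective role on the resource grants the permission."""
    return any(
        permission in ROLES[role]
        for role in effective_roles(member, resource, project_policy, bucket_policies)
    )


def readable_buckets(member, buckets, project_policy, bucket_policies):
    """Which buckets the member could read objects from: the exposure check."""
    return sorted(
        b for b in buckets
        if has_permission(member, "storage.objects.get", f"bucket:{b}",
                          project_policy, bucket_policies)
    )


# Constructed sample environment: one marketing bucket, one sensitive bucket.
DEV = "user:third-party-dev@example.com"
BUCKETS = ["marketing-assets", "customer-pii"]

# Recommended setup: custom role at project level, object admin on one bucket.
LEAST_PRIVILEGE_PROJECT = {CUSTOM_BROWSER_ROLE: {DEV}}
LEAST_PRIVILEGE_BUCKETS = {"marketing-assets": {"roles/storage.objectAdmin": {DEV}}}

# The shortcut to avoid: Storage Object Viewer bound on the whole project.
OVERBROAD_PROJECT = {"roles/storage.objectViewer": {DEV}}
OVERBROAD_BUCKETS = {}


def evaluate(project_policy, bucket_policies):
    """Summarise what the developer can do under a given policy pair."""
    return {
        "can_open_bucket_browser": has_permission(
            DEV, "storage.buckets.list", "project", project_policy, bucket_policies),
        "can_select_project": has_permission(
            DEV, "resourcemanager.projects.get", "project", project_policy, bucket_policies),
        "can_write_marketing": has_permission(
            DEV, "storage.objects.create", "bucket:marketing-assets",
            project_policy, bucket_policies),
        "readable_buckets": readable_buckets(DEV, BUCKETS, project_policy, bucket_policies),
    }


if __name__ == "__main__":
    print("least privilege:", evaluate(LEAST_PRIVILEGE_PROJECT, LEAST_PRIVILEGE_BUCKETS))
    print("overbroad:      ", evaluate(OVERBROAD_PROJECT, OVERBROAD_BUCKETS))
```

Running it shows the least-privilege pair opening the bucket browser and writing to marketing-assets while customer-pii stays unreadable, whereas the project-wide Object Viewer binding makes every bucket readable and still does not unlock the bucket browser, which is exactly the symptom in the question (storage.objects.list is an object permission, not storage.buckets.list). After applying the real roles, the same check can be run against a live project with `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` output, or by signing in with a throwaway account as the second answer suggests.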