0
votes

I just created a new bucket under the default project "My First Project".

I accidentally deleted all permissions on the bucket. Is it possible for the default permissions to be restored?

I don't need the bucket so it can be deleted, but I don't have permission to do that either.

Update

To clarify, I own the project and bucket. No other user should have access. Following suggestions by @gso_gabriel, I have tried the following:

I can list objects in the bucket:

> gsutil ls -r gs://my-bucket-name/
gs://my-bucket-name/name-of-my-file

I cannot change the ACL:

> gsutil defacl set public-read gs://my-bucket-name/
Setting default object ACL on gs://my-bucket-name/...
AccessDeniedException: 403 my-email-address does not have storage.buckets.update access to the Google Cloud Storage bucket.

> gsutil acl set -R public-read gs://my-bucket-name/
Setting ACL on gs://my-bucket-name/name-of-my-file...
AccessDeniedException: 403 my-email-address does not have storage.objects.update access to the Google Cloud Storage object.

I think there is no ACL (see the last line):

> gsutil ls -L gs://my-bucket-name/
gs://my-bucket-name/name-of-my-file
    Creation time:          Wed, 10 Jun 2020 01:31:20 GMT
    Update time:            Wed, 10 Jun 2020 01:31:20 GMT
    Storage class:          STANDARD
    Content-Length:         514758
    Content-Type:           application/octet-stream
    Hash (crc32c):          AD4ziA==
    Hash (md5):             W3aLFrdB/eF85IZux9UVfQ==
    ETag:                   CIPc1uiM9ukCEAE=
    Generation:             1591752680386051
    Metageneration:         1
    ACL:                    []

Update 2

The output from the gcloud command suggested by @gso_gabriel is:

> gcloud projects get-iam-policy my_project_ID
bindings:
- members:
  - user:my-email-address
  role: roles/owner
etag: BwWnsC5jgkw=
version: 1

I also tried the "Policy Troubleshooter" in the IAM & Admin section of the GCP console. It showed the following:

  • I can create buckets and objects on the project e.g. storage.buckets.create is enabled
  • I cannot delete buckets and objects on the project e.g. storage.buckets.delete is disabled
  • I cannot get the IAM policy on buckets and objects on the project e.g. storage.buckets.getIamPolicy is disabled

The "Roles" associated with the project include permissions in the Storage Admin group (see the Roles subsection in the IAM & Admin section of the GCP console), i.e. permissions such as storage.objects.delete are supposedly enabled, but the Policy Troubleshooter shows that they are not being granted.

Comments

Hi @John, probably the ACL is just not showing for you, but it should exist; this happens if it's created with a private configuration. Could you please run the command gcloud projects get-iam-policy my_project and check the accounts and their roles? This way, you will be able to confirm the accounts that have access. Following this official documentation here should provide you more insight as well on how to check accounts. - gso_gabriel

Hi @gso_gabriel, the gcloud command shows I am the owner of the project. The console shows I have Storage Admin permissions, but it doesn't seem to be applied; see my update to the OP. - John

Hi @John, thanks for trying it out! Indeed, this is a very weird situation. I would recommend you reach out to Google's Support, so they can investigate deeper what might be affecting your instance and bucket. - gso_gabriel

Hey @John, I'm stuck in a similar situation. Were you able to resolve this? stackoverflow.com/questions/63911573/… - Kazuki

Hi @Kazuki, no, I couldn't resolve it. - John

1 Answer

1
votes

As well explained here, if you are the owner of the bucket, or at least have access to the account that owns it, you should be able to modify its ACL and add the permissions back as they were.

Once you are logged in as the owner, you just need to run the command gsutil acl set -R public-read gs://bucketName to grant public read access on the bucket to users. You can also check the exact default permissions here. In case you are not sure which account is the Owner, run the command below, as indicated here, which will return all accounts with permissions, including one that will mention Owner on it.

gsutil ls -L gs://your-bucket/your-object

The output should be something like this.

{
    "email": "[email protected]",
    "entity": "[email protected]",
    "role": "OWNER"
}

Let me know if the information helped you!
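As an added example (not part of the answer above or the asker's own commands), the script below audits the two documents this thread relies on, the project IAM policy and the bucket or object ACL, to report who holds project Owner and bucket OWNER, whether the ACL is empty, and whether it exposes data to allUsers. It assumes the JSON forms of those outputs (gcloud ... --format=json and gsutil acl get); the sample documents are constructed to mirror the thread and are not real policy output.

```python
"""Audit who can restore access to a Cloud Storage bucket (added example)."""
import json

# Constructed sample: project policy with a single owner, as in the question
# (`gcloud projects get-iam-policy PROJECT --format=json`).
PROJECT_POLICY_JSON = """
{"bindings": [{"members": ["user:my-email-address"], "role": "roles/owner"}],
 "etag": "BwWnsC5jgkw=", "version": 1}
"""

# Constructed sample: an ACL in the shape the answer shows (`gsutil acl get`).
BUCKET_ACL_JSON = """
[{"email": "owner@example.com", "entity": "user-owner@example.com", "role": "OWNER"},
 {"entity": "allUsers", "role": "READER"}]
"""


def members_with_role(policy: dict, role: str) -> list:
    """Return every member bound to `role` in an IAM policy document."""
    return sorted(
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    )


def acl_owners(acl: list) -> list:
    """Return the entities holding OWNER on a bucket or object ACL."""
    return sorted(entry["entity"] for entry in acl if entry.get("role") == "OWNER")


def acl_is_public(acl: list) -> bool:
    """True if allUsers or allAuthenticatedUsers appear anywhere in the ACL."""
    public = ("allUsers", "allAuthenticatedUsers")
    return any(entry.get("entity") in public for entry in acl)


def audit(policy_json: str, acl_json: str) -> dict:
    """Summarise which identities can repair the bucket and how exposed it is."""
    policy = json.loads(policy_json)
    acl = json.loads(acl_json)
    return {
        "project_owners": members_with_role(policy, "roles/owner"),
        "acl_owners": acl_owners(acl),
        "acl_empty": len(acl) == 0,  # no ACL owner left to fall back on
        "acl_public": acl_is_public(acl),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PROJECT_POLICY_JSON, BUCKET_ACL_JSON), indent=2))
```

An empty ACL together with a single project owner, the situation the question shows, means the fix has to come from the project-level identity rather than from any bucket-level entry.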