'Google Cloud Storage confused about ACL/IAM and legacy permissions

I have a bucket whose contents I want to be publicly readable. However, I do not want the users to be able to list all of the contents by removing the keyname from the URL.

For the sake of simplicity, please assume that I am setting these permissions via the console.

  1. Setting Storage Object Viewer for allUsers allows me to access the objects as well as list the contents.
  2. Setttings Storage Legacy Object Reader for allusers allows me to access the objects but not list the contents.

This seems odd to me, why is the permission a "Legacy" permission? Does that mean it will be removed in future? This is a very important functionality for me.

Additionally, if it is not going to be removed, how can I ensure all future content published to this bucket inherits the bucket's permission?

Thank you in advance.

google-cloud-platformpermissionsgoogle-cloud-storagerolesdeprecated


Solution 1:[1]

It is 'Legacy' because it exactly matches the pre-IAM permissions granted via the legacy READER role on an Object.

I can't say for certain what the plans are for those legacy roles (there are 5 of them), but if they are deprecated there would definitely need to be a deprecation period and an announcement.

If you are uncomfortable using a 'Legacy' role (or in any case where there is no curated role that exactly fits your use case) you can always create a custom role with exactly the set of permissions you need. https://cloud.google.com/iam/docs/creating-custom-roles

As for 'how can I ensure all future content published to this bucket inherits the bucket's permission'. The bucket IAM policy is always inherited by all objects in the bucket. As you have a role granting the 'storage.objects.get' to allUsers on the bucket policy it will be applied to all objects in the bucket.

Solution 2:[2]

I also thought not just "Storage Legacy Object Reader" but also "Storage Legacy Bucket Owner", "Storage Legacy Bucket Reader", "Storage Legacy Bucket Writer" and "Storage Legacy Object Owner" were deprecated because they have the word "Legacy".

enter image description here

But as long as I researched, they are not deprecated even now "Apr, 2022" which is about 5 years after you asked this question. I think they are kind of stable roles which are not easily and immediately deprecated.

If you are worried that they are deprecated sooner or later, you can create a custom role following this instruction "Creating a custom role".

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Joshua Royalty
Solution 2 Kai - Kazuya Ito

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project