Google Cloud Storage confused about ACL/IAM and legacy permissions
I have a bucket whose contents I want to be publicly readable. However, I do not want the users to be able to list all of the contents by removing the keyname from the URL.
For the sake of simplicity, please assume that I am setting these permissions via the console.
- Setting Storage Object Viewer for allUsers allows me to access the objects as well as list the contents.
- Setting Storage Legacy Object Reader for allUsers allows me to access the objects but not list the contents.
This seems odd to me, why is the permission a "Legacy" permission? Does that mean it will be removed in future? This is a very important functionality for me.
Additionally, if it is not going to be removed, how can I ensure all future content published to this bucket inherits the bucket's permission?
Thank you in advance.
Solution 1:[1]
It is 'Legacy' because it exactly matches the pre-IAM permissions granted via the legacy READER role on an Object.
I can't say for certain what the plans are for those legacy roles (there are 5 of them), but if they are deprecated there would definitely need to be a deprecation period and an announcement.
If you are uncomfortable using a 'Legacy' role (or in any case where there is no curated role that exactly fits your use case) you can always create a custom role with exactly the set of permissions you need. https://cloud.google.com/iam/docs/creating-custom-roles
As for 'how can I ensure all future content published to this bucket inherits the bucket's permission': the bucket IAM policy is always inherited by all objects in the bucket. As you have a role granting 'storage.objects.get' to allUsers in the bucket policy, it will be applied to all objects in the bucket.
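As an added example (not code from the answer above or from Google), here is a small audit of a bucket IAM policy in the shape `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns: it reports which bindings to public principals allow listing (the Storage Object Viewer case) versus get-only access (the Storage Legacy Object Reader case). The role-to-permission mapping and the sample policy are constructed assumptions, not fetched from a live project.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Permissions of the predefined roles the thread discusses. This mapping is an
# assumption of the example: confirm it against the IAM roles reference.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
}

def public_bindings(policy, custom_roles=None):
    """Return (member, role, can_get, can_list) for each binding to a public principal.

    custom_roles maps 'projects/PROJECT/roles/NAME' -> set(permissions); a role with
    no known permissions gets None flags so it is looked up, not assumed harmless.
    """
    perms_by_role = {**ROLE_PERMISSIONS, **(custom_roles or {})}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member not in PUBLIC_MEMBERS:
                continue
            perms = perms_by_role.get(role)
            if perms is None:
                findings.append((member, role, None, None))
            else:
                findings.append((member, role, "storage.objects.get" in perms,
                                 "storage.objects.list" in perms))
    return findings

def listing_exposures(policy, custom_roles=None):
    """Public bindings that permit listing, the situation the question wants to avoid."""
    return [f for f in public_bindings(policy, custom_roles) if f[3]]

# Constructed sample policy: the "Storage Object Viewer for allUsers" setup from
# the question, plus a non-public admin binding that the audit must ignore.
# (Real policies also carry an "etag"; it is irrelevant to this check.)
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
    ],
}

if __name__ == "__main__":
    for member, role, _, _ in listing_exposures(SAMPLE_POLICY):
        print(f"{member} can list objects via {role}: rebind to "
              "roles/storage.legacyObjectReader or a get-only custom role")
```

A get-only custom role for the rebind can be created with `gcloud iam roles create ROLE_ID --project=PROJECT_ID --permissions=storage.objects.get` (placeholders in capitals) and passed to the audit via `custom_roles`.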
Solution 2:[2]
I also thought not just "Storage Legacy Object Reader" but also "Storage Legacy Bucket Owner", "Storage Legacy Bucket Reader", "Storage Legacy Bucket Writer" and "Storage Legacy Object Owner" were deprecated because they have the word "Legacy".
But as far as I have researched, they are not deprecated even now (Apr 2022), which is about 5 years after you asked this question. I think they are kind of stable roles which are not easily or immediately deprecated.
If you are worried that they will be deprecated sooner or later, you can create a custom role following this instruction: "Creating a custom role".
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Joshua Royalty |
| Solution 2 | Kai - Kazuya Ito |