'Google Storage Bucket Permission to view object but not to list

I created a storage bucket with publicly accessible files. I want to ensure that viewers can view individual objects if they access them directly, but I do not want them to be able to list the contents of the bucket or individual folders.

I created a user called allUsers

I looked at the Storage Object Viewer role, which is defined as "Read access to GCS objects." After doing some more research, this role does allows listing of the objects in a bucket: "Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket." - https://cloud.google.com/iam/docs/understanding-roles#storage-roles

I see another role called Storage Legacy Object Reader which is described as "Read access to objects without listing." - exactly what I need. But it's legacy and given Google's record for surprise announcements I'm expecting this to be deprecated with very short notice.

How to achieve the same permission as Storage Legacy Object Reader but in a non-legacy way?

Thank you

google-cloud-platformpermissionsgoogle-cloud-storagerolesdeprecated


Solution 1:[1]

As official doc mentionned :

Note: roles/storage.objectViewer includes permission to list the objects in the bucket. If you don't want to grant listing publicly, use roles/storage.legacyObjectReader.

The role Storage Legacy Object Reader includes only the permission storage.objects.get, so you can consider at least 2 options :

  • Use this legacy role, which is not planned to be deprecated, and continues to be recommended by official docs especially to make a link with ACL.

  • Create a custom role with this unique permission.

Solution 2:[2]

I also thought not just "Storage Legacy Object Reader" but also other "Storage Legacy ..." roles as shown below were deprecated because they contain the word "Legacy":

enter image description here

But as long as I researched, they are not deprecated even now "Apr, 2022" which is about 2 and half years after you asked this question. I guess they are kind of stable roles which are not easily and immediately deprecated.

If you are worried that they are deprecated sooner or later, you can create a custom role following this instruction "Creating a custom role".

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Thierry Falvo
Solution 2 Kai - Kazuya Ito

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project