This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Give permission to list the files in folder of bucket

Posted on 04-17-2022 10:15 PM
peterbekti
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

So, I want to grant a user to access a folder in a bucket.

So a user with user-id `A` can access <bucket>/<folder for storing>/<user-id>/

So, the requirement

  1. upload files to the folder in bucket.
  2. Reupload the file to the folder in bucket.
  3. view files in the bucket.
  4. (Added in edit) user must not see files in other folder.

 

Through this IAM condition documentation, I can achieve requirements 1 and 2.

  • Role: Storage Object Admin (predefined role)
  • Condition:  resource.name.startsWith('projects/_/buckets/<bucket-name>/objects/<folder for storing>/<user-id>/')
The problem is the user cannot list the files. Please check image below.
peterbekti_0-1650258394683.png

 

 

 

 

 

 Additional permissions required to list objects in this bucket. Ask a bucket owner to grant you 'storage.objects.list' permission.

 

 

 

 

 

But, user can upload the files, and reupload the file if user knows the exact name.

peterbekti_1-1650258671918.png

 

Point to note

  1. I am sure that the role that is given above already has permission to list object, because when I remove the condition, files can be viewed.

I have tried to look on the documentation, but I haven't get the answer.  

Solved Solved
1 4 6,971
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
djacalesg
Staff
Reply posted on --/--/---- --:-- AM

As mentioned at documentation:

"

  • Since the storage.objects.list permission is granted at the bucket level, you cannot use the resource.name condition attribute to restrict object listing access to a subset of objects in the bucket. Users without storage.objects.list permission at the bucket level can experience degraded functionality for the Console and gsutil.

"

Following least privilege principle I'd recommend to assign storage/objectViewer  at bucket level for your users accounts.

For testing the results I'd recommend to run gsutil ls gs://<bucket_name>/<folder for storing>/<user-id>/ as the user you want to have access to the bucket [1].  Then you should be able to list the folder's content.

 

As well you should be able to list the folder content within Cloud Console UI.

1- https://stackoverflow.com/questions/56658640/is-there-a-way-to-use-gsutil-while-impersonating-a-serv...

View solution in original post

Jump to Solution
4 REPLIES 4
Top Labels in this Space
Top Solution Authors
View all