I have a bucket whose contents I want to be publicly readable. However, I do not want the users to be able to list all of the contents by removing the keyname from the URL.
For the sake of simplicity, please assume that I am setting these permissions via the console.
Storage Object Viewer for allUsers allows me to access the objects as well as list the contents.Storage Legacy Object Reader for allusers allows me to access the objects but not list the contents.This seems odd to me, why is the permission a "Legacy" permission? Does that mean it will be removed in future? This is a very important functionality for me.
Additionally, if it is not going to be removed, how can I ensure all future content published to this bucket inherits the bucket's permission?
Thank you in advance.
It is 'Legacy' because it exactly matches the pre-IAM permissions granted via the legacy READER role on an Object.
I can't say for certain what the plans are for those legacy roles (there are 5 of them), but if they are deprecated there would definitely need to be a deprecation period and an announcement.
If you are uncomfortable using a 'Legacy' role (or in any case where there is no curated role that exactly fits your use case) you can always create a custom role with exactly the set of permissions you need. https://cloud.google.com/iam/docs/creating-custom-roles
As for 'how can I ensure all future content published to this bucket inherits the bucket's permission'. The bucket IAM policy is always inherited by all objects in the bucket. As you have a role granting the 'storage.objects.get' to allUsers on the bucket policy it will be applied to all objects in the bucket.