I have created a service account and given it only the Storage Object Viewer
role. I would like to use this service account to download objects from a bucket using the python API.
I have set the GOOGLE_APPLICATION_CREDENTIALS
environment variable accordingly and can see the relevant service account showing up on the bucket's permissions page.
I use the following code to try and download an object
from google.cloud import storage
storage_client = storage.Client()
bucket = storage_client.get_bucket(BUCKET_NAME)
But I get the following error when calling get_bucket
google.api_core.exceptions.Forbidden:
403 GET https://storage.googleapis.com/storage/v1/b/samplereadbucket?projection=noAcl:
[email protected] does not have storage.buckets.get
access to samplereadbucket.
What is the minimum set of roles I need to set so that the service account has storage.buckets.get
access if not Storage Object Viewer
?
Storage Object Viewer (roles/storage.objectViewer
) only includes these permissions:
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
For buckets, you will need a role like Storage Legacy Bucket Reader (roles/storage.legacyBucketReader
) (or create a custom role). This gives you:
storage.buckets.get
storage.objects.list
You can always use the IAM & Admin > Roles tab in the cloud console to search for the specific permissions to see what roles currently grant those permissions.