
According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources.

Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?

intotecho

2 Answers


Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?

The browser role roles/browser does not have any permissions to access Google Cloud Storage. You cannot list the objects in the bucket. The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.

To better understand roles, you need to know what permissions a role contains.

If you take the role roles/browser and view the permissions:

gcloud iam roles describe roles/browser

You will find that this role has the following six permissions:

description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser

Notice that this role has no permissions to Google Cloud Storage.

In comparison, if you review the permissions for roles/viewer you will find that this role has 721 permissions. I have limited this listing to just the storage permissions:

storage.buckets.list

You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.

In order to view (download) a Google Cloud Storage object, you need the storage.objects.get permission. This is contained in the roles roles/storage.objectViewer, roles/storage.objectAdmin, roles/storage.admin and roles/storage.legacyObjectReader.

John Hanley
  • While it's technically true that "The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.", this can be misleading since Google will automatically grant Project Viewers the `roles/storage.legacyBucketReader` and `roles/storage.legacyObjectReader` roles on newly created buckets, which gives Project Viewers the `storage.buckets.get`, `storage.objects.list`, and `storage.objects.get` permissions. So while they aren't granted permissions to view GCS objects at the project level, they are at the bucket level. – hulin003 Nov 10 '19 at 19:29
  • @hulin003 - Your comment is not related to the question asked. Feel free to create a question and then self answer. Assuming that permissions are granted is fine, but it is better to understand how to figure out what permissions you have or a role has. Roles such as `Project Viewer` are legacy and the first action should be to remove that role and assign roles that provide the least privilege. These legacy roles existed before IAM. Their usage is to solve technical support problems for those who do not know how to implement IAM. – John Hanley Nov 10 '19 at 20:02
  • How is my comment not related? The user asked "but I need viewer role to download those files?", your answer stated "No permissions are granted to view the contents of an object in a bucket." This *implies* that users cannot view the contents of an object in a bucket if they only have the `roles/viewer` role, but this is not true in practice with how GCP creates buckets, since it by default grants the `storage.legacyObjectReader` role on buckets to `Project Viewers`. Ultimately there is more to this than just the permissions in the role. – hulin003 Nov 11 '19 at 21:17
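The answer recommends checking what permissions a role actually contains rather than assuming, and the comments point out that bucket-level legacy bindings add to project-level ones. The following added example (not code from the original post) parses the `gcloud iam roles describe` output shown above and computes a principal's effective permissions on a bucket from both binding levels; the roles/viewer, legacyBucketReader and legacyObjectReader entries are trimmed to the storage permissions named on this page and are assumptions, not the full role definitions.

```python
# Constructed sample: the roles/browser output shown in the answer above.
BROWSER_YAML = """\
description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser
"""

def parse_role_permissions(describe_output):
    """Extract the includedPermissions list from `gcloud iam roles describe`
    output without a YAML library: the list is flat and starts with '- '."""
    perms, in_list = set(), False
    for line in describe_output.splitlines():
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.startswith("- "):
            perms.add(line[2:].strip())
        elif in_list:
            in_list = False  # the next top-level key ends the list
    return perms

# Role -> permissions relevant to this question. Only roles/browser is parsed
# from real output; the other three are ASSUMED subsets limited to the storage
# permissions named in the answer and comments, not the complete roles.
ROLE_PERMISSIONS = {
    "roles/browser": parse_role_permissions(BROWSER_YAML),
    "roles/viewer": {"storage.buckets.list"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get"},
    "roles/storage.legacyObjectReader": {"storage.objects.list", "storage.objects.get"},
}

def effective_permissions(project_roles, bucket_roles=()):
    """Union of permissions from roles bound at the project level and roles
    bound on the bucket itself; bucket bindings add to, never remove."""
    perms = set()
    for role in list(project_roles) + list(bucket_roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def can_download(project_roles, bucket_roles=()):
    """True if the principal holds storage.objects.get on the bucket."""
    return "storage.objects.get" in effective_permissions(project_roles, bucket_roles)
```

Running `can_download(["roles/viewer"])` and `can_download(["roles/viewer"], ["roles/storage.legacyObjectReader"])` side by side shows why auditing bucket-level bindings matters when reviewing least privilege.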

According to the docs

The Project Browser role has "Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project."

intotecho