1

I'm the owner of the GCP project and I can manage the objects in the storage. However there is no “Edit metadata” item in the storage console, only “View metadata”.

http://prntscr.com/ps54zo

Why is that?

In the other bucket of the same project I have this option: http://prntscr.com/ps574t.

UPDATE

Doing `gsutil ls -L` gives me the following output:

    Creation time:          Tue, 29 Oct 2019 10:29:50 GMT
    Update time:            Tue, 29 Oct 2019 10:29:50 GMT
    Storage class:          MULTI_REGIONAL
    Content-Length:         22536821
    Content-Type:           audio/mp3
    Hash (crc32c):          Gn3MXQ==
    Hash (md5):             VnUZeK6CjUZ8uqN9dIlGew==
    ETag:                   CJbNjcWhweUCEAE=
    Generation:             1572344990754454
    Metageneration:         1
    ACL:                    ACCESS DENIED
        Note:               You need OWNER permission on the object to read its ACL
    TOTAL: 1 objects, 22536821 bytes (21.49 MiB)

It's strange that it says I'm not the owner of the object. http://prntscr.com/ps7o5m - Bucket permissions. http://prntscr.com/ps7pdy - Project IAM

AKd
  • If you move the bucket to a different location, can you see the metadata of the blob? – marian.vladoi Nov 04 '19 at 09:09
  • can you perform a `gsutil ls -L gs://path/to/file` and paste the result in your question? – guillaume blaquiere Nov 04 '19 at 10:27
  • @guillaumeblaquiere thanks, I've updated the question. It seems I don't have the OWNER permission on the object, but how is that possible if I'm the owner of the project? – AKd Nov 04 '19 at 11:31
  • Seems related to https://stackoverflow.com/questions/27174239/cant-access-resource-as-owner-despite-the-fact-im-the-owner, but I can't figure out a way to resolve the issue. – AKd Nov 04 '19 at 11:47

2 Answers

2

The permission required to view an object's ACL is storage.objects.getIamPolicy. This is, maybe surprisingly, not one of the permissions granted by the role roles/storage.legacyBucketOwner. Similarly, that role also does not grant permission to read the objects.

If you want to be able to download all of the objects in a bucket and see all of the ACLs, you'll need to grant yourself roles/storage.legacyObjectOwner for that bucket as well.

Brandon Yarbrough
  • Thanks, helpful. I'm wondering why the default bucket permissions are like that https://prnt.sc/ps7o5m. However, it's another question :) – AKd Nov 06 '19 at 23:09
  • > _for that bucket_
    Thanks! I had to update the permissions above for each bucket in my project, of which I am an owner. Granting those permissions generally, or `storage admin`, didn't solve the issue for me. – Jason R Stevens CFA Feb 04 '20 at 20:04
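As an added example (not code from either answer), the script below audits a bucket IAM policy, in the JSON shape `gsutil iam get` prints, against the two permissions the question actually needs: reading an object's ACL and downloading it. The role-to-permission table is an assumed, illustrative subset (confirm the real lists with `gcloud iam roles describe`), and the policy, project and member names are constructed.

```python
from fnmatch import fnmatchcase
import json

# Permissions per role. Assumed, illustrative subset: confirm the real lists with
#   gcloud iam roles describe roles/storage.legacyBucketOwner
ROLE_PERMISSIONS = {
    "roles/storage.legacyBucketOwner": {
        "storage.buckets.get", "storage.buckets.getIamPolicy",
        "storage.buckets.setIamPolicy", "storage.buckets.update",
        "storage.objects.create", "storage.objects.delete", "storage.objects.list",
    },
    "roles/storage.legacyObjectOwner": {
        "storage.objects.get", "storage.objects.getIamPolicy", "storage.objects.setIamPolicy",
    },
    "roles/storage.admin": {"storage.*"},  # wildcard: every storage.* permission
}

# What the asker needs: view the object's ACL and download the object.
REQUIRED = ("storage.objects.getIamPolicy", "storage.objects.get")

def has_permission(perms, wanted):
    """True if any granted permission (possibly a wildcard) covers `wanted`."""
    return any(fnmatchcase(wanted, granted) for granted in perms)

def effective_permissions(policy, member):
    """Union of permissions from every binding in the policy that names `member`."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms

def missing_permissions(policy, member, required=REQUIRED):
    """Required permissions the member does NOT get from this bucket policy."""
    perms = effective_permissions(policy, member)
    return [p for p in required if not has_permission(perms, p)]

# Constructed bucket policy resembling the asker's default bindings.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project", "user:owner@example.com"]}
  ]
}""")

def fix_policy(policy, member):
    """Return a copy of the policy with roles/storage.legacyObjectOwner added for `member`."""
    fixed = json.loads(json.dumps(policy))
    fixed["bindings"].append({"role": "roles/storage.legacyObjectOwner", "members": [member]})
    return fixed

if __name__ == "__main__":
    who = "user:owner@example.com"
    print("missing before:", missing_permissions(SAMPLE_POLICY, who))
    print("missing after: ", missing_permissions(fix_policy(SAMPLE_POLICY, who), who))
```

The same check applied to a policy with roles/storage.admin reports nothing missing, which is why the second answer's suggestion also works.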
0

I reproduced your issue. For this, I granted a user the Storage Legacy Bucket Owner role, and I can only view the metadata.

To solve this, I granted the Storage Admin role to the user. Try granting this role to your user.

Another thing: you can be Owner of a project, but if the bucket was not created in this project, your owner role isn't inherited by the bucket.

guillaume blaquiere
  • Can't test right now, but will do later. Do you know why this role is not granted to the owners of the project by default? The bucket belongs to the same GCP project, so your second supposition is not the case. – AKd Nov 04 '19 at 13:25