
Just to extend on this question: What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform

There is already a good answer from @John Hanley. But to clarify further: what's the meaning of a "list" permission? Does "list" mean that "you can list it/view it" but "you cannot access it"? If so, the IAM role:

roles/browser

which contains the permission (https://cloud.google.com/iam/docs/understanding-roles#project-roles):

resourcemanager.projects.list

should be able to see all of a project's resources, including Cloud Storage (as a child resource of a project)! Why then does that answer state that with this role "You cannot list the objects in the bucket"? I expect you could (just) see all nested resources instead!

thanks

toto'

4 Answers


According to the official documentation (link, link):

The resourcemanager.projects.list permission allows a user to list the projects they own.

For example, the storage.buckets.list permission allows a member to list the buckets in your project

To list the content of a bucket you need storage.objects.list

marian.vladoi
  • Thanks for the suggestion. But again, according to this logic, any "list" permission should behave accordingly. For example, "storage.buckets.list" should then only list the buckets; however, that permission literally means "list the *content* of a bucket" https://stackoverflow.com/questions/54778596/whats-the-difference-between-project-browser-role-and-project-viewer-role-in-go. So to me either there is a lack of consistency in the meaning of "list" or I am just missing something!? – toto' Dec 08 '19 at 19:18

So I have found out that the answer to this question What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform is misleading:

storage.buckets.list -> You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.

This is not true! That role gives you the permission to list the buckets only. In order to list the content of a bucket one needs the role:

roles/storage.objectViewer

Even worse, in the Google Console you see a message saying that to see the object one needs the "storage.buckets.list" permission. Isn't that a GCP bug?

toto'

The list privileges work at the top level, not at a hierarchy level; browse permits browsing the content but not reading it. They are different access levels.

List is not the same as browse: you can list buckets (for example, the list of buckets you have), but you will not necessarily be able to browse their content.

David C

resourcemanager.projects.list

allows you to list projects under a parent resource that contains projects, usually an organization or a folder. In other words, you can call this API for a given folder or organization: https://cloud.google.com/resource-manager/reference/rest/v1/projects/list

storage.buckets.list

allows you to list buckets under a parent resource that contains buckets, usually a project. In other words, you can call this API for a given project: https://cloud.google.com/storage/docs/json_api/v1/buckets/list

Circy
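To make the point of the last two answers concrete (a "list" permission is checked on the container that holds the listed resources, and `roles/browser` on a project says nothing about objects in a bucket), here is an added toy model of the check. It is example code written for this page, not Google's IAM engine and not code from any of the answers: the role contents are illustrative subsets of the documented predefined roles, the member names and resource ids are constructed, and the `can`/`access_matrix` helpers are hypothetical names.

```python
"""Toy model of IAM permission checks across the resource hierarchy
(organization > folder > project > bucket > object).

Added example for illustration only; not the real IAM implementation.
Role contents are illustrative subsets of Google's predefined roles.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Illustrative subsets of predefined roles (not the full permission lists).
ROLES: Dict[str, Set[str]] = {
    "roles/browser": {
        "resourcemanager.organizations.get",
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/storage.objectViewer": {
        "storage.objects.get",
        "storage.objects.list",
    },
    "roles/viewer": {
        "resourcemanager.projects.get",
        "storage.buckets.get",
        "storage.buckets.list",
        "storage.objects.get",
        "storage.objects.list",
    },
}

# Which single permission each API call needs; the caller names the resource
# the call is made against (the container for list calls, the object for get).
API_PERMISSION: Dict[str, str] = {
    "projects.get": "resourcemanager.projects.get",
    "buckets.list": "storage.buckets.list",   # checked on the project
    "objects.list": "storage.objects.list",   # checked on the bucket
    "objects.get": "storage.objects.get",     # checked on the object
}


@dataclass
class Resource:
    name: str
    kind: str                       # organization | folder | project | bucket | object
    parent: Optional["Resource"] = None
    # IAM policy attached directly to this resource: role -> set of members
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestors(self) -> List["Resource"]:
        """The resource itself followed by each parent up to the root."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def effective_permissions(member: str, resource: Resource) -> Set[str]:
    """Union of every role bound to the member on the resource or an ancestor:
    policies inherit downwards, never upwards or sideways."""
    perms: Set[str] = set()
    for node in resource.ancestors():
        for role, members in node.bindings.items():
            if member in members:
                perms |= ROLES.get(role, set())
    return perms


def can(member: str, call: str, resource: Resource) -> bool:
    """True if the member holds the permission the call needs on that resource."""
    return API_PERMISSION[call] in effective_permissions(member, resource)


def build_scenario():
    """Constructed hierarchy: one org, one project, one bucket, one object."""
    org = Resource("organizations/000000000000", "organization")   # constructed id
    project = Resource("projects/demo-project", "project", org)
    bucket = Resource("demo-bucket", "bucket", project)
    obj = Resource("demo-bucket/report.csv", "object", bucket)
    project.bindings["roles/browser"] = {"user:browser@example.com"}
    project.bindings["roles/viewer"] = {"user:viewer@example.com"}
    bucket.bindings["roles/storage.objectViewer"] = {"user:reader@example.com"}
    return project, bucket, obj


def access_matrix(member: str) -> Dict[str, bool]:
    """What a member can do in the scenario, keyed by API call."""
    project, bucket, obj = build_scenario()
    return {
        "projects.get": can(member, "projects.get", project),
        "buckets.list": can(member, "buckets.list", project),
        "objects.list": can(member, "objects.list", bucket),
        "objects.get": can(member, "objects.get", obj),
    }


if __name__ == "__main__":
    for m in ("user:browser@example.com", "user:reader@example.com", "user:viewer@example.com"):
        print(m, access_matrix(m))
```

Running it shows the three cases side by side: the browser can see the project exists but can neither enumerate its buckets nor list or read objects; the objectViewer bound on the bucket can list and read objects but cannot enumerate the project's buckets (that is a project-level `storage.buckets.list` check); only the project Viewer gets all four. Replace the constructed bindings with the output of `gcloud projects get-iam-policy` and `gsutil iam get` if you want to reason about a real project the same way.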