Why can't I access a cloud storage object despite being a project owner?
I'm a project owner for a particular project, which has a bucket with a few hundred gigs of objects. I have recently discovered by a failed gcloud rsync that there are some objects in my bucket that I can list
but not cp
or acl get
etc., neither from the commandline nor from the cloud console.
For example:
gsutil acl get gs://$MYBUCKET/$SOMEOBJECT
AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://$MYBUCKET/$SOMEOBJECT
I have
- verified I'm authenticated as the right user (
gcloud auth list
) - verified that I'm in the roles/owners member section of the project (
gcloud projects get-iam-policy $PROJECT_ID
) - verified that the bucket belongs to the project (the entity "project-owners-$PROJECT_ID" has the projectNumber $PROJECT_ID and role OWNER).
- The same problem occurs in the google cloud console, despite the fact that I'm the creator of the project
What on earth is going on?
Access to GCS resources is not recursive. Owning a project or a bucket within that project does not necessarily imply that you also have read access to some specific object. Owning the bucket does imply that you can list or delete the object, but that's it.
The owner of an object is always the user that uploaded it. By default, the ACLs on the object will align with the bucket's "default object ACL" setting, but the uploader can choose any other ACL during the upload.
You can set Cloud IAM policy to project or bucket.
For example, if you are a project owner and you want to full access of all buckets in the project, follow the steps below.
- Open IAM management
- Click
Edit permissions
icon associated with the user which you want to add Cloud IAM policy - Add
[Storage]
-[Storage Admin]
role. not[Storage Legacy]
. - Click
Save
button
Then you are granted full access to the object even if you are not the owner of the object.