how to grant read permission on google cloud storage to another service account

Question

our team create some data on google cloud storage so other team can copy/download/read it from there, but when they tried, they always got 403 forbidden message. I tried to edit the permission on that bucket and added new permission as 'Project', 'viewers-(other team's project id)', and 'Reader', but still they got the same error when they ran this command:

gsutil cp -R gs://our-bucket gs://their-bucket

i also tried with their client id and email account, still the same.

Answer 1

try:

gsutil acl ch -u serviceaccount@google.com:R gs://your-bucket

This ch:changes the permission on 'your-bucket' for u:user serviceaccount@google.com to R:Reader.

Answer 2

I'm not sure one can define another group's collection of users with a give access right (readers, in this case), and apply it to an object in a different project.

An alternative to this would be to control bucket access via Google Groups: simply set up a group for readers, adding the users you wish to grant this right to. Then you can use said Group to control access to the bucket and/or contents. Further information, and use case scenario, here https://cloud.google.com/storage/docs/collaboration#group