Reputation: 57
I have a bucket with multiple folders, and each folder contains multiple objects (PDFs). Is it possible to allow only some users to see only specific objects (it's OK if they can see other folders)?
I tried to apply the READER ACL permission only on some objects after I created them, like this:
```javascript
myFile.acl.add({ entity: 'group-' + email, role: 'READER' })
```
But the user doesn't see the bucket, so I gave him the "Storage Object Viewer" permission, but now he can see all the objects.
The group is correct (I hope); I created a group with the specific users.
Thanks for any help!
Upvotes: 0
Views: 439
Reputation: 1494
By adding the role of READER you're allowing the user to list the bucket's contents, as explained here:
"Allows a user to list a bucket's contents. Also allows a user to read bucket metadata, excluding ACLs."
In order to allow a specific user you can use the addUser function:
```javascript
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();

// Grant READER on a single object to one user.
async function addFileReader(bucketName, filename, userEmail) {
  await storage
    .bucket(bucketName)
    .file(filename)
    .acl.readers.addUser(userEmail);
}
```
Or if you want to add a group:
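```javascript
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();

// Grant READER on a single object to every member of a group.
async function addFileReader(bucketName, filename, groupEmail) {
  await storage
    .bucket(bucketName)
    .file(filename)
    .acl.readers.addGroup(groupEmail);
}
```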
Also you can do it from the UI: Storage section, EDIT PERMISSIONS, in the popup inside the Entity column select User or Group, in the Name column enter the email, and select Reader in the Access column.
Upvotes: 1
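An added example, not part of the answer above or of Google's samples: it grants the group READER on the listed objects only, and refuses when uniform bucket-level access or a bucket-wide role such as Storage Object Viewer would defeat the per-object restriction. The function names and the role list (predefined roles that include `storage.objects.get`) are assumptions of this example; `storage` is a client from `@google-cloud/storage`.

```javascript
// Added example. `storage` is a Storage client, e.g.
//   new (require('@google-cloud/storage').Storage)()

// Bucket-level IAM roles that include storage.objects.get on every object.
const BUCKET_WIDE_READ_ROLES = new Set([
  'roles/storage.objectViewer',
  'roles/storage.objectAdmin',
  'roles/storage.admin',
  'roles/storage.legacyObjectReader',
  'roles/storage.legacyObjectOwner',
]);

// Return the roles in an IAM policy that let `member` (or everyone) read all objects.
function bucketWideReadRoles(policy, member) {
  const principals = new Set([member, 'allUsers', 'allAuthenticatedUsers']);
  return (policy.bindings || [])
    .filter((b) => BUCKET_WIDE_READ_ROLES.has(b.role))
    .filter((b) => (b.members || []).some((m) => principals.has(m)))
    .map((b) => b.role);
}

// Grant a group READER on the listed objects only (hypothetical helper).
async function grantGroupReadOnObjects(storage, bucketName, filenames, groupEmail) {
  const bucket = storage.bucket(bucketName);

  // Object ACLs cannot be used when uniform bucket-level access is on.
  const [metadata] = await bucket.getMetadata();
  const ubla = metadata.iamConfiguration && metadata.iamConfiguration.uniformBucketLevelAccess;
  if (ubla && ubla.enabled) {
    throw new Error(`${bucketName}: uniform bucket-level access is enabled, object ACLs are unavailable`);
  }

  // IAM and ACLs are additive: a bucket-wide read role exposes every object.
  const [policy] = await bucket.iam.getPolicy();
  const roles = bucketWideReadRoles(policy, `group:${groupEmail}`);
  if (roles.length > 0) {
    throw new Error(`${groupEmail} can already read every object via ${roles.join(', ')}`);
  }

  for (const filename of filenames) {
    await bucket.file(filename).acl.readers.addGroup(groupEmail);
  }
  return filenames.length; // number of objects the ACL entry was added to
}
```

The policy check only matches the `group:` principal and the two public principals; a role bound directly to an individual member with `user:` is not detected.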