AWS Learning

Reputation: 67

GCP - Not able to list objects inside Bucket even having devstorage.read_only permission?

I have created an EC2 instance, which by default creates a service account with default permissions. So when I checked the default permissions I found that the service account has all these permissions below.

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append

Now I tried to list all the objects inside the bucket by using the command:

gsutil ls gs://mybucketname

Found an error

AccessDeniedException: 403 [email protected] does not have storage.objects.list access to the Google Cloud Storage bucket.

Why am I getting this error even though my service account has devstorage.read_only?

And I am very new to GCP here, so let me know.

Upvotes: 1

Views: 765

Answers (1)

marian.vladoi

Reputation: 8074

Please read the official documentation regarding the difference between setting the service account level of access with IAM roles and setting the GCE instance's access scopes:

Service account permissions

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. However, they do not extend to other authentication protocols like gRPC.

Essentially:

IAM restricts access to APIs based on the IAM roles that are granted to the service account.

Access scopes potentially further limit access to API methods when authenticating through OAuth.

Therefore I would recommend adding an IAM role with the storage.objects.list permission to your instance service account (maybe roles/storage.legacyBucketReader).

Upvotes: 1
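The two-gate model the answer describes (access scope first, then IAM role), as an added example that is not part of the question or the answer. The scope-to-permission and role-to-permission tables inside it are assumptions trimmed to the permissions relevant here, and PROJECT_ID, SA_EMAIL and BUCKET are placeholders; the gcloud and gsutil commands only run when all three are set.

```shell
#!/bin/sh
# Added example (not part of the question or answer): a small model of the two
# gates a request from a GCE instance passes through, plus the commands that
# inspect each gate on a real instance. The scope-to-permission and
# role-to-permission tables are assumptions trimmed to the permissions in play.
set -eu

# Gate 1: the instance access scope. devstorage.read_only allows read calls
# (list/get) to the Storage API; it grants nothing by itself.
scope_allows() {  # $1 = space-separated scope URLs, $2 = IAM permission
  case "$2" in
    storage.objects.list|storage.objects.get|storage.buckets.get)
      echo "$1" | grep -Eq 'devstorage\.(read_only|read_write|full_control)|cloud-platform' ;;
    storage.objects.create|storage.objects.delete)
      echo "$1" | grep -Eq 'devstorage\.(read_write|full_control)|cloud-platform' ;;
    *) return 1 ;;
  esac
}

# Gate 2: IAM. Assumed (simplified) contents of the roles named on this page.
role_grants() {  # $1 = space-separated role names, $2 = IAM permission
  for role in $1; do
    case "$role:$2" in
      roles/storage.legacyBucketReader:storage.objects.list) return 0 ;;
      roles/storage.legacyBucketReader:storage.buckets.get) return 0 ;;
      roles/storage.objectViewer:storage.objects.list) return 0 ;;
      roles/storage.objectViewer:storage.objects.get) return 0 ;;
      roles/editor:storage.*|roles/owner:storage.*) return 0 ;;
    esac
  done
  return 1
}

# Prints the gate that blocks the request, or "allowed"; exit 0 only when allowed.
check_access() {  # $1 = scopes, $2 = roles, $3 = IAM permission
  if ! scope_allows "$1" "$3"; then
    echo "blocked by access scope: $3"
    return 1
  fi
  if ! role_grants "$2" "$3"; then
    echo "blocked by IAM: no role grants $3"
    return 1
  fi
  echo "allowed: $3"
}

# On a real instance these commands produce the two inputs and apply the
# answer's fix. PROJECT_ID, SA_EMAIL and BUCKET are placeholders; this part
# runs only when all three are set.
if [ -n "${PROJECT_ID:-}" ] && [ -n "${SA_EMAIL:-}" ] && [ -n "${BUCKET:-}" ]; then
  # Gate 1 input: the scopes the metadata server hands to this instance.
  curl -s -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
  # Gate 2 input: project-level roles bound to the service account
  # (bucket-level bindings are listed by: gsutil iam get gs://$BUCKET).
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="value(bindings.role)"
  # The answer's fix: bind a role carrying storage.objects.list on the bucket.
  gsutil iam ch "serviceAccount:$SA_EMAIL:roles/storage.legacyBucketReader" "gs://$BUCKET"
fi

SCOPE="https://www.googleapis.com/auth/devstorage.read_only"
# The asker's state: scope present, no IAM role, so the IAM gate blocks.
check_access "$SCOPE" "" "storage.objects.list" || true
# After the answer's fix: both gates pass.
check_access "$SCOPE" "roles/storage.legacyBucketReader" "storage.objects.list"
# The reverse case: a broad role cannot get past a missing scope.
check_access "https://www.googleapis.com/auth/logging.write" "roles/editor" "storage.objects.list" || true
```

The point the model makes concrete: the scope list the asker saw is gate 1 only. Passing it with `devstorage.read_only` proves nothing about gate 2, and the 403 names the missing IAM permission, not the scope. Conversely, binding a wide role to the account does not help an instance whose scopes exclude the Storage API, which is why both checks are worth running before changing either.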
