GCS 'Storage Object Viewer' role cannot view objects

Question

I am trying to give a user read access to a Google Cloud Storage bucket. The user has the "Storage Object Viewer" role

but the user cannot see the items in the bucket:

The project ID is valid and according to the docs the "Storage Object Viewer" role includes the storage.buckets.list permission (EDIT: This is incorrect, see https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles).

The user can access the bucket if I give him the "Storage Object Admin" role, but then he also has write access. How do I just grant read access?

Answer 1

It looks like "Storage Insights Collector Service" has the storage.buckets.get privilege. https://cloud.google.com/storage/docs/access-control/iam-roles

Use that.

Answer 2

According to docs, Storage Object Viewer does not have storage.buckets.list permission! it only contains the following 4 permissions (see the screenshot).

This means that the identity that has this role can only list/view objects inside a bucket and will not be allowed to list buckets and/or view bucket details.

---

if you need the identity to also list/view buckets, there is another predefined legacy role that you can use, named Storage Legacy Bucket Reader. See here