How to exclude storage.bucket.list permission on public gcp storage bucket
Problem
Google Cloud Platform Storage Buckets can be directly exposed via HTTP. The recommended configuration for this is to have allUsers with the Storage Object Viewer role. The Storage Object Viewer role has got the storage.bucket.list permission. I tried creating a custom role based on this role and removed the storage.bucket.list permission.
I updated the IAM permissions by getting the permissions with gsutil, editing them, then I tried to update.
When I tried updating I used the following command:
gsutil iam set permissions.txt gs://example.com/
But I got the following error:
BadRequestException: 400 Role roles/CustomStorageObjectViewer is not supported for this resource.
Is there any way to configure a public GCP storage bucket without the storage.bucket.list permission?
Solution
I am not entirely sure what configs you were using, but here is a process using CLI (gcloud and gsutil). The end product is a new custom role replacing the current standard roles/storage.objectViewer on allUsers for a GCP Bucket.
Recommend using GCP Cloud Shell in your Project: https://cloud.google.com/shell
- Create a new Role with the Custom Permissions you would like.
Create a yaml file to hold the new config:
vi custom_role.yaml
Add the role configuration to the new custom_role.yaml:
title: "storageobjectviewer.nolist"
description: "Storage Object Viewer Role without source objects list"
stage: "ALPHA"
includedPermissions:
- resourcemanager.projects.get
- storage.objects.get
Create the new Role in GCP:
gcloud iam roles create storageobjectviewer.nolist --project=[YOUR PROJECT] --file=custom_role.yaml
- Pull the current permissions for [YOUR BUCKET] locally:
gsutil iam get gs://[YOUR BUCKET] > perms.txt
- Update the permissions with the new role.
Should only be this section:
{
  "members": [
    "allUsers"
  ],
  "role": "projects/[YOUR PROJECT]/roles/storageobjectviewer.nolist"
}
- Update allUsers to the new role on [YOUR BUCKET]:
gsutil iam set perms.txt gs://[YOUR BUCKET]
The new configuration should be viewable in the CLI:
gsutil iam get gs://[YOUR BUCKET]
Also in the UI:
Bucket Details -> Permissions
and IAM -> Roles
Hopefully this helps!
Additional Info:
- https://cloud.google.com/iam/docs/creating-custom-roles#iam-custom-roles-create-gcloud
- https://cloud.google.com/storage/docs/gsutil/commands/iam
- https://cloud.google.com/storage/docs/access-control/making-data-public#gsutil
- https://cloud.google.com/storage/docs/access-control/iam-roles
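The editing step of the answer above (moving allUsers from roles/storage.objectViewer to the fully qualified custom role while leaving the other bindings and the etag untouched), as an added Python example that is not part of the original answer. The sample policy is constructed to resemble `gsutil iam get` output, the project id my-project is a placeholder, and `public_bindings` is an added audit helper for spotting which roles a bucket still grants to public principals.

```python
import json

# Constructed sample of what `gsutil iam get gs://[YOUR BUCKET]` returns for a
# bucket made public with the predefined Storage Object Viewer role.
CURRENT_POLICY = json.dumps({
    "bindings": [
        {"members": ["projectEditor:my-project", "projectOwner:my-project"],
         "role": "roles/storage.legacyBucketOwner"},
        {"members": ["projectViewer:my-project"],
         "role": "roles/storage.legacyBucketReader"},
        {"members": ["allUsers"], "role": "roles/storage.objectViewer"},
    ],
    "etag": "CAE=",
})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def custom_role_id(project, role_name):
    """Fully qualified id of a project-level custom role, the form the answer's
    perms.txt uses. A bare 'roles/<name>' refers to a predefined role."""
    return f"projects/{project}/roles/{role_name}"


def replace_public_role(policy_json, old_role, new_role):
    """Return a new policy (JSON string) in which every public principal holding
    old_role is moved to new_role. Other members of old_role, other bindings and
    the etag are preserved so `gsutil iam set` still does a checked update."""
    policy = json.loads(policy_json)
    out = {k: v for k, v in policy.items() if k != "bindings"}
    out["bindings"] = []
    moved = []
    for b in policy["bindings"]:
        if b["role"] != old_role:
            out["bindings"].append(b)
            continue
        keep = [m for m in b["members"] if m not in PUBLIC_PRINCIPALS]
        moved += [m for m in b["members"] if m in PUBLIC_PRINCIPALS]
        if keep:  # non-public members keep the predefined role
            out["bindings"].append({"members": keep, "role": old_role})
    if moved:
        for b in out["bindings"]:  # merge into an existing new_role binding
            if b["role"] == new_role:
                b["members"] = sorted(set(b["members"]) | set(moved))
                break
        else:
            out["bindings"].append({"members": sorted(set(moved)), "role": new_role})
    return json.dumps(out, indent=2)


def public_bindings(policy_json):
    """Audit helper: map each public principal to the roles it holds."""
    result = {}
    for b in json.loads(policy_json)["bindings"]:
        for m in b["members"]:
            if m in PUBLIC_PRINCIPALS:
                result.setdefault(m, []).append(b["role"])
    return result
```

Write the returned string to perms.txt and apply it with `gsutil iam set perms.txt gs://[YOUR BUCKET]`; running `public_bindings` on a fresh `gsutil iam get` afterwards confirms allUsers holds only the custom role.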
Context
StackExchange DevOps Q#5762, answer score: 2