I'm a project owner for a particular project, which has a bucket with a few hundred gigs of objects. I have recently discovered by a failed gcloud rsync that there are some objects in my bucket that I can list but not cp or acl get etc., neither from the command line nor from the cloud console.
For example:
gsutil acl get gs://$MYBUCKET/$SOMEOBJECT
AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://$MYBUCKET/$SOMEOBJECT
I have
- verified I'm authenticated as the right user (gcloud auth list)
- verified that I'm in the roles/owners member section of the project (gcloud projects get-iam-policy $PROJECT_ID)
- verified that the bucket belongs to the project (the entity "project-owners-$PROJECT_ID" has the projectNumber $PROJECT_ID and role OWNER).
- The same problem occurs in the Google Cloud console, despite the fact that I'm the creator of the project.
What on earth is going on?
Access to GCS resources is not recursive. Owning a project or a bucket within that project does not necessarily imply that you also have read access to some specific object. Owning the bucket does imply that you can list or delete the object, but that's it.
The owner of an object is always the user that uploaded it. By default, the ACLs on the object will align with the bucket's "default object ACL" setting, but the uploader can choose any other ACL during the upload.
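To make the point above concrete, here is an added example (not code from the original post) that evaluates an object ACL in the JSON shape `gsutil acl get` prints against a given principal. The bucket name, project number 123456789, e-mail addresses and the set of project teams the owner belongs to are constructed assumptions; it models only the legacy object ACL, not IAM roles granted on the bucket or project.

```python
"""Evaluate a GCS object ACL (the JSON that `gsutil acl get` prints) for a given
principal, to show why a project owner can be denied on a specific object."""
from typing import Dict, List, Optional, Set

# GCS object ACLs carry only READER and OWNER; OWNER is needed for `acl get` / `acl set`.
ROLE_RANK = {"READER": 1, "OWNER": 2}

# Constructed sample data: two objects' ACLs in the ObjectAccessControls shape.
# The project number, bucket and e-mail addresses are placeholders, not real values.
SAMPLE_ACLS = {
    "gs://mybucket/uploaded-with-default-acl": [
        {"entity": "user-uploader@example.com", "email": "uploader@example.com", "role": "OWNER"},
        {"entity": "project-owners-123456789",
         "projectTeam": {"projectNumber": "123456789", "team": "owners"}, "role": "OWNER"},
    ],
    "gs://mybucket/uploaded-with-private-acl": [
        {"entity": "user-uploader@example.com", "email": "uploader@example.com", "role": "OWNER"},
    ],
}

def entity_matches(entity: str, email: str, project_number: str, teams: Set[str], groups: Set[str]) -> bool:
    """True if one ACL entity (user-, group-, domain-, project-<team>-<num>, allUsers, ...) covers the principal."""
    if entity in ("allUsers", "allAuthenticatedUsers"):
        return True  # the caller is assumed to be an authenticated user
    kind, _, rest = entity.partition("-")
    if kind == "user":
        return rest.lower() == email.lower()
    if kind == "group":
        return rest.lower() in groups
    if kind == "domain":
        return email.lower().endswith("@" + rest.lower())
    if kind == "project":  # e.g. project-owners-123456789
        team, _, number = rest.partition("-")
        return number == project_number and team in teams
    return False

def effective_role(acl: List[Dict], email: str, project_number: str, teams: Set[str],
                   groups: Set[str] = frozenset()) -> Optional[str]:
    """Strongest role the ACL grants the principal, or None when no entry matches (AccessDenied)."""
    best = None
    for entry in acl:
        if entity_matches(entry["entity"], email, project_number, teams, groups):
            if best is None or ROLE_RANK[entry["role"]] > ROLE_RANK[best]:
                best = entry["role"]
    return best

def audit(acls: Dict[str, List[Dict]], email: str, project_number: str, teams: Set[str]) -> Dict[str, Optional[str]]:
    """Map each object to the role the principal holds on it; None marks objects that
    `gsutil cp` or `acl get` would fail on despite project ownership."""
    return {name: effective_role(acl, email, project_number, teams) for name, acl in acls.items()}

if __name__ == "__main__":
    # Assumption: a project owner is treated as a member of the owners, editors and viewers teams.
    print(audit(SAMPLE_ACLS, "owner@example.com", "123456789", {"owners", "editors", "viewers"}))
```

Objects that come back as None are the ones an ACL-only check cannot explain away; granting an IAM role on the bucket or project, as the other answers describe, bypasses the per-object ACL entirely.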
You can set a Cloud IAM policy on the project or on the bucket.
For example, if you are a project owner and you want full access to all buckets in the project, follow the steps below.
- Click the Edit permissions icon associated with the user to which you want to add the Cloud IAM policy.
- Add the [Storage] - [Storage Admin] role (not [Storage Legacy]).
- Click the Save button.
Then you are granted full access to the object even if you are not the owner of the object.
I've solved my similar problem using IAM, like this:
After that, the user has owner rights.
I struggled with a similar situation: a service account that created an object was listed as OWNER (with gsutil acl get gs://...) but failed to set the ACL. Then I found the following quote in https://cloud.google.com/storage/docs/access-control/lists#predefined-acl: