I'm struggling to give third parties access to a GCP bucket which they can access at https://storage.googleapis.com/<bucketname>/. I've been following the steps set out for GCP Authenticated browser downloads.
The bucket has uniform access level and has public access set to off. This bucket and associated project is not within an organisation -- this is run off a private account.
I've used the console to add two users with Storage Object Viewer permissions to the bucket. However, if I log in (using a different browser) as one of these users I get an Access Denied message.
I wondered if the permission error is due to only adding the users after using gsutil to upload content, so I tried to add read permissions on the bucket:
gsutil acl ch -r -u <gmailuser>:R gs://<bucketname>/
CommandException: Failed to set acl for gs://<bucketname>/subdir/. Please ensure you have OWNER-role access to this resource.
Since I'm running gsutil as the project and bucket owner, perhaps I've messed up permissions somehow. Insights gratefully received.
Update 27 October
Need an organisation?
Based on @Hemanth's helpful comments and further testing this problem appears to be an issue with my needing an organisation, something not set out in the docs. I don't want to set up an organisation with allied adoption of one of my domains and necessity of migrating projects.
I don't know if Google are trying to migrate individuals to forcibly setting up organisations, but if so the errors reported need to be improved as do the docs. Apart from ruining a sales pipeline of gmail users adopting cloud storage, this issue may also account for buckets being opened publicly as people try to understand this problem.
As per the predefined ACLs guidelines, by applying a predefined ACL to an existing bucket or object, you completely replace the existing bucket or object ACL with the predefined ACL. This change might cause you to lose access to the bucket or object ACL in some cases. This might remove the Bucket owner permissions, and when trying to access it, it asks for the owner permissions.
You can use the IAM role storage.objectAdmin so that you have the permission necessary to update the object's ACL and correct the change. Grant the Storage Legacy Bucket Owner in IAM and also try giving "Storage Admin" and "Storage Object Admin/Creator/Viewer" permissions, which give owner roles to the bucket. You can also grant the owner permission by using the below command:
Refer to this doc for more examples.
Updated answer:
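An added example (mine, not code from the question or the answer): a small Python helper that edits the bucket IAM policy in the form `gsutil iam get gs://<bucketname>` prints and `gsutil iam set policy.json gs://<bucketname>` accepts, adding named Google accounts to roles/storage.objectViewer while refusing to ever bind allUsers or allAuthenticatedUsers. It assumes the bucket keeps uniform bucket-level access, which disables object ACLs (so `gsutil acl ch` is rejected) and makes bucket IAM bindings the only place to grant the viewers access; the sample policy and e-mail addresses below are constructed.

```python
import copy
import json

OBJECT_VIEWER = "roles/storage.objectViewer"
# Principals that make a bucket readable without signing in; never grant them here.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def grant_object_viewer(policy: dict, emails: list) -> dict:
    """Return a copy of a bucket IAM policy (as `gsutil iam get` prints it)
    with each e-mail added as user:<email> under roles/storage.objectViewer.
    Idempotent: re-running with the same accounts adds nothing twice."""
    for email in emails:
        if email in PUBLIC_MEMBERS:
            raise ValueError(f"refusing to grant public access via {email}")
    new_policy = copy.deepcopy(policy)  # leave the caller's policy untouched
    bindings = new_policy.setdefault("bindings", [])
    binding = next((b for b in bindings if b.get("role") == OBJECT_VIEWER), None)
    if binding is None:
        binding = {"role": OBJECT_VIEWER, "members": []}
        bindings.append(binding)
    for email in emails:
        member = f"user:{email}"
        if member not in binding["members"]:
            binding["members"].append(member)
    return new_policy


def public_members(policy: dict) -> list:
    """List every role bound to allUsers / allAuthenticatedUsers, i.e. the
    bindings that would expose the bucket publicly; empty means not public."""
    return sorted(
        f"{b['role']}:{m}"
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m in PUBLIC_MEMBERS
    )


if __name__ == "__main__":
    # Constructed sample, shaped like the output of `gsutil iam get gs://<bucketname>`.
    current = {"bindings": [{"role": "roles/storage.legacyBucketOwner",
                             "members": ["projectOwner:example-project"]}],
               "etag": "CAE="}
    updated = grant_object_viewer(current, ["alice@example.com", "bob@example.com"])
    assert public_members(updated) == []
    # Write this to policy.json and apply with: gsutil iam set policy.json gs://<bucketname>
    print(json.dumps(updated, indent=2))
```

The viewers then sign in at https://storage.googleapis.com/<bucketname>/<object> with the granted account, and `public_members` doubles as a quick audit that no public binding crept in while fixing the problem.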