Access denied for GCP bucket shared with other gmail users


I'm struggling to give third parties access to a GCP bucket which they can access at https://storage.googleapis.com/<bucketname>/. I've been following the steps set out for GCP Authenticated browser downloads.

The bucket has uniform access level and has public access set to off. This bucket and associated project is not within an organisation -- this is run off a private account.

I've used the console to add two users with Storage Object Viewer permissions to the bucket. However if I log in (using a different browser) as one of these users I get an Access Denied message.

I wondered if the permission error is due to only adding the users after using gsutil to upload content, so I tried to add read permissions on the bucket:

gsutil acl ch -r -u <gmailuser>:R gs://<bucketname>/
CommandException: Failed to set acl for gs://<bucketname>/subdir/. Please ensure you have OWNER-role access to this resource.

Since I'm running gsutil as the project and bucket owner perhaps I've messed up permissions somehow. Insights gratefully received.


Update 27 October

Need an organisation?

Based on @Hemanth's helpful comments and further testing, this problem appears to be an issue with my needing an organisation, something not set out in the docs. I don't want to set up an organisation with the allied adoption of one of my domains and the necessity of migrating projects.

I don't know if Google are trying to force individuals into setting up organisations, but if so the errors reported need to be improved, as do the docs. Apart from ruining a sales pipeline of gmail users adopting cloud storage, this issue may also account for buckets being opened publicly as people try to understand this problem.

Dear Google. Why is this so hard?

There is 1 answer below

As per the predefined ACLs guidelines, by applying a predefined ACL to an existing bucket or object, you completely replace the existing bucket or object ACL with the predefined ACL. This change might cause you to lose access to the bucket or object ACL in some cases. This might remove the bucket owner permissions, and when you try to access it, it asks for the owner permissions.

You can use the IAM role storage.objectAdmin so that you have the permission necessary to update the object's ACL and correct the change. Grant the Storage Legacy Bucket Owner in IAM and also try giving "Storage Admin" and "Storage Object Admin/Creator/Viewer" permissions which gives owner roles to the bucket.

You can also grant the owner permission by using the below command :

gsutil acl ch -p owners-example-project:W gs://example-bucket

Refer to this doc for more examples.

Updated answer :

  • It seems you might be using the free tier account, which might run out of free limits. So, can you try upgrading your account to a paid one, which will also have a billing account.
  • This error may also occur because the Cloud Storage bucket you are trying to use does not exist. You may verify this by clicking the blue button titled Open the Cloud Storage Browser
  • For billing account assistance, open a Billing Support Request using the Billing Support Requests form provided here.
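A check worth running before touching ACLs at all, added here as an example and not part of the question or the answer above: on a bucket with uniform bucket-level access enabled, ACLs are disabled and IAM bindings are the only thing that grants access, so the useful question is "which IAM roles does this Google account actually hold on the bucket, and do they include storage.objects.get and storage.objects.list?". The script below reads the JSON that `gcloud storage buckets describe BUCKET --format=json` and `gcloud storage buckets get-iam-policy BUCKET --format=json` produce, but the two documents embedded in it are constructed samples, not captured from a real project; the role-to-permission sets are my summary of the Cloud Storage IAM roles reference and should be confirmed with `gcloud iam roles describe ROLE`. It also prints the `storage.cloud.google.com` URL, which is the endpoint the "Authenticated browser downloads" page documents; `storage.googleapis.com` is the XML API and does not use the browser's Google sign-in.

```python
"""Audit who can read a Cloud Storage bucket under IAM-only (uniform) access.

Added example; not code from the original page. Role/permission sets below are
an assumption taken from the IAM roles reference, not fetched from the API.
"""
import json

# Predefined and basic roles whose permission lists include storage.objects.get
# (download an object) and storage.objects.list (browse a bucket).
OBJECT_GET_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectUser",
    "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner",
    "roles/viewer", "roles/editor", "roles/owner",
}
OBJECT_LIST_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectUser",
    "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketReader", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
    "roles/viewer", "roles/editor", "roles/owner",
}

# Constructed sample in the shape of `gcloud storage buckets describe --format=json`,
# trimmed to the fields this audit reads.
SAMPLE_BUCKET = json.loads("""{
  "name": "example-bucket",
  "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": true},
    "publicAccessPrevention": "enforced"
  }
}""")

# Constructed sample in the shape of `gcloud storage buckets get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{
  "version": 3,
  "bindings": [
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:reader@gmail.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:temp@gmail.com"],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ]
}""")


def uniform_access_enabled(bucket):
    """True when ACLs are disabled and IAM is the only access mechanism."""
    cfg = bucket.get("iamConfiguration", {})
    return bool(cfg.get("uniformBucketLevelAccess", {}).get("enabled", False))


def public_access_prevented(bucket):
    """True when publicAccessPrevention is enforced (allUsers bindings are inert)."""
    return bucket.get("iamConfiguration", {}).get("publicAccessPrevention") == "enforced"


def effective_roles(bucket, policy, member):
    """Roles the member holds through unconditional bindings.

    allUsers / allAuthenticatedUsers bindings count only when public access
    prevention is not enforced. Conditional bindings are evaluated per request
    by IAM, so they are reported separately rather than assumed to apply.
    """
    applicable = {member}
    if not public_access_prevented(bucket):
        applicable.add("allUsers")
        if member.startswith(("user:", "serviceAccount:")):
            applicable.add("allAuthenticatedUsers")
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if applicable & set(binding.get("members", [])):
            roles.add(binding["role"])
    return roles


def can_get_objects(bucket, policy, member):
    return bool(effective_roles(bucket, policy, member) & OBJECT_GET_ROLES)


def can_list_objects(bucket, policy, member):
    return bool(effective_roles(bucket, policy, member) & OBJECT_LIST_ROLES)


def browser_download_url(bucket_name, object_name):
    """Endpoint documented for cookie-authenticated browser downloads."""
    return f"https://storage.cloud.google.com/{bucket_name}/{object_name}"


def audit(bucket, policy, member):
    """Human-readable findings for one principal (member in 'user:EMAIL' form)."""
    name, findings = bucket["name"], []
    if uniform_access_enabled(bucket):
        findings.append("uniform bucket-level access is on: ACL commands such as "
                        "`gsutil acl ch` will fail and only IAM bindings grant access")
    if not can_get_objects(bucket, policy, member):
        findings.append(f"{member} holds no unconditional role with storage.objects.get; "
                        "downloads will be denied")
    if not can_list_objects(bucket, policy, member):
        findings.append(f"{member} holds no unconditional role with storage.objects.list; "
                        f"listing {name}/ will be denied")
    findings.append(f"share {browser_download_url(name, 'OBJECT')} for signed-in browser "
                    "downloads; storage.googleapis.com ignores the browser sign-in")
    return findings


if __name__ == "__main__":
    for who in ("user:reader@gmail.com", "user:nobody@gmail.com", "user:temp@gmail.com"):
        print(who)
        for line in audit(SAMPLE_BUCKET, SAMPLE_POLICY, who):
            print("  -", line)
```

With the sample data, `user:reader@gmail.com` passes both checks, `user:nobody@gmail.com` fails them because the `allAuthenticatedUsers` binding is neutralised by enforced public access prevention, and `user:temp@gmail.com` fails because its only binding is conditional. Relaxing `publicAccessPrevention` to `inherited` flips the second case, which is exactly the "just open the bucket" shortcut the question worries people will take.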