can't add 'allUsers' to GCP project

Question

I have a GCP project and just for testing purpose, I want to grant the permission to 'allUsers'. But when I am trying to add, I am getting error Members of type allUsers and allAuthenticatedUsers cannot be added to this resource. Can somebody help me to understand what I am doing wrong or missing here? Thanks

Answer 1

Check the docs.

Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy.

Answer 2

Go to your bucket and revoke public access as in below image. Then go to your resource and add permission allUser

Answer 3

The member types permission used to grant allUser or allAuthenticatedUser access to certain Google Cloud resources such as buckets cannot be applied as project roles to projects. Google Cloud projects provide different levels of access control that are different from those used with buckets, as explained in the following Access Control for Projects using IAM documentation.

There is a three-level policy hierarchy in Google Cloud that puts projects and resources as separate entities. In this hierarchy, policies are inheritable but do have different access control models which are not interchangeable.

You can grant to a Google Cloud project the following permissions:

• roles/owner - Full access to all resources.

• roles/editor - Edit access to all resources.

• roles/viewer - Read access to all resources.

• roles/browser - Access to browse resources in the project.

The above project permissions can be fine-tuned at the resource level using member types as explained above.

Answer 4

Sometimes it might be that you’re trying to use a deprecated feature that is already no longer available in web UI and control panels but in fact, is still silently supported for thus who are unable to upgrade.

Granting a role for allUsers is one of these cases and you can find an example of such a case in this answer of a smart-things community.

Regarding the:

Can somebody help me to understand what I am doing wrong or missing here?

You are trying to use insecure permissions that are strongly discouraged. And that is wrong, that is not available in some web user interfaces for a reason. But if Google would ditch such support at all, then IoT devices that are still dependent on this yet out of the reach of developers who could upgrade them would become inoperable, so new users unlikely to see such possibility but thus who used it in the passed will be stay operable.

But if you were unfortunate to delete such permission and now you left a lot of IoT devices without an ability to publish for a PubSub topic (and upgrading devices is not a feasible option) then following mentioned answer from smart things community if you want to allow publishing for a topic bar of the project foo then you can use a set IAM policy API to apply a role roles/pubsub.publisher for allUsers

A resource will be: projects/foo/topic/bar

And policy object will be:

{
  "policy": {
    "bindings": [
      {
        "role": "roles/pubsub.publisher",
        "members": [
          "allUsers"
        ]
      }
    ]
  }
}

Answer 5

Try to remove the prevent public access in permissions of your GCP cloud storage bucket. This allows to have fine granular control on individual objects. So that one or many objects in the bucket can be public. Public access prevention prevents data in your organization or project from being accidentally exposed to the public. When you enforce public access prevention on a new or existing Cloud Storage resource, no one in your organization can make data public through IAM policies or ACLs. For more see the docs here

Answer 6

Disable the prevention to public access

1. Go to permissions (right-hand side of configuration)
2. Disable public access prevention.
3. then again try to make image public it'll work