What roles are needed to download an object from a Google Storage Bucket

Question

I have created a service account and given it only the Storage Object Viewer role. I would like to use this service account to download objects from a bucket using the python API.

I have set the GOOGLE_APPLICATION_CREDENTIALS environment variable accordingly and can see the relevant service account showing up on the bucket's permissions page.

I use the following code to try and download an object

from google.cloud import storage
storage_client = storage.Client()
bucket = storage_client.get_bucket(BUCKET_NAME)

But I get the following error when calling get_bucket

google.api_core.exceptions.Forbidden: 
403 GET https://storage.googleapis.com/storage/v1/b/samplereadbucket?projection=noAcl: 
[email protected] does not have storage.buckets.get 
access to samplereadbucket.

What is the minimum set of roles I need to set so that the service account has storage.buckets.get access if not Storage Object Viewer?

Answer 1

Storage Object Viewer (roles/storage.objectViewer) only includes these permissions:

resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

For buckets, you will need a role like Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) (or create a custom role). This gives you:

storage.buckets.get
storage.objects.list

You can always use the IAM & Admin > Roles tab in the cloud console to search for the specific permissions to see what roles currently grant those permissions.

Answer 2

it's needed to add these roles to the SA:

Storage Object Viewer (roles/storage.objectViewer)

   resourcemanager.projects.get
   resourcemanager.projects.list
   storage.objects.get
   storage.objects.list

Storage Legacy Bucket Reader (roles/storage.legacyBucketReader)

   storage.buckets.get 
   storage.multipartUploads.list
   storage.objects.list

Or even better would be creating a custom role with roles