Writing to a bucket should be possible without 'storage.buckets.get' #3432

@akauppi

Description

I wish to have a service account be able to write, read, read metadata and read history of objects in a pre-defined and existing bucket. It does not need to be able to do anything to the bucket itself.

From the Cloud Storage IAM Roles page:

| Role | Description | Permissions |
| --- | --- | --- |
| roles/storage.objectAdmin | Full control over objects, including listing, creating, viewing, and deleting objects. Does not grant permission to read or edit bucket metadata. | storage.objects.* |
| roles/storage.admin | Full control of buckets and objects. | storage.buckets.*, storage.objects.* |

it seems roles/storage.objectAdmin would be the role for this.

If I run the (below) code with it, I get the error:

... does not have storage.buckets.get access to .

Adding the "Storage Admin" or "Storage Legacy Bucket Reader" role makes things work.

The possible bug is that I find the reality and the documentation to be at odds. It may be that this is the same thing as google-cloud-ruby has had (and fixed) in their #1588. There it was fixed in a way that allows accessing a bucket without bucket-level rights.

Scala code:

```scala
import java.nio.charset.StandardCharsets.UTF_8
import com.google.cloud.storage.{Bucket, Storage, StorageOptions}

val sto: Storage = StorageOptions.getDefaultInstance.getService()
val bucket: Bucket = sto.get(bucketName) // fetches bucket metadata: requires storage.buckets.get
bucket.create("abc", "ABC!".getBytes(UTF_8)) // the object write itself only needs storage.objects.*
```

Using google-cloud-storage client version 1.31.0
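For comparison, the following is an added example (not code from the issue author or from the google-cloud-java project) showing how the same four operations can be done against the Java client without ever fetching the bucket, so that a service account holding only roles/storage.objectAdmin (storage.objects.*) on the bucket suffices. The bucket name is a placeholder, and the per-call permission noted in each comment is my reading of the IAM permission model rather than something the issue states.

```java
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.nio.charset.StandardCharsets;

public class ObjectOnlyAccess {
    // Placeholder: an existing bucket on which the service account has roles/storage.objectAdmin.
    static final String BUCKET = "my-existing-bucket";

    public static void main(String[] args) {
        Storage storage = StorageOptions.getDefaultInstance().getService();

        // Write: address the object by BlobId instead of going through Storage.get(bucket),
        // so no storage.buckets.get call is issued (assumed permission: storage.objects.create).
        BlobId id = BlobId.of(BUCKET, "abc");
        BlobInfo info = BlobInfo.newBuilder(id).setContentType("text/plain").build();
        storage.create(info, "ABC!".getBytes(StandardCharsets.UTF_8));

        // Read content (assumed permission: storage.objects.get).
        byte[] content = storage.readAllBytes(id);
        System.out.println(new String(content, StandardCharsets.UTF_8));

        // Read metadata (assumed permission: storage.objects.get).
        Blob blob = storage.get(id);
        System.out.println(blob.getSize() + " bytes, generation " + blob.getGeneration());

        // Read history: list all generations of objects with this name on a versioned bucket
        // (assumed permission: storage.objects.list).
        for (Blob version : storage.list(BUCKET,
                Storage.BlobListOption.prefix("abc"),
                Storage.BlobListOption.versions(true)).iterateAll()) {
            System.out.println(version.getName() + " @ generation " + version.getGeneration());
        }
    }
}
```

The difference from the Scala snippet is purely which entry point is used: `Storage.get(String bucket)` returns a `Bucket` and therefore has to read bucket metadata, whereas `BlobId`-based calls go straight to the object resource. Version history only exists if object versioning is enabled on the bucket; otherwise the listing returns just the live generation.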

Labels:

- priority: p2 (Moderately-important priority. Fix may not be included in next release.)
- type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)
