I'm trying to get a list of buckets in a project, using Python like this:
from google.cloud import storage

# Placeholders in square brackets stand for the real project and bucket names.
storage_client = storage.Client(project='[project-id]')
bucket = storage_client.get_bucket('[bucket-name]')
blobs = bucket.list_blobs()
for blob in blobs:
    print(blob.name)
But I get an error:
[service-account-ID]-compute@developer.gserviceaccount.com does not have storage.buckets.get access to [bucket-name]
Anyway, if I try using gsutil (using the same service account):
gsutil ls gs://[bucket-name]
I can get the list of objects in the bucket…
So I don't understand what is happening; any clue about what I should do?
Best Answer
GCP has the concept of roles and permissions. A role is something like Storage Admin (roles/storage.admin) and a permission is something like storage.buckets.get. Roles are made up of one or more permissions. Permissions are always granted by applying a role to a principal (user, service account, or group) -- that is, you cannot assign a permission directly to a principal.

The error you're seeing is because the permission storage.buckets.get is missing from the service account -- that is, none of the role(s) applied to the service account grant the storage.buckets.get permission. You can list the objects of a bucket (storage.objects.list permission) without the ability to list buckets (storage.buckets.get permission).

Therefore you need to assign a role such as roles/storage.admin that has the storage.buckets.get permission. You can also create a Custom Role with just that permission if you want to operate with a least-privilege model.