Why can't I access a cloud storage object despite being a project owner?

google-cloud-storage

I'm a project owner for a particular project, which has a bucket with a few hundred gigs of objects. I have recently discovered, through a failed gcloud rsync, that there are some objects in my bucket that I can list but not cp or acl get etc., neither from the command line nor from the Cloud Console.

For example:

    gsutil acl get gs://$MYBUCKET/$SOMEOBJECT
    AccessDeniedException: Access denied. Please ensure you have OWNER permission on gs://$MYBUCKET/$SOMEOBJECT

I have

  • verified that I'm authenticated as the right user (gcloud auth list)
  • verified that I'm in the roles/owners member section of the project (gcloud projects get-iam-policy $PROJECT_ID)
  • verified that the bucket belongs to the project (the entity "project-owners-$PROJECT_ID" has the projectNumber $PROJECT_ID and role OWNER)
  • confirmed that the same problem occurs in the Google Cloud Console, despite the fact that I'm the creator of the project

What on earth is going on?

Best Answer

Access to GCS resources is not recursive. Owning a project or a bucket within that project does not necessarily imply that you also have read access to some specific object. Owning the bucket does imply that you can list or delete the object, but that's it.

The owner of an object is always the user that uploaded it. By default, the ACLs on the object will align with the bucket's "default object ACL" setting, but the uploader can choose any other ACL during the upload.
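The rule the answer describes can be made concrete with a small evaluator. The following is an added example, not code from the question, the answer or Google's own libraries: it is a simplified model of the legacy GCS ACL semantics (bucket roles grant listing and deletion, object data access comes only from the object's own ACL), using the same entity strings that `gsutil acl get` prints (`user-…`, `project-owners-<number>`, `allUsers`). The project number, e-mail addresses and ACL entries are constructed sample values, and the WRITER-deletes rule is an assumption taken from the standard legacy-ACL role descriptions rather than from the page.

```python
"""Simplified model of legacy GCS ACL evaluation (added example, not GCS code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed placeholder; the question's $PROJECT_ID stands in for the real value.
PROJECT_NUMBER = "000000000000"

ROLE_RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}
# (entity, role) pairs as shown by `gsutil acl get`, e.g. ("project-owners-000000000000", "OWNER")
AclEntry = Tuple[str, str]


@dataclass(frozen=True)
class Principal:
    """The caller, described by the legacy ACL entities that can match them."""
    email: str
    project_roles: FrozenSet[str] = frozenset()  # subset of {"owners", "editors", "viewers"}

    def entities(self) -> Set[str]:
        ents = {"allUsers", "allAuthenticatedUsers", f"user-{self.email}"}
        ents.update(f"project-{r}-{PROJECT_NUMBER}" for r in self.project_roles)
        return ents


def highest_role(acl: List[AclEntry], who: Principal) -> Optional[str]:
    """Best role any of the caller's entities holds in a single ACL, or None."""
    ents = who.entities()
    ranks = [ROLE_RANK[role] for entity, role in acl if entity in ents]
    if not ranks:
        return None
    return {rank: role for role, rank in ROLE_RANK.items()}[max(ranks)]


def effective_permissions(bucket_acl: List[AclEntry], object_acl: List[AclEntry],
                          who: Principal) -> Set[str]:
    """Access is not recursive: the bucket ACL and the object ACL are evaluated separately."""
    perms: Set[str] = set()
    bucket_role = highest_role(bucket_acl, who)
    object_role = highest_role(object_acl, who)
    if bucket_role is not None:            # any bucket role lets the caller list objects
        perms.add("list")
    if bucket_role in ("WRITER", "OWNER"):  # assumption: bucket WRITER/OWNER may delete objects
        perms.add("delete")
    if object_role in ("READER", "OWNER"):  # reading data needs a role on the object itself
        perms.add("read")
    if object_role == "OWNER":              # `acl get` / `acl set` need object OWNER
        perms.add("acl-get")
    return perms


def audit_unreadable(bucket_acl: List[AclEntry], objects: Dict[str, List[AclEntry]],
                     who: Principal) -> List[str]:
    """Names of objects the caller can list but not read: the symptom in the question."""
    unreadable = []
    for name, acl in objects.items():
        perms = effective_permissions(bucket_acl, acl, who)
        if "list" in perms and "read" not in perms:
            unreadable.append(name)
    return sorted(unreadable)


# --- constructed sample data -------------------------------------------------
OWNERS = f"project-owners-{PROJECT_NUMBER}"
BUCKET_ACL: List[AclEntry] = [
    (OWNERS, "OWNER"),
    (f"project-editors-{PROJECT_NUMBER}", "OWNER"),
    (f"project-viewers-{PROJECT_NUMBER}", "READER"),
]
# What a bucket's default object ACL typically looks like, plus the uploader as OWNER.
DEFAULT_OBJECT_ACL: List[AclEntry] = [(OWNERS, "OWNER"), (f"project-viewers-{PROJECT_NUMBER}", "READER")]

OBJECTS: Dict[str, List[AclEntry]] = {
    # uploaded with the bucket's default object ACL
    "logs/2024-01-01.gz": DEFAULT_OBJECT_ACL + [("user-ci-bot@example.com", "OWNER")],
    # uploader overrode the default with a private ACL: only the uploader is on it
    "exports/private.csv": [("user-contractor@example.com", "OWNER")],
}

PROJECT_OWNER = Principal("me@example.com", frozenset({"owners"}))
CONTRACTOR = Principal("contractor@example.com")

if __name__ == "__main__":
    for name in OBJECTS:
        print(name, sorted(effective_permissions(BUCKET_ACL, OBJECTS[name], PROJECT_OWNER)))
    print("listable but unreadable:", audit_unreadable(BUCKET_ACL, OBJECTS, PROJECT_OWNER))
```

Run against the sample data, the project owner gets `list` and `delete` on `exports/private.csv` but no `read` or `acl-get`, which is exactly the AccessDeniedException in the question, while the contractor who uploaded it can read it without being able to list the bucket at all. On a real bucket the same audit is done by comparing a listing with the objects for which `gsutil acl get` fails, and the fix is either having the uploader grant access or, going forward, tightening the bucket's default object ACL (or switching the bucket to uniform bucket-level access) so uploads cannot opt out.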