Hello!
First off, I think you can answer this question based purely on eliminating the wrong response options. 2, 3, and 4 are all wrong as per the given explanation: they simply deal with completely different things than GCS.
But the reasons why 1 and 5 are correct are a bit more complicated. This doc page (linked with the explanation) is most useful. Here's one of the key quotes:
the Editor and Owner project roles have limited Cloud Storage access by themselves, but members assigned these roles gain roles/storage.legacyBucketOwner for new buckets
And if you follow the link from that page to this one that describes the GCS roles, we see that both roles/storage.legacyObjectReader and roles/storage.legacyObjectOwner include the storage.objects.get permission.
And even though you were actually pretty clear in what you wrote, this is the point at which I finally realized my mistake! So thank you for raising this!
The issue that you already realized is that roles/storage.legacyBucketReader is not roles/storage.legacyObjectReader. The question should ask about listing files, or option 5 should be legacy_Object_Reader. I will fix the question because I don't think digging so deeply into GCS ACLs is necessary for the ACE exam (though please correct me if I'm wrong!).
Thanks, again! (And, by the way, congrats on passing your exam, too! 🙂 )
Mattias
There is no storage.objects.read permission. All of the individual permissions for Google Cloud Storage that make up the roles are given here: https://cloud.google.com/storage/docs/access-control/iam-permissions#object_permissions. The roles/owner role at the project level will inherit all of these storage.* permissions.