Disable the default assignment of roles/storage.legacyBucketReader to projectViewer

aucampia · September 30, 2022, 12:05pm

By default when I create a storage bucket (terraform code here) the following IAM policy is added to it:

bindings:
  - members:
      - projectEditor:try-buckdef-660n
      - projectOwner:try-buckdef-660n
    role: roles/storage.legacyBucketOwner
  - members:
      - projectViewer:try-buckdef-660n
    role: roles/storage.legacyBucketReader
  - members:
      - projectEditor:try-buckdef-660n
      - projectOwner:try-buckdef-660n
    role: roles/storage.legacyObjectOwner
  - members:
      - projectViewer:try-buckdef-660n
    role: roles/storage.legacyObjectReader
etag: CAE=

Is there some way this behaviour can be changed, I don’t want bucket content to be readable by all project viewers by default.

I can of course just not assign role/viewer to anyone but I’m still not very happy with this behaviour.

aucampia · September 30, 2022, 12:58pm

This behaviour is described as “modifiable” here, however, it is not clear how to actually modify it. The section just explains that the consequences of the behaviour can be undone.

Topic		Replies	Views
Storage objects readable by allUsers in Cloud Rails guide Compute Infrastructure cloud-storage	1	9	December 10, 2021
Vertex Ai service account unable to access GCS buckets though it has StorageObjectViewer roles Compute Infrastructure cloud-storage	5	96	November 2, 2023
Why are gcp IAM permissions so open by default and how should I restrict them? Compute Infrastructure compute-engine , infrastructure-general , cloud-storage	1	56	March 20, 2024

Disable the default assignment of roles/storage.legacyBucketReader to projectViewer

AI Suggested topics