What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform

Submitted by 孤街醉人 on 2020-01-05 06:46:41

Question


According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources.

Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?


Answer 1:


Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?

The browser role roles/browser does not have any permissions to access Google Cloud Storage. You cannot list the objects in the bucket. The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.

To better understand roles, you need to know what permissions a role contains.

If you take the role roles/browser and view the permissions:

gcloud iam roles describe roles/browser

You will find that this role has the following six permissions:

description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser

Notice that this role has no permissions to Google Cloud Storage.

In comparison if you review the permissions for roles/viewer you will find that this role has 721 permissions. I have limited this listing to just the storage permissions:

storage.buckets.list

You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.

In order to view (download) a Google Cloud Storage object, you need the storage.objects.get permission. This is contained in the roles roles/storage.object.viewer, roles/storage.objectAdmin, roles/storage.admin and roles/storage.legacyObjectReader.
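
The permission comparison described in this answer can be scripted. The following is an added example, not part of the original answer: it parses the output of `gcloud iam roles describe` and reports which required permissions a role lacks. The function names are hypothetical, and the embedded sample is the roles/browser output quoted above.

```shell
#!/bin/sh
# Constructed sample input: the roles/browser description quoted in the answer.
BROWSER_ROLE_YAML='description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser'

# Hypothetical helper: read role YAML on stdin and print the entries of the
# includedPermissions list, one per line.
role_permissions() {
    awk '
        /^includedPermissions:/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]+/ {
            sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; next
        }
        in_list { in_list = 0 }   # first non-list line ends the block
    '
}

# Hypothetical helper: exit 0 only if the role YAML on stdin grants exactly
# permission $1 (whole-line match, so "projects.get" does not match
# "projects.getIamPolicy").
role_has_permission() {
    role_permissions | grep -Fxq -- "$1"
}

# Hypothetical helper: $1 is the role YAML, the remaining arguments are the
# permissions a task needs. Prints each one the role does not grant.
missing_permissions() {
    yaml=$1; shift
    for perm in "$@"; do
        printf '%s\n' "$yaml" | role_has_permission "$perm" || printf '%s\n' "$perm"
    done
}

# Against a live project, pass the real description instead of the sample:
#   missing_permissions "$(gcloud iam roles describe roles/viewer)" storage.objects.get
missing_permissions "$BROWSER_ROLE_YAML" storage.buckets.list storage.objects.get
```

Empty output from `missing_permissions` means the role grants every permission listed, which makes it usable as a pre-grant check when choosing the narrowest role for a task.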




Answer 2:


According to the docs

The Project Browser role has "Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project."



Source: https://stackoverflow.com/questions/54778596/whats-the-difference-between-project-browser-role-and-project-viewer-role-in-go
