What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform

Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?

The browser role roles/browser does not have any permissions to access Google Cloud Storage. You cannot list the objects in the bucket. The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.

To better understand roles, you need to know what permissions a role contains.

If you take the role roles/browser and view the permissions:

gcloud iam roles describe roles/browser

You will find that this role has the following six permissions:

description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser

Notice that this role has no permissions to Google Cloud Storage.

In comparison if you review the permissions for roles/viewer you will find that this role has 721 permissions. I have limited this listing to just the storage permissions:

storage.buckets.list

You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.

In order to view (download) a Google Cloud Storage object, you need the storage.objects.get permission. This is contained in the roles roles/storage.object.viewer, roles/storage.objectAdmin, roles/storage.admin and roles/storage.legacyObjectReader.


According to the docs

The Project Browser role has "Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project."