What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform
Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files?
The browser role roles/browser does not have any permissions to access Google Cloud Storage. You cannot list the objects in the bucket. The viewer role roles/viewer does not have permissions to view (download) Google Cloud Storage objects.
To better understand roles, you need to know what permissions a role contains.
If you take the role roles/browser and view the permissions:
gcloud iam roles describe roles/browser
You will find that this role has the following six permissions:
description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser
Notice that this role has no permissions to Google Cloud Storage.
In comparison, if you review the permissions for roles/viewer, you will find that this role has 721 permissions. I have limited this listing to just the storage permissions:
storage.buckets.list
You will see that this role only has permission to list the contents of a bucket. No permissions are granted to view the contents of an object in a bucket.
In order to view (download) a Google Cloud Storage object, you need the storage.objects.get permission. This is contained in the roles roles/storage.objectViewer, roles/storage.objectAdmin, roles/storage.admin and roles/storage.legacyObjectReader.
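The answer above boils down to one check: does a role's includedPermissions list contain the permission you actually need? The following is an added example (not code from either answer) that automates that check over the text printed by `gcloud iam roles describe <role>`. The role dumps embedded here are constructed samples: roles/browser is the full listing shown above, while roles/viewer and roles/storage.objectViewer are abridged to the handful of permissions relevant to this question, so the "least privilege" pick is only meaningful for the real, complete dumps you would feed it.

```python
"""Decide which IAM roles grant a required set of permissions.

Added example, not part of the original answers. Input is the text printed by
`gcloud iam roles describe <role>`; the dumps below are constructed samples
(roles/browser complete, the other two abridged).
"""
from typing import Dict, List, Optional, Set

# Constructed sample dumps. Only roles/browser is the complete listing; the real
# roles/viewer has hundreds of permissions and is truncated here on purpose.
SAMPLE_ROLE_DUMPS: Dict[str, str] = {
    "roles/browser": """description: Access to browse GCP resources.
etag: AA==
includedPermissions:
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
name: roles/browser
stage: GA
title: Browser
""",
    "roles/viewer": """description: Read access to all resources. (abridged sample)
includedPermissions:
- resourcemanager.projects.get
- resourcemanager.projects.list
- storage.buckets.list
name: roles/viewer
stage: GA
title: Viewer
""",
    "roles/storage.objectViewer": """description: Read access to objects. (abridged sample)
includedPermissions:
- storage.objects.get
- storage.objects.list
name: roles/storage.objectViewer
stage: GA
title: Storage Object Viewer
""",
}


def parse_included_permissions(dump: str) -> Set[str]:
    """Extract the includedPermissions items from a role description dump.

    Minimal parser for the YAML-like output gcloud prints: list items directly
    under the `includedPermissions:` key, one per line, prefixed with "- ".
    The list ends at the next top-level key (a non-indented, non-empty line).
    """
    perms: Set[str] = set()
    in_list = False
    for raw in dump.splitlines():
        line = raw.rstrip()
        if line.startswith("includedPermissions:"):
            in_list = True
            continue
        if in_list:
            if line.startswith("- "):
                perms.add(line[2:].strip())
            elif line and not line.startswith(" "):
                break  # next top-level key ends the list
    return perms


def roles_granting(required: Set[str], dumps: Dict[str, str]) -> List[str]:
    """Return (sorted) the roles whose permission set covers every required permission."""
    return sorted(
        role for role, dump in dumps.items()
        if required <= parse_included_permissions(dump)
    )


def least_privilege_role(required: Set[str], dumps: Dict[str, str]) -> Optional[str]:
    """Among roles covering `required`, pick the one that adds the fewest extra permissions.

    Returns None when no single role grants everything required.
    """
    candidates = roles_granting(required, dumps)
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: len(parse_included_permissions(dumps[r]) - required))


if __name__ == "__main__":
    for need in ({"storage.buckets.list"}, {"storage.objects.get"},
                 {"storage.buckets.list", "storage.objects.get"}):
        print(sorted(need), "->", roles_granting(need, SAMPLE_ROLE_DUMPS),
              "| least privilege:", least_privilege_role(need, SAMPLE_ROLE_DUMPS))
```

With real dumps, replace the sample strings with the output of `gcloud iam roles describe` for each candidate role; the same functions then tell you that roles/browser grants nothing in storage, roles/viewer lets you list but not read objects, and only an object-level role supplies storage.objects.get.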
According to the docs:
The Project Browser role has "Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project."