Bug P2
Status Update
Comments
ro...@google.com <ro...@google.com> #2
Hello,
At this moment, this is a documented limitation for the IAM conditions as mentioned over at [1]:
"The allUsers and allAuthenticatedUsers values are unsupported member types in a conditional role binding. If you specify one of these member types, the setIamPolicy operation will fail."
Could you please provide a justification for this behaviour in order to create a feature request for the appropriate product team regarding this issue.
Best regards
[1]https://cloud.google.com/iam/docs/conditions-overview#limitations
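The limitation quoted above is easy to trip over from a script, because the policy JSON is otherwise well-formed and the request only fails server-side with the error reported in the Description below ("Conditions are not allowed on public members allUsers"). The following is an added example, not code from the thread or from Google: it builds the conditional object-prefix binding the reporter wants, checks it locally against the two documented rules (policy version 3 is required for conditions; allUsers and allAuthenticatedUsers cannot carry a condition), and only then applies it with the google-cloud-storage client. Bucket, prefix and member names are placeholders. One caveat the thread does not mention is built in: `startsWith` is a plain string prefix test, so the condition is emitted with a trailing slash (`objects/public/`) so that an object named `publicity.txt` does not match.

```python
"""Added example: guard a conditional GCS IAM binding against the documented
limitation before calling setIamPolicy. Only the standard library is needed
for the checks; apply_policy() additionally needs google-cloud-storage and
credentials and is not exercised offline."""
import json

# Member types that may not appear in a conditional binding (documented limitation).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def object_prefix_condition(bucket: str, prefix: str) -> dict:
    """CEL condition restricting a binding to objects under prefix/ in bucket.

    The trailing slash matters: without it 'objects/public' would also match
    an object called 'publicity.txt'.
    """
    resource_prefix = f"projects/_/buckets/{bucket}/objects/{prefix.rstrip('/')}/"
    return {
        "title": f"only-{prefix.rstrip('/')}",
        "description": f"Objects under {prefix.rstrip('/')}/ in bucket {bucket}",
        "expression": f"resource.name.startsWith('{resource_prefix}')",
    }


def build_policy(bucket: str, member: str, prefix: str) -> dict:
    """Version-3 policy fragment with one conditional objectViewer binding."""
    return {
        "version": 3,
        "bindings": [
            {
                "role": "roles/storage.objectViewer",
                "members": [member],
                "condition": object_prefix_condition(bucket, prefix),
            }
        ],
    }


def check_policy(policy: dict) -> list:
    """Return the reasons setIamPolicy would reject this policy (empty if none)."""
    problems = []
    bindings = policy.get("bindings", [])
    has_condition = any("condition" in b for b in bindings)
    if has_condition and policy.get("version", 1) < 3:
        problems.append("policy version must be 3 when a binding carries a condition")
    for b in bindings:
        if "condition" not in b:
            continue
        for member in b["members"]:
            if member in PUBLIC_MEMBERS:
                problems.append(
                    f"{member} cannot be a member of a conditional binding ({b['role']})"
                )
    return problems


def apply_policy(bucket_name: str, policy: dict) -> None:
    """Merge the bindings into the bucket's live policy (requires credentials)."""
    problems = check_policy(policy)
    if problems:
        # Fail locally with a clear message instead of a server-side rejection.
        raise ValueError("; ".join(problems))
    from google.cloud import storage  # imported lazily: only needed here

    bucket = storage.Client().bucket(bucket_name)
    # Conditions are only returned/accepted when version 3 is requested and set.
    current = bucket.get_iam_policy(requested_policy_version=3)
    current.version = 3
    current.bindings.extend(policy["bindings"])
    bucket.set_iam_policy(current)


if __name__ == "__main__":
    # Placeholder bucket and members; the service account is a hypothetical name.
    for member in ("allUsers", "serviceAccount:app@my-project.iam.gserviceaccount.com"):
        policy = build_policy("mybucketname", member, "public")
        print(json.dumps(policy, indent=2))
        print("problems:", check_policy(policy) or "none")
```

Running the script shows the allUsers variant rejected by `check_policy` with the same reason the API gives, while the same binding for a service-account member passes; that is the behaviour the thread is asking the product team to reconsider.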
be...@matters.tech <be...@matters.tech> #3
Hello,
Thanks for the reply. I would like to set a public read access permission (allUsers) on a bucket "folder" by using an IAM condition: resource.name.startsWith('projects/_/buckets/mybucketname/objects/public')
So that a bucket could have one public "folder" and the rest private. We currently have 2 buckets (one public and one private) but our devs would appreciate the usage of only one bucket in their code. We use this behavior in our AWS stack by setting a policy on an S3 bucket like so:
    Statement = [{
      Effect    = "Allow"   # Effect and Principal shown here to complete the statement
      Principal = "*"
      Action    = "s3:GetObject"
      Resource  = ["arn:aws:s3:::bucket_name/public/*"]
    }]
ro...@google.com <ro...@google.com> #4
Hello,
Thank you for this information, the product team is currently reviewing the feature you mentioned and we will be keeping you updated through this thread regarding any update on it. Please have some patience while this is being done as there is no ETA on the resolution of this issue.
Best regards
Description
Problem you have encountered:
Whenever I try to set an IAM condition on a GCS bucket to allUsers, I get rejected by the Google API with the error "Conditions are not allowed on public members allUsers"
What you expected to happen:
Be able to add an IAM condition for "allUsers". I would like to set public read access permission (allUsers) on a bucket "folder" by using an IAM condition: resource.name.startsWith('projects/_/buckets/mybucketname/objects/public')
Steps to reproduce:
Set an IAM condition to allUsers
Other information (workarounds you have tried, documentation consulted, etc):
Is this the expected behavior and why? Is this a known issue or a feature listed in the roadmap?