Using a Google Cloud Storage (GCS) bucket is a very easy way to serve static content over HTTPS. For this to work, public read access has to be granted on the bucket's objects, and the simplest way to do that is to bind one of Google Cloud IAM's predefined roles to the special member allUsers. The access should be read-only at the public level, and the role you pick decides exactly how much "read" means.

At first glance, the role for this would seem to be Storage Object Viewer, and that's what I went with when setting up a bucket recently to serve images. That role, though, also exposes a listing of the bucket's contents: an unauthenticated GET on the bucket URL (https://storage.googleapis.com/BUCKET_NAME) returns every object name as an XML document, which is not something you want for a site that only needs to serve files it links to.

It turns out that the appropriate role is Storage Legacy Object Reader. The difference between the two roles can be seen in their permissions.

Storage Object Viewer (roles/storage.objectViewer) has both list and get permissions:

[Image: Storage Object Viewer role permissions, storage.objects.get and storage.objects.list]

whereas Storage Legacy Object Reader (roles/storage.legacyObjectReader) has just the get permission:

[Image: Storage Legacy Object Reader role permissions, storage.objects.get]

Two caveats. First, the legacy roles can only be bound on a bucket, not on a project, so this has to be set per bucket. Second, a get-only grant still lets anyone fetch an object whose name they know or can guess; it hides the index, it does not make the objects private. If you need that, the content should not be in a public bucket at all.
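The following is an added example, not code from the original post: a small audit script that takes a bucket IAM policy in the shape returned by `gsutil iam get gs://BUCKET` and reports any binding that gives allUsers or allAuthenticatedUsers a role carrying storage.objects.list, plus a helper that interprets the body of an anonymous GET on the bucket URL. The role-to-permission table is hard-coded from the public IAM role reference (assumption: it is kept in sync with that reference); the policies and XML bodies are constructed here for illustration.

```python
"""Audit a Cloud Storage bucket IAM policy for public object listing.

Added example for this post, not the author's code. ROLE_PERMISSIONS is
hard-coded from the IAM role reference (assumption: kept in sync with it);
the sample policies and XML bodies below are constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
LIST_PERMISSION = "storage.objects.list"

# Object-level permissions of the roles discussed in the post. Project-level
# resourcemanager.* permissions are omitted as irrelevant to this check.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyObjectReader": {"storage.objects.get"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
}

# Constructed policies in the shape returned by `gsutil iam get gs://BUCKET`.
POLICY_OBJECT_VIEWER = json.loads("""
{
  "bindings": [
    {"members": ["user:owner@example.com"], "role": "roles/storage.admin"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"}
  ],
  "etag": "CAE="
}
""")

POLICY_LEGACY_READER = json.loads("""
{
  "bindings": [
    {"members": ["user:owner@example.com"], "role": "roles/storage.admin"},
    {"members": ["allUsers"], "role": "roles/storage.legacyObjectReader"}
  ],
  "etag": "CAI="
}
""")

# Constructed bodies mirroring what the XML API returns for an anonymous
# GET on https://storage.googleapis.com/BUCKET with and without list access.
LISTING_BODY = """<?xml version='1.0' encoding='UTF-8'?>
<ListBucketResult xmlns='http://doc.s3.amazonaws.com/2006-03-01'>
<Name>example-static-site</Name><Prefix></Prefix><IsTruncated>false</IsTruncated>
<Contents><Key>images/hero.jpg</Key><Size>48211</Size></Contents>
<Contents><Key>images/logo.png</Key><Size>3120</Size></Contents>
</ListBucketResult>"""

DENIED_BODY = """<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>"""


def public_list_grants(policy):
    """Return the bindings that let a public principal list the bucket.

    A role that is not in ROLE_PERMISSIONS is reported as 'unknown role'
    so it gets reviewed instead of silently passing the check.
    """
    grants = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if not public:
            continue
        role = binding["role"]
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None or LIST_PERMISSION in perms:
            grants.append({
                "members": sorted(public),
                "role": role,
                "status": "unknown role" if perms is None else "grants listing",
            })
    return grants


def listing_exposed(body):
    """Interpret the body of an anonymous GET on the bucket URL.

    Returns the listed object keys when the response is a ListBucketResult
    (listing is public) and None when it is anything else, e.g. the
    AccessDenied error document returned when only objects.get is granted.
    """
    root = ET.fromstring(body)
    if root.tag.split("}")[-1] != "ListBucketResult":  # strip the namespace
        return None
    return [elem.text for elem in root.iter() if elem.tag.split("}")[-1] == "Key"]


if __name__ == "__main__":
    for name, policy in (("objectViewer", POLICY_OBJECT_VIEWER),
                         ("legacyObjectReader", POLICY_LEGACY_READER)):
        print(name, public_list_grants(policy))
    print(listing_exposed(LISTING_BODY))
    print(listing_exposed(DENIED_BODY))
```

To run it against a real bucket, feed it the output of `gsutil iam get gs://BUCKET` and, for the second check, the body of `curl -s https://storage.googleapis.com/BUCKET`. To apply the fix the post describes, remove the old binding and add the new one, rather than leaving both in place: `gsutil iam ch -d allUsers:objectViewer gs://BUCKET` followed by `gsutil iam ch allUsers:legacyObjectReader gs://BUCKET`.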

Thank you for reading, and do reach out via comments or on Twitter if you want to chat or share your thoughts.