
Issue Removing Last IAM Member from Bucket #4682

Closed
ep-tpat opened this issue Jan 2, 2018 · 13 comments
Labels
api: storage Issues related to the Cloud Storage API. backend priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

ep-tpat commented Jan 2, 2018

Please reference Issue #1210, as I was asked to open a new ticket here

In which file did you encounter the issue?
python-docs-samples/storage/cloud-client/iam.py

Did you change the file? If so, how?
No

Describe the issue
I'm trying to create a script that will remove all permissions on a bucket. The issue I'm running into is when trying to run the code below when it is the last permission/member assigned to the bucket. I have the traceback below, which is pointing to the "bucket.set_iam_policy(policy)". It seems the function errors out when there is no permission/member left when trying to set the policy. Is there a fix for this?

from google.cloud import storage

def remove_bucket_iam_member(bucket_name, role, member):
    """Remove `member` from `role` in the bucket's IAM policy."""
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    policy = bucket.get_iam_policy()
    policy[role].discard(member)  # policy[role] is the set of members bound to that role
    bucket.set_iam_policy(policy)  # fails with 400 when no binding is left (see traceback)
    print('Removed {} with role {} from {}.'.format(
        member, role, bucket_name))

Failure:

Traceback (most recent call last):
  File "/Users/epost/Library/Preferences/PyCharmCE2017.2/scratches/scratch_2.py", line 54, in <module>
    remove_bucket_reader(bucketname)
  File "/Users/epost/Library/Preferences/PyCharmCE2017.2/scratches/scratch_2.py", line 47, in remove_bucket_reader
    bucket.set_iam_policy(policy)
  File "/Users/epost/Python-Env/gcpenvironment/lib/python3.5/site-packages/google/cloud/storage/bucket.py", line 1194, in set_iam_policy
    _target_object=None)
  File "/Users/epost/Python-Env/gcpenvironment/lib/python3.5/site-packages/google/cloud/_http.py", line 293, in api_request
    raise exceptions.from_http_response(response)
google.api.core.exceptions.BadRequest: 400 PUT https://www.googleapis.com/storage/v1/b/tpat-1/iam: Must specify one or more bindings in an IAM policy.

Process finished with exit code 1

tseaver (Contributor) commented Jan 2, 2018

The GCS back-end is returning an error because it does not allow an empty IAM policy. ISTM that what you really want is to remove the policy altogether, but the GCS API docs don't show any support for that.

ep-tpat (Author) commented Jan 2, 2018

Hi @tseaver,
I'm able to remove/set the permissions in the console with no issue. With a brand new bucket, I retrieve the permissions:

$ gsutil iam get gs://test-bucket-ep
{
  "bindings": [
    {
      "members": [
        "projectEditor:allofus-buckets",
        "projectOwner:allofus-buckets"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "projectViewer:allofus-buckets"
      ],
      "role": "roles/storage.legacyBucketReader"
    }
  ],
  "etag": "CAE="
}

I then go into the console and select remove all permissions on the bucket (there are inherited permissions that allow me to still access the bucket). When I run the command a second time, all legacy permissions are gone:

$ gsutil iam get gs://test-bucket-ep
{
"etag": "CAQ="
}

It's possible in the console, but I need to automate the removal using Python when any new buckets are created.

Thanks for your help,
EP

tseaver (Contributor) commented Jan 2, 2018

Summoning @frankyn: can you tell us how the web console permits deleting the last binding in a bucket's IAM policy?

chemelnucfin added the labels "type: bug" and "priority: p2" on Jan 9, 2018

ep-tpat (Author) commented Jan 9, 2018

Hi @tseaver, @frankyn, just checking to see the status on this potential bug? Thanks for your help.

frankyn (Member) commented Jan 9, 2018

@ep-tpat and @tseaver I forwarded the question to the GCS team as I'm not sure it's possible in the UI but not using the API. Thank you for your patience!

frankyn (Member) commented Jan 9, 2018

@ep-tpat and @tseaver, it's a service-side bug with the JSON API. The team is now aware of it and an internal bug was filed. As for an ETA, that's TBD at this time.

Out of curiosity what is the end goal of this script?

ep-tpat (Author) commented Jan 10, 2018

Hi @frankyn, I'm trying to create a script that automates the removal of all these permissions since we're not using them and they're applied automatically on bucket creation. Just trying to use least privilege.
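As an added example (not code from this issue or from the python-docs-samples repository), the policy edits discussed above done on the JSON shape that `gsutil iam get` prints and that the client's `Policy.to_api_repr()` exposes: removing one member as the report's function does, stripping the auto-applied legacy bindings in one pass, and checking for the empty-policy case the API rejected. The sample policy is constructed from the report's output, the function names are hypothetical, and applying the result is the `bucket.set_iam_policy()` call from the report, not shown here.

```python
import copy

# The two roles GCS attached to the new bucket in the report, bound to the
# project convenience members (projectOwner / projectEditor / projectViewer).
LEGACY_ROLES = {"roles/storage.legacyBucketOwner",
                "roles/storage.legacyBucketReader"}

# Constructed sample, shaped like the `gsutil iam get` output in the report.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:allofus-buckets",
                     "projectOwner:allofus-buckets"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:allofus-buckets"]},
    ],
    "etag": "CAE=",
}


def remove_member(policy, role, member):
    """Return a copy of `policy` with `member` removed from `role`.

    A binding left with no members is dropped, so the write never carries
    an empty binding. The etag is kept so the service rejects the write if
    the policy changed between the get and the set (read-modify-write race).
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def strip_legacy_bindings(policy):
    """Drop every legacy convenience binding in one pass (the reporter's end goal)."""
    new_policy = copy.deepcopy(policy)
    new_policy["bindings"] = [b for b in new_policy.get("bindings", [])
                              if b["role"] not in LEGACY_ROLES]
    return new_policy


def has_bindings(policy):
    """False when the policy grants nothing; before the service-side fix the
    JSON API answered 400 'Must specify one or more bindings' for such a PUT."""
    return any(b.get("members") for b in policy.get("bindings", []))
```

Before pushing an empty policy, confirm (as the reporter did) that project-level inherited permissions still give you access to the bucket, since the bucket policy itself will grant nothing afterwards.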

frankyn (Member) commented Jan 10, 2018

Thanks for clarifying @ep-tpat.

In the meantime you could assign an unused service account with only the Storage.ObjectViewer IAM role until the bug is fixed. This is not a workaround given that you're left with a single assignment, but it does remove Owner roles from the policy.

I'll update this bug with an update when it's fixed.

ep-tpat (Author) commented Jan 16, 2018

Thanks @frankyn, appreciate your efforts.

frankyn (Member) commented Feb 13, 2018

@ep-tpat, could you try removing all IAM roles from the bucket policy again? The fix should be available now.

ep-tpat (Author) commented Feb 13, 2018

It works perfectly...thanks @frankyn!

chemelnucfin (Contributor) commented

Great to know. Please let us know if there are any more problems.

SyCode7 commented Jul 1, 2019

Was this fixed? I am having a similar issue with the Google Java API. I have already opened an issue for it here.
