Reputation: 3623
Google Storage access based on IP Address
Is there a way to give access to a Google Cloud Storage bucket based on the IP address it is coming from.
On Amazon s3, you can just set this in the access policy like this:
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
}
}
I do not want to use a signed url.
Upvotes: 20
Views: 12165
Answers (4)
Reputation: 113
I used VPC Service Controls on behalf of a client recently to attempt to accomplish this. You cannot use VPC Service Controls to whitelist an ip address on a single bucket. Jterrace is right. There is no such solution for that today. However, using VPC Service Controls you can draw a service perimeter around the Google Cloud Storage (GCS) service as a whole within a given project, then apply an access level to your service perimeter in the project to allow an ip address/ip address range access to the service (and resources within). The implications are that any new buckets created within the project will be created within the service perimeter and thus be regulated by the access levels applied to the perimeter. So you'll likely want this to be the sole bucket in this project.
Note that the service perimeter only affects services you specify. It does not protect the project as a whole.
Developer Permissions:
Steps to accomplish this:
- Use VPC Service Controls to create a service perimeter around the entire Google Cloud Storage service in the project of your choosing
- Use Access Context Manager to create access levels for ip address you want to whitelist and users/groups who will have access to the service
- Apply these access levels to the service perimeter created in the previous step (it will take 30 minutes for this change to take effect)
Note: Best practice would be to provide access to the bucket using a service account or users/groups ACL, if that is possible. I know it isn't always so.
Upvotes: 1
Reputation: 81424
The updated answers on this page are only partially correct and should not be recommended for the use case of access control to Cloud Storage Objects.
Access Context Manager (ACM) defines rules to allow access (e.g. an IP address).
VPC Service Controls create an "island" around a project and ACM rules can be attached. These rules are "ingress" rules and not "egress" rules meaning "anyone at that IP can get into all resources in the project with the correct IAM permissions".
The ACM rule specifying an IP address will allow that IP address to access all Cloud Storage Objects and all other protected resources owned by that project. This is usually not the intended result. You cannot apply an IP address rule to an object, only to all objects in a project. VPC Service Controls are designed to prevent data from getting out of a project and are NOT designed to allow untrusted anonymous users access to a project's resources.
Upvotes: 9
Reputation: 67093
UPDATE: This is now possible using VPC Service Controls
No, this is not currently possible.
There's currently a Feature request to restrict google cloud storage bucket by IP Address.
Upvotes: 8
Reputation: 2435
The VPC Service Controls [1] allow users to define a security perimeter around Google Cloud Platform resources such as Cloud Storage buckets (and some others) to constrain data within a VPC and help mitigate data exfiltration risks.
[1] https://cloud.google.com/vpc-service-controls/
Upvotes: 1
Related Questions
- Restrict a Load-Balanced Google backend bucket to a specific IP range
- Google Cloud Storage files access policy based on IP Address
- IP Restriction Google Cloud Storage
- Can I restrict which IP address can access objects in a bucket?
- Google Cloud Storage - How to limit access to specific bucket
- configure static IP for static website on google storage
- Access to cloud storage from client URL
- Google Cloud Storage static IP address
- Google Storage API Forbidden ipRefererBlocked Error
- "Whitelisting by IP Address (Server-side applications)" for Google Cloud Storage JSON API