Reputation: 6255
Is it possible to do this?
The analogous feature in AWS using IAM does support restricting access to a single bucket, but from looking at https://cloud.google.com/compute/docs/access/service-accounts it doesn't look like it is possible in GCP.
Upvotes: 10
Views: 6691
Reputation: 1293
To restrict access for a service account to a specific bucket using IAM permissions you can use gsutil:
gsutil iam ch serviceAccount:${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com:objectViewer gs://${BUCKET}
And repeat for each role you want to grant (e.g. objectAdmin).
The docs are here: Using Cloud IAM with buckets. If you need finer control on specific objects, you have to use ACLs.
Upvotes: 11
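The bucket-level grant above only limits the service account to one bucket if nothing at project level also gives it storage access (a project-wide roles/storage.* binding or a basic role such as roles/viewer applies to every bucket in the project). The following is an added example, not code from the answer or from Google: it manipulates bucket and project IAM policy documents locally in the JSON shape that `gsutil iam get gs://BUCKET` and `gcloud projects get-iam-policy` return, adds the binding idempotently, and audits whether the account's storage access is really scoped to the bucket. The policy documents, project name, bucket name and service account e-mail are constructed sample values.

```python
"""Grant and audit a bucket-scoped IAM role for one service account.

The policy documents below are CONSTRUCTED samples in the shape returned by
`gsutil iam get gs://BUCKET` and `gcloud projects get-iam-policy PROJECT`
({"bindings": [{"role": ..., "members": [...]}], "etag": ...}).
No API calls are made; the policies are edited and checked in memory only.
"""
import copy

# Constructed sample: bucket-level policy before the grant.
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
    ],
    "etag": "CAE=",
}

# Constructed sample: project-level policy. Any storage role or basic role
# granted here applies to EVERY bucket in the project, which defeats a
# bucket-only grant for the same principal.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:too-broad@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwX=",
}

STORAGE_ROLE_PREFIX = "roles/storage."
# Basic (primitive) roles include object read/write permissions project-wide.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}


def gsutil_grant_command(sa_email, bucket, short_role):
    """Build the `gsutil iam ch` command from the answer for documentation or a change ticket."""
    return f"gsutil iam ch serviceAccount:{sa_email}:{short_role} gs://{bucket}"


def add_binding(policy, member, role):
    """Return a copy of policy with member added to role; no-op if already present."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def roles_for_member(policy, member):
    """All roles the member holds directly in this policy document, sorted."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def project_wide_storage_roles(project_policy, member):
    """Roles at project level that grant storage access to all buckets."""
    return [r for r in roles_for_member(project_policy, member)
            if r.startswith(STORAGE_ROLE_PREFIX) or r in BASIC_ROLES]


def is_scoped_to_bucket(bucket_policy, project_policy, member, allowed_roles):
    """True when the member holds exactly allowed_roles on the bucket and nothing
    at project level that would extend its reach to other buckets."""
    bucket_roles = set(roles_for_member(bucket_policy, member))
    return (bucket_roles == set(allowed_roles)
            and not project_wide_storage_roles(project_policy, member))


if __name__ == "__main__":
    sa = "serviceAccount:reader@example-project.iam.gserviceaccount.com"
    print(gsutil_grant_command("reader@example-project.iam.gserviceaccount.com",
                               "example-bucket", "objectViewer"))
    granted = add_binding(BUCKET_POLICY, sa, "roles/storage.objectViewer")
    print("bucket roles:", roles_for_member(granted, sa))
    print("scoped to bucket:",
          is_scoped_to_bucket(granted, PROJECT_POLICY, sa, ["roles/storage.objectViewer"]))
```

In practice you would feed `is_scoped_to_bucket` the live output of `gsutil iam get` and `gcloud projects get-iam-policy --format=json`; the check is the part worth automating, since a later project-level grant to the same account quietly undoes the bucket restriction without touching the bucket policy at all.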
Reputation: 659
What worked for me:
1. Create a new service account.
2. Edit permissions for bucket "XYZ". Add the Legacy Bucket Reader role for the service account from point #1.
And that's all.
The biggest problem I had is that I assumed that Legacy roles are not supposed to be used...
See: https://cloud.google.com/storage/docs/access-control/iam-roles#legacy-roles
Upvotes: 0
Reputation: 2270
The Identity and Access Management (IAM) and service account permissions are the recommended methods for controlling access to your resources for a general scope; however, you should rather use Access Control Lists in case you want to customize the access scope to individual buckets and its objects.
I recommend you to take a look at the Creating and Managing Access Control Lists guide that contains detailed information about the usage of ACLs as well as the step-by-step instructions to set ACL permissions on an existing bucket.
Upvotes: 3