How to restrict a Google Service Account to a single bucket in Google Cloud Storage?

Question

Is it possible to do this?

The analogous feature in AWS using IAM does support restricting access to a single bucket, but from looking https://cloud.google.com/compute/docs/access/service-accounts it doesnt look like it is possible in GCP.

Answer 1

To restrict access for a service account to a specific bucket using IAM permissions you can use gsutil:

    gsutil iam ch serviceAccount:${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com:objectViewer gs://${BUCKET}

And repeat for each role you want to grant (eg objectAdmin).

The docs are here Using Cloud IAM with buckets. If you need finer control on specific objects, you have to use ACLs.

Answer 2

What worked for me:

1. Create a new service account.

2. Edit permissions for bucket "XYZ". Add Legacy Bucket Reader role for the service account from point #1.

And that's all.

---

The biggest problem I had is that I assumed that Legacy roles are not supposed to be used...

See: https://cloud.google.com/storage/docs/access-control/iam-roles#legacy-roles

Answer 3

The Identity and Access Management (IAM) and service account permissions are the recommended methods for controlling access to your resources for a general scope; However, you should rather use Access Control Lists in case you want to customize the access scope to individual buckets and it's objects.

I recommend you to take a look on the Creating and Managing Access Control Lists guide that contains detail information about the usage of ACLs as well as the step-by-step instructions to set ACL permissions to an existing bucket.