Gab

Reputation: 679

Google cloud storage delete only own objects

I have a bucket where multiple service accounts can upload their objects, so they have storage.objects.create, and the ACL is set to projectPrivate. But I want them to be able to overwrite (delete) only the objects they uploaded, so they don't overwrite other people's objects. All objects need to be readable by everyone. But if I give them storage.objects.delete, they can overwrite any object in this bucket.

Can I set some permission so they can delete only the items they are the creators of?

Upvotes: 1

Views: 969

Answers (3)

Deniss T.

Reputation: 2642

According to GCP documentation:

to overwrite an object, the person performing the overwrite (and is gaining ownership of the object by doing so) must have WRITER or OWNER permission on the bucket in which the object is being uploaded.

Since having the WRITER or OWNER permission on the bucket will grant access to other files within the bucket, I'm afraid that what you're asking is not possible.

However, you can use different buckets for different service accounts.

Upvotes: 2

Ashish Kumar

Reputation: 581

Excellent question. I think this will help you.

There is something called Default object ACLs:

By default, anyone who has OWNER permission or WRITER permission on a bucket can upload objects into that bucket. When you upload an object, you can provide a predefined ACL or not specify an ACL at all. If you don't specify an ACL, Cloud Storage applies the bucket's default object ACL to the object. Every bucket has a default object ACL, and this ACL is applied to all objects uploaded to that bucket without a predefined ACL or an ACL specified in the request (JSON API only). The initial value for the default object ACL of every bucket is projectPrivate.

Based on how objects are uploaded, object ACLs are applied accordingly:

Authenticated Uploads

If you make an authenticated request to upload an object and do not specify any object ACLs when you upload it, then you are listed as the owner of the object and the predefined projectPrivate ACL is applied to the object by default. This means:

  • You (the person who uploaded the object) are listed as the object owner. Object ownership cannot be changed by modifying ACLs. You can change object ownership only by overwriting an object.
  • You (the object owner) are granted OWNER permission on the object. If you attempt to give less than OWNER permission to the owner, Cloud Storage automatically escalates the permission to OWNER.
  • The project owners and project editors group have OWNER permission on the object.
  • The project team members group has READER permission on the object.

Source and more information: Click here

Upvotes: 0

Kolban

Reputation: 15266

If we look at the documentation found here:

https://cloud.google.com/storage/docs/access-control/lists#predefined-acl

We find that the ACL projectPrivate gives the user/serviceAccount permissions based on their role. However, there is an alternate ACL called private that is documented as:

Gives the bucket or object owner OWNER permission for a bucket or object, and removes all other access permissions.

If I am reading this correctly, it sounds like what you want, especially the concept that it removes all other access permissions, which I take to mean that it removes all other access permissions for OTHER users.

Upvotes: 0
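To make the documentation statements in the three answers concrete, here is an added example that is not part of the question, any answer, or Google's client library: a pure-Python model of what the `projectPrivate` and `private` predefined object ACLs expand to (per the breakdown in the second answer and the definition in the third) and of the overwrite rule quoted in the first answer (overwriting needs WRITER or OWNER on the bucket, whatever the object ACL says). The project number, service-account addresses and the mapping of "project team members" to the `project-viewers` group are constructed assumptions; the entity formats (`user-<email>`, `project-editors-<number>`, `allUsers`) are the ones Cloud Storage ACL entries use.

```python
"""Constructed model of the GCS ACL rules quoted in the answers above.

Pure standard library, no network and no google-cloud-storage client.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

AclEntry = Dict[str, str]  # {"entity": "...", "role": "READER" | "OWNER"}
# Object ACLs only use READER and OWNER; WRITER exists on buckets only.
ROLE_RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}


def predefined_object_acl(name: str, owner: str, project_number: str) -> List[AclEntry]:
    """Expand a predefined object ACL into the explicit entries it stands for.

    private:        the object owner gets OWNER, nobody else gets anything.
    projectPrivate: owner OWNER, project owners and editors OWNER, project team
                    members READER (modelled as project-viewers; assumption).
    Service accounts appear as "user-<email>" like any other account.
    """
    owner_entry = {"entity": f"user-{owner}", "role": "OWNER"}
    if name == "private":
        return [owner_entry]
    if name == "projectPrivate":
        return [
            owner_entry,
            {"entity": f"project-owners-{project_number}", "role": "OWNER"},
            {"entity": f"project-editors-{project_number}", "role": "OWNER"},
            {"entity": f"project-viewers-{project_number}", "role": "READER"},
        ]
    raise ValueError(f"unsupported predefined ACL: {name}")


def make_public(acl: List[AclEntry]) -> List[AclEntry]:
    """Add anonymous read, since the question wants every object world-readable."""
    return acl + [{"entity": "allUsers", "role": "READER"}]


@dataclass(frozen=True)
class Principal:
    email: Optional[str]                          # None = anonymous caller
    project_groups: FrozenSet[str] = frozenset()  # subset of {"owners", "editors", "viewers"}
    bucket_role: Optional[str] = None             # legacy bucket ACL role, or None


def object_role(acl: List[AclEntry], principal: Principal, project_number: str) -> Optional[str]:
    """Highest object ACL role the principal matches, or None if no entry applies."""
    entities = {"allUsers"}
    if principal.email is not None:
        entities.add("allAuthenticatedUsers")
        entities.add(f"user-{principal.email}")
    entities.update(f"project-{g}-{project_number}" for g in principal.project_groups)
    best: Optional[str] = None
    for entry in acl:
        if entry["entity"] in entities and (best is None or ROLE_RANK[entry["role"]] > ROLE_RANK[best]):
            best = entry["role"]
    return best


def can_read(acl: List[AclEntry], principal: Principal, project_number: str) -> bool:
    return object_role(acl, principal, project_number) is not None


def can_overwrite(_acl: List[AclEntry], principal: Principal, _project_number: str) -> bool:
    """Overwriting (re-uploading the same name) is decided by the bucket permission,
    not by the object's ACL: the quoted documentation requires WRITER or OWNER on the
    bucket, and any principal holding that can replace any object in it. In IAM terms
    (assumption) that is storage.objects.create plus storage.objects.delete, the
    combination described in the question.
    """
    return principal.bucket_role in ("WRITER", "OWNER")


def demo() -> Dict[str, bool]:
    """Two uploading service accounts sharing one bucket (all values constructed)."""
    project = "123456789012"
    uploader = "sa-a@example-project.iam.gserviceaccount.com"
    other_sa = Principal("sa-b@example-project.iam.gserviceaccount.com", bucket_role="WRITER")
    editor = Principal("dev@example.com", project_groups=frozenset({"editors"}))
    anonymous = Principal(None)

    project_private = make_public(predefined_object_acl("projectPrivate", uploader, project))
    private = make_public(predefined_object_acl("private", uploader, project))
    return {
        # projectPrivate hands OWNER on sa-a's object to every project editor ...
        "editor_owns_projectPrivate_object": object_role(project_private, editor, project) == "OWNER",
        # ... which the private ACL does not.
        "editor_owns_private_object": object_role(private, editor, project) == "OWNER",
        "anonymous_can_read": can_read(private, anonymous, project),
        # But sa-b only needs bucket WRITER to upload at all, and that is
        # exactly what lets it overwrite sa-a's object regardless of its ACL.
        "other_sa_can_overwrite_private_object": can_overwrite(private, other_sa, project),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Switching the default object ACL from `projectPrivate` to `private` narrows who holds OWNER on each object, but the model shows why it does not answer the question: the uploaders' own bucket-level write permission is what allows overwrite, which is the point of the first answer's suggestion to separate the service accounts into different buckets.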
