Reputation: 19412
AWS provides a way through its IAM policies to limit access from a particular user/role to a specific named resource.
For example, the following permission:

    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ]
    }

will allow all List* and Get* operations on the confidential-data bucket and its contents.
However, I could not find such an option when going through GCP's custom roles.
Now, I know that for GCS buckets (which is my use case) you can create ACLs to achieve (more or less?) the same result.
My question is, assuming I create a service account identified by [email protected] and I want this account to have read/write permissions to gs://mybucket-on-google-cloud-storage, how should I format the ACL to do this?
(for the time being, it does not matter to me whatever other permissions are inherited from the organization/folder/project)
Upvotes: 4
Views: 1501
Reputation: 2368
From documentation:
Grant the service account [email protected] WRITE access to the bucket example-bucket:
gsutil acl ch -u [email protected]:W gs://example-bucket
Grant the service account [email protected] READ access to the bucket example-bucket:
gsutil acl ch -u [email protected]:R gs://example-bucket
Upvotes: 2
Reputation: 1028
The format for the ACL is as below:

    {
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ]
        }
      ]
    }
Please refer to the Google Docs, e.g.:

    {
      "kind": "storage#policy",
      "resourceId": "projects/_/buckets/bucket_name",
      "version": 1,
      "bindings": [
        {
          "role": "roles/storage.legacyBucketWriter",
          "members": [
            "projectEditor:projectname",
            "projectOwner:projectname"
          ]
        },
        {
          "role": "roles/storage.legacyBucketReader",
          "members": [
            "projectViewer:projectname"
          ]
        }
      ],
      "etag": "CAE="
    }
Upvotes: 1
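As an added example (not code from the question or either answer), the following Python helper takes a bucket-level IAM policy document of the shape shown in the answer above, adds a `serviceAccount:<email>` binding for the account in the question, and flags any binding that makes the bucket public. The bucket name, project name and service-account address are constructed placeholders, and roles/storage.objectAdmin is a real predefined role that the page itself does not mention.

```python
"""Added example (not from the question or either answer): build and sanity-check
a bucket-level Cloud Storage IAM policy. Bucket and service-account names are
constructed; roles/storage.objectAdmin is a real predefined role not on the page."""
from copy import deepcopy

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # world-accessible member types

# Constructed policy in the shape returned by getIamPolicy (cf. the answer above).
CURRENT_POLICY = {
    "resourceId": "projects/_/buckets/mybucket-on-google-cloud-storage",
    "bindings": [
        {"role": "roles/storage.legacyBucketWriter",
         "members": ["projectEditor:example-project", "projectOwner:example-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:example-project"]},
    ],
    "etag": "CAE=",
}

def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` bound to `role` (idempotent).
    The etag is preserved: setIamPolicy must echo the etag from getIamPolicy so a
    concurrent edit is rejected instead of silently overwritten."""
    new = deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def grant_read_write(policy: dict, sa_email: str) -> dict:
    """Give a service account read/write on objects; the member needs the
    'serviceAccount:' prefix, the bare address is not a valid IAM member."""
    return add_binding(policy, "roles/storage.objectAdmin", f"serviceAccount:{sa_email}")

def roles_for(policy: dict, member: str) -> list[str]:
    """All roles `member` holds in this policy."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b["members"])

def public_roles(policy: dict) -> list[str]:
    """Roles granted to allUsers/allAuthenticatedUsers: the bucket is public if non-empty."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if PUBLIC_MEMBERS & set(b["members"]))

if __name__ == "__main__":
    updated = grant_read_write(CURRENT_POLICY, "my-sa@example-project.iam.gserviceaccount.com")
    print(roles_for(updated, "serviceAccount:my-sa@example-project.iam.gserviceaccount.com"),
          public_roles(updated))
```

The resulting document is what you would pass to the bucket's setIamPolicy call; running `public_roles` on every bucket's policy before and after a change is a cheap guard against accidentally granting allUsers.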