Google Cloud Storage: Grant User / Pass credentials per object

Question

I have a web application whose backend is deployed to Google Cloud Functions, and it uses Google Cloud Storage to store documents of end users. Users are authenticated to my application with Username and Password.

Is it possible to grant a specific read access to object on GCS for the object owner users, so that if User A owns document A on GCS, he's the only one to have access to it?

Thanks

Answer 1

Cloud IAM Conditions might be exactly what you are looking for.

With Cloud IAM Conditions, you can choose to grant resource access to identities (members) only if configured conditions are met. For example, this could be done to configure temporary access for users in the event of a production issue or to limit access to resources only for employees making requests from your corporate office.

So for each member you can configure something like this:

"condition": {
    "title": Limit access to [Dedicated VM]
    "expression": "resource.type == "compute.googleapis.com/Instance" && resource.name == [Dedicated VM]"
}

There is a limit 20 rules per person, which shouldn't matter too much in this case.

Answer 2

Currently you can only control access to buckets with either Identity and Access Management (IAM) or Access Control Lists, as you can see on the access control documentation, you can also get more details on each one at the related documentations.

What you are trying to do is not possible because either one of the options mentioned are dependent on having an google email and/or a google group email or something similar to assign the roles.

A possible workaround is what @lukaszberwid mentioned on the comments, if you have a bucket for each user their access will be independently managed, so it will probably suit your app's needs.

Hope this helps.