Evgeny

Reputation: 427

GCS limit bucket access to an existing service account

Usually there is a Compute Engine default service account that is created automatically by GCP. This account is used, for example, by VM agents to access different resources across GCP, and by default it has role/editor permissions.
Suppose I want to create a GCS bucket that can only be accessed by this default service account and no one else. I've looked into ACLs and tried to add an ACL to the bucket with this default service account's email, but it didn't really work.
I realized that I can still access the bucket and the objects in it from other accounts that have, for example, storage bucket read and storage object read permissions, and I'm not sure what I did wrong (maybe some default ACLs are present?).

My questions are:

Thanks!

Upvotes: 0

Views: 1799

Answers (2)

guillaume blaquiere

Reputation: 75715

I recommend that you not use ACLs (and so does Google). It's better to switch the bucket to a uniform IAM policy.

There are 2 bad sides of ACLs:

  • Newly created files don't get the ACL, and you need to set it every time you create a new file
  • It's difficult to know who has and who hasn't got access with ACLs. The IAM service is better for auditing.

When you switch to uniform IAM access, the Owner, Viewer, and Editor roles no longer have access to buckets (role/storage.admin isn't included in these primitive roles). It could solve all the unwanted access in one click. Otherwise, as John said, remove all the IAM permissions on the bucket and on the project that give access to the bucket, except your service account's.

Upvotes: 1

Sakshi Gatyan

Reputation: 2116

You can control access to buckets and objects using Cloud IAM and ACLs.

For example, grant the service account WRITE (R: READ, W: WRITE, O: OWNER) access to the bucket using ACLs:

gsutil acl ch -u [email protected]:W gs://my-bucket

To remove access of service account from the bucket:

gsutil acl ch -d [email protected] gs://my-bucket

If there are roles such as role/StorageAdmin among the IAM identities (at project level), they will have access to all the GCS resources of the project. You might have to change those permissions to avoid them having access.

Upvotes: 0
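As an added example (not from either answer), a small Python audit of the point both answers make: IAM bindings are easier to audit than ACLs, and project-level roles such as roles/storage.admin, or the basic roles while legacy ACLs are still on, reach the bucket unless uniform bucket-level access is enabled and the project bindings are trimmed. The policy JSON shape, the role list and the sample bindings are my assumptions, and the service account address is a placeholder.

```python
"""Audit who can reach a GCS bucket besides one intended service account.
Assumes the JSON shape printed by `gsutil iam get gs://BUCKET` and
`gcloud projects get-iam-policy PROJECT --format=json`."""
from collections import defaultdict

# Roles that reach bucket contents whether bound on the bucket or inherited
# from the project (constructed list covering the common storage roles).
STORAGE_ROLES = {
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectViewer",
    "roles/storage.objectCreator", "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter", "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectOwner", "roles/storage.legacyObjectReader",
}
# Basic roles: per the answers, they reach objects only through legacy ACLs,
# so they stop mattering once uniform bucket-level access is enabled.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies; the service account is a placeholder.
SA = "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"
BUCKET_POLICY = {"etag": "CAE=", "bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SA]},
    {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [SA, "user:bob@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
]}

def unexpected_access(bucket_policy, project_policy, allowed, uniform):
    """Map each principal other than `allowed` that can reach the bucket to
    the sorted roles granting it; project bindings are inherited by buckets."""
    found = defaultdict(set)
    for policy in (bucket_policy, project_policy):
        for binding in policy.get("bindings", []):
            role = binding["role"]
            if role in STORAGE_ROLES or (role in BASIC_ROLES and not uniform):
                for member in binding["members"]:
                    if member != allowed:
                        found[member].add(role)
    return {m: sorted(r) for m, r in sorted(found.items())}

def minimal_bucket_policy(bucket_policy, allowed, role="roles/storage.objectAdmin"):
    """Bucket policy keeping only the intended service account (input for
    `gsutil iam set`); the etag is carried over for the conditional update."""
    policy = {"bindings": [{"role": role, "members": [allowed]}]}
    if "etag" in bucket_policy:
        policy["etag"] = bucket_policy["etag"]
    return policy
```

Run it against the real output of `gsutil iam get` and `gcloud projects get-iam-policy` to list every principal that still needs a binding removed at bucket or project level.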
