Noam Manyfler

Reputation: 61

Restrict Storage Admins from specific GCS bucket

Can I restrict users/service accounts with roles/storageAdmin permission from a specific GCS Bucket?

I have a sensitive bucket that should be writable only from a specific service account, and restrict write permissions from all other accounts, even from storage admins.

I've tried setting the permissions to unified instead of ACL, with the following IAM set on the bucket:

{
  "bindings": [
    {
      "members": [
        "serviceAccount:[email protected]"
      ],
      "role": "roles/storage.objectAdmin"
    },
    {
      "members": [
        "group:[email protected]"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "etag": "abcd"
}

Some of my team members have the roles/storageAdmin role, and they can also write to the bucket - which I need to restrict.

Upvotes: 1

Views: 1546
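An added example, not code from the question or the answer: a small offline audit that lists which members can write to a bucket by reading the bucket's IAM policy together with the policies it inherits from, run here on constructed sample policies whose addresses are placeholders.

```python
"""Audit which principals can write objects in a GCS bucket from IAM policy
JSON (as printed by `gsutil iam get`). Added example, not code from the
question or the answer; it runs offline on the constructed samples below,
whose addresses are placeholders."""

# Predefined roles that allow creating or overwriting objects. A starting
# list (assumption), not exhaustive: custom roles are not recognised by name.
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}


def writers(policies):
    """Map each member to the write roles it holds across all policies.

    Pass the bucket policy first, then the policies it inherits from
    (project, folders, organization): a project-level roles/storage.admin
    grant never appears in the bucket's own policy, which is why the
    storage admins in the question can still write to the bucket.
    """
    found = {}
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding.get("role") in WRITE_ROLES:
                for member in binding.get("members", []):
                    found.setdefault(member, set()).add(binding["role"])
    return found


def unexpected_writers(policies, allowed):
    """Writers that are not in the allowed set of members."""
    return {m: r for m, r in writers(policies).items() if m not in allowed}


# Constructed sample policies shaped like the bucket policy in the question.
SA = "serviceAccount:writer@example-project.iam.gserviceaccount.com"
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SA]},
    {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
]}

if __name__ == "__main__":
    for m, r in unexpected_writers([BUCKET_POLICY, PROJECT_POLICY], {SA}).items():
        print(f"unexpected writer {m}: {sorted(r)}")
```

Feed it the real bucket policy plus the project policy and the group holding the project-level admin role shows up as an unexpected writer, even though the bucket policy alone looks correct.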

Answers (1)

Andres Fiesco Casasola

Reputation: 801

At the bucket level, there are uniform bucket-level access, Identity and Access Management (IAM) and Access Control List (ACL). If you want to avoid creating GCP accounts for the users, then try Access Control List (ACL).

If you want to regulate the access each user has within the bucket, you should try Access Control List (ACL).

An access control list (ACL) is a mechanism you can use to define who has access to your buckets and objects, and what level of access they have. In Cloud Storage, you apply ACLs to individual buckets and objects. Each ACL consists of one or more entries. An entry gives a specific user (or group) the ability to perform specific actions. Each entry consists of two pieces of information:

- A permission, which defines what actions can be performed (for example, read or write).
- A scope (sometimes referred to as a grantee), which defines who can perform the specified actions (for example, a specific user or group of users).

Here is a list of the accesses that can be granted:


Upvotes: 0
