Reputation: 6779
I would like to know the exact permissions needed by a service account to be able to generate signed URLs (GET and PUT) on any object in a specific bucket, B1. A Terraform script is welcome. Currently I just use the default App Engine service account, which has a lot of extra permissions.
Upvotes: 4
Views: 3095
Reputation: 6779
To generate a GET signed URL, your service account needs to have the storage.objects.get permission.
To generate a PUT signed URL, your service account needs to have the storage.objects.create permission.
So ideally I would create a new role, generate_signed_url, and grant these 2 permissions on that role. Then assign that role to the service account that's being used to generate a signed URL.
Upvotes: 4
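The custom role and binding described in the answer, written out as a Terraform configuration since the question asked for one. This is an added example, not code from the question or the answer. It assumes a `var.project_id` variable, a dedicated service account named `url-signer` (created here rather than reusing the App Engine default), and that the bucket is literally named `B1`; it also assumes the signing code holds the service account's own private key (for example a downloaded JSON key), so no extra IAM signing permission is modelled. The role is bound at bucket level only, so the account gets no object access anywhere else in the project.

```hcl
# Project that owns the custom role and the bucket (assumed variable).
variable "project_id" {
  type        = string
  description = "GCP project containing bucket B1"
}

# Custom role carrying only the two permissions the answer names.
# Granting this instead of roles/storage.objectAdmin (or the App Engine
# default account's broad grants) keeps the signer least-privilege.
resource "google_project_iam_custom_role" "generate_signed_url" {
  project     = var.project_id
  role_id     = "generate_signed_url"
  title       = "Generate signed URL"
  description = "Minimal permissions to sign GET and PUT URLs for objects"
  permissions = [
    "storage.objects.get",    # needed for GET signed URLs
    "storage.objects.create", # needed for PUT signed URLs
  ]
}

# Dedicated service account used only for URL signing (assumed name).
resource "google_service_account" "url_signer" {
  project      = var.project_id
  account_id   = "url-signer"
  display_name = "Signed URL generator"
}

# Bind the custom role on bucket B1 only, not at project level, so the
# account cannot read or write objects in any other bucket.
resource "google_storage_bucket_iam_member" "b1_signer" {
  bucket = "B1" # bucket name from the question
  role   = google_project_iam_custom_role.generate_signed_url.id
  member = "serviceAccount:${google_service_account.url_signer.email}"
}

# Handy for wiring the account into whatever generates the URLs.
output "signer_service_account_email" {
  value = google_service_account.url_signer.email
}
```

After `terraform apply`, verify the effective grant with `gcloud storage buckets get-iam-policy gs://B1` and confirm the only binding for the signer is the custom role; if the signed URLs are to be produced via the IAM signBlob API rather than a local private key, the signer additionally needs a token-creator style grant on itself, which is outside what this configuration sets up.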