AWS provides a way through its IAM policies to limit access from a particular user/role to a specific named resource.

For example, the following permission:

    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ]
    }

will allow all List* and Get* operations on the confidential-data bucket and its contents.

However, I could not find such an option when going through GCP's custom roles.

Now, I know that for GCS buckets (which is my use case) you can create ACLs to achieve (more or less?) the same result.

My question is, assuming I create a service account identified by someone@myaccount-googlecloud.com and I want this account to have read/write permissions to gs://mybucket-on-google-cloud-storage, how should I format the ACL to do this?

(for the time being, it does not matter to me whatever other permissions are inherited from the organization/folder/project)

Maxim
pkaramol

2 Answers

From documentation:

Grant the service account foo@developer.gserviceaccount.com WRITE access to the bucket example-bucket:

    gsutil acl ch -u foo@developer.gserviceaccount.com:W gs://example-bucket

Grant the service account foo@developer.gserviceaccount.com READ access to the bucket example-bucket:

    gsutil acl ch -u foo@developer.gserviceaccount.com:R gs://example-bucket
sllopis

The format for the ACL is as below:

    {
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ]
        }
      ]
    }

Please refer to the Google Docs.

e.g.

    {
      "kind": "storage#policy",
      "resourceId": "projects/_/buckets/bucket_name",
      "version": 1,
      "bindings": [
        {
          "role": "roles/storage.legacyBucketWriter",
          "members": [
            "projectEditor:projectname",
            "projectOwner:projectname"
          ]
        },
        {
          "role": "roles/storage.legacyBucketReader",
          "members": [
            "projectViewer:projectname"
          ]
        }
      ],
      "etag": "CAE="
    }
Vikram Shinde
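Tying the two answers to the question's own case: the first answer grants access through legacy ACLs with `gsutil acl ch`, the second shows the bucket IAM policy JSON. The following added Python example (not from either answer, the asker, or Google's tooling) takes a policy in that JSON shape and binds the question's service account to bucket-level roles idempotently, keeping the etag so a stale policy is rejected when it is written back. The sample policy, bucket and project names are constructed placeholders, and the choice of `roles/storage.objectViewer` plus `roles/storage.objectCreator` as the "read/write" pair is an assumption.

```python
import copy
import json

# Constructed sample policy in the shape `gsutil iam get gs://BUCKET` prints
# (bucket and project names are placeholders, not real resources).
CURRENT_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/mybucket-on-google-cloud-storage",
    "version": 1,
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:myproject", "projectOwner:myproject"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "CAE=",  # kept so a stale policy is rejected on `gsutil iam set`
}

# Assumed least-privilege pair for "read and write objects": objectViewer
# (get/list) plus objectCreator (create). Neither lets the account delete or
# overwrite objects; use roles/storage.objectAdmin only if that is really needed.
READ_WRITE_ROLES = ("roles/storage.objectViewer", "roles/storage.objectCreator")


def grant_service_account(policy, service_account, roles=READ_WRITE_ROLES):
    """Copy of `policy` with the service account bound to each role; idempotent."""
    if "@" not in service_account or ":" in service_account:
        raise ValueError("pass a bare service-account e-mail, without a member prefix")
    member = f"serviceAccount:{service_account}"  # GCS IAM member syntax
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for role in roles:
        binding = next((b for b in bindings if b["role"] == role), None)
        if binding is None:  # role not yet present: create its binding
            binding = {"role": role, "members": []}
            bindings.append(binding)
        if member not in binding["members"]:
            binding["members"].append(member)
    return new_policy


def members_of(policy, role):
    """Members bound to `role` in `policy`, or [] if the role is absent."""
    return next((b["members"] for b in policy["bindings"] if b["role"] == role), [])


if __name__ == "__main__":
    updated = grant_service_account(CURRENT_POLICY, "someone@myaccount-googlecloud.com")
    print(json.dumps(updated, indent=2))  # save as policy.json, then: gsutil iam set policy.json gs://BUCKET
```

Writing the printed JSON back with `gsutil iam set` replaces the whole bucket policy, which is why the function starts from the fetched policy and only appends to it rather than building bindings from scratch.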