
gcp Cloud Storage permission

ghdrako edited this page Jan 13, 2023 · 1 revision

Uniform bucket-level access allows you to use Identity and Access Management (IAM) alone to manage permissions; object ACLs are disabled on such a bucket. IAM applies permissions to all the objects contained inside the bucket, or to groups of objects with common name prefixes (by putting an IAM Condition on the object name). IAM also allows you to use features that are not available when working with ACLs, such as IAM Conditions and **Cloud Audit Logs**.

For the transporter service account, the least-privilege role is roles/storage.objectCreator (upload only). The binding below grants roles/storage.objectAdmin instead, which additionally allows listing, reading, overwriting and deleting objects. Note also that google_storage_bucket_iam_binding is authoritative for its role: any other member that held objectAdmin on this bucket is removed on apply.

```hcl
resource "google_storage_bucket_iam_binding" "transporter_iam_binding" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  role   = "roles/storage.objectAdmin"
  members = [
    "serviceAccount:pko-sa-transporter-rw@lab-biz-acp-gcp-pr.iam.gserviceaccount.com",
  ]
}
```

Using uniform bucket-level access

```shell
# Enable
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME
# View
gsutil uniformbucketlevelaccess get gs://BUCKET_NAME
```

Enabling it disables every object ACL on the bucket, so principals that only had access through an ACL lose it. It can be switched off again only within 90 days of enabling; after that the change is permanent, so check with `gsutil iam get` that every principal you still need is in the bucket IAM policy before turning it on.


```shell
# Adding a member to a bucket-level policy
gsutil iam ch MEMBER_TYPE:MEMBER_NAME:IAM_ROLE gs://BUCKET_NAME

# Viewing the IAM policy for a bucket
gsutil iam get gs://BUCKET_NAME

# Removing a member from a bucket-level policy
gsutil iam ch -d MEMBER_TYPE:MEMBER_NAME gs://BUCKET_NAME

# Examples
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]            # makes every object publicly readable
gsutil iam ch user:akepka@o2.pl:objectCreator gs://[BUCKET_NAME]
gsutil iam ch group:reader@example.com:objectCreator gs://[BUCKET_NAME]
```

Predefined Cloud Storage roles can be given by their short name (objectViewer, objectCreator, objectAdmin, admin, ...); a custom role must be given by its full name, e.g. projects/PROJECT_ID/roles/CustomRoleName or organizations/ORG_ID/roles/CustomRoleName. `allUsers` grants access to anyone on the internet without authentication; `allAuthenticatedUsers` grants it to anyone with any Google account, which is not meaningfully less public.

```shell
# Export IAM policy to file
gsutil iam get gs://[BUCKET_NAME] > bucket_iam.txt
gsutil iam get gs://[BUCKET_NAME]/[PATH TO FILE] > object_iam.txt   # object-level policy; only available while ACLs are enabled
```
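As an added example (not from this wiki and not part of gsutil), the following Python script audits a policy file exported as above and produces a corrected policy that can be handed back to `gsutil iam set`. The embedded sample policy is constructed to look like `gsutil iam get` output for the page's bucket and transporter service account; which roles count as "broad" and the severities are this example's own choices.

```python
"""Audit a bucket IAM policy exported with `gsutil iam get gs://BUCKET > bucket_iam.txt`
and produce a corrected policy for `gsutil iam set`."""
import json
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let a member delete or overwrite objects (or rewrite the policy itself).
# This set is the example's own choice of what counts as "broad".
BROAD_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.legacyBucketOwner",
}

# Convenience members that Cloud Storage puts on every new bucket
# (projectOwner/projectEditor -> legacyBucketOwner, projectViewer -> legacyBucketReader).
CONVENIENCE_PREFIXES = ("projectOwner:", "projectEditor:", "projectViewer:")

TRANSPORTER = "serviceAccount:pko-sa-transporter-rw@lab-biz-acp-gcp-pr.iam.gserviceaccount.com"

# Constructed sample in the shape `gsutil iam get` prints; not real output.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:lab-biz-acp-gcp-pr", "projectOwner:lab-biz-acp-gcp-pr"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:lab-biz-acp-gcp-pr"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": [TRANSPORTER]},
    ],
    "etag": "CAE=",
})

Finding = Tuple[str, str, str, str]  # (severity, role, member, reason)


def load_policy(text: str) -> dict:
    """Parse the exported JSON; tolerate a policy with no bindings at all."""
    policy = json.loads(text)
    policy.setdefault("bindings", [])
    return policy


def audit_policy(policy: dict, expected: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Flag public members, broad roles, and members holding a role other than `expected`."""
    expected = expected or {}
    findings: List[Finding] = []
    for binding in policy["bindings"]:
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "public access"))
            if role in BROAD_ROLES:
                severity = "LOW" if member.startswith(CONVENIENCE_PREFIXES) else "MEDIUM"
                findings.append((severity, role, member, "can delete or overwrite objects"))
            want = expected.get(member)
            if want is not None and role != want:
                findings.append(("MEDIUM", role, member, f"expected only {want}"))
    return findings


def _rewrite(policy: dict, new_members: Callable[[dict], List[str]]) -> dict:
    """Rebuild bindings with new_members(binding) applied. Empty bindings are dropped and
    the etag is kept so the result can be handed straight back to `gsutil iam set`."""
    out = {k: v for k, v in policy.items() if k != "bindings"}
    out["bindings"] = []
    for binding in policy["bindings"]:
        members = new_members(binding)
        if members:
            out["bindings"].append({**binding, "members": members})
    return out


def remove_public_access(policy: dict) -> dict:
    """Copy of the policy with allUsers/allAuthenticatedUsers dropped from every binding."""
    return _rewrite(policy, lambda b: [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS])


def set_member_role(policy: dict, member: str, role: str) -> dict:
    """Copy of the policy in which `member` holds exactly `role` (unconditioned) and nothing else."""
    def members_of(binding: dict) -> List[str]:
        members = [m for m in binding.get("members", []) if m != member]
        if binding["role"] == role and "condition" not in binding:
            members.append(member)
        return members

    out = _rewrite(policy, members_of)
    if not any(b["role"] == role and "condition" not in b for b in out["bindings"]):
        out["bindings"].append({"role": role, "members": [member]})
    return out


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for finding in audit_policy(policy, {TRANSPORTER: "roles/storage.objectCreator"}):
        print(*finding)
    fixed = set_member_role(remove_public_access(policy), TRANSPORTER, "roles/storage.objectCreator")
    print(json.dumps(fixed, indent=2))  # save and apply with: gsutil iam set fixed.json gs://BUCKET_NAME
```

Run it against a real export by replacing `SAMPLE_POLICY` with the contents of `bucket_iam.txt`. The `expected` map is the place to encode what each workload is supposed to hold, so a later `gsutil iam ch` that quietly widened a service account shows up as a finding rather than being discovered in an incident.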

Terraform

Using IAM

The google provider offers three resources for a bucket's IAM policy. Do not mix them on the same bucket: google_storage_bucket_iam_policy cannot be combined with the other two, and google_storage_bucket_iam_binding can be combined with google_storage_bucket_iam_member only when they do not touch the same role; otherwise each apply undoes the other's changes.

  • Authoritative. google_storage_bucket_iam_policy sets the IAM policy for the bucket and replaces any existing policy already attached, including the project convenience bindings and anything granted with gsutil.
```hcl
data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.admin"
    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = google_storage_bucket.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
```
  • Authoritative for a given role. google_storage_bucket_iam_binding updates the IAM policy to grant a role to a list of members; members not in the list lose that role. Other roles within the IAM policy for the bucket are preserved.
```hcl
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  members = [
    "user:jane@example.com",
  ]
}
```
  • Non-authoritative. google_storage_bucket_iam_member updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.
```hcl
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:jane@example.com"
}
```

Using ACL

ACLs only work on buckets where uniform bucket-level access is disabled; on a uniform bucket these resources fail to apply.

  • ACLs can be managed non-authoritatively with google_storage_bucket_access_control (one rule per resource). The first rule below makes the whole bucket world-readable.
```hcl
resource "google_storage_bucket_access_control" "public_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers"
}

# Service accounts are addressed in ACLs as user-EMAIL. A bucket ACL WRITER can list,
# create, overwrite and delete objects, so this is wider than roles/storage.objectCreator.
resource "google_storage_bucket_access_control" "transporter_rule" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  role   = "WRITER"
  entity = "user-pko-sa-transporter-rw@lab-biz-acp-gcp-pr.iam.gserviceaccount.com"
}
```

  • google_storage_bucket_acl authoritatively manages a bucket's ACLs: entries not listed in role_entity are removed.
```hcl
resource "google_storage_bucket_acl" "image-store-acl" {
  bucket = google_storage_bucket.image-store.name

  role_entity = [
    "OWNER:user-my.email@gmail.com",
    "READER:group-mygroup",
  ]
}
```

IAM roles for Cloud Storage

https://cloud.google.com/storage/docs/access-control/iam-roles

Predefined roles:

  • Storage Object Creator (roles/storage.objectCreator) Allows users to create objects. Does not give permission to view, delete, or replace objects.
  • Storage Object Viewer (roles/storage.objectViewer) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
  • Storage Object Admin (roles/storage.objectAdmin) Grants full control over objects, including listing, creating, viewing, and deleting objects.
