gcp Cloud Storage permission
ghdrako edited this page Jan 13, 2023
Uniform bucket-level access allows you to use Identity and Access Management (IAM) alone to manage permissions. IAM applies permissions to all the objects contained inside the bucket or to groups of objects with common name prefixes. IAM also allows you to use features that are not available when working with ACLs, such as IAM Conditions and **Cloud Audit Logs**.
For the transporter:

roles/storage.objectCreator

```hcl
# Binds a single role to the transporter service account on the bucket.
# Note that this binding grants objectAdmin (list/create/view/delete),
# which is broader than the objectCreator role named above.
resource "google_storage_bucket_iam_binding" "transporter_iam_binding" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  role   = "roles/storage.objectAdmin"
  members = [
    "serviceAccount:pko-sa-transporter-rw@lab-biz-acp-gcp-pr.iam.gserviceaccount.com",
  ]
}
```
```shell
# Enable uniform bucket-level access
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME
# View the current setting
gsutil uniformbucketlevelaccess get gs://BUCKET_NAME
# Adding a member to a bucket-level policy
gsutil iam ch MEMBER_TYPE:MEMBER_NAME:IAM_ROLE gs://BUCKET_NAME
# Viewing the IAM policy for a bucket
gsutil iam get gs://BUCKET_NAME
# Removing a member from a bucket-level policy
gsutil iam ch -d MEMBER_TYPE:MEMBER_NAME gs://BUCKET_NAME
# Examples
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]
gsutil iam ch user:akepka@o2.pl:objectCreator gs://[BUCKET_NAME]
gsutil iam ch group:reader@example.com:objectCreator gs://[BUCKET_NAME]
# IAM_ROLE can be a shorthand predefined role or a custom role:
# objectViewer, objectCreator, roles/CustomRoleName
# Export IAM policy to file
gsutil iam get gs://[BUCKET_NAME] > bucket_iam.txt
gsutil iam get gs://[BUCKET_NAME]/[PATH TO FILE] > object_iam.txt
```
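An exported policy file is only useful if someone reads it. The following is an added example, not part of the original wiki page: it parses the JSON that `gsutil iam get` writes and flags bindings that expose a bucket publicly or grant a role allowing object overwrite or deletion. The sample policy is constructed inline; the project and account names in it are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape `gsutil iam get gs://BUCKET` writes to
# bucket_iam.txt: a list of role -> members bindings plus an etag.
# Names are placeholders, not a real bucket's policy.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:transporter@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectCreator", "members": ["group:uploaders@example.com"]},
    ],
    "etag": "CAE=",
})

# Principals that make the binding reachable by anyone on the internet (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that allow replacing or deleting objects, unlike objectCreator / objectViewer.
BROAD_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin"}


def audit_bucket_policy(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per risky member in the policy, in binding order."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "reason": "public principal"})
            elif role in BROAD_ROLES:
                findings.append({"severity": "medium", "role": role, "member": member,
                                 "reason": "role allows overwrite/delete"})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_POLICY with open("bucket_iam.txt").read() to audit a real export.
    for f in audit_bucket_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['reason']}")
```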
- Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached.

```hcl
data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.admin"
    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = google_storage_bucket.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
```
- Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the bucket are preserved.

```hcl
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  members = [
    "user:jane@example.com",
  ]
}
```
- Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.

```hcl
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:jane@example.com"
}
```
- ACLs can be managed non-authoritatively:

```hcl
# Grants READ to everyone on the internet; only use on buckets meant to be public.
resource "google_storage_bucket_access_control" "public_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers"
}

# Same resource type for the transporter service account (renamed so it does not
# collide with "public_rule" above). The bucket name must be a quoted string and the
# ACL entity for an account uses the "user-" prefix, as in the role_entity example below.
resource "google_storage_bucket_access_control" "transporter_rule" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  role   = "WRITER"
  entity = "user-pko-sa-transporter-rw@lab-biz-acp-gcp-pr.iam.gserviceaccount.com"
}
```
- Authoritatively manages a bucket's ACLs:

```hcl
resource "google_storage_bucket_acl" "image-store-acl" {
  bucket = google_storage_bucket.image-store.name
  role_entity = [
    "OWNER:user-my.email@gmail.com",
    "READER:group-mygroup",
  ]
}
```
https://cloud.google.com/storage/docs/access-control/iam-roles
Predefined roles:
- Storage Object Creator (roles/storage.objectCreator) Allows users to create objects. Does not give permission to view, delete, or replace objects.
- Storage Object Viewer (roles/storage.objectViewer) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
- Storage Object Admin (roles/storage.objectAdmin) Grants full control over objects, including listing, creating, viewing, and deleting objects.
Test