Authorize Google Cloud Platform Service Account to Access Only One Google Cloud Storage Bucket

Asked 4/12, 2019 at 13:14 Answered 27/6, 2023 at 6:25

google-cloud-platform google-cloud-storage gsutil google-cloud-iam

I have created a Google Cloud Platform service account, $GCP_SERVICE_ACCOUNT, with the Storage Admin (roles/storage.admin) role.

Now I wish to restrict this account so that it can only access a specific Google Cloud Storage (GCS) Bucket ($GCS_BUCKET_NAME).

The problem now is that $GCP_SERVICE_ACCOUNT has access to all GCS Buckets. I can't remove $GCP_SERVICE_ACCOUNT from other GCS Buckets because roles/storage.admin is inherited.

What should I do?

Solo answered 4/12, 2019 at 13:14 Comment(1)

Did you solve your problem? – Ronironica 23/3, 2021 at 11:45

You can restrict the access for a service account to a specific bucket using Cloud IAM.

This is the gsutil command you can use:

gsutil iam ch serviceAccount:[email protected]:objectAdmin gs://my-project/my-bucket

for custom roles use

gsutil iam ch serviceAccount:[email protected]:projects/{your_project_id}/roles/{your_custom_role_id} gs://my-bucket

To remove a service account from all roles on a bucket:

gsutil iam ch -d serviceAccount:[email protected] gs://my-project/my-bucket

Or you can control access to buckets and objects using ACLs.

For example grant the service account WRITE (R: READ,W: WRITE,O: OWNER) access to the bucket:

gsutil acl ch -u [email protected]:W gs://my-project/my-bucket

To remove access of service account from the bucket:

gsutil acl ch -d [email protected] gs://my-project/my-bucket

I would suggest to remove the access of the service account from the buckets. Then grant access to a specific bucket.

Ringleader answered 4/12, 2019 at 13:36 Comment(9)

Thanks for the response. Will this remove the access to other buckets? the sa user already is an object admin of the bucket gs://my-project/my-bucket – Solo 4/12, 2019 at 13:40

I understand that you want to remove the access of the service account to all the buckets and then assign it only to a specific bucket. – Ringleader 4/12, 2019 at 13:49

Correct. I tried the first gsutil command but this doesnt remove the access to other buckets. – Solo 4/12, 2019 at 13:54

ok I see your update. Will I have to run this for every bucket I want to remove the sa?: " gsutil iam ch -d serviceAccount:[email protected]:objectAdmin gs://my-project/my-bucket" – Solo 4/12, 2019 at 14:12

Ok so I ran this on another bucket where I want to remove the user but nothing happens. "gsutil iam ch -d serviceAccount:[email protected]:objectAdmin gs://my-project/my-other-bucket" – Solo 4/12, 2019 at 14:23

It typically takes about a minute for revoking access to take effect.I had a typo, can you use the command again ? – Ringleader 4/12, 2019 at 14:45

"You can restrict the access for a service account to a specific bucket" this does not seem to be true. Existing service accounts with the storage admin role will still have access to this bucket after the gsutil iam ch... command. – Winfrid 20/1, 2021 at 12:8

can this be done without gsutil? its utterly bizarre that some of these tasks depend on gsutils :( – Practiced 5/5, 2021 at 12:49

the gs://my-project/my-bucket seems wrong, at least to me. BucketNotFoundException: 404 gs://my-project-id bucket does not exist. – Monophagous 6/4 at 10:8

I had the same problem.

Delete all your service account that are not supposed to have access on ALL buckets of your project.
Create a new service account "my_user" in "IAM -> Service Accounts". Do NOT give it any right during creation (this would allow access to ALL buckets of the project as you described in your question)
Give the new service account rights in the bucket:

gsutil iam ch serviceAccount:my_user@my_project.iam.gserviceaccount.com:roles/storage.objectViewer gs://my_bucket

(I was not able to do this using the GCP UI)

Replace my_user, my_project and my_bucket. "storage.objectViewer" gives the user the right to read objects.

Warning: it takes some time until you do see this "right" in "bucket -> Permissions", you also see it in the output of "gsutil iam get gs://my-bucket"!? When and if you see it was not fully reproducable to me.

Due to my test the service account now has only access to this bucket and not to the other buckets in the project.

Ronironica answered 23/3, 2021 at 16:11 Comment(0)

This is how I achieve this via the Cloud IAM conditions.

Say I want to restrict permissions for a service account (my-account-name) to upload objects to only one bucket (my-bucket-name).

Go to IAM > Service Accounts
Click on "+ CREATE SERVICE ACCOUNT"
Given the the service account name of "my-account-name" and the descriptions of "Only upload to my-bucket-name", then click "CREATE AND CONTINUE"
Under the section of "Grant this service account access to project"

4a. assign role Storage Object Viewer with condition editor of resource.name.startsWith("projects/_/buckets/my-bucket-name")

4b. assign role Storage Object Creator with condition editor of resource.name.startsWith("projects/_/buckets/my-bucket-name")

Waitress answered 27/6, 2023 at 6:25 Comment(0)

Recommended topics

Hot tags