0
votes

I plan to run hundreds of websites within one Google Cloud Platform project (using GKE). Each of them will use two Google Cloud Storage buckets for storing its assets.

I planned to create one service account for every website in order to grant access to only its own respective buckets. However, there's a limit of 100 service accounts per project, which apparently can't be raised.

How can I make sure that each website only has access to the buckets (or sub paths in a bucket) which it is allowed to see?

1
Why not just create hundreds of projects with one website per project instead of hundreds of websites under one project? - Robin-Hoodie
@NexusDuck The websites need to reside in one Kubernetes cluster in order to optimize resource (compute instance) usage. But thinking about it, a way might be to create a project for each website and only use it for the buckets. Not optimal, but doable. - Robert Lemke
In the meantime I have found a hint in Google's FAQ, that the service accounts limit might be raised if you ask politely: "Contact your account manager if you need to create more than 100 service accounts in a project." - Robert Lemke
If you can't overcome the Service Account limitation, you can still proxy data access through a single central service that uses 1 service account and implements access control itself. - sw0rdf1sh

1 Answer

1
votes

We have a similar use-case and I believe I've found a solution for this problem. The key is that service accounts from other projects can be given access to buckets of your GCS-enabled project.

Basically you'll use two kinds of GCP projects:

  • One main project that holds all the data (GCS buckets) and whatever shared resources you have, like Compute Engine VMs or App Engine services
  • Multiple other projects that only hold service accounts, 100 each

The service accounts from the second type of "user pool" projects can be given access to the buckets of your data project with a fine granularity (1 service account -> 1 bucket). When the last user pool is close to the 100 limit, just create a new project and start adding new service accounts there.
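The provisioning described in this answer, as an added example that is not part of the original post or of any Google tooling: one script that picks the "user pool" project for the Nth website, creates that website's service account there, and binds it to exactly its two buckets in the data project. The project IDs (`assets-data-prod`, `sa-pool-1`, `sa-pool-2`, ...), the bucket naming scheme (`<site>-public-assets`, `<site>-private-assets`), the role (`roles/storage.objectAdmin`) and the assumption that pools are filled sequentially are all hypothetical; it runs with `DRY_RUN=1` by default and only prints the `gcloud` and `gsutil` commands it would execute.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer). Per-website service accounts
# live in "user pool" projects (<= 100 each); buckets live in DATA_PROJECT.
# Assumptions: project IDs, bucket names, role and sequential pool fill are
# hypothetical. DRY_RUN=1 (default) prints commands instead of running them.
set -eu

DATA_PROJECT="${DATA_PROJECT:-assets-data-prod}"  # project that owns the buckets
POOL_PREFIX="${POOL_PREFIX:-sa-pool}"             # pool projects: sa-pool-1, sa-pool-2, ...
POOL_CAPACITY="${POOL_CAPACITY:-100}"             # per-project service-account limit from the question
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Email of the service account for website slug $1 living in pool project $2.
sa_email() {
  printf 'site-%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Pool project for the Nth website (1-based). Pools fill sequentially, so
# websites 1..100 -> sa-pool-1, 101..200 -> sa-pool-2, and so on.
pool_for_index() {
  printf '%s-%d\n' "$POOL_PREFIX" $(( ( $1 - 1 ) / POOL_CAPACITY + 1 ))
}

# Live count of service accounts in pool project $1 (needs gcloud; use it to
# verify a pool really has room before relying on the index arithmetic above).
pool_count() {
  gcloud iam service-accounts list --project="$1" --format='value(email)' | wc -l
}

# Create the account in pool project $2 and grant it its two buckets in
# DATA_PROJECT. Nothing else in DATA_PROJECT gets a binding, so the website
# cannot read another site's assets. Prints the account email last.
provision_site() {
  site="$1"
  pool="$2"
  email="$(sa_email "$site" "$pool")"
  run gcloud iam service-accounts create "site-$site" \
      --project="$pool" --display-name="Assets SA for $site"
  for bucket in "${site}-public-assets" "${site}-private-assets"; do
    # Cross-project binding: the member is in $pool, the bucket in $DATA_PROJECT.
    run gsutil iam ch "serviceAccount:${email}:roles/storage.objectAdmin" "gs://${bucket}"
  done
  printf '%s\n' "$email"
}

# Usage: DRY_RUN=0 ./provision.sh acme 137   (137th website -> sa-pool-2)
if [ "$#" -ge 2 ]; then
  provision_site "$1" "$(pool_for_index "$2")"
fi
```

Keep the pool projects free of anything but service accounts: if a website's account is ever compromised, its blast radius is then exactly the two bucket bindings it holds, and deleting the account in the pool project revokes them. Before provisioning into a pool, compare `pool_count` with `POOL_CAPACITY` rather than trusting the index arithmetic alone, since deleted or manually created accounts shift the count.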