I want to give a service account read-only access to every bucket in my project. What is the best practice for doing this?

The answers here suggest one of:

  • creating a custom IAM policy
  • assigning the Legacy Bucket Viewer role on each bucket
  • using ACLs to allow bucket.get access

None of these seem ideal to me because:

  • Giving read-only access seems too common a need to require a custom policy
  • Putting "Legacy" in the name makes it seem like this permission will be retired relatively soon and any new buckets will require modification
  • Google recommends IAM over ACL and any new buckets will require modification

Is there some way to avoid the bucket.get requirement and still access objects in the bucket? Or is there another method for providing access that I don't know about?

1 Answer

The closest pre-built role is Object Viewer. This allows listing and reading objects. It doesn't include the storage.buckets.get permission, but this is not commonly needed; messing with bucket metadata is really an administrative function. It also doesn't include storage.buckets.list, which is a bit more commonly needed but is still not part of normal usage patterns for GCS: generally, when designing an app, you have a fixed number of buckets for specific purposes, so listing is not useful.

If you really do want to give a service account bucket list and get permission, you will have to create a custom role on the project. This is pretty easy; you can do it with:

# Create the custom role in the project (role id is referenced by its full name below).
gcloud iam roles create StorageViewerLister --project=$YOUR_PROJECT --permissions=storage.objects.get,storage.objects.list,storage.buckets.get,storage.buckets.list
# Bind the service account; members need a type prefix and custom roles need the projects/.../roles/ form.
gcloud projects add-iam-policy-binding $YOUR_PROJECT --member=serviceAccount:$YOUR_SERVICE_ACCOUNT --role=projects/$YOUR_PROJECT/roles/StorageViewerLister
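The same procedure as a script, added here as an example and not part of the original answer. It writes the role definition to a file (the form `gcloud iam roles create --file` accepts), refuses any permission that is not a `get` or `list` so the role stays read-only, binds the service account using the full `projects/PROJECT/roles/ROLE_ID` name and the `serviceAccount:` member prefix, and then reads the project policy back to confirm the binding. The project id, service-account address and role id are placeholder values; the helpers run anywhere, and the gcloud calls run only when gcloud is installed and `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer). Placeholder values are assumptions:
# override PROJECT_ID, SA_EMAIL and ROLE_ID in the environment for a real project.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"                               # assumed project id
SA_EMAIL="${SA_EMAIL:-reader@my-project.iam.gserviceaccount.com}"    # assumed service account
ROLE_ID="${ROLE_ID:-storageReadOnlyLister}"                          # assumed custom role id

# The four permissions the answer lists: read/list objects, get/list buckets.
PERMISSIONS="storage.objects.get storage.objects.list storage.buckets.get storage.buckets.list"

# Custom project roles are referenced by their full resource name, not the bare id.
role_name() {
  printf 'projects/%s/roles/%s\n' "$1" "$2"
}

# IAM members carry a type prefix; a service account is "serviceAccount:<email>".
member_for_sa() {
  printf 'serviceAccount:%s\n' "$1"
}

# Write the role definition consumed by `gcloud iam roles create --file`.
write_role_yaml() {
  out="$1"
  {
    printf '%s\n' 'title: "Storage read-only viewer and lister"'
    printf '%s\n' 'description: "Read/list objects and get/list buckets in the project"'
    printf '%s\n' 'stage: "GA"'
    printf '%s\n' 'includedPermissions:'
    for p in $PERMISSIONS; do
      printf '%s\n' "- $p"
    done
  } > "$out"
}

# Guard against a write or admin verb sneaking into a role meant to be read-only.
check_read_only() {
  for p in $PERMISSIONS; do
    case "$p" in
      *.get|*.list) ;;
      *) echo "not read-only: $p" >&2; return 1 ;;
    esac
  done
  return 0
}

apply() {
  tmp="$(mktemp)"
  write_role_yaml "$tmp"
  check_read_only
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$tmp"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$(member_for_sa "$SA_EMAIL")" \
    --role="$(role_name "$PROJECT_ID" "$ROLE_ID")"
  # Verify: print every project-level role bound to this service account.
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$(member_for_sa "$SA_EMAIL")" \
    --format="value(bindings.role)"
  rm -f "$tmp"
}

# Only talk to Google Cloud when gcloud is present and the caller opted in.
if command -v gcloud >/dev/null 2>&1 && [ "${APPLY:-0}" = "1" ]; then
  apply
fi
```

Because the binding is made at the project level, it applies to every bucket in the project, including buckets created later, which is what the question asks for; a bucket-level binding would have to be repeated for each new bucket.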