0
votes

I have a server that writes some data files to a Cloud Storage bucket, using a service account to which I have granted "Storage Object Creator" permissions for the bucket. I want that service account's permissions to be write-only.

The Storage Object Creator permission also allows read access, as far as I can tell, so I wanted to just remove the permission for the objects after they have been written. I thought I could use an ACL to do this, but it doesn't seem to work. If I use

gsutil acl get gs://bucket/object > acl.json

then edit acl.json to remove the OWNER permission for the service account, then use

gsutil acl set acl.json gs://bucket/object

to update the ACL, I find that nothing has changed; the OWNER permission is still there if I check the ACL again. The same thing happens if I try to remove the OWNER permission in the Cloud Console web interface.

Is there a way to remove that permission? Or another way to accomplish this?


2 Answers

1
votes

You cannot remove the OWNER permissions for the service account that uploaded the object, from:

https://cloud.google.com/storage/docs/access-control/lists#bestpractices

The bucket or object owner always has OWNER permission of the bucket or object.

The owner of a bucket is the project owners group, and the owner of an object is either the user who uploaded the object, or the project owners group if the object was uploaded by an anonymous user.

When you apply a new ACL to a bucket or object, Cloud Storage respectively adds OWNER permission to the bucket or object owner if you omit the grants.

I have not tried this, but you could upload the objects using one service account (call it SA1), then rewrite the objects using a separate service account (call it SA2), and then delete the objects. SA1 will no longer be the owner, and therefore won't have read permissions. SA2 will continue to have both read and write permissions though; there is no way to prevent the owner of an object from reading it.

1
votes

Renaming the object does the trick.

gsutil mv -p gs://bucket/object gs://bucket/object-renamed
gsutil mv -p gs://bucket/object-renamed gs://bucket/object

The renamer service account will become the object OWNER.
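The two answers above describe the same workaround from different angles: have a second service account re-create the object (by rewrite or by rename) so that it, not the uploader, becomes the object owner. The script below is an added example, not code from the original question or answers, that drives the rename variant through gsutil and then checks the resulting ACL to confirm the uploader's OWNER grant is actually gone. The bucket, object and service-account names are placeholders, the sample ACL output is constructed rather than captured from a real bucket, and it is assumed that gsutil is installed and that the caller's credentials are permitted to impersonate the second account through gsutil's -i flag.

```python
"""Re-own a Cloud Storage object with a second service account and verify
that the uploading account no longer holds OWNER on it.

Added example, not from the original post. Assumptions: placeholder names
below, gsutil on PATH, and permission to impersonate REWRITER_SA (gsutil -i).
"""
import json
import subprocess
from typing import Dict, List

# Placeholder names (assumptions for this example, not from the post).
UPLOADER_SA = "uploader@example-project.iam.gserviceaccount.com"
REWRITER_SA = "rewriter@example-project.iam.gserviceaccount.com"
OBJECT_URL = "gs://example-bucket/data/report.csv"

# Constructed samples of what `gsutil acl get` prints (not real output):
# before the rename the uploader is the owner; afterwards the rewriter is.
# The project-owners group keeps OWNER in both cases, as the docs say.
SAMPLE_ACL_BEFORE = json.dumps([
    {"entity": f"user-{UPLOADER_SA}", "email": UPLOADER_SA, "role": "OWNER"},
    {"entity": "project-owners-123456", "role": "OWNER"},
])
SAMPLE_ACL_AFTER = json.dumps([
    {"entity": f"user-{REWRITER_SA}", "email": REWRITER_SA, "role": "OWNER"},
    {"entity": "project-owners-123456", "role": "OWNER"},
])


def parse_acl(acl_json: str) -> List[Dict]:
    """Parse the JSON list that `gsutil acl get` prints for an object."""
    acl = json.loads(acl_json)
    if not isinstance(acl, list):
        raise ValueError("expected a JSON list of ACL entries")
    return acl


def roles_for(acl: List[Dict], email: str) -> List[str]:
    """Roles granted to one account in an ACL list.

    gsutil names a per-account entity "user-<email>" and the JSON API also
    carries the address in the "email" field; match on either.
    """
    return [
        entry["role"]
        for entry in acl
        if entry.get("entity") == f"user-{email}" or entry.get("email") == email
    ]


def holds_owner(acl: List[Dict], email: str) -> bool:
    """True if `email` still has an OWNER grant (and so can read the object)."""
    return "OWNER" in roles_for(acl, email)


def gsutil(*args: str, impersonate: str = "") -> str:
    """Run gsutil, optionally impersonating a service account, return stdout."""
    cmd = ["gsutil"]
    if impersonate:
        cmd += ["-i", impersonate]  # assumption: caller may impersonate it
    cmd += list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def reown_object(url: str, new_owner_sa: str, uploader_sa: str) -> bool:
    """Rename the object away and back as `new_owner_sa` so it becomes owner.

    Without -p the copies receive the bucket's default object ACL, so the
    uploader's OWNER grant is not carried along. Returns True when the
    uploader no longer holds OWNER on the final object.
    """
    tmp = url + ".reown-tmp"
    gsutil("mv", url, tmp, impersonate=new_owner_sa)
    gsutil("mv", tmp, url, impersonate=new_owner_sa)
    acl = parse_acl(gsutil("acl", "get", url))
    return not holds_owner(acl, uploader_sa)


if __name__ == "__main__":
    ok = reown_object(OBJECT_URL, REWRITER_SA, UPLOADER_SA)
    print("uploader OWNER grant removed:", ok)
```

Two caveats worth keeping in mind when using this: the two `mv` calls are not atomic, so a reader could observe the object missing for a moment between them, and the rewriting account (and the project owners group) will still be able to read the object afterwards, which is exactly the limitation the first answer points out.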