Google Cloud Storage - How to limit access to specific bucket

1
votes

I'd like to give an application access to one of my Google Storage buckets by giving it a suitable OAuth2 token.

If I understand https://cloud.google.com/storage/docs/authentication correctly, then there is no way to limit a token to a specific bucket.

What is the easiest / recommended way to create a token with limited access? I guess I could create an entirely new Google account just for this purpose, adjust the ACLs of the bucket to give access to the new user as well, and then create an OAuth token using that user. But that seems... awkward and not very scalable.

(In case it matters: the application is using the OAuth2 device flow, i.e. it gives me a Google URL that I have to visit and use to log in)

2
google-cloud-platformgoogle-cloud-storagegoogle-oauth

2 Answers

1
votes

You can create a service account, with access limited to the required bucket. https://cloud.google.com/iam/docs/understanding-service-accounts

1
votes

Use Bucket ACLs and grant the user's email address to the bucket. The user's email address must be part of Google Accounts or G Suite that the user logs in with (to Google Accounts).

The following gsutil example will grant [email protected] the permission write on Bucket example-bucket:

gsutil acl ch -u [email protected]:WRITE gs://example-bucket

Documentation:

GSUTIL - ACLs