0
votes

I have a storage bucket that I created on GCP. I created the bucket following the instructions described here (https://cloud.google.com/storage/docs/creating-buckets). Additionally, I created it using uniform bucket-level access control.

However, I want the objects in the bucket to be accessible by instances running under a certain service account, but I do not see how to do that. In the permissions settings, I do not see how I can specify a service account for read-write access.

3
You mean a Google Cloud Storage (GCS) bucket, right? S3 is an AWS-specific name. - MR.K
@MR.K Ah yes :) Sorry, new to this. - Luca
You can see my answer below: stackoverflow.com/a/58818696/4539626 - MR.K

3 Answers

3
votes

To create a service account, run the following command in Cloud Shell:

gcloud iam service-accounts create storage-sa --display-name "storage service account"

You can grant roles to a service account so that the service account can perform specific actions on the resources in your GCP project. For example, you might grant the storage.admin role to a service account so that it has control over objects and buckets in Google Cloud Storage.

gcloud projects add-iam-policy-binding <Your Project ID> --member serviceAccount:<Service Account Email> --role <Role You want to Grant>

Once the role is granted you can select this service account while creating the instance.

Alternatively, to do this via the Google Cloud Console, see Creating and enabling service accounts for instances.
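Because the bucket in the question uses uniform bucket-level access, which disables object ACLs, the grant this answer describes ends up as an IAM binding at project or bucket level. As an added example (not from the answer and not Google's tooling), the Python below works on the JSON policy document that `gsutil iam get gs://BUCKET` returns: it adds a service account member with the `serviceAccount:` prefix that gcloud/gsutil require, and flags grants to `allUsers`/`allAuthenticatedUsers`. The project, bucket and service account e-mail are constructed placeholders, and `roles/storage.objectAdmin` is picked as a narrower read-write role than `storage.admin`.

```python
import json
from copy import deepcopy

# Constructed sample in the shape returned by `gsutil iam get gs://BUCKET`.
# Project and e-mail values are placeholders, not real identifiers.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
""")

# Members that make the bucket readable by everyone or by any Google account.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def add_service_account_binding(policy, sa_email, role="roles/storage.objectAdmin"):
    """Return a copy of the policy granting `role` to the service account.

    Members need their type prefix ("serviceAccount:") or gcloud/gsutil reject
    them; the binding is added idempotently, so re-running adds no duplicates.
    """
    member = f"serviceAccount:{sa_email}"
    new_policy = deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def find_broad_grants(policy):
    """List (role, member) pairs that expose the bucket to everyone."""
    return [(b["role"], m) for b in policy["bindings"]
            for m in b["members"] if m in BROAD_MEMBERS]


def members_for(policy, role):
    """Return the members currently bound to `role` (empty list if none)."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return list(b["members"])
    return []
```

Write the returned policy to a file, review it, and apply it with `gsutil iam set policy.json gs://BUCKET`.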

2
votes

Once you have created your service account, you can then change/set the access control list (ACL) permissions on your bucket or objects using the gsutil command.

Specifically:

gsutil acl set [-f] [-r] [-a] file-or-canned_acl_name url...
gsutil acl get url
gsutil acl ch [-f] [-r] <grant>... url...

where each <grant> is one of the following forms:

  -u <id|email>:<perm>
  -g <id|email|domain|All|AllAuth>:<perm>
  -p <viewers|editors|owners>-<project number>:<perm>
  -d <id|email|domain|All|AllAuth|<viewers|editors|owners>-<project number>>:<perm>

Please review the following article for more depth and description:

You can also set/change ACLs through the Cloud Console web interface and through the GCS API.

1
votes
  1. You have to create a service account: Creating a new service account.

  2. Set up a new instance to run as a service account: Set instance.

  3. In the Google Cloud Console go to Storage/bucket/right_corner dots/Edit bucket permissions, then Add Member/service account/ and Role/Storage Admin.