Authorize Google Cloud Platform Service Account to Access Only One Google Cloud Storage Bucket

You can restrict the access for a service account to a specific bucket using Cloud IAM.

This is the gsutil command you can use:

    gsutil iam ch serviceAccount:[email protected]:objectAdmin gs://my-project/my-bucket

To remove a service account from all roles on a bucket:

    gsutil iam ch -d serviceAccount:[email protected] gs://my-project/my-bucket

Or you can control access to buckets and objects using ACLs.

For example grant the service account WRITE (R: READ,W: WRITE,O: OWNER) access to the bucket:

   gsutil acl ch -u [email protected]:W gs://my-project/my-bucket

To remove access of service account from the bucket:

   gsutil acl ch -d [email protected] gs://my-project/my-bucket

I would suggest to remove the access of the service account from the buckets. Then grant access to a specific bucket.

I had the same problem.

1. Delete all your service account that are not supposed to have access on ALL buckets of your project.

2. Create a new service account "my_user" in "IAM -> Service Accounts". Do NOT give it any right during creation (this would allow access to ALL buckets of the project as you described in your question)

3. Give the new service account rights in the bucket:

gsutil iam ch serviceAccount:my_user@my_project.iam.gserviceaccount.com:roles/storage.objectViewer gs://my_bucket

(I was not able to do this using the GCP UI)

Replace my_user, my_project and my_bucket. "storage.objectViewer" gives the user the right to read objects.

Warning: it takes some time until you do see this "right" in "bucket -> Permissions", you also see it in the output of "gsutil iam get gs://my-bucket"!? When and if you see it was not fully reproducable to me.

Due to my test the service account now has only access to this bucket and not to the other buckets in the project.