AWS provides a way, through its IAM policies, to limit access from a particular user/role to a specific named resource.
For example, the following permission:
{
  "Sid": "ThirdStatement",
  "Effect": "Allow",
  "Action": [
    "s3:List*",
    "s3:Get*"
  ],
  "Resource": [
    "arn:aws:s3:::confidential-data",
    "arn:aws:s3:::confidential-data/*"
  ]
}
will allow all List* and Get* operations on the confidential-data bucket and its contents.
However, I could not find such an option when going through GCP's custom roles.
Now, I know that for GCS buckets (which is my use case) you can create ACLs to achieve (more or less?) the same result.
My question is, assuming I create a service account identified by [email protected] and I want this account to have read/write permissions to gs://mybucket-on-google-cloud-storage, how should I format the ACL to do this?
(For the time being, it does not matter to me what other permissions are inherited from the organization/folder/project.)
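As an added example (not part of the question above, and not Google's code): the closest GCP analogue to a resource-scoped AWS statement is a binding on the bucket's own IAM policy, which is the JSON document `gsutil iam get` prints and `gsutil iam set` consumes. The code below takes such a policy, binds a service account to `roles/storage.objectAdmin` (read, write, delete and list on the bucket's objects) without disturbing existing bindings, and checks the result. It does not call the API, so it runs offline. The bucket name is the one from the question; the service account address is a stand-in because the question's address is redacted; the sample policy document is constructed.

```python
import copy
import json

# Stand-in names. The bucket is the question's; the service account address is
# assumed, since the one in the question is redacted.
BUCKET = "mybucket-on-google-cloud-storage"
SERVICE_ACCOUNT = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"

# Predefined roles that, when bound on a bucket, give read and write on its objects.
READ_WRITE_ROLES = {"roles/storage.objectAdmin", "roles/storage.admin"}


def grant_role(policy: dict, member: str, role: str) -> dict:
    """Return a copy of a bucket IAM policy (the JSON shape `gsutil iam get`
    prints) with `member` bound to `role`.

    Idempotent: binding a member that is already present changes nothing.
    Conditional bindings are never modified, because adding a member to them
    would silently grant the role only under that condition. The etag is kept
    so that `gsutil iam set` can reject the write if the policy changed in the
    meantime (optimistic concurrency)."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def roles_for(policy: dict, member: str) -> set:
    """Unconditional roles `member` holds directly in this bucket policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def has_object_read_write(policy: dict, member: str) -> bool:
    """True if the bucket policy alone gives `member` read and write on objects.

    Bindings inherited from the project, folder or organization are not part of
    the bucket policy and are therefore not seen here, which matches the
    question's "ignore inherited permissions" scope."""
    return bool(roles_for(policy, member) & READ_WRITE_ROLES)


def policy_json(policy: dict) -> str:
    """Serialise for `gsutil iam set policy.json gs://<bucket>`."""
    return json.dumps(policy, indent=2)


# Constructed sample of what `gsutil iam get gs://<bucket>` returns on a bucket
# that carries only the project-level legacy bindings.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]},
    ],
    "etag": "CAE=",
}

if __name__ == "__main__":
    updated = grant_role(SAMPLE_POLICY, SERVICE_ACCOUNT, "roles/storage.objectAdmin")
    print(policy_json(updated))
    print("read/write on objects:", has_object_read_write(updated, SERVICE_ACCOUNT))
```

The same grant as a single command is `gsutil iam ch serviceAccount:<sa-email>:objectAdmin gs://mybucket-on-google-cloud-storage` (see `gsutil help iam` for the exact syntax of your gsutil version). The legacy ACL route only works while the bucket still has ACLs enabled (uniform bucket-level access turns them off): `gsutil acl ch -u <sa-email>:W gs://mybucket-on-google-cloud-storage` grants write on the bucket, and `gsutil defacl ch -u <sa-email>:R gs://mybucket-on-google-cloud-storage` sets the default object ACL so objects created afterwards are readable. Bucket-level IAM is the closer analogue to the AWS statement: one binding covers the bucket and its objects, with no separate `/*` resource entry.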