GCP - Controlling access to Service Account for Google Cloud Storage

0
votes

I am trying to upload a file using @google-cloud/storage client from Node.js. I have successfully created a Service Account with the role that gives it right to create (upload), delete (reupload the object with same name) and download an object on Cloud Storage. This has been made possible due to the Storage Object Admin role.

When I assigned the Storage Object Creator role, I was not able to upload an image with the same name to the Storage.

What I actually require is, I need to give the upload and delete rights but not the download rights to the Node.js client.

It would also be great if there would be a way to only allow .jpg files to be uploaded. I tried to add conditions with the credentials, but that did not help.

1
google-cloud-platformgoogle-cloud-storage

1 Answers

0
votes

You have to create a custom role with the following permissions:

resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
storage.objects.delete

Please keep in mind that the permission storage.objects.create gives you the opportunity to add new objects to a bucket but also the chance to download the object that you created. According to my testing, with this custom role you will not be able to download files that you did created. If you try, you will receive the following error message:

403 service account does not have storage.objects.list permission

I do not think you can forbid a customer to download the object that he created.

Regarding the condition part, you can create conditions on download (resource.name.endsWith(".jpg") but I do not think you create conditions on upload.