How to give service account only access to one bucket (Google Cloud)?

2
votes

How to give service account only access to one bucket? If you just in case wanna give another 3rd party service access to your private bucket?

The problem is by default (service account) has access to all buckets and I've no idea how to restrict it to only one bucket only.

Is it possible to achieve this from dashboard or only console? If it is possible from dashboard then I would like to know the steps of that.

Thank you.

Edit**

I have 3 buckets and when I create a service account with (Object Viewer) permission it automatically gets added to all 3 of them and when I try to delete it from permission of any of bucket I don't want it to have access to, I get this message saying (Member is inherited from another policy and cannot be deleted.)

2
google-cloud-platformgoogle-cloud-functionsgoogle-cloud-storage
Did you solve your problem?Stiefel
@Stiefel yes I figured the solution myself.Newbie

2 Answers

3
votes

If you go to the Google Cloud Storage Console, you'll find a list of buckets for your GCP project. Click on the three vertical dots to the right of the relevant project, and choose "Edit bucket permissions". You can then use "Add member" to give appropriate permissions to the relevant service account.

0
votes

You need to create an IAM entry and restrict access by specifying a condition.

For example, if I want the user [email protected] to access the bucket b_1with the permission Storage Object Admin

  1. Browse to your bucket b_1
  2. On the kebab menu (three vertical dots) > edit access
  3. Add principal : [email protected]
  4. Specify role : Storage Object Admin
  5. Specify condition
    • enter the Title of condition
    • enter a Description
    • In the Condition Builder select Condition type : Resource > Name
    • In Operator select is or Starts With, etc..
    • Enter your bucket name projects/<your_project>/buckets/b_1
  6. You may want to enter an other Conditions type such as Resource> Typeand select storage.googleapis.com/Bucket