My goal is to have a security policy that I can attach to multiple users or service accounts granting read access to a specific GCS bucket. So far, I was only able to either:
- Create an IAM role that has wide read permissions on all GCS buckets and attach that to each service account / user I create (not what I want, as it grants too broad permissions)
or:
- From the GCS bucket, grant specific read access to each user / service account as I create them (not what I want, because it is manual and error prone, and there's no decoupling, e.g. if I want to change the access level or the bucket name I will have to do it to all users).
What I'd really like is to have the ability to create a role that limits access to specific bucket(s), or have some kind of notion of "group" that I can add both users and service accounts to, and give that entire group read permission to a bucket.
This is quite easy to do in AWS IAM using groups or roles. But from what I can tell, GCP Roles are a bit different, and GCP groups are really groups of email addresses. While I suppose I can use groups for this, it feels very clunky and not the right way to achieve this.
So my question is, is there a way to create a list of service accounts / users, and give them limited permissions to specific resources (namely a GCS bucket), without having to manually manage each member?
I have seen the answer in Google Cloud Platform creating custom IAM role and limiting access to a storage bucket but this is not what I'm looking for, as this is what I suggested above in #2.
