0
votes

I want to create a GCP service account that will have full access to a specific bucket (say my-bucket).

I can work around this by providing to my service account the roles.storageAdmin role as follows:

gcloud iam service-accounts create my-sa \
    --description="My Service Account" \
    --display-name="my-sa"

and

gcloud projects add-iam-policy-binding my-project \
    --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" \
    --role="roles/storage.objectAdmin"

but unless I am wrong, this gives very broad permissions to all the project's buckets.

Is there a way to provide full access to a specific bucket (and only this one) to a service account?

1 Answer

1
votes

You can use gsutil iam ch:

gsutil iam ch \
    serviceAccount:my-sa@my-project.iam.gserviceaccount.com:objectAdmin \
    gs://my-bucket

You can also get the IAM policy for your bucket:

gsutil iam get gs://my-bucket > iam.json

Modify it to add the bindings you want, and then set the IAM policy with the updated file:

gsutil iam set iam.json gs://my-bucket
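The "modify it" step above is where mistakes happen by hand (a duplicated member, a binding dropped while editing, the etag removed so the set no longer detects a concurrent change). The following is an added example, not part of the answer or of gsutil, that performs that edit programmatically on the file produced by gsutil iam get. The policy embedded in it is a constructed sample in the same shape gsutil emits (a bindings list plus an etag), not real output from any bucket; the role and member names are the ones used on this page.

```python
import copy
import json
import sys

# Constructed sample of a bucket policy as returned by `gsutil iam get gs://my-bucket`.
# Not captured from a real bucket; the default project-level legacy bindings are typical.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]},
    ],
    "etag": "CAE=",
}

MEMBER = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
ROLE = "roles/storage.objectAdmin"


def add_binding(policy, member, role):
    """Return a copy of `policy` in which `member` holds `role` on this bucket.

    Idempotent: an existing binding for the role is reused, a member already
    listed is not duplicated, and every other binding is left untouched.
    The etag is deliberately preserved so `gsutil iam set` can reject the
    write if the bucket policy changed after `gsutil iam get` ran.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def remove_member(policy, member):
    """Return a copy of `policy` with `member` stripped from every binding.

    Bindings left with no members are dropped, since an empty binding is
    meaningless and only clutters later reviews of the policy.
    """
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def roles_for_member(policy, member):
    """List the roles `member` holds in this bucket policy (sorted, for review)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def update_policy_file(path, member, role):
    """Read iam.json from disk, grant `role` to `member`, write it back in place.

    Returns the roles the member holds afterwards so the caller can confirm
    the grant is scoped to exactly the intended role before running
    `gsutil iam set iam.json gs://my-bucket`.
    """
    with open(path, "r", encoding="utf-8") as fh:
        policy = json.load(fh)
    updated = add_binding(policy, member, role)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
        fh.write("\n")
    return roles_for_member(updated, member)


if __name__ == "__main__":
    # Usage: python grant_bucket_role.py iam.json  (assumed file name; any path works)
    target = sys.argv[1] if len(sys.argv) > 1 else "iam.json"
    print("roles now held by", MEMBER, "in", target, ":",
          update_policy_file(target, MEMBER, ROLE))
```

Because the edit is made to the bucket's own policy document and never to the project policy, the service account ends up with the role on gs://my-bucket only; roles_for_member gives a quick way to confirm that no other role was granted along the way before the file is pushed with gsutil iam set.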