
Give service account access to one bucket in google cloud storage

I have created a service account "my-service-account@blabla.com" with the role "Storage Admin". Now, I want to restrict this account to only access a specific bucket - "gs://my-project/my-bucket"

The problem now is that the SA user has access to all my buckets. I can't remove "my-service-account@blabla.com" from the buckets' permissions (the buckets I don't want the user to have access to) because the permissions are inherited. What should I do? Cheers, Cris

You can restrict the access for a service account to a specific bucket using Cloud IAM.

This is the gsutil command you can use:

    gsutil iam ch serviceAccount:my-service-account@project.iam.gserviceaccount.com:objectAdmin gs://my-project/my-bucket

To remove a service account from all roles on a bucket:

    gsutil iam ch -d serviceAccount:my-service-account@project.iam.gserviceaccount.com gs://my-project/my-bucket

Or you can control access to buckets and objects using ACLs.

For example, grant the service account WRITE (R: READ, W: WRITE, O: OWNER) access to the bucket:

    gsutil acl ch -u my-service-account@project.iam.gserviceaccount.com:W gs://my-project/my-bucket

To remove the service account's access from the bucket:

    gsutil acl ch -d my-service-account@project.iam.gserviceaccount.com gs://my-project/my-bucket

I would suggest removing the service account's access from the buckets, then granting access to a specific bucket.

I had the same problem.

  1. Delete all your service accounts that are not supposed to have access to ALL buckets of your project.

  2. Create a new service account "my_user" in "IAM -> Service Accounts". Do NOT give it any rights during creation (this would allow access to ALL buckets of the project, as you described in your question).

  3. Give the new service account rights in the bucket:

    gsutil iam ch serviceAccount:my_user@my_project.iam.gserviceaccount.com:roles/storage.objectViewer gs://my_bucket

(I was not able to do this using the GCP UI)

Replace my_user, my_project and my_bucket. "storage.objectViewer" gives the user the right to read objects.

Warning: it takes some time until you see this "right" in "bucket -> Permissions"; you also see it in the output of "gsutil iam get gs://my-bucket"!? When and if you see it was not fully reproducible for me.

In my test, the service account now only has access to this bucket and not to the other buckets in the project.
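To check the result of the `gsutil iam ch` / `gsutil iam ch -d` commands from both answers above, here is an added example (not from either answer) that models what those commands do to a bucket IAM policy and confirms a service account is granted something in only one bucket. The policy JSON, bucket names, service account and etag are constructed to mimic `gsutil iam get gs://<bucket>` output; note that this output lists only the bucket's own bindings, so roles inherited from the project (the ones the question could not remove per bucket) must be checked in the project policy separately.

```python
import json
from copy import deepcopy

# Constructed sample in the shape `gsutil iam get gs://<bucket>` prints (assumed shape;
# etag value is a placeholder). Only bucket-level bindings appear here; project-level
# roles inherited by every bucket are not listed.
SA = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
POLICIES = {
    "gs://my-bucket": json.loads("""{
      "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]}
      ],
      "etag": "CAE="}"""),
    "gs://other-bucket": json.loads("""{
      "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]}
      ],
      "etag": "CAE="}"""),
}

def roles_for_member(policy, member):
    """Roles bound to `member` in one bucket policy (sorted for stable comparison)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))

def add_binding(policy, member, role):
    """Model of `gsutil iam ch member:role`: add member to the role's binding, creating it if needed."""
    new = deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def remove_member(policy, member):
    """Model of `gsutil iam ch -d member`: drop member from every binding, pruning empty ones."""
    new = deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new

def buckets_granting(policies, member):
    """Buckets whose own policy grants `member` any role; should be exactly the one intended bucket."""
    return sorted(name for name, p in policies.items() if roles_for_member(p, member))
```

Run `buckets_granting` over the fetched policy of every bucket in the project; any bucket other than the intended one in the result still has a bucket-level grant for the account.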
