Preventing Google Cloud Storage account owner visibility into user bucket objects
Question
I am creating an application that will store user data in Google Storage buckets. To start, I want to create one bucket for each user.
As the application / account owner, I expect to be able to see that a user's bucket exists, but I don't want to have access to the contents of that bucket.
Does Google Cloud Storage offer this option? I expect it depends on IAM settings, but I'm unsure about the best approach, or best practice.
1 answers
solution1
2 ACCPTED 2022-04-30 14:40:21
You can create a Custom Role and attach it to the service account and/or user account that you are using.
On that Custom Role you can add only the required bucket permission: storage.buckets.list
Is a very good security practice to apply the least privilege principle for Service Accounts and User Accounts. Custom roles help us with it.
Here we have a list with every privilege available. You can create Custom Roles with the required privileges only.
[UPDATE]
Every project needs at least one admin (project-owner) and this guy will have superpowers. Cause, tomorrow you may need to change permissions: For instance: list buckets and list objects but not see objects. Without admin permissions, you will not be able to do it.
So, to prevent even someone with the role project-owner from being able to see the contents of the bucket, it is possible to encrypt the objects. That way, only those who have the encryption key can consume the contents of the bucket. See more about encryption here
See ya
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.