I have created a Google Cloud Platform service account, $GCP_SERVICE_ACCOUNT
, with the Storage Admin (roles/storage.admin
) role.
Now I wish to restrict this account so that it can only access a specific Google Cloud Storage (GCS) Bucket ($GCS_BUCKET_NAME
).
The problem now is that $GCP_SERVICE_ACCOUNT
has access to all GCS Buckets. I can't remove $GCP_SERVICE_ACCOUNT
from other GCS Buckets because roles/storage.admin
is inherited.
What should I do?
In the Google Cloud console, go to the Cloud Storage Buckets page. Click the Bucket overflow menu ( ) associated with the bucket to which you want to grant a principal a role. Choose Edit access.
Granting the Service Account User role to a user for a project gives the user access to all service accounts in the project, including service accounts that might be created in the future. Granting the Service Account User role to a user for a specific service account gives a user access to only that service account.
You can restrict the access for a service account to a specific bucket using Cloud IAM.
This is the gsutil command you can use:
gsutil iam ch serviceAccount:[email protected]:objectAdmin gs://my-project/my-bucket
To remove a service account from all roles on a bucket:
gsutil iam ch -d serviceAccount:[email protected] gs://my-project/my-bucket
Or you can control access to buckets and objects using ACLs.
For example grant the service account WRITE (R: READ,W: WRITE,O: OWNER) access to the bucket:
gsutil acl ch -u [email protected]:W gs://my-project/my-bucket
To remove access of service account from the bucket:
gsutil acl ch -d [email protected] gs://my-project/my-bucket
I would suggest to remove the access of the service account from the buckets. Then grant access to a specific bucket.
I had the same problem.
Delete all your service account that are not supposed to have access on ALL buckets of your project.
Create a new service account "my_user" in "IAM -> Service Accounts". Do NOT give it any right during creation (this would allow access to ALL buckets of the project as you described in your question)
Give the new service account rights in the bucket:
gsutil iam ch serviceAccount:my_user@my_project.iam.gserviceaccount.com:roles/storage.objectViewer gs://my_bucket
(I was not able to do this using the GCP UI)
Replace my_user, my_project and my_bucket. "storage.objectViewer" gives the user the right to read objects.
Warning: it takes some time until you do see this "right" in "bucket -> Permissions", you also see it in the output of "gsutil iam get gs://my-bucket"!? When and if you see it was not fully reproducable to me.
Due to my test the service account now has only access to this bucket and not to the other buckets in the project.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With