GCP grant a service account permission to write in a GCS bucket with Deployment Manager

Question

In a Deployment Manager Jinja template I'm trying to create log sinks:

- name: {{ ALOGSINK }}
  type: gcp-types/logging-v2:projects.sinks
  properties:
    sink: {{ ALOGSINK }}
    parent: projects/{{ PROJECT }}
    uniqueWriterIdentity: true
    outputVersionFormat: V2
    destination: storage.googleapis.com/{{ LOGGINGBUCKET }}
    filter: >-
      resource.type="deployment" AND
      resource.labels.name="{{ DEPLOYMENT }}"

I would prefer to configure them to use "unique writer identity" when writing to the destination, a GCS bucket.

This means that a specific service account will be created automatically for every log sink.

And it's necessary to grant permissions to this service account to write to the specified (and already existing) bucket.

So in the section of the template which grants the permissions I could refer to the service accounts identities (email addresses) using $(ref.logsink>.writerIdentity).

And now for the interesting part - the only reliable method to add binding to a bucket's ACL is by using the insert method of the BucketAccessControls object:

- name:  {{ LOGGINGBUCKET }}-{{ ALOGSINK }}-acl
  action: gcp-types/storage-v1:storage.BucketAccessControls.insert
  properties:
    bucket: $(ref.bucket-name)
    entity: user-$(ref.{{ ALOGSINK }}.writerIdentity}
    role: WRITER

And the problem is the writerIdentity is in the form of serviceAccount:<email>, but the entity expected by the insert method should be in the form of user-<email>.

And can't find a way to fit the former into the latter.

Answer 1

Probably you want to use bucket IAM policies, that do support Service Accounts:

https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy

I do agree is a bit misleading, and it's natural to think BucketAccessControls should also support Service Accounts...