Google Storage access based on IP Address

Is there a way to give access to a Google Cloud Storage bucket based on the IP address it is coming from?

On Amazon S3, you can just set this in the access policy like this:

"Condition": {
    "IpAddress": {
        "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
    }
}

I do not want to use a signed URL.

sren asked Dec 04 '14 10:12
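For comparison, here is the S3 condition from the question placed inside a complete bucket policy. This is an added example, not part of the original post; the bucket name, statement id and CIDR ranges are placeholders. The statement grants anonymous read access (no signed URL involved) only when the request's source address, as seen by S3, falls in one of the listed ranges:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadFromListedRanges",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]
        }
      }
    }
  ]
}
```

Two things worth checking before relying on a policy like this: `aws:SourceIp` holds the address from which the request reached S3, so clients behind a NAT or proxy all appear as that device's address, and requests that arrive through a VPC endpoint are not matched by `aws:SourceIp` at all (AWS provides `aws:VpcSourceIp` for that case).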



2 Answers

The updated answers on this page are only partially correct and should not be recommended for the use case of access control to Cloud Storage Objects.

Access Context Manager (ACM) defines rules to allow access (e.g. an IP address).

VPC Service Controls create an "island" around a project and ACM rules can be attached. These rules are "ingress" rules and not "egress" rules meaning "anyone at that IP can get into all resources in the project with the correct IAM permissions".

The ACM rule specifying an IP address will allow that IP address to access all Cloud Storage Objects and all other protected resources owned by that project. This is usually not the intended result. You cannot apply an IP address rule to an object, only to all objects in a project. VPC Service Controls are designed to prevent data from getting out of a project and are NOT designed to allow untrusted anonymous users access to a project's resources.

John Hanley answered Oct 28 '22 06:10
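To make the granularity point above concrete, the following script models the Access Context Manager and VPC Service Controls setup the answer describes. It is an added example, not the answer's own code: the access-policy id, project number, CIDR range, level and perimeter names are all placeholders, and by default the script only prints the `gcloud` commands it would run (set `DRY_RUN=0` to execute them). The `--resources` flag on the perimeter takes a project, which is why the IP rule admits callers to every restricted service in that project rather than to a single bucket or object:

```shell
#!/bin/sh
# Added example: model an IP-based access level attached to a VPC Service
# Controls perimeter. All identifiers below are placeholder assumptions.
set -eu

POLICY_ID="${POLICY_ID:-POLICY_ID_PLACEHOLDER}"                 # access policy number (placeholder)
PROJECT_NUMBER="${PROJECT_NUMBER:-PROJECT_NUMBER_PLACEHOLDER}"  # numeric project id (placeholder)
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"                  # constructed RFC 5737 range
DRY_RUN="${DRY_RUN:-1}"                                         # 1 = print commands, 0 = run them

# Emit the basic access-level spec consumed by --basic-level-spec:
# a YAML list of conditions, here a single ipSubnetworks condition.
level_spec() {
  printf -- '- ipSubnetworks:\n    - %s\n' "$1"
}

# Run a command, or print it when DRY_RUN=1 so the script is safe to read through.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Access level: "requests originating from ALLOWED_CIDR".
create_level() {
  spec_file=$(mktemp)
  level_spec "$ALLOWED_CIDR" > "$spec_file"
  run gcloud access-context-manager levels create office_ip \
    --policy="$POLICY_ID" \
    --title="Office IP range" \
    --basic-level-spec="$spec_file"
  rm -f "$spec_file"
}

# 2. Perimeter: the level is attached to a whole project (--resources), and
#    restricts the Cloud Storage API for that project. Anyone from the allowed
#    range who also holds IAM permissions can reach every protected resource
#    in the project; there is no per-bucket or per-object IP rule here.
create_perimeter() {
  run gcloud access-context-manager perimeters create storage_perimeter \
    --policy="$POLICY_ID" \
    --title="Storage perimeter" \
    --resources="projects/$PROJECT_NUMBER" \
    --restricted-services=storage.googleapis.com \
    --access-levels=office_ip
}

create_level
create_perimeter
```

Read the printed commands first; the perimeter applies to the project as a whole, so a second project's buckets are unaffected, but every bucket in this project is reachable from the listed range by any caller with the right IAM role.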


UPDATE: This is now possible using VPC Service Controls


No, this is not currently possible.

There's currently a feature request to restrict a Google Cloud Storage bucket by IP address.

jterrace answered Oct 28 '22 07:10