Granting access to a Google Cloud Storage bucket to a third-party

Question

I need a third-party to upload some files to a Google Cloud Storage bucket. What is the best (or easiest) way to give them access?

Answer 1

The first two methods require that the user have a valid Google Account. I am ignoring Google Identity Platform in this answer. If the user has a Gmail Account, then this means they also have a Google Account. The third method uses a Google Service Account.

Method 1: Use the Google Cloud Storage Console:

• Go to Storage -> Browser.

• Check the desired bucket. In the right side panel under permissions, click the Add button.

• Add the user's Google Account email address. Select Storage Object Creator.

The role granted is roles/storage.objectCreator. This role grants the user permissions to create objects in the bucket but the user cannot delete or overwrite objects.

Link to Cloud Storage Roles

Method 2: Use the gsutl CLI:

gsutil iam ch user:[email protected]:ObjectCreator gs://examplebucket

Link to gcloud IAM

Command to read the current bucket IAM policy:

gsutil iam get gs://examplebucket

Method 3: Use a Google Service Account

Create a Google Service Account in the Google Cloud Console

1. Go to IAM & admin -> Service accounts
2. Click CREATE SERVICE ACCOUNT
3. Enter a Service account name and Service account description
4. Click CREATE
5. In the next screen Service account permissions, select a role.
6. Select Storage -> Storage Object Creator
7. Click CONTINUE
8. Click Create key
9. Check the JSON radio button for the Key type
10. Save the json file to your local computer.

You now have Google Service Account credentials that can be setup with gsutil, gcloud and software programs.

Setting up gcloud with Service Account Credentials