gcp Cloud Storage permission - ghdrako/doc_snipets GitHub Wiki
Uniform bucket-level access allows you to use Identity and Access Management (IAM) alone to manage permissions. IAM applies permissions to all the objects contained inside the bucket, or to groups of objects with common name prefixes. IAM also allows you to use features that are not available when working with ACLs, such as IAM Conditions and **Cloud Audit Logs**. Once uniform bucket-level access is enabled, object ACLs are no longer evaluated and can no longer be set, so the bucket's IAM policy becomes the single place to audit who can read or write the data.
For the transporter service account:
roles/storage.objectCreator
```hcl
resource "google_storage_bucket_iam_binding" "transporter_iam_binding" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  # Authoritative for this role: any other member that currently holds
  # roles/storage.objectAdmin on the bucket is removed on apply.
  # objectAdmin is broader than the objectCreator noted above: it also
  # allows listing, viewing, overwriting and deleting objects.
  role = "roles/storage.objectAdmin"
  members = [
    "serviceAccount:[email protected]",
  ]
}
```
Using uniform bucket-level access
```shell
# Enable
gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME
# View
gsutil uniformbucketlevelaccess get gs://BUCKET_NAME
# Adding a member to a bucket-level policy
gsutil iam ch MEMBER_TYPE:MEMBER_NAME:IAM_ROLE gs://BUCKET_NAME
# Viewing the IAM policy for a bucket
gsutil iam get gs://BUCKET_NAME
# Removing a member from a bucket-level policy
gsutil iam ch -d MEMBER_TYPE:MEMBER_NAME gs://BUCKET_NAME

# allUsers makes every object in the bucket readable without authentication
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]
gsutil iam ch user:[email protected]:objectCreator gs://[BUCKET_NAME]
gsutil iam ch group:[email protected]:objectCreator gs://[BUCKET_NAME]
# IAM_ROLE can be a Cloud Storage role shorthand (objectViewer, objectCreator, ...)
# or a full role name such as roles/CustomRoleName

# Export iam policy to file
gsutil iam get gs://[BUCKET_NAME] > bucket_iam.txt
# object-level policies only exist while uniform bucket-level access is off
gsutil iam get gs://[BUCKET_NAME]/[PATH TO FILE] > object_iam.txt
```
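The exported policy file is the natural input for a check. The following is an added example (not part of the original wiki page or of gsutil): it parses a policy in the JSON shape that `gsutil iam get` prints, flags every binding to `allUsers` or `allAuthenticatedUsers` (public write on a write-capable role is rated higher than public read), and diffs two exports so you can confirm that a `gsutil iam ch` or `gsutil iam ch -d` run changed exactly the grant you intended. The bucket, project and member names in the samples are constructed for this example.

```python
import json

# Principals that grant access to anyone on the internet (allUsers) or to
# anyone holding any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that permit creating, overwriting or deleting objects.
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",
}

# Constructed sample in the shape that `gsutil iam get gs://BUCKET` prints
# (project, bucket and member names are made up for this example).
SAMPLE_BEFORE = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:transporter@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    ],
    "etag": "CAE=",
    "version": 1,
})

# The same bucket after `gsutil iam ch -d allUsers:objectViewer gs://BUCKET` (constructed).
SAMPLE_AFTER = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:transporter@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    ],
    "etag": "CAI=",
    "version": 1,
})

# A constructed worst case: anyone with a Google account may upload objects.
SAMPLE_PUBLIC_WRITE = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "CAM=",
    "version": 1,
})


def grants(policy_json):
    """Flatten an IAM policy document into a set of (role, member) pairs."""
    policy = json.loads(policy_json)
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def public_grants(policy_json):
    """Return [(role, member, severity)] for every binding to a public principal.

    Public write (a role in WRITE_ROLES) is rated 'critical'; public read is 'high'.
    """
    findings = []
    for role, member in sorted(grants(policy_json)):
        if member in PUBLIC_PRINCIPALS:
            severity = "critical" if role in WRITE_ROLES else "high"
            findings.append((role, member, severity))
    return findings


def policy_diff(before_json, after_json):
    """Compare two exported policies; returns (added, removed) sets of (role, member).

    Run it on the exports taken before and after a `gsutil iam ch` to confirm that
    only the intended grant changed.
    """
    before, after = grants(before_json), grants(after_json)
    return after - before, before - after


if __name__ == "__main__":
    for role, member, severity in public_grants(SAMPLE_BEFORE):
        print(f"{severity.upper()}: {member} holds {role}")
    added, removed = policy_diff(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
```

In practice you would feed `bucket_iam.txt` to `public_grants` and keep the pre-change export so that `policy_diff` can prove the removal was exact; the `etag` changes on every write, so compare the flattened grants, not the raw files.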
Terraform
Using IAM
- Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached. Bindings that were added outside Terraform (for example with `gsutil iam ch`) are removed on apply, so review the plan for removed bindings before applying.
```hcl
data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.admin"
    members = [
      "user:[email protected]",
    ]
  }
}

resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = google_storage_bucket.default.name
  policy_data = data.google_iam_policy.admin.policy_data
}
```
- Authoritative for a given role. Updates the IAM policy to grant a role to a list of members; members of that role not listed here are removed. Other roles within the IAM policy for the bucket are preserved.
```hcl
resource "google_storage_bucket_iam_binding" "binding" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  members = [
    "user:[email protected]",
  ]
}
```
- Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.
```hcl
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.admin"
  member = "user:[email protected]"
}
```
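The three resources differ only in how much of the existing policy they overwrite, and that is what decides whether an apply silently revokes someone's access. The following is an added example, not code from the wiki or from the Terraform provider: it models the three update rules on a policy document in the shape `gsutil iam get` prints and reports which existing grants each rule would remove. The starting policy and the member names are constructed for this example.

```python
import copy

# Constructed starting policy for a bucket: a reader group plus the
# transporter service account that already holds objectAdmin.
EXISTING = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:batch-readers@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:transporter@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "CAE=",
    "version": 1,
}

ADMIN = "roles/storage.admin"
OBJECT_ADMIN = "roles/storage.objectAdmin"
JANE = "user:jane@example.com"  # the member being granted access


def grants(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}


def apply_iam_policy(policy, new_bindings):
    """google_storage_bucket_iam_policy: the whole binding list is replaced."""
    return {"bindings": copy.deepcopy(new_bindings),
            "version": policy.get("version", 1)}


def apply_iam_binding(policy, role, members):
    """google_storage_bucket_iam_binding: the member list for ROLE is replaced;
    bindings for every other role are left untouched."""
    result = copy.deepcopy(policy)
    result["bindings"] = [b for b in result["bindings"] if b["role"] != role]
    result["bindings"].append({"role": role, "members": list(members)})
    return result


def apply_iam_member(policy, role, member):
    """google_storage_bucket_iam_member: MEMBER is added to ROLE, nothing is removed."""
    result = copy.deepcopy(policy)
    for b in result["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return result
    result["bindings"].append({"role": role, "members": [member]})
    return result


def lost_grants(before, after):
    """Grants present before a change and absent after it: what the apply revokes."""
    return grants(before) - grants(after)


def scenario():
    """Grant JANE access to the bucket four ways and report what each revokes."""
    return {
        "iam_policy": lost_grants(
            EXISTING, apply_iam_policy(EXISTING, [{"role": ADMIN, "members": [JANE]}])),
        "iam_binding_new_role": lost_grants(
            EXISTING, apply_iam_binding(EXISTING, ADMIN, [JANE])),
        "iam_binding_existing_role": lost_grants(
            EXISTING, apply_iam_binding(EXISTING, OBJECT_ADMIN, [JANE])),
        "iam_member": lost_grants(
            EXISTING, apply_iam_member(EXISTING, OBJECT_ADMIN, JANE)),
    }


if __name__ == "__main__":
    for name, lost in scenario().items():
        print(f"{name}: revokes {sorted(lost) or 'nothing'}")
```

The point the run makes: `iam_policy` drops both pre-existing grants, `iam_binding` on a role that someone else already holds drops that holder (here the transporter service account loses objectAdmin), and only `iam_member` or a binding on a previously unused role leaves existing access intact.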
Using ACL
- ACLs can be managed non-authoritatively, one rule per resource. ACLs only take effect while uniform bucket-level access is off; once it is enabled these resources cannot be used and the bucket's IAM policy is the only access control.
```hcl
resource "google_storage_bucket_access_control" "public_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers" # anyone, unauthenticated, can list the bucket's contents
}

resource "google_storage_bucket_access_control" "transporter_writer" {
  bucket = "lab-biz-acp-batch-6v7mkw"
  role   = "WRITER"
  # entity takes one of the forms user-<email>, group-<email>, domain-<domain>,
  # allUsers or allAuthenticatedUsers
  entity = "user-[email protected]"
}
```
- Authoritatively manages a bucket's ACLs
```hcl
resource "google_storage_bucket_acl" "image-store-acl" {
  bucket = google_storage_bucket.image-store.name
  role_entity = [
    "OWNER:[email protected]",
    "READER:group-mygroup",
  ]
}
```
IAM roles for Cloud Storage
https://cloud.google.com/storage/docs/access-control/iam-roles
Predefined roles:
- Storage Object Creator (roles/storage.objectCreator) Allows users to create objects. Does not give permission to view, delete, or replace objects.
- Storage Object Viewer (roles/storage.objectViewer) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
- Storage Object Admin (roles/storage.objectAdmin) Grants full control over objects, including listing, creating, viewing, and deleting objects.