15

I have created a Google Cloud Platform service account, $GCP_SERVICE_ACCOUNT, with the Storage Admin (roles/storage.admin) role.

Now I wish to restrict this account so that it can only access a specific Google Cloud Storage (GCS) Bucket ($GCS_BUCKET_NAME).

The problem now is that $GCP_SERVICE_ACCOUNT has access to all GCS Buckets. I can't remove $GCP_SERVICE_ACCOUNT from other GCS Buckets because roles/storage.admin is inherited.

What should I do?

Mike
i_am_cris

3 Answers

17

You can restrict the access for a service account to a specific bucket using Cloud IAM.

This is the gsutil command you can use:

gsutil iam ch serviceAccount:my-service-account@project.iam.gserviceaccount.com:objectAdmin gs://my-project/my-bucket

for custom roles use

gsutil iam ch serviceAccount:my-service-account@project.iam.gserviceaccount.com:projects/{your_project_id}/roles/{your_custom_role_id} gs://my-bucket

To remove a service account from all roles on a bucket:

gsutil iam ch -d serviceAccount:my-service-account@project.iam.gserviceaccount.com gs://my-project/my-bucket

Or you can control access to buckets and objects using ACLs.

For example, grant the service account WRITE (R: READ, W: WRITE, O: OWNER) access to the bucket:

gsutil acl ch -u my-service-account@project.iam.gserviceaccount.com:W gs://my-project/my-bucket

To remove the service account's access to the bucket:

gsutil acl ch -d my-service-account@project.iam.gserviceaccount.com gs://my-project/my-bucket

I would suggest removing the service account's access from the buckets, then granting it access to a specific bucket.

Abrar Ahmed
marian.vladoi
  • Thanks for the response. Will this remove the access to other buckets? The sa user already is an object admin of the bucket gs://my-project/my-bucket – i_am_cris Dec 04 '19 at 13:40
  • I understand that you want to remove the access of the service account to all the buckets and then assign it only to a specific bucket. – marian.vladoi Dec 04 '19 at 13:49
  • Correct. I tried the first gsutil command but this doesn't remove the access to other buckets. – i_am_cris Dec 04 '19 at 13:54
  • OK, I see your update. Will I have to run this for every bucket I want to remove the sa from?: "gsutil iam ch -d serviceAccount:my-service-account@project.iam.gserviceaccount.com:objectAdmin gs://my-project/my-bucket" – i_am_cris Dec 04 '19 at 14:12
  • OK, so I ran this on another bucket where I want to remove the user but nothing happens. "gsutil iam ch -d serviceAccount:my-service-account@project.iam.gserviceaccount.com:objectAdmin gs://my-project/my-other-bucket" – i_am_cris Dec 04 '19 at 14:23
  • It typically takes about a minute for revoking access to take effect. I had a typo, can you use the command again? – marian.vladoi Dec 04 '19 at 14:45
  • "You can restrict the access for a service account to a specific bucket" this does not seem to be true. Existing service accounts with the storage admin role will still have access to this bucket after the `gsutil iam ch...` command. – Chris Stryczynski Jan 20 '21 at 12:08
  • Can this be done without gsutil? It's utterly bizarre that some of these tasks depend on gsutils :( – RicardoDuarte May 05 '21 at 12:49
7

I had the same problem.

  1. Delete all your service accounts that are not supposed to have access to ALL buckets of your project.

  2. Create a new service account "my_user" in "IAM -> Service Accounts". Do NOT give it any rights during creation (this would allow access to ALL buckets of the project, as you described in your question).

  3. Give the new service account rights in the bucket:

gsutil iam ch serviceAccount:my_user@my_project.iam.gserviceaccount.com:roles/storage.objectViewer gs://my_bucket

(I was not able to do this using the GCP UI.)

Replace my_user, my_project and my_bucket. "storage.objectViewer" gives the user the right to read objects.

Warning: it takes some time until you see this "right" in "bucket -> Permissions"; you also see it in the output of "gsutil iam get gs://my-bucket"!? When and if you see it was not fully reproducible for me.

According to my test, the service account now has access only to this bucket and not to the other buckets in the project.

Stiefel
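The point both of the answers above (and the comment thread under the first one) turn on is that a bucket-level `gsutil iam ch -d` only edits the bucket's own policy, while a role granted at the project is inherited by every bucket and is untouched by that command. The following is an added example, not code from the question or from either answer: it models the two policy documents in the shape `gsutil iam get` prints (a list of bindings, each with a role and its members), applies the equivalent of `gsutil iam ch` and `gsutil iam ch -d` to them, and computes the roles the account effectively holds on a bucket. The member, project and bucket names are constructed placeholders.

```python
"""Model of how IAM bindings combine across the project/bucket hierarchy.

Added example; the policies are constructed to mirror the JSON shape that
`gsutil iam get` prints. Names are placeholders, not real resources.
"""
import copy

MEMBER = "serviceAccount:my-service-account@project.iam.gserviceaccount.com"

# Constructed: the project-level policy the service account was created with.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": [MEMBER]},
    ]
}

# Constructed: a bucket-level policy that also names the account directly.
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": [MEMBER]},
    ]
}


def add_binding(policy, role, member):
    """Equivalent of `gsutil iam ch MEMBER:ROLE gs://BUCKET`: add member to the role's binding."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_member(policy, member, role=None):
    """Equivalent of `gsutil iam ch -d MEMBER[:ROLE] gs://BUCKET`: drop member from one or all bindings."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new["bindings"]:
        if role is None or binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # an empty binding is dropped, as the API does
            kept.append(binding)
    new["bindings"] = kept
    return new


def roles_for(policy, member):
    """Roles a member is bound to directly in one policy document."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def effective_roles(member, project_policy, bucket_policy):
    """Roles the member holds on the bucket: its own bindings plus everything inherited from the project."""
    return sorted(set(roles_for(project_policy, member)) | set(roles_for(bucket_policy, member)))


def demo():
    # Step 1: removing the account at the bucket does nothing to the inherited project role.
    bucket_after_removal = remove_member(BUCKET_POLICY, MEMBER)
    still_inherited = effective_roles(MEMBER, PROJECT_POLICY, bucket_after_removal)
    # Step 2: drop the project-level binding and grant at the bucket only.
    project_fixed = remove_member(PROJECT_POLICY, MEMBER, "roles/storage.admin")
    bucket_fixed = add_binding(bucket_after_removal, "roles/storage.objectViewer", MEMBER)
    return still_inherited, effective_roles(MEMBER, project_fixed, bucket_fixed)


if __name__ == "__main__":
    inherited, fixed = demo()
    print("after bucket-level removal only:", inherited)
    print("after removing the project role and granting at the bucket:", fixed)
```

The first value returned by `demo()` is why the commenter saw "nothing happens": the project binding is still there. Only the second step, removing `roles/storage.admin` from the project policy and binding the account on the one bucket, leaves it with access to that bucket alone; an unrelated bucket with an empty policy inherits nothing once the project binding is gone.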
2

This is how I achieve this via Cloud IAM conditions.

Say I want to restrict permissions for a service account (my-account-name) to upload objects to only one bucket (my-bucket-name).

  1. Go to IAM > Service Accounts

  2. Click on "+ CREATE SERVICE ACCOUNT"

  3. Give the service account the name "my-account-name" and the description "Only upload to my-bucket-name", then click "CREATE AND CONTINUE"

  4. Under the section "Grant this service account access to project":

    4a. assign the role Storage Object Viewer with the condition editor expression resource.name.startsWith("projects/_/buckets/my-bucket-name")

    4b. assign the role Storage Object Creator with the condition editor expression resource.name.startsWith("projects/_/buckets/my-bucket-name")

rainchei
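The condition in the answer above is a plain string prefix test, so it is worth checking exactly which resource names it admits. Cloud Storage presents a bucket to IAM conditions as `projects/_/buckets/BUCKET` and an object as `projects/_/buckets/BUCKET/objects/OBJECT`, which means `startsWith("projects/_/buckets/my-bucket-name")` also matches any other bucket whose name begins with `my-bucket-name`. The following is an added example, not from the answer: it evaluates the answer's condition and a tighter one over a constructed set of resource names (the bucket names are made up for the illustration).

```python
"""Evaluate the resource.name.startsWith(...) condition from the answer.

Added example. It reproduces the resource-name shapes Cloud Storage hands to
IAM conditions and contrasts the prefix test with an exact bucket match.
Bucket and object names below are constructed.
"""

BUCKET_PREFIX = "projects/_/buckets/"


def bucket_resource(bucket):
    """Resource name of a bucket as seen by an IAM condition."""
    return BUCKET_PREFIX + bucket


def object_resource(bucket, obj):
    """Resource name of an object inside a bucket."""
    return f"{BUCKET_PREFIX}{bucket}/objects/{obj}"


def loose_condition(resource_name, bucket):
    """resource.name.startsWith("projects/_/buckets/BUCKET"), as written in the answer."""
    return resource_name.startswith(bucket_resource(bucket))


def strict_condition(resource_name, bucket):
    """Match the bucket itself or objects inside it, but not buckets that merely share the prefix.

    CEL equivalent:
      resource.name == "projects/_/buckets/BUCKET" ||
      resource.name.startsWith("projects/_/buckets/BUCKET/objects/")
    """
    root = bucket_resource(bucket)
    return resource_name == root or resource_name.startswith(root + "/objects/")


def evaluate(condition, bucket, resources):
    """Return the subset of resource names the condition grants access to."""
    return [r for r in resources if condition(r, bucket)]


# Constructed sample: the intended bucket, an object in it, a different bucket
# whose name happens to begin with the same string, and an unrelated bucket.
SAMPLE = [
    bucket_resource("my-bucket-name"),
    object_resource("my-bucket-name", "uploads/report.csv"),
    bucket_resource("my-bucket-name-backup"),
    object_resource("my-bucket-name-backup", "secret.txt"),
    bucket_resource("other-bucket"),
]


def demo(bucket="my-bucket-name"):
    """Compare what each condition grants for the sample resources."""
    return {
        "loose": evaluate(loose_condition, bucket, SAMPLE),
        "strict": evaluate(strict_condition, bucket, SAMPLE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}:")
        for r in granted:
            print("  ", r)
```

With the loose condition the account also gets Object Viewer and Object Creator on `my-bucket-name-backup`; the strict form limits it to the one bucket and its objects. If you keep the prefix form, the trailing `/` on the prefix (or the exact-match version above) is the difference between "this bucket" and "every bucket starting with this name".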