21

I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?

For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?

Maxim
  • 4,075
  • 1
  • 14
  • 23
stkvtflw
  • 12,092
  • 26
  • 78
  • 155

3 Answers

31

You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.

If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:

  1. Using the gcloud CLI you can create a custom role with gcloud iam roles create, e.g.:

    gcloud iam roles create bucketViewer \
        --project example-project-id-1 \
        --title "Bucket viewer" \
        --description "This role has only the storage.buckets.get permission" \
        --permissions storage.buckets.get
    

    This will create a custom role with the ID bucketViewer, for the project ID example-project-id-1, containing only the permission storage.buckets.get. Replace these values as desired and accordingly.

  2. Once done, you can also assign this custom role with a single gcloud command by using gcloud projects add-iam-policy-binding:

    gcloud projects add-iam-policy-binding example-project-id-1 \
          --member='serviceAccount:test-proj1@example.domain.com' \
          --role='projects/example-project-id-1/roles/bucketViewer'
    

    Replace example-project-id-1 with your project ID, and test-proj1@example.domain.com with the actual name of the service account you want to assign the role to.

Milkncookiez
  • 6,817
  • 10
  • 57
  • 96
Maxim
  • 4,075
  • 1
  • 14
  • 23
  • 1
    Do you know what is the reason behind such a clunky access management approach? – stkvtflw Jan 16 '20 at 06:26
  • 1
    Maybe creating custom roles looks like an unnecessary step, but if you have a lot of users it is easier to set roles instead of individual permissions for each user. I think that this does not fit projects or organizations with few users, but when the project grows in the number of users this option makes more sense. – Jan Hernandez Jan 16 '20 at 14:27
  • Command to add binding worked without quotes for me. – Sachin G. Oct 19 '21 at 12:26
2

You most likely don't want to assign a single permission. It usually requires more permissions to achieve what you want.

Those permissions are organized into roles - you either pick an existing one, or create your own, as described in this answer https://stackoverflow.com/a/59757152.

But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).

Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.

Arnost Valicek
  • 2,418
  • 1
  • 18
  • 14
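As an added example that is not part of any answer above: the accepted answer creates a one-permission custom role and binds it, and the answer above prefers an existing predefined role. Either way, the practitioner's next question is "what can this service account now do, and is it more than the task needs?". The Python script below answers that offline. It reads the JSON shapes that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json` return, but every value in it (the policy, the role definitions, the permission lists, the condition) is constructed and abbreviated for the example; the permission lists are illustrative, not the authoritative contents of the predefined roles. The `custom_role_yaml` helper produces the file-based equivalent of the `--permissions` flag (`gcloud iam roles create ROLE_ID --project P --file role.yaml`).

```python
"""Check what a service account can actually do before and after a grant.

Added example for this thread, not code from the original answers. It reads the
JSON shapes that `gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam roles describe ROLE --format=json` produce, but all data below is
constructed and abbreviated so the script runs offline; the permission lists
are illustrative, not the authoritative contents of the predefined roles.
"""
import re
from typing import Dict, Iterable, List, Set

SA = "serviceAccount:test-proj1@example.domain.com"        # from the accepted answer
CUSTOM_ROLE = "projects/example-project-id-1/roles/bucketViewer"

# Constructed: an IAM policy as get-iam-policy would return it once the custom
# role is bound. The objectAdmin binding is added here to show the audit output.
POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.domain.com"]},
        {"role": CUSTOM_ROLE, "members": [SA]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:ci-pusher@example.domain.com", SA]},
        # Conditional bindings only apply when the condition is true at request
        # time, so the audit reports them separately instead of counting them.
        {"role": "roles/storage.admin", "members": [SA],
         "condition": {"title": "tmp",
                       "expression": 'request.time < timestamp("2020-02-01T00:00:00Z")'}},
    ],
}

# Constructed, abbreviated `gcloud iam roles describe` output keyed by role name.
ROLE_DEFS: Dict[str, dict] = {
    CUSTOM_ROLE: {"title": "Bucket viewer", "stage": "GA",
                  "includedPermissions": ["storage.buckets.get"]},
    "roles/storage.objectAdmin": {"title": "Storage Object Admin", "stage": "GA",
                                  "includedPermissions": ["storage.objects.create",
                                                          "storage.objects.delete",
                                                          "storage.objects.get",
                                                          "storage.objects.list"]},
}

# Permission names look like service.resource.verb, e.g. storage.buckets.get
PERMISSION_RE = re.compile(r"^[a-z][A-Za-z0-9]*(\.[A-Za-z0-9]+){2,}$")


def custom_role_yaml(title: str, description: str, permissions: Iterable[str]) -> str:
    """Role definition for `gcloud iam roles create ROLE_ID --project P --file role.yaml`,
    the file-based equivalent of the --permissions flag used in the accepted answer."""
    perms = sorted(set(permissions))
    bad = [p for p in perms if not PERMISSION_RE.match(p)]
    if bad:
        raise ValueError(f"not permission names: {bad}")
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"] + [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"


def roles_for_member(policy: dict, member: str) -> Dict[str, List[str]]:
    """Split the member's bindings into unconditional and conditional roles."""
    out: Dict[str, List[str]] = {"unconditional": [], "conditional": []}
    for b in policy.get("bindings", []):
        if member in b.get("members", []):
            out["conditional" if "condition" in b else "unconditional"].append(b["role"])
    return out


def effective_permissions(policy: dict, member: str, role_defs: Dict[str, dict]) -> Set[str]:
    """Union of includedPermissions over the member's unconditional roles."""
    perms: Set[str] = set()
    for role in roles_for_member(policy, member)["unconditional"]:
        if role not in role_defs:   # fetch it: gcloud iam roles describe ROLE [--project P]
            raise KeyError(f"no definition loaded for {role}")
        perms.update(role_defs[role]["includedPermissions"])
    return perms


def audit(policy: dict, member: str, role_defs: Dict[str, dict], required: Iterable[str]) -> dict:
    """Report what is missing for the task and what is granted beyond it."""
    held = effective_permissions(policy, member, role_defs)
    need = set(required)
    r = roles_for_member(policy, member)
    return {"roles": r["unconditional"], "conditional_roles": r["conditional"],
            "missing": need - held, "excess": held - need}


if __name__ == "__main__":
    print(custom_role_yaml("Bucket viewer", "Only storage.buckets.get", ["storage.buckets.get"]))
    print(audit(POLICY, SA, ROLE_DEFS, ["storage.buckets.get"]))
```

With real data, replace `POLICY` with the output of `gcloud projects get-iam-policy PROJECT --format=json` and fill `ROLE_DEFS` from `gcloud iam roles describe` for each role the script raises `KeyError` on. An empty `missing` set confirms the grant took effect; a non-empty `excess` set (here, `storage.objects.delete` from the objectAdmin binding) is the list to justify or remove, which is the point of the custom-role approach in the accepted answer.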
0

Easily grant bucket access permission to a service account

TL;DR

Buckets => three dots menu on the target bucket line => Edit Access
... and no, it's not in the Service account permissions tab...

Step by step

  1. In the Google Cloud console GUI go to the navigation menu and choose "Cloud Storage" (https://console.cloud.google.com/storage/)
  2. Choose "Buckets" if not already chosen
  3. Find the bucket you want to add the permission to
  4. Open the "More actions"/"three dots" menu on the target bucket row
  5. Choose "Edit Access" (shows an option to add new and list of existing permissions below)
  6. Click "Add Principal"
  7. To "New principals" field add your Service account - you can find its email ID in:
    "IAM & Admin" > "Service Accounts" > column "Email"
  8. In the "Assign roles" section, click into the field "Select a role"
  9. In category "Cloud storage" - choose the most appropriate role
    • for the OP's case that's most likely "Storage Object Viewer"
    • WARNING: "Storage Object User" CAN: "create, read, update and DELETE objects and multipart uploads in GCS"
  10. Click "Save", wait for the success message that the update finished, and you're good to go :-)

Final note: Some people get confused and are trying to set these permissions in the Service account's permission tab - that is wrong - those are permissions to access/manage/view the service account itself! :-)

jave.web
  • 13,880
  • 12
  • 91
  • 125