
Has anyone worked with a google bucket + iam + condition? Created a service account with the Storage Admin role and added the condition:

```
resource.type == "storage.googleapis.com/Bucket" &&
resource.name.startsWith("projects/_/buckets/stagestorage")
```


While loading the file to storage, I get

Error 403: my-sa@cloudbuild.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object, forbidden...

But if only resource.name.startsWith("projects/_/buckets/stagestorage") is left in the condition, then everything works. I also tried changing the role to Storage Object Admin, but the result is the same.

Maybe 'resource.type' is a redundant condition?

Dmitry Zimin
  • Try `resource.type == "storage.googleapis.com/Bucket" && resource.name.startsWith("projects/_/buckets/stagestorage")` – John Hanley Sep 09 '22 at 17:39
  • The issue is that you are incorrectly using quotes. – John Hanley Sep 09 '22 at 17:40
  • Oh, I'm bad, I forgot to delete the first bracket. In original it looks like this: resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/unitely-stage\"). But it doesn't work. – Dmitry Zimin Sep 12 '22 at 07:04
  • `Oh, I'm bad, I forgot to delete the first bracket…` Could you edit your question and post the actual conditions you used? What error do you get with the `Storage Admin` role? What error do you get with the `Storage Object Admin` role? – Andrés Sep 12 '22 at 20:17
  • Updated the question. – Dmitry Zimin Sep 13 '22 at 07:09
  • Who or what is using said Service Account? Perhaps another GCP product? E.g. some developers fail to fully configure GKE's [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity) for GKE to use other GCP products. – Andrés Sep 14 '22 at 23:40
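
The behaviour described in the question, as an added example that is not from the post or its comments: a small stand-in for how an IAM condition is evaluated against the resource attributes Cloud Storage attaches to a request. It assumes the documented attribute conventions (buckets are typed `storage.googleapis.com/Bucket` and named `projects/_/buckets/BUCKET`; objects are typed `storage.googleapis.com/Object` and named `projects/_/buckets/BUCKET/objects/OBJECT`), and goes one step past the question by showing that a bare prefix match also captures a constructed sibling bucket such as `stagestorage-old`.

```python
# Added example: simulated evaluation of IAM conditions against Cloud Storage
# resource attributes. Attribute shapes follow the documented GCS conventions;
# "stagestorage" comes from the question, "stagestorage-old" is a constructed
# sample bucket name used to show prefix over-matching.

BUCKET_TYPE = "storage.googleapis.com/Bucket"
OBJECT_TYPE = "storage.googleapis.com/Object"


def bucket_resource(bucket):
    """Attributes of a bucket-level request (e.g. storage.buckets.get)."""
    return {"type": BUCKET_TYPE, "name": f"projects/_/buckets/{bucket}"}


def object_resource(bucket, obj):
    """Attributes of an object-level request (e.g. storage.objects.create)."""
    return {"type": OBJECT_TYPE, "name": f"projects/_/buckets/{bucket}/objects/{obj}"}


# The condition from the question: only Bucket-typed resources satisfy it, so
# an upload, whose resource is an Object, never matches and the role does not
# apply -> 403 on storage.objects.create.
def cond_bucket_only(res):
    return res["type"] == BUCKET_TYPE and res["name"].startswith("projects/_/buckets/stagestorage")


# The variant reported as working: prefix match alone, any resource type.
# Caveat: the prefix also matches neighbouring buckets like "stagestorage-old".
def cond_prefix_only(res):
    return res["name"].startswith("projects/_/buckets/stagestorage")


# Tighter form: exact name for the bucket itself, and the objects/ sub-path for
# objects inside it, so sibling buckets are not captured.
def cond_scoped(res):
    name = res["name"]
    return name == "projects/_/buckets/stagestorage" or name.startswith("projects/_/buckets/stagestorage/objects/")


def evaluate(condition, res):
    """Return 'ALLOW' when the binding applies to this resource, else 'DENY'."""
    return "ALLOW" if condition(res) else "DENY"


if __name__ == "__main__":
    upload = object_resource("stagestorage", "build/artifact.tar.gz")
    sibling = object_resource("stagestorage-old", "x.txt")
    for label, cond in [("bucket-only", cond_bucket_only), ("prefix-only", cond_prefix_only), ("scoped", cond_scoped)]:
        print(f"{label:12} upload={evaluate(cond, upload)} sibling={evaluate(cond, sibling)}")
```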

0 Answers