- create a service account. Currently this is under "IAM & Admin | Service Accounts" in the Google Cloud UI.
- In the IAM screen your service account is over-privileged, you can remove all privileges from the account here (which causes it to disappear from the IAM list). We will grant it permission over the bucket only.
- Create your bucket, then give the world access (you can also use AllUsers in the UI):
gsutil defacl ch -u AllUsers:R gs://mybucket
- Give your serviceaccount@projectname.iam.gserviceaccount.com writer access to the bucket. It seems there is no way to limit the permission to create only (options are read/write/owner).
- Test the permissions of your service account:
gcloud auth activate-service-account --key-file mysecretfile.json serviceaccountname gcloud auth list # Check your service account is the active account, then try copying to the bucket you authorized, and another bucket which should fail. gsutil cp test gs://mybucket gsutil cp test gs://someotherbucket
- You can then set the default object permissions for the bucket via the UI so that new objects are world readable by default.
Thursday, July 7, 2016
Creating a Google Cloud service account that can only create new objects in a single bucket
I wanted a service account that can only create new objects in a single bucket, and have those objects be publicly readable by default. Use case is a travis deployer that publishes build artifacts.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment