How to use Google Cloud IAM on Cloud Storage?


Hello folks, in this blog we'll look at the abstraction primarily used to administer user access in IAM, the service account, and at how to create a service account in GCP and grant it roles, both project-wide and on a single bucket.

Create Service Account for all buckets objects:

  • click IAM & admin > Service Accounts
  • Click CREATE SERVICE ACCOUNT
  • Name: serviceacc1
  • click CREATE AND CONTINUE
  • Add two roles: Storage Object Viewer and Storage Object Creator
  • Click CONTINUE and DONE

Alright, we’ve created the service account.

NOTE: These two roles are object-level roles: they let the service account list and create objects in every existing bucket of the project, but they do not let it create buckets.

After that, we'll create the VM instance that will run as this service account.

Create a VM:

  1. Click CREATE INSTANCE
  2. Specify the following, and leave the remaining settings as their defaults:

     Property         Value (type value or select option as specified)
     Name             instance-1
     Region           us-central1
     Zone             us-central1-a
     Series           N1
     Machine Type     f1-micro
     Boot disk        Debian GNU/Linux 10 (buster)
     Service account  serviceacc1

  3. Click Create

Prepare a resource for access testing

Create a bucket and upload a sample file

  • On the Navigation menu, click Cloud Storage > Browser.
  • Click Create bucket
  • Specify the following, and leave the remaining settings as their defaults:
  • Name: Enter a globally unique name
  • Location type: Multi-region

Note the bucket name: it will be used in a later step and referred to as [YOUR_BUCKET_NAME]

Explore the Service Account User role

At this point you can test access by connecting to the VM over SSH and performing the actions below. As the owner of the project, you already hold the Service Account User role, so you can simulate what the user would experience simply by using SSH to access the VM from the Cloud Console.

  1. Click SSH to launch a terminal and connect.
  2. Run the following command:

gcloud compute instances describe instance-1 --format json

If gcloud asks you to confirm the zone and the one it displays matches your instance, type y; otherwise type n.

To list the objects in the bucket, run:

gsutil ls gs://[YOUR_BUCKET_NAME]

Since I didn't upload any file to the bucket, the listing is empty, so let's create a simple file:

touch filename

Copy the file you just created into the bucket you created earlier.

gsutil cp filename gs://[YOUR_BUCKET_NAME]

To get the list of objects in the bucket, run the following command:

gsutil ls gs://[YOUR_BUCKET_NAME]

The command succeeds as the service account has the correct permissions.

We've seen that serviceacc1 holds two Cloud Storage object roles that apply equally to the objects of every bucket in the project. Suppose instead you want to grant permission on only one bucket, so that the service account can view and create objects in that bucket alone.

Create Service Account for specific buckets objects:

  • click IAM & admin > Service Accounts
  • Click CREATE SERVICE ACCOUNT
  • Name: serviceacc2
  • click CREATE AND CONTINUE

Create Another bucket:

  • On the Navigation menu, click Cloud Storage > Browser.
  • Click Create bucket
  • Specify the following, and leave the remaining settings as their defaults:
  • Name: Enter a globally unique name (service-buc-2)
  • Location type: Multi-region
  • Go to the bucket's Permissions tab, add serviceacc2 as a principal and select the Storage Admin role

Create a VM with serviceacc2:

  1. Click CREATE INSTANCE
  2. Specify the following, and leave the remaining settings as their defaults:

     Property         Value (type value or select option as specified)
     Name             instance-2
     Region           us-central1
     Zone             us-central1-a
     Series           N1
     Machine Type     f1-micro
     Boot disk        Debian GNU/Linux 10 (buster)
     Service account  serviceacc2

  3. Click Create

Now SSH to instance-2 and run the commands below:

gsutil ls gs://service-buc-2
touch file2.py
gsutil cp file2.py gs://service-buc-2

I can perform these actions on service-buc-2, but I have another bucket named service-buc-3 whose objects I'm not able to list, because this service account has access only to service-buc-2.
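The difference between the two set-ups is where the role binding lives: serviceacc1's object roles are bound on the project and are inherited by every bucket, while serviceacc2's Storage Admin role is bound on service-buc-2 alone. The following is an added example, not code from the original post, that audits constructed sample policies in the JSON shape returned by `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` to show which buckets each service account can reach; the project id "my-project" and the principal emails are placeholders.

```python
# Constructed sample policies (placeholder project id and emails), in the
# JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` return.
SA1 = "serviceAccount:serviceacc1@my-project.iam.gserviceaccount.com"
SA2 = "serviceAccount:serviceacc2@my-project.iam.gserviceaccount.com"

PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer", "members": [SA1]},
    {"role": "roles/storage.objectCreator", "members": [SA1]},
]}
BUCKET_POLICIES = {
    "service-buc-2": {"bindings": [{"role": "roles/storage.admin", "members": [SA2]}]},
    "service-buc-3": {"bindings": []},
}

# Predefined Cloud Storage roles considered here. Basic roles such as
# roles/owner also imply storage access but are deliberately not expanded.
STORAGE_ROLES = {"roles/storage.objectViewer", "roles/storage.objectCreator",
                 "roles/storage.objectAdmin", "roles/storage.admin"}


def roles_for(policy, member):
    """Storage roles a member is bound to directly in one IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])} & STORAGE_ROLES


def effective_roles(member, project_policy, bucket_policies):
    """Map bucket name -> storage roles the member can exercise on it.
    Project-level bindings are inherited by every bucket in the project;
    bucket-level bindings apply only to that bucket."""
    inherited = roles_for(project_policy, member)
    return {name: inherited | roles_for(pol, member)
            for name, pol in bucket_policies.items()}


def project_wide_storage_grants(project_policy):
    """Service accounts holding storage roles at project scope. Such grants
    reach every bucket in the project, which is often broader than intended."""
    return sorted({m for b in project_policy.get("bindings", [])
                   if b["role"] in STORAGE_ROLES
                   for m in b.get("members", []) if m.startswith("serviceAccount:")})


if __name__ == "__main__":
    for sa in (SA1, SA2):
        print(sa, effective_roles(sa, PROJECT_POLICY, BUCKET_POLICIES))
    print("project-wide storage grants:", project_wide_storage_grants(PROJECT_POLICY))
```

Running it shows serviceacc1 with viewer/creator on both buckets and serviceacc2 with Storage Admin on service-buc-2 only, matching the gsutil results above.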

I hope the difference between these two approaches is clear and that you now understand both cases.

Conclusion:

We've learned what Cloud IAM is, how to work with it, how to use it to implement access control, and how to restrict access to specific features or objects by granting roles to a service account at the right scope.

Thanks for reading!

Written by 

A curious DevOps intern who loves to learn and work on technical skills and tools, and knows the basics of Linux, Docker, Ansible, Kubernetes and more.