GCP Create Custom Role to Write to a Bucket
I want to give a service account write-only rights (no read, no delete) on a Google Cloud Storage bucket. The account will push a backup into the bucket. Following the least privilege principle, I want just enough rights to do that and nothing more: if someone gets onto the Compute Engine instance where the service account lives, I don't want them to be able to delete or encrypt the backups.
The basic setup is the following:
- IAM > Roles
- Create a Role
- Give it a name and attach the needed permissions (a custom role is a list of permissions, not of other roles)
- Service Accounts
- Create Service Account
- Grant Access > Quick Access > Custom Roles
- Generate a JSON key
- Authenticate gcloud with that key
Authenticate like this:
gcloud auth activate-service-account --key-file=key.json
I started with the following permissions:
storage.objects.create
storage.objects.list
Obviously, it wasn't enough: I got a 403 saying the account had no storage.objects.list access, even though that permission was correctly set up in the role.
AccessDeniedException: 403 xxx@xxx.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.
ERROR: (gcloud.projects.get-iam-policy) User [xxx@xxx.iam.gserviceaccount.com] does not have permission to access projects instance [xxx:getIamPolicy] (or it may not exist): The caller does not have permission
I was focusing on the first message, which I was sure I had covered, but the second one is the clue: it comes from gcloud projects get-iam-policy, and reading the project's IAM policy requires resourcemanager.projects.getIamPolicy. Note that this permission is needed by that diagnostic command, not by the upload itself; if you later want the role strictly write-only, drop it again once everything works.
I changed the role to the following:
resourcemanager.projects.getIamPolicy
storage.objects.create
storage.objects.list
That was enough. I won't forget about getIamPolicy again.
Two things worth knowing about this role: storage.objects.list lets whoever holds the key enumerate backup names (but not read their contents, which needs storage.objects.get), and because overwriting an existing object in Cloud Storage also requires storage.objects.delete, existing backups cannot be replaced by an attacker either. Bind the role on the bucket itself rather than on the whole project, and on a Compute Engine instance prefer attaching the service account to the VM over copying a long-lived JSON key onto the disk.
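The same setup as gcloud commands instead of console clicks. This is an added example and not from the original post; PROJECT, BUCKET, ROLE_ID and SA_NAME are placeholders you must set, and the role keeps only the two storage permissions (resourcemanager.projects.getIamPolicy is left out because the upload does not need it). The check_write_only function refuses any permission that would let the account read, delete or overwrite objects, and role_yaml emits the file format that gcloud iam roles create --file expects.

```shell
#!/usr/bin/env sh
# Added example (not the post's own code): write-only backup role as gcloud commands.
# PROJECT, BUCKET, ROLE_ID, SA_NAME are placeholders; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-project}"
BUCKET="${BUCKET:-my-backup-bucket}"
ROLE_ID="${ROLE_ID:-backupWriter}"
SA_NAME="${SA_NAME:-backup-writer}"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"

# create = upload new objects; list = the 403 in the post shows the copy tooling needs it.
# Deliberately no storage.objects.get (read) and no storage.objects.delete (delete/overwrite).
WRITE_ONLY_PERMS="storage.objects.create storage.objects.list"

# Print "ok" if the permission list is write-only, otherwise name the offender and fail.
# In Cloud Storage, overwriting an object also needs storage.objects.delete, so refusing
# delete protects existing backups from being replaced as well as from being removed.
check_write_only() {
  for p in $1; do
    case "$p" in
      storage.objects.get|storage.objects.delete|storage.objects.update)
        echo "refused: $p"
        return 1
        ;;
    esac
  done
  echo ok
}

# Emit the YAML role definition consumed by `gcloud iam roles create --file`.
role_yaml() {
  printf 'title: "Backup Writer"\n'
  printf 'description: "Write-only access for pushing backups"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for p in $1; do
    printf '  - %s\n' "$p"
  done
}

# Create the role and service account, bind the role on the bucket only (not the project),
# then authenticate as the account and push a backup. Only runs when invoked with "apply".
apply() {
  check_write_only "$WRITE_ONLY_PERMS"
  role_yaml "$WRITE_ONLY_PERMS" > role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT" --file=role.yaml
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
    --display-name="Backup writer"
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="projects/$PROJECT/roles/$ROLE_ID"
  gcloud iam service-accounts keys create key.json --iam-account="$SA_EMAIL"
  gcloud auth activate-service-account --key-file=key.json
  gcloud storage cp backup.tar.gz "gs://$BUCKET/"
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as ./setup.sh apply once the placeholders are set. The binding goes on the bucket rather than on the project, so a compromised instance cannot touch any other bucket, and the generated key.json should be treated as a secret and removed once you move to an attached service account.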