DevOps Blog - Nicolas Paris

GCP Create Custom Role to Write to a Bucket


I want to give a service account right to write-only (no read, no delete) in a Google Storage. The account will push a backup into a bucket. With the least privilege principle, I want just enough right to do so. I do not want to delete any file, if someone access the compute engine where the service account is, I don't want him to delete or encrypt the backup.

The basic setup is the following

Authenticate like this:

gcloud auth activate-service-account --key-file=key.json

I started with the following access.


Obviously, it wasn't enough as I had the following error, a 403 with no storage.objects.list even if he had the right correctly setup.

AccessDeniedException: 403 does not have storage.objects.list access to the Google Cloud Storage bucket.
ERROR: (gcloud.projects.get-iam-policy) User [] does not have permission to access projects instance [xxx:getIamPolicy] (or it may not exist): The caller does not have permission

I was focusing on the first message which I was sure to give the access, but he needs the getIamPolicy too.

Change with the following.


It was enough, I won't forget about the getIamPolicy again.