GCP Create Custom Role to Write to a Bucket
DevOps, GCP
I want to give a service account write-only rights (no read, no delete) on a Google Cloud Storage bucket. The account will push a backup into the bucket. Following the least-privilege principle, I want just enough rights to do that and nothing more. The account must not be able to delete any file: if someone gets onto the Compute Engine instance where the service account lives, I don't want them to be able to delete or encrypt the backup.
The basic setup is the following:
- IAM > Roles
- Create a Role
- Give name and associate needed roles
- Service Accounts
- Create Service Account
- Grant Access > Quick Access > Custom Roles
- Generate a JSON key
Then use gcloud with that key. Authenticate like this:
gcloud auth activate-service-account --key-file=key.json
I started with the following access.
Obviously, it wasn't enough: I got the following error, a 403 complaining about a missing storage.objects.list, even though that permission was correctly set up in the role.
AccessDeniedException: 403 firstname.lastname@example.org does not have storage.objects.list access to the Google Cloud Storage bucket.
ERROR: (gcloud.projects.get-iam-policy) User [email@example.com] does not have permission to access projects instance [xxx:getIamPolicy] (or it may not exist): The caller does not have permission
I was focusing on the first message, for which I was sure I had granted the access, but as the second error says, the account also needs resourcemanager.projects.getIamPolicy.
I changed the role to the following permissions:
- resourcemanager.projects.getIamPolicy
- storage.objects.create
- storage.objects.list
It was enough. I won't forget about the resourcemanager.projects.getIamPolicy permission next time.
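As an added example (not code from the original post), a small offline check that a candidate custom role matches the write-only backup intent described above: it flags the permissions the post found necessary when missing, flags read/delete permissions that would let whoever controls the VM read or wipe the backup, and renders the role file accepted by `gcloud iam roles create`. The role title and the "first attempt" permission set are assumptions; the permission names are real GCS/IAM permissions.

```python
# Added example: least-privilege check for the write-only backup role from the post.

# Permissions the post found necessary for the gcloud/gsutil upload to succeed.
REQUIRED = {
    "storage.objects.create": "upload the backup object",
    "storage.objects.list": "the 403 in the post: the copy lists the destination first",
    "resourcemanager.projects.getIamPolicy": "the second error in the post",
}

# Permissions that break the write-only goal. In GCS, overwriting an existing object
# needs storage.objects.delete as well as storage.objects.create, so leaving delete
# out also blocks overwriting a backup in place with an encrypted copy.
FORBIDDEN = {
    "storage.objects.get": "read backup contents",
    "storage.objects.delete": "delete or overwrite existing backups",
    "storage.objects.update": "change object metadata",
    "storage.buckets.delete": "delete the whole bucket",
    "storage.buckets.setIamPolicy": "grant itself more access",
}


def check_write_only_role(permissions):
    """Return (missing, excessive): required permissions absent, forbidden ones present."""
    perms = set(permissions)
    missing = sorted(set(REQUIRED) - perms)
    excessive = sorted(perms & set(FORBIDDEN))
    return missing, excessive


def role_yaml(role_title, permissions):
    """Render the YAML for `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`.

    Refuses to render a role that fails the write-only check.
    """
    missing, excessive = check_write_only_role(permissions)
    if missing or excessive:
        raise ValueError(f"missing={missing} excessive={excessive}")
    lines = [f'title: "{role_title}"', 'stage: "GA"', "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed first attempt (the post's screenshot is not reproduced): no getIamPolicy.
    first_attempt = ["storage.objects.create", "storage.objects.list"]
    print(check_write_only_role(first_attempt))
    print(role_yaml("Backup Writer (assumed title)", list(REQUIRED)))
```

Grant the role on the bucket itself (`gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=serviceAccount:SA --role=projects/PROJECT/roles/ROLE_ID`) rather than on the project, so the key on the VM reaches only that bucket.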