Making a Cloud Storage bucket accessible only by a certain service account

问题

I have an storage bucket that I created on GCP. I created the bucket following the instructions described here (https://cloud.google.com/storage/docs/creating-buckets). Additionally, I created it using uniform bucket-level access control.

However, I want the objects in the bucket to be accessible by instances running under a certain service account. Although, I do not see how to do that. In the permissions settings, I do not see how I can specify a service account for read-write access.

回答1:

To create a service account, run the following command in Cloud Shell:

gcloud iam service-accounts create storage-sa --display-name "storage service account"

You can grant roles to a service account so that the service account can perform specific actions on the resources in your GCP project. For example, you might grant the storage.admin role to a service account so that it has control over objects and buckets in Google Cloud Storage.

gcloud projects add-iam-policy-binding <Your Project ID> --member <Service Account ID> --role <Role You want to Grant>

Once role is granted you can select this service account while creating the instance.

Alternatively, to do this via Google Cloud Console see Creating and enabling service accounts for instances

回答2:

Once you have created your service account, you can then change/set the access control list (ACL) permissions on your bucket or objects using ths gsutil command.

Specifically:

gsutil acl set [-f] [-r] [-a] file-or-canned_acl_name url...
gsutil acl get url
gsutil acl ch [-f] [-r] <grant>... url...

where each <grant> is one of the following forms:

  -u <id|email>:<perm>
  -g <id|email|domain|All|AllAuth>:<perm>
  -p <viewers|editors|owners>-<project number>:<perm>
  -d <id|email|domain|All|AllAuth|<viewers|editors|owners>-<project number>>:<perm>

Please review the following article for more depth and description:

• acl - Get, set, or change bucket and/or object ACLs

You can also set/change acls through the Cloud Console web interface and through GCS API.

回答3:

1. You have to create a service account Creating a new service account.

2. Set up a new instance to run as a service account Set instance.

3. In the Google Cloud Console go to Storage/bucket/right_corner dots/Edit bucket permissions

Add Member/servive account/

Role/Storage Admin

来源：https://stackoverflow.com/questions/58817946/making-a-cloud-storage-bucket-accessible-only-by-a-certain-service-account