-1

I have some devices, and each will be handled to the customers. I need each device to have read-access to some Google Cloud storage buckets. I would like each of device (or at least each customer) to have a different service account so I can track/revoke accesses if I need to.

I am not sure what is the best way to achieve this easily. I could create a service account for each device, allow each service account on each bucket, but this seems tedious. I though of two solutions :

  • Create each device account with the Storage Object Viewer role limited to a tag, which will be set on each buckets. However, I didn't found how to set a tag on a bucket and use it to limit the role.
  • Allow each device account to impersonate another service account "bucket reader" that will be allowed to read on each bucket. However I will have to allow each account to impersonate the "bucket reader" service account. Service account impersonation do not allow for long-lived token.

What is the best solution and how to do it? Is there another way I didn't think of?

Improve this question
2
  • Tedious and Security go together. Your solution of using a separate service account is a good method in Google Cloud. Another option is IAM Conditions cloud.google.com/iam/docs/conditions-overview where you can specify which bucketname/prefix can be accessed.
    – John Hanley
    Apr 26, 2021 at 19:50
  • My main concern was "what if I want to add a bucket to the list of bucket I need access": I would have to edit conditions on all the service accounts. Besides, you are limited in the number of condition for a given service account right.
    – Hugal31
    Apr 27, 2021 at 8:29

2 Answers 2

Reset to default
3

As per my understanding of the case, you want to provide reader access for each device on Google Cloud storage buckets. However, you are also concerned about the increasing load and limit.So taking into account the various issues faced by you, I am sharing a few dimensions of the approach taken by you as follow -

1: As You already have created a script that allows a service account on each labeled bucket. So for further more details related to management of the service account you can refer to this Public Documentation: https://cloud.google.com/iam/docs/creating-managing-service-accounts

2.You can also change the IAM role to Storage Object Viewer for a particular service account on a specific bucket by following GSUtil command:

gsutil iam ch serviceAccount:[email protected]:storage.objectViewer gs://my-project/my-bucket

For more information related to how to create IAM roles for service account on a particular bucket you can refer to this Public documentation: https://cloud.google.com/storage/docs/access-control/using-iam-permissions

3.If you have exhausted 100 service accounts then you can request changes to quota from the Quotas page in the Cloud Console. There is no charge for requesting a quota increase. Your costs increase only if you use more resources. For more details you can refer to this documentation: https://cloud.google.com/compute/quotas#requesting_additional_quota For knowing the quota limits for all the resources available you can refer to this public documentation : https://cloud.google.com/iam/quotas

Hope this helps you!

Improve this answer
0

Finally, I decided to go with 1 account / customer, add a label to each of the bucket I need to enable access, and simply wrote a script that allow a service account on each labeled bucket.

My last concern is the limited number of service account per project (1000), but I'll figure out by time I get +1000 customers.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .