What are the minimum permissions needed by filepicker.io when integrating with Google Cloud Storage?
We are integrating filepicker.io with Google Cloud Storage (ie. asking filepicker to write the uploaded files to our Google Cloud Storage account). Their documentation is pretty clear, however I found that I have to give the service account "Editor" access to the whole project, which is a security concern for us (it means that if somebody gets access to the access tokens used by Filepicker, they can do whatever they want with our Google Cloud project instead of just having access to the file). Trying to use some more restrictive permissions (like "Storage Object Creator" + "Storage Object Viewer") makes Filepicker fail.
Had anyone managed to configure the Google Cloud Storage integration of Filepicker.io with something less than "Editor" access to the project?
Just wanted to note that in the mean time I implemented a workaround: I created a separate Google Cloud project and only gave "Storage Admin" access to that one to Filepicker. Then I gave permissions to the accounts from the other projects to use the given storage bucket from the "upload" project. So this way at least any token leaked on Filepicker's end is limited to accessing this "upload" project.
I just tested this and it seems that the minimum required role to store to GCS using Filestack/Filepicker is either the "Project Editor" role, or the "Storage Admin" role. I will submit a feature request to allow more varied role options.
- Remove last lines in csv file with "Totals" info
- Using pandas to open Excel files stored in GCS from command line
- Does snapshot size is less than actual disk size even disk is full in google cloud?
- Execution expired error when uploading a large file to google cloud storage using google-api-client gem
- Error: error:1E08010C:DECODER routines::unsupported with Google auth library
- Add Vercel Environment Variable that points to JSON file
- Inspecting files on an old Google App Engine app
- Is there Google Cloud Storage emulator?
- Whilst deploying a GCP function, the service account keeps reverting back to its default resulting in an error
- How can I download an object from Google Cloud Storage, through the Java Admin SDK?
- Google Pubsub Cloud Storage subscription to combine messages into same avro file
- Having issues reporting storage buckets that are hosting spam and phishing redirects html/javascript files
- Error while reading from Google storage parquets to clickhouse
- django-storages - Staticfiles storage key attribute error
- Open File from Uri using media picker in Android
- Refactor from requests HTTPAdapter to httpx HTTPTransport
- Does the Content Security Policy Standard support wildcard paths? If not, why doesn't it?
- How to create persistent docker containers on google cloud run instance?
- gcloud command not found - while installing Google Cloud SDK
- Getting error when uploading file from memory
- Google Cloud SDK Python Client: How to list files inside of a Cloud Storage bucket?
- How to get list_blobs to behave like gsutil
- Is it possible to query multiple files with one request in Google Cloud Storage?
- Delete a file from firebase storage using download url with Cloud Functions
- GCP Storage SignedUrl access denied in production
- Set metadata while uploading a new object using stream
- Why does Google Cloud Storage freeze when I try to upload a large folder (2.5GB of images)?
- How to properly assign publisher and subscriber roles to a dead-letter topic using terraform
- Error: Invalid HTTP method/URL pair when using getDownloadURL on a file produced by the Transcoder API
- Generate Signed URL with Prefix