I created a service user:
gcloud iam service-accounts create test01 --display-name "test01"
And I gave him full access to Cloud Storage:
gcloud projects add-iam-policy-binding project-name \
--member serviceAccount:test01@project-name.iam.gserviceaccount.com \
--role roles/storage.admin
This code works:
from google.cloud import storage
client = storage.Client()
buckets = list(client.list_buckets())
print(buckets)
bucket = client.get_bucket('bucket-name')
print(list(bucket.list_blobs()))
But my project has multiple buckets for different environments, and for security reasons I want to add access for only one bucket per user.
In the documentation I found this text:
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
How do I apply roles/storage.admin to an individual bucket?
Update:
I tried ACLs, and there is a problem. I add access for the user:
gsutil iam ch \
serviceAccount:test01@project-name.iam.gserviceaccount.com:legacyBucketOwner \
gs://bucket-name
The user can list all files, add files, create files, and view his own files.
But the user can't view files of other users.
Update 2:
I updated default ACL:
gsutil defacl ch -u \
test01@project-name.iam.gserviceaccount.com:OWNER gs://bucket-name
I waited a long time, created another file with another user, and it's still inaccessible to test01.
Solution:
I did it from scratch, and it works:
gsutil mb -p example-logs -c regional -l EUROPE-WEST2 gs://example-dev
gcloud iam service-accounts create test-dev --display-name "test-dev"
gcloud iam service-accounts create test-second --display-name "test-second"
# download 2 json keys from https://console.cloud.google.com/iam-admin/serviceaccounts
gsutil iam ch serviceAccount:test-dev@example-logs.iam.gserviceaccount.com:legacyBucketOwner gs://example-dev
gsutil iam ch serviceAccount:test-second@example-logs.iam.gserviceaccount.com:legacyBucketOwner gs://example-dev
gsutil defacl ch -u test-dev@example-logs.iam.gserviceaccount.com:OWNER gs://example-dev
In order for a user to work with a bucket, that user must be granted authority to work with that bucket. This is achieved with permissions. Permissions can be bundled into roles, and we can give a user a role, which means that the user will have that role.
For example, a user can be given the role "Storage Admin" and will then be able to perform work against all buckets in your project.
If that is too much, then you can choose NOT to give the user "Storage Admin", and then they will not be allowed to access any bucket. Obviously that is too restrictive. What you can then do is pick the individual buckets that you wish the user to access and, for each of those buckets, change the permissions of THOSE buckets. Within the permissions of a bucket you can name users and roles. For just THAT bucket, the named user will have the named role.
For more details see Creating and Managing Access Control Lists (ACLs).
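The following is an added example, not code from the question or the answer above. It models the bucket-level IAM policy that `gsutil iam get gs://BUCKET` prints and `gsutil iam set policy.json gs://BUCKET` accepts, and audits it offline. It ties together the symptom from the question's updates (a member with only `legacyBucketOwner` can list and create objects but cannot read other users' objects, because that role carries `storage.objects.list` and `storage.objects.create` but not `storage.objects.get`) and the answer's point that the role should be bound on the individual bucket rather than the project. The role-to-permission table is an abbreviated summary of the public predefined-role reference, limited to the permissions relevant here; the sample policy and the service account name are constructed for the example.

```python
"""Model and audit per-bucket Cloud Storage IAM bindings offline (added example)."""
import copy
import json

# Abbreviated summary of the predefined Cloud Storage roles, limited to the
# permissions that matter on this page. The real lists are longer; see the
# Cloud Storage IAM role reference for the authoritative version.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyBucketWriter": {
        "storage.buckets.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
    # legacyBucketOwner manages the bucket and can list/create/delete objects,
    # but it does NOT include storage.objects.get: object reads still depend
    # on object ACLs, which is why the question's test01 could not read files
    # written by other users.
    "roles/storage.legacyBucketOwner": {
        "storage.buckets.get", "storage.buckets.update",
        "storage.buckets.getIamPolicy", "storage.buckets.setIamPolicy",
        "storage.objects.list", "storage.objects.create", "storage.objects.delete",
    },
}

# A member holding this permission can rewrite the bucket policy and grant
# itself (or anyone) more access, so it should not be given to an app identity.
ESCALATION_PERMISSIONS = {"storage.buckets.setIamPolicy"}


def effective_permissions(policy, member):
    """Union of the permissions every binding in `policy` grants to `member`."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def add_binding(policy, role, member):
    """Copy of `policy` with `member` added to `role` (what `gsutil iam ch` does)."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def remove_binding(policy, role, member):
    """Copy of `policy` with `member` removed from `role` (what `gsutil iam ch -d` does)."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b["members"]]
    return new_policy


def audit_bucket_policy(policy, expected_readers):
    """Return findings: expected readers lacking storage.objects.get, and any
    member that can change the bucket's own IAM policy."""
    findings = []
    members = {m for b in policy.get("bindings", []) for m in b.get("members", [])}
    for member in sorted(members):
        perms = effective_permissions(policy, member)
        if member in expected_readers and "storage.objects.get" not in perms:
            findings.append(f"{member}: can list but not read objects (no storage.objects.get)")
        if perms & ESCALATION_PERMISSIONS:
            findings.append(f"{member}: can change bucket IAM policy (storage.buckets.setIamPolicy)")
    return findings


def least_privilege_policy(policy, member):
    """Swap legacyBucketOwner for objectAdmin: full object access in this one
    bucket, no rights to manage the bucket or its IAM policy."""
    fixed = remove_binding(policy, "roles/storage.legacyBucketOwner", member)
    return add_binding(fixed, "roles/storage.objectAdmin", member)


# Constructed sample: the question's first attempt, as `gsutil iam get` would show it.
SA = "serviceAccount:test01@project-name.iam.gserviceaccount.com"
QUESTION_POLICY = {
    "bindings": [{"role": "roles/storage.legacyBucketOwner", "members": [SA]}],
    "etag": "CAE=",  # placeholder etag; the real one comes from `gsutil iam get`
}

if __name__ == "__main__":
    print("before:", audit_bucket_policy(QUESTION_POLICY, {SA}))
    fixed = least_privilege_policy(QUESTION_POLICY, SA)
    print("after: ", audit_bucket_policy(fixed, {SA}))
    # Write this out and apply it with: gsutil iam set policy.json gs://bucket-name
    print(json.dumps(fixed, indent=2))
```

The one-command equivalent of `least_privilege_policy` is `gsutil iam ch serviceAccount:test01@project-name.iam.gserviceaccount.com:objectAdmin gs://bucket-name` (use `objectViewer` for read-only environments), with no project-level `roles/storage.admin` binding at all. Because the binding is on the bucket, `client.list_buckets()` from the question will no longer succeed for that account, but `client.get_bucket('bucket-name')` and blob operations will. Enabling uniform bucket-level access on the bucket makes per-object ACLs irrelevant, so the "can't view other users' files" situation cannot recur.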