We can grant permission on a specific GCP storage bucket. It defines which service account (SA) has which roles (permissions) on this bucket. Let me call it bucket-level permission.
We can also grant storage permissions in the GCP project IAM. It can define which SA (whether in the same or a different project) has which roles on all the buckets of the current project. Let me call it IAM-level permission.
I am confused about the difference between setting permission at the bucket level and at the IAM level:
In the case where the SA and the bucket are in the same project, does the service account's final permission equal the subset or the superset of the bucket-level permission and the IAM-level permission? E.g. if the bucket level grants storage.object.admin to the SA and the IAM level grants storage.admin to the SA, then is the final permission the SA gets storage.object.admin (subset) or storage.admin? And is the permission for only this bucket or for all buckets in the project?
Besides, in the case where the SA (projectA) and the buckets (projectB) are in different projects, is it true that we must add the SA as a principal in projectB's IAM, otherwise the SA cannot access the bucket? Besides, in this case, will the final permission the SA gets be storage.object.admin or storage.admin on only this bucket? Or will it get storage.admin permission on all buckets in projectB?
Yes. In order to access the buckets of other projects using a service account that is created in a different project, you need to grant access to that service account using IAM in the project where you have the storage buckets, and to do that we recommend you follow this document. Make sure you have given permission for only one bucket, not the entire project.
Follow Attach a service account to a resource in another project.
Additionally, you can also refer to the following documents for more information:
IAM hierarchy levels (folder -> project -> bucket)
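To make the question's scenario concrete, here is an added example (not code from the question, the answer, or Google) that models how IAM evaluates a service account's access on a bucket: policies are additive, so the effective permissions are the union of the bindings at every level above the resource, which is why the answer recommends granting on the single bucket rather than the whole project. The role contents, project ids, service account names and policies are constructed, abbreviated sample data.

```python
# Added example, not from the question or answer: a model of how GCP IAM
# evaluates a principal's access on a bucket. Policies are additive: the
# effective permissions are the union of bindings at every level above the
# resource (folder -> project -> bucket); a bucket grant never narrows a
# project grant. Roles are abbreviated; all names and policies are constructed.

ROLE_PERMISSIONS = {
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
    "roles/storage.admin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
        "storage.buckets.get", "storage.buckets.delete",
        "storage.buckets.getIamPolicy", "storage.buckets.setIamPolicy",
    },
}

SA_WIDE = "serviceAccount:wide@projectA.iam.gserviceaccount.com"    # SA in projectA
SA_SCOPED = "serviceAccount:scoped@projectA.iam.gserviceaccount.com"

PARENT = {  # child resource -> parent resource
    "projects/projectB": "folders/000",
    "projects/projectB/buckets/bucket-1": "projects/projectB",
    "projects/projectB/buckets/bucket-2": "projects/projectB",
}
POLICIES = {  # IAM policy bindings attached to each resource
    "projects/projectB": [  # IAM-level grant: covers every bucket in projectB
        {"role": "roles/storage.admin", "members": [SA_WIDE]},
    ],
    "projects/projectB/buckets/bucket-1": [  # bucket-level grant: bucket-1 only
        {"role": "roles/storage.objectAdmin", "members": [SA_WIDE, SA_SCOPED]},
    ],
}

def effective_permissions(member, resource):
    """Union of the member's role permissions on the resource and its ancestors."""
    perms = set()
    node = resource
    while node:
        for binding in POLICIES.get(node, []):
            if member in binding["members"]:
                perms |= ROLE_PERMISSIONS[binding["role"]]
        node = PARENT.get(node)
    return perms

def can(member, resource, permission):
    return permission in effective_permissions(member, resource)
```

Running `effective_permissions(SA_WIDE, ...)` on either bucket returns the full storage.admin set (the superset), while `SA_SCOPED` gets object access on bucket-1 only and nothing on bucket-2.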