Isolate Service Account Permissions to access Google Cloud Storage
If you need to limit the permissions granted to Google Cloud Storage (GCS), this article describes how to isolate Google Cloud Platform (GCP) Service Account permissions using Custom Roles within your GCP project.
Claravine requires three permissions to read/write to your GCS Bucket:
To limit permissions so that Claravine only writes to a specified bucket, create two custom roles, each with a single assigned permission, and assign them to the Service Account in IAM. The end result is that the buckets are visible in Claravine to designated admins and managers, while write access is limited to the designated storage bucket. Follow the steps below to complete this process:
Step 1. Create Your Service Account
Create your Service Account in the IAM & Admin section in GCP. Go to Service Accounts and click Create Service Account. Fill out applicable fields; however, disregard the optional section to “Grant this service account access to project”.
Step 2. Create Two Custom Roles
We want to create two custom Roles, each with a single assigned permission, so the process below is done twice.
- Go to Roles in IAM & Admin and click Create Role. Give your Role a title that describes its permission (e.g., Custom Role - GCS - IAM Role - storage.buckets.list), fill in your description and decide which Role launch stage best fits your company. Click Add Permissions.
- For the first Role, search for “storage.buckets.list”, select this permission and click Add.
- For the second Role, search for “storage.objects.create”, select this permission and click Add.
- Click Create.
The screenshots show an example of each of your custom Roles.
Step 3. Apply Custom Roles to Service Account
Apply custom Roles to Service Account.
For the first custom Role (storage.buckets.list), the role is applied to the Service Account at the project level in IAM & Admin.
Go to IAM under IAM & Admin, click Add, and add the Service Account you created in Step 1. Under Select a role, use the dropdown to select your custom Role for storage.buckets.list and click Save.
For the second custom Role, go to the Bucket you want to connect with Claravine, select Permissions and add your Service Account from Step 1. Select the custom Role with the storage.objects.create permission and click Save. This isolates write access to the designated Bucket only.
Step 4. Create a Key
In Service Accounts under IAM & Admin, select the Service Account you created in Step 1. Create a key and download the JSON file.
Step 5. Connect Your Service Account to Claravine
Connect your Service Account to Claravine. Go to Claravine and add the Account (Settings → Integrations → Accounts) by selecting the blue + sign, give your Account a name for Claravine usage, give a description (optional), select the Google Cloud Storage tile, and select Upload to add your JSON file. Click Save.
After this process is complete, only your designated admins and/or managers of Claravine have access to the account integration and outbound data integrations.
Lastly, the admin will see all Buckets associated with the GCP project listed in Settings → Template → Outbound Integration; however, if the Service Account does not have the storage.objects.create permission on a bucket, the file will not write back to that bucket.
The screenshots below illustrate the final integration.
Screenshot: storage.buckets.list shows list of available buckets in project:
Screenshot: Initially, the Service Account did not have storage.objects.create permissions on Bucket "bug-bash-testing", so the file did not send:
Screenshot: Service Account with specific permissions for storage.objects.create added to Bucket "bug-bash-testing", file sent:
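To confirm that the end state described above was actually reached (the list role at project level, the create role on the designated bucket only, and no broader grant that would let the Service Account write everywhere), the following added example audits exported IAM policies. It is not Claravine's code; it assumes the policies were exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, and the project id, role ids, service account name and second bucket name are constructed placeholders.

```python
import json

# Constructed placeholders: project id, custom role ids and service account.
PROJECT = "example-project"
SA = f"serviceAccount:claravine-writer@{PROJECT}.iam.gserviceaccount.com"
LIST_ROLE = f"projects/{PROJECT}/roles/gcsBucketsList"      # holds storage.buckets.list
CREATE_ROLE = f"projects/{PROJECT}/roles/gcsObjectsCreate"  # holds storage.objects.create

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        {"role": LIST_ROLE, "members": [SA]},
        # Stray broad grant that defeats the isolation: objectAdmin on every bucket.
        {"role": "roles/storage.objectAdmin", "members": ["group:data-eng@example.com", SA]},
    ],
}

# Constructed samples in the shape of `gcloud storage buckets get-iam-policy --format=json`.
BUCKET_POLICIES = {
    "bug-bash-testing": {"bindings": [{"role": CREATE_ROLE, "members": [SA]}]},
    "finance-exports": {"bindings": [{"role": "roles/storage.objectViewer",
                                      "members": ["group:finance@example.com"]}]},
}


def roles_for_member(policy, member):
    """Return the set of roles a policy grants directly to one member."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_isolation(project_policy, bucket_policies, sa, list_role, create_role):
    """Report the SA's grants; 'isolated' is True only when it holds exactly the
    list role at project level and, on buckets, nothing but the create role."""
    project_roles = roles_for_member(project_policy, sa)
    unexpected_project = project_roles - {list_role}
    writable, unexpected_bucket = [], {}
    for bucket, policy in bucket_policies.items():
        roles = roles_for_member(policy, sa)
        if create_role in roles:
            writable.append(bucket)          # buckets the SA can write back to
        if roles - {create_role}:
            unexpected_bucket[bucket] = roles - {create_role}
    return {
        "has_list_role": list_role in project_roles,
        "unexpected_project_roles": unexpected_project,
        "writable_buckets": sorted(writable),
        "unexpected_bucket_roles": unexpected_bucket,
        "isolated": list_role in project_roles and not unexpected_project and not unexpected_bucket,
    }


if __name__ == "__main__":
    result = audit_isolation(PROJECT_POLICY, BUCKET_POLICIES, SA, LIST_ROLE, CREATE_ROLE)
    print(json.dumps(result, default=sorted, indent=2))
```

With the sample data the audit flags roles/storage.objectAdmin at project level, which would let the Service Account write to every bucket regardless of the per-bucket role; removing that binding makes the report come back isolated.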
Interested to learn more?
Read more about Claravine's partnership with Google Cloud: Claravine joins Google Cloud Partner Advantage program