SFTP Gateway Support

3.0

Granular GCS Permissions for Enterprise Customers

Overview

Enterprise customers often require granular permissions for Google Cloud Storage (GCS) instead of using the broad Storage Admin role. This guide provides a detailed list of GCS permissions necessary for managing storage without over-provisioning access.

Recommended GCS Permissions

Below is a refined set of permissions that allow controlled access to GCS while minimizing unnecessary privileges:

Bucket-Level Permissions

  • storage.buckets.create – Create new buckets.
  • storage.buckets.get – View bucket metadata.
  • storage.buckets.list – List all buckets.
  • storage.buckets.update – Modify bucket settings.

Multipart Upload Permissions (for large file uploads)

  • storage.multipartUploads.abort – Cancel ongoing multipart uploads.
  • storage.multipartUploads.create – Initiate a multipart upload.
  • storage.multipartUploads.list – View active multipart uploads.
  • storage.multipartUploads.listParts – View uploaded parts of a multipart file.

Object-Level Permissions

  • storage.objects.create – Upload new objects.
  • storage.objects.delete – Delete objects.
  • storage.objects.get – Read object metadata and content.
  • storage.objects.list – List objects within a bucket.
  • storage.objects.update – Modify object metadata.

Implementing Granular Permissions

Instead of using the Storage Admin role, you can create a custom IAM role with only the necessary permissions.

Steps to Create a Custom IAM Role in GCP

  1. Navigate to IAM & Admin in the Google Cloud Console.
  2. Click Roles in the left panel.
  3. Click Create Role.
  4. Enter a Name and Description.
  5. Under Permissions, add the above-listed permissions.
  6. Click Create to save the role.
  7. Assign the role to a service account or user group.

Steps to Assign the Custom Role to a Service Account

  1. Navigate to IAM & Admin in the Google Cloud Console.
  2. Click IAM in the left panel.
  3. Find the service account you want to assign the role to.
  4. Click Edit under the Permissions column.
  5. Click Add another role.
  6. Select the Custom Role you created earlier.
  7. Click Save to apply the changes.

Steps to Verify Permissions

  1. Navigate to Cloud Storage in the Google Cloud Console.
  2. Select a bucket that the service account has access to.
  3. Try uploading, listing, and deleting objects based on assigned permissions.
  4. If permission errors occur, adjust the custom role as needed.
PreviousNext