Google Cloud Platform example to add IAM role restricting user to specific storage buckets with conditions
#!/usr/bin/env bash
set -euo pipefail

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
export IDNS=${PROJECT_ID} # workload identity domain
export GCP_REGION="us-central1"
export GCP_ZONE="us-central1-a"
export SHARED_BUCKET="mike-test-team-bucket1" # CHANGEME
export PRIVATE_BUCKET="mike-test-private-bucket1" # CHANGEME
export RESTRICTED_USER="restricted-user@example.com" # CHANGEME: member that gets scoped access (placeholder; not defined in the original gist)

# enable apis (the original line named no service; Cloud Storage is assumed)
gcloud services enable storage.googleapis.com

# create two storage buckets
# -b on = uniform bucket-level access; IAM conditions on bucket resources require it
gsutil mb -b on gs://${SHARED_BUCKET}
gsutil mb -b on gs://${PRIVATE_BUCKET}

# copy files to respective buckets
gsutil cp clouds.jpg gs://${SHARED_BUCKET}/
gsutil cp questions.jpg gs://${PRIVATE_BUCKET}/

# add IAM member to project, but restrict access to private bucket:
# the condition narrows the project-level objectViewer grant to the shared bucket
# (condition reconstructed; the original command ended after --role)
gcloud beta projects add-iam-policy-binding "$PROJECT_ID" \
  --member="user:${RESTRICTED_USER}" \
  --role='roles/storage.objectViewer' \
  --condition="expression=resource.name.startsWith(\"projects/_/buckets/${SHARED_BUCKET}\"),title=shared-bucket-only,description=Read objects in ${SHARED_BUCKET} only"
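Once a conditional binding like the one above exists, the practical question is whether every Cloud Storage grant in the project is actually scoped that way. The following audit script is an added example, not part of the gist: it reads a policy in the JSON shape that `gcloud projects get-iam-policy "$PROJECT_ID" --format=json` returns and flags storage-role members whose binding has no bucket-scoping condition, or whose condition reaches a bucket outside an allow-list. The sample policy, member addresses and the `scoped_buckets`/`audit_policy` helpers are constructed for the example; the bucket names are the ones from the gist.

```python
"""Audit a GCP project IAM policy for Cloud Storage grants that are not
scoped to an approved set of buckets by an IAM condition.

Input is the JSON shape produced by
    gcloud projects get-iam-policy "$PROJECT_ID" --format=json
Here the policy is a constructed sample embedded below so the script runs offline.
"""
import json
import re

# Bucket-scoping condition in the form the gist's binding uses:
#   resource.name.startsWith("projects/_/buckets/<bucket>")
BUCKET_SCOPE_RE = re.compile(
    r'resource\.name\.startsWith\("projects/_/buckets/([^"/]+)/?"\)'
)

# Constructed sample policy (bucket names follow the gist; members are placeholders).
SAMPLE_POLICY_JSON = json.dumps({
    "version": 3,
    "etag": "constructed-etag",
    "bindings": [
        {   # scoped to the shared bucket: what the gist's command produces
            "role": "roles/storage.objectViewer",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "shared-bucket-only",
                "expression": 'resource.name.startsWith("projects/_/buckets/mike-test-team-bucket1")',
            },
        },
        {   # unconditional: can read every bucket in the project
            "role": "roles/storage.objectViewer",
            "members": ["user:bob@example.com"],
        },
        {   # condition present, but it also opens the private bucket
            "role": "roles/storage.objectAdmin",
            "members": ["user:carol@example.com"],
            "condition": {
                "title": "both-buckets",
                "expression": (
                    'resource.name.startsWith("projects/_/buckets/mike-test-team-bucket1") || '
                    'resource.name.startsWith("projects/_/buckets/mike-test-private-bucket1")'
                ),
            },
        },
        {   # not a storage.* role; outside this audit's scope (see note below)
            "role": "roles/viewer",
            "members": ["user:dan@example.com"],
        },
    ],
})

ALLOWED_BUCKETS = {"mike-test-team-bucket1"}


def scoped_buckets(condition):
    """Return the set of buckets a condition limits access to.

    None means the binding is effectively project-wide: either there is no
    condition, or its expression is not of the startsWith form this audit
    understands (treated as unscoped so that unknown expressions get flagged).
    """
    if not condition:
        return None
    found = set(BUCKET_SCOPE_RE.findall(condition.get("expression", "")))
    return found or None


def audit_policy(policy, allowed_buckets, role_prefix="roles/storage."):
    """Return (member, role, reason) for every storage grant wider than allowed_buckets."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith(role_prefix):
            continue
        buckets = scoped_buckets(binding.get("condition"))
        for member in binding.get("members", []):
            if buckets is None:
                findings.append((member, role, "no bucket-scoping condition"))
            elif not buckets <= allowed_buckets:
                extra = sorted(buckets - allowed_buckets)
                findings.append((member, role, f"condition also grants {extra}"))
    return findings


def audit_json(policy_json, allowed_buckets):
    """Convenience wrapper: parse the gcloud JSON output and audit it."""
    return audit_policy(json.loads(policy_json), set(allowed_buckets))


if __name__ == "__main__":
    for member, role, reason in audit_json(SAMPLE_POLICY_JSON, ALLOWED_BUCKETS):
        print(f"{member:<28} {role:<32} {reason}")
```

Two limits worth knowing when running this against a real project: it only inspects the project-level policy, so bucket-level policies (`gsutil iam get gs://BUCKET`) need the same pass, and it only looks at `roles/storage.*` bindings, so basic roles such as `roles/viewer` that also carry object-read permissions are not reported. Any condition that is not a plain `startsWith` on the bucket resource name is treated as unscoped on purpose, so a time-only or negated condition shows up as a finding rather than being silently accepted.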