Forked from pydevops/gcp-iam-restrict-user-bucket.sh
Created
November 13, 2021 14:04
-
-
Save versionsix/e5bb1c095e3c0e753587d8d8bef95416 to your computer and use it in GitHub Desktop.
Google Cloud Platform example to add IAM role restricting user to specific storage buckets with conditions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| export PROJECT_ID=$(gcloud config get-value project) | |
| export PROJECT_USER=$(gcloud config get-value core/account) # set current user | |
| export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)") | |
| export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain | |
| export GCP_REGION="us-central1" | |
| export GCP_ZONE="us-central1-a" | |
| export SHARED_BUCKET="mike-test-team-bucket1" # CHANGEME | |
| export PRIVATE_BUCKET="mike-test-private-bucket1" # CHANGEME | |
| export RESTRICTED_USER="CHANGEME" | |
| # enable apis | |
| gcloud services enable compute.googleapis.com \ | |
| storage.googleapis.com | |
| # create two storage buckets | |
| gsutil mb -b on gs://${SHARED_BUCKET} | |
| gsutil mb -b on gs://${PRIVATE_BUCKET} | |
| # copy files to respective buckets | |
| gsutil cp clouds.jpg gs://${SHARED_BUCKET}/ | |
| gsutil cp questions.jpg gs://${PRIVATE_BUCKET}/ | |
| # add IAM member to project, but restrict access to private bucket | |
| gcloud beta projects add-iam-policy-binding $PROJECT_ID \ | |
| --member="user:${RESTRICTED_USER}" \ | |
| --role='roles/storage.objectViewer' \ | |
| --condition="expression=resource.name.startsWith(\"projects/$PROJECT_ID/buckets/$SHARED_BUCKET\"),title=no-private-bucket" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment