How to create a simple policy that grants read access to a specific user for a storage bucket in Cloud IAM?

To create a simple policy granting read access to a specific user for a storage bucket in Google Cloud Platform (GCP) using Cloud Identity and Access Management (IAM), it is necessary to understand the fundamental concepts of GCP’s resource hierarchy, IAM roles, role bindings, and the principles of least privilege. This explanation provides comprehensive guidance, including policy structure, practical examples, and the rationale behind each step, with a focus on didactic clarity and technical accuracy.

1. Understanding Cloud IAM and GCP Storage Buckets

Google Cloud IAM provides a unified access control system for managing permissions across all GCP resources. IAM policies are used to specify who (identity) has what access (role) to which resource. In the context of Cloud Storage, buckets are top-level containers for objects (files). Granting read access to a bucket allows a user to view and list objects within that bucket, but not modify or delete them.

2. Structure of an IAM Policy

An IAM policy is expressed as a JSON (or YAML) document consisting of one or more bindings. Each binding associates a role with one or more members (identities). The basic structure is as follows:

json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:exampleuser@example.com"
      ]
    }
  ]
}

– `role`: Specifies the level of access being granted. For read access to storage buckets, the predefined role `roles/storage.objectViewer` is appropriate.
– `members`: Specifies the identities to which the role is assigned. Identities can be individual users, groups, service accounts, or domains.

3. Predefined IAM Roles for Cloud Storage

Google Cloud provides several predefined roles for Cloud Storage. The most relevant roles for controlling access to storage buckets are:

– `roles/storage.objectViewer`: Grants read-only access to objects and their metadata, including listing objects in a bucket.
– `roles/storage.objectCreator`: Grants permission to upload objects without the ability to overwrite or delete existing objects.
– `roles/storage.objectAdmin`: Grants full control over objects, including read, write, and delete permissions.

For the purpose of granting read access, `roles/storage.objectViewer` should be used to ensure that the user can only view and list objects, adhering to the principle of least privilege.

4. Assigning the Role to a Specific User

Suppose you want to grant a user, with the email `alice@example.com`, read access to the storage bucket `my-data-bucket`. There are several methods to apply the policy: via the Google Cloud Console, the `gcloud` command-line tool, or by directly editing the IAM policy using the REST API.

a. Using the Google Cloud Console

1. Navigate to the Cloud Storage section of the GCP Console.
2. Click on the bucket name (`my-data-bucket`).
3. Go to the "Permissions" tab.
4. Click “Grant Access.”
5. In the "New principals" field, enter the user's email address: `alice@example.com`.
6. In the "Role" dropdown, select “Storage Object Viewer” (`roles/storage.objectViewer`).
7. Click “Save.”

b. Using the `gcloud` Command-Line Tool

The following command can be used to add `alice@example.com` as a Storage Object Viewer for the bucket:

bash
gcloud storage buckets add-iam-policy-binding gs://my-data-bucket \
    --member="user:alice@example.com" \
    --role="roles/storage.objectViewer"

Alternatively, for older versions or using `gsutil`:

bash
gsutil iam ch user:alice@example.com:objectViewer gs://my-data-bucket

c. Using the REST API or Direct JSON Policy

You can retrieve the current IAM policy, modify it to include the binding, and then set it back.

– Retrieve the current policy:

bash
gcloud storage buckets get-iam-policy gs://my-data-bucket > policy.json

– Edit `policy.json` to add the following binding if it does not already exist:

json
{
  "role": "roles/storage.objectViewer",
  "members": [
    "user:alice@example.com"
  ]
}

– Update the policy:

bash
gcloud storage buckets set-iam-policy gs://my-data-bucket policy.json

5. Policy Lifecycle and Precedence

IAM policies are evaluated at the resource level and propagate down the resource hierarchy. Setting a policy at the bucket level affects only that bucket and its objects, not other buckets or projects. It is advisable to grant permissions at the lowest possible resource level to avoid unnecessary privilege escalation.

If a user is granted multiple roles through different bindings (e.g., as an individual and as a member of a group), the sum of all permissions is effective. There are no explicit deny rules in IAM; permissions are only granted through allow rules.

6. Best Practices and Security Considerations

– Principle of Least Privilege: Only assign the minimum set of permissions required to perform the intended actions. In this scenario, `roles/storage.objectViewer` is appropriate for read-only access.
– Audit and Monitoring: Regularly review IAM policies through the Cloud Console, `gcloud` CLI, or automated tools. GCP’s Cloud Audit Logs can help track policy changes and access attempts.
– Use of Groups: If multiple users require similar access, consider assigning roles to Google Groups instead of individual users, simplifying management.
– Service Accounts: For applications or automated processes needing access, use service accounts with appropriately scoped roles rather than user accounts.
– Policy Versioning and Documentation: Document changes to IAM policies and maintain version history where possible, especially in collaborative or regulated environments.

7. Example Scenario

Suppose you are a GCP administrator responsible for a project called `data-analysis-project`. You are tasked with granting a data analyst, Bob (`bob@example.com`), read-only access to the `customer-reports` bucket. The steps would be:

1. Identify the user: `bob@example.com`.
2. Identify the bucket: `customer-reports`.
3. Assign the `roles/storage.objectViewer` role to the user at the bucket level.

Using `gcloud` CLI:

bash
gcloud storage buckets add-iam-policy-binding gs://customer-reports \
    --member="user:bob@example.com" \
    --role="roles/storage.objectViewer"

After this, Bob will be able to list objects in the `customer-reports` bucket and download them, but he will not be able to upload, modify, or delete any objects.

8. IAM Policy Example: Full JSON

A complete example of a bucket IAM policy that grants read access to two users (`alice@example.com` and `bob@example.com`) is as follows:

json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    }
  ],
  "etag": "CAE="
}

The `etag` is used by GCP to prevent concurrent modification conflicts. Every time you update the policy, a new `etag` is generated.

9. Troubleshooting and Validation

After applying the policy, validate access by having the user attempt to list or download objects from the bucket. For example, Bob can use the `gsutil` tool:

bash
gsutil ls gs://customer-reports

If access is denied, check the following:

– Ensure the bucket name is correct.
– Confirm the IAM policy includes the correct user and role.
– Verify that the user is authenticating with the correct Google account.
– Allow a few minutes for policy propagation, though changes are typically effective immediately.

10. Didactic Value and Learning Outcomes

This exercise reinforces several foundational concepts in cloud security and access control:

– Understanding the hierarchical structure of GCP resources and where to apply IAM controls for granularity and security.
– Differentiating between roles and understanding the implications of each permission set.
– Practicing the creation, modification, and validation of IAM policies using both graphical and command-line tools.
– Applying the principle of least privilege and recognizing its importance in minimizing security risks.
– Familiarity with troubleshooting access issues, which is a critical skill for effective cloud resource management.

These skills are widely transferable across cloud platforms, as IAM concepts are common to most major cloud providers, though the specific implementation details vary.

Other recent questions and answers regarding Access control with Cloud IAM:

• How can users enhance their understanding of IAM through Qwiklabs?
• How does Cloud IAM assist in compliance processes for organizations?
• What are the benefits of integrating Cloud IAM with G Suite?
• How does Cloud IAM simplify access control management across GCP resources?
• What are the three key components of IAM in Google Cloud Platform?

More questions and answers:

• Field: Cloud Computing
• Programme: EITC/CL/GCP Google Cloud Platform (go to the certification programme)
• Lesson: GCP labs (go to related lesson)
• Topic: Access control with Cloud IAM (go to related topic)