Setting up Cloud Permissions

This section describes how to use Identity and Access Management (IAM) to control who can access your buckets and the objects stored in them.

Note that IAM policies cannot be managed through the XML API. Use the Cloud console, the gcloud CLI, the JSON API or a client library instead.

Creating Bucket Permissions

The following sections contain instructions for basic cloud access management tasks when working with buckets.

Adding principals to bucket-level policies

For a list of roles that apply to Cloud Storage, see IAM roles for Cloud Storage. For the kinds of entities to which you can grant a role (users, groups, service accounts, domains, allUsers and allAuthenticatedUsers), see Principal types.

First, navigate to the Cloud Console and then to the Cloud Storage browser page.

Click the Bucket overflow menu for the bucket on which you want to grant a principal a role.

Choose Edit access.

Click the + Add principal button.

In the New principals field, enter each principal (for example a user, group or service account email address) that should receive the role on this bucket.

Choose a role or roles from the options available in the Select a role drop-down menu. The roles you choose appear in the pane with a short description of their associated cloud permissions.

Click Save.

Grant the least privilege that lets the principal do its job. For example, if a team member only needs to read objects stored in the bucket, choose Storage Object Viewer (roles/storage.objectViewer). If the team member needs to create, overwrite and delete objects but should not be able to change the bucket itself or its IAM policy, select Storage Object Admin (roles/storage.objectAdmin). Storage Admin (roles/storage.admin) grants full control of the bucket, including the ability to change its policy, and should be reserved for administrators.

Reviewing a Bucket's Permissions

Within the Cloud console, go to the Cloud Storage Browser page.

Find the bucket whose policy you want to view and click its Bucket overflow menu.

Choose Edit access.

Expand a role to see which principals have been granted that role on the bucket.

You can also use the search bar to filter results by role or principal.

When searching by principal, your results display each role granted to the selected principal.

Not every grant that gives access to the bucket appears in its Edit access window. IAM policies are inherited, so a role granted at the project level applies to every bucket in the project, yet it is not listed in any bucket's permissions window. To see project-level grants, open the IAM & Admin page for the project.

Remove a Principal's Permissions from a Bucket

From the Cloud console, navigate to the Cloud Storage Browser page.

Find the bucket from which you want to remove a principal's role and click the Bucket overflow menu.

Choose Edit access.

Expand the role containing the principal to be removed.

Click the trash icon next to the principal.

An overlay window will appear; click Remove.

The removal is reflected immediately in the bucket's metadata, but enforcement can lag by roughly a minute or longer, so the principal may retain access for a short time after you click Remove.
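The three procedures above (grant, review, remove) all edit the same bucket IAM policy document. The following is an added example, not part of the original page and not Google's tooling: it performs the same edits offline on a policy dict with the shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns (a list of bindings, an etag and a version) and writes the result for `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`. The sample policy, bucket and principals are constructed; the role choices in the demo follow the least-privilege guidance above.

```python
"""Offline edit of a Cloud Storage bucket IAM policy (added example, constructed data).

A policy is a list of role bindings plus an etag and a version, the shape
returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
Nothing here contacts Google Cloud: read the policy with get-iam-policy,
edit it with these helpers, then apply it with set-iam-policy.
"""
import copy
import json

# Constructed sample policy; it was not fetched from a real bucket.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "allUsers"]},
    ],
}

# Principals that make a grant public (everyone, or every Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def add_binding(policy, role, member):
    """Grant role to member, the equivalent of Edit access > Add principal.

    An existing unconditional binding for the role is reused; conditional
    bindings are left alone because a condition changes the grant's meaning.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def roles_for(policy, member):
    """Roles granted to member in this policy: the 'search by principal' view."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def remove_member(policy, member):
    """Remove member from every binding (the trash icon), dropping empty bindings."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        binding["members"] = [m for m in binding["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def public_grants(policy):
    """(principal, role) pairs that expose the bucket beyond your organisation."""
    return sorted((m, b["role"]) for b in policy["bindings"]
                  for m in b["members"] if m in PUBLIC_PRINCIPALS)


def write_policy(policy, path):
    """Write the edited policy for `gcloud storage buckets set-iam-policy`.

    Keep the etag read with get-iam-policy: the service uses it to detect
    that the policy changed in between, so a concurrent edit is rejected
    instead of being silently overwritten.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; re-read it with get-iam-policy")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    # Least privilege: bob only needs to read and write objects, not the bucket.
    policy = add_binding(SAMPLE_POLICY, "roles/storage.objectAdmin",
                         "user:bob@example.com")
    policy = remove_member(policy, "allUsers")  # close the public read grant
    print("bob:", roles_for(policy, "user:bob@example.com"))
    print("public grants left:", public_grants(policy))
    write_policy(policy, "policy.json")
```

Run `public_grants` on every policy you review: an `allUsers` or `allAuthenticatedUsers` member is easy to miss in the console when it sits inside a role with many principals.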

Using IAM Conditions on Buckets

This section describes how to add and remove IAM Conditions on bucket-level role bindings. A condition is a CEL (Common Expression Language) expression attached to a binding that restricts when the role applies, for example to a time window or to objects under a given prefix.

Before you can add conditions, you must enable uniform bucket-level access on the bucket.

Designate a New Bucket Condition

Go to the Cloud Storage Browser page in the Cloud console.

Click the Bucket overflow menu on the far right of the bucket's row.

Open Edit access.

Click Add principal.

For New principals, specify the principals whom you want to grant access to a bucket.

Select a Role to grant the principals. You can attach a separate condition to each role you add.

Click Add condition to open the Edit condition form.

Fill out the Title of the condition. There is also an optional Description field.

To create a Condition visually, use the Condition Builder. Alternately, the Condition Editor tab lets you enter the CEL expression.

Click Save to go back to the Add principal form. To add more than one role, click Add another role.

Click Save.

Bucket Condition Removal

In the Cloud console, go to the Cloud Storage Browser page.

Click the Bucket overflow menu on the rightmost end of the row associated with the bucket.

Choose Edit access.

Expand the role that contains the condition you want removed.

Click the Edit menu for the principal associated with the condition.

In the Edit access overlay, click on the name of the condition you want deleted.

In the Edit condition overlay, click Delete then click Confirm.

Click Save.
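As an added example, not from the page or from Google, the following applies the two condition procedures above to a policy dict offline. It assumes the `iamConfiguration.uniformBucketLevelAccess.enabled` field of the bucket resource returned by the JSON API (storage.buckets.get) to enforce the uniform bucket-level access prerequisite, and shows two CEL conditions a practitioner would actually write: an expiry on `request.time` and an object-prefix restriction on `resource.name`. Bucket names, principals and dates are constructed.

```python
"""Add and remove IAM Conditions on a bucket policy offline
(added example, constructed data)."""
import copy

# Constructed fragments of the bucket resource returned by the JSON API
# (storage.buckets.get); only iamConfiguration matters here.
BUCKET_UBLA_ON = {"name": "example-bucket",
                  "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}}
BUCKET_UBLA_OFF = {"name": "legacy-bucket",
                   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}

# Constructed starting policy for example-bucket.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ],
}


def uniform_access_enabled(bucket_meta):
    """True when the bucket uses uniform bucket-level access, the prerequisite
    for IAM Conditions (object ACLs are then ignored and IAM alone applies)."""
    cfg = bucket_meta.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    return bool(cfg.get("enabled"))


def object_prefix_condition(bucket, prefix, expires=None):
    """CEL expression limiting a role to objects under prefix and, if
    expires (RFC 3339) is given, to requests before that instant."""
    expr = f'resource.name.startsWith("projects/_/buckets/{bucket}/objects/{prefix}")'
    if expires:
        expr += f' && request.time < timestamp("{expires}")'
    return expr


def add_conditional_binding(policy, bucket_meta, role, member, title,
                            expression, description=""):
    """Grant role to member subject to a condition (Add principal > Add condition)."""
    if not uniform_access_enabled(bucket_meta):
        raise ValueError(f"{bucket_meta['name']}: enable uniform bucket-level "
                         "access before adding conditions")
    if not title or not expression:
        raise ValueError("a condition needs both a title and an expression")
    condition = {"title": title, "expression": expression}
    if description:
        condition["description"] = description
    new = copy.deepcopy(policy)
    new["version"] = 3  # conditional bindings require policy version 3
    # A binding is identified by role AND condition, so the same role can
    # appear once unconditionally and again with each distinct condition.
    for binding in new["bindings"]:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member],
                            "condition": condition})
    return new


def remove_condition(policy, member, title):
    """Drop member from the binding(s) whose condition carries title
    (Edit access > condition name > Delete). Returns (policy, bindings touched)."""
    new = copy.deepcopy(policy)
    touched = 0
    for binding in new["bindings"]:
        cond_title = binding.get("condition", {}).get("title")
        if cond_title == title and member in binding["members"]:
            binding["members"].remove(member)
            touched += 1
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new, touched


if __name__ == "__main__":
    policy = add_conditional_binding(
        SAMPLE_POLICY, BUCKET_UBLA_ON, "roles/storage.objectViewer",
        "user:bob@example.com", "reports-until-2025",
        object_prefix_condition("example-bucket", "reports/", "2025-01-01T00:00:00Z"),
        "Read access to reports/ for the audit, expires at year end")
    print(policy)
    policy, n = remove_condition(policy, "user:bob@example.com", "reports-until-2025")
    print(n, "binding(s) edited;", len(policy["bindings"]), "left")
```

A condition narrows only the binding it is attached to. If the same principal also holds the role unconditionally, on the bucket or on the project, that grant still applies in full, so check the policy's other bindings before relying on a condition to limit access.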

Utilizing Cloud Identity Management in Projects

The following sections describe basic IAM tasks on projects. Note that project policies are managed through the Resource Manager API and the gcloud projects commands, a different command-line command and endpoint from those used for most other Cloud Storage tasks.

The permissions needed to complete these tasks are resourcemanager.projects.getIamPolicy and resourcemanager.projects.setIamPolicy.

Adding a Principal to a Policy

Open the IAM & Admin browser in the Cloud console.

In the project drop-down menu at the top, choose the project to which you want to add a new principal.

Click Add. The Add principals/roles to project dialog appears.

In the New principals field, enter the identifier of the principal to which you are granting access, for example a user or service account email address.

Expand the Select a role drop down and grant the desired role to the principal.

Note: Roles that impact Cloud Storage buckets and objects are listed in the Project and Storage submenus.

Click Save.

Viewing a Project's IAM Policy

Open the IAM and Admin browser within the Cloud console.

From the top bar, open the project drop-down menu and select the project whose policy you want to view.

Choose View by Principals to see each principal together with the roles granted to it in the Role column.

Alternatively, choose View by Roles and expand a role to see which principals hold it.

Policy Principal Removal

Start the IAM and Admin browser in the Cloud console.

From the top bar on the project drop-down menu, choose the project from which you want to remove a principal.

Make sure you are viewing permissions by Principals, then select the principals you want to remove.

Click Remove.

In the new overlay window, click Confirm.
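Project-level policies have the same binding shape as bucket policies, which is why the earlier caveat matters: a principal holding a Storage role on the project can reach every bucket in it but is not listed in any bucket's Edit access window. The following added example (constructed data, not part of the original page) merges a project policy from `gcloud projects get-iam-policy PROJECT_ID --format=json` with one bucket's policy and reports who can reach the bucket, from which level, and which principals only a project-level review would reveal. It treats any `roles/storage.*` role and the basic Owner, Editor and Viewer roles as granting Cloud Storage access; custom roles are not inspected.

```python
"""Who can reach a bucket: merge project-level and bucket-level IAM bindings
(added example, constructed data)."""

# Constructed project policy, the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
        {"role": "roles/bigquery.user", "members": ["user:carol@example.com"]},
    ],
}

# Constructed bucket policy for one bucket in that project.
SAMPLE_BUCKET_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "group:analysts@example.com"]},
    ],
}

# Basic roles bundle Cloud Storage permissions along with everything else.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def grants_storage_access(role):
    """Predefined Storage roles and the basic roles; custom roles are not inspected."""
    return role.startswith("roles/storage.") or role in BASIC_ROLES


def storage_grants(project_policy, bucket_policy):
    """Map each principal to the set of (level, role) pairs giving it
    Cloud Storage access to the bucket."""
    grants = {}
    for level, policy in (("project", project_policy), ("bucket", bucket_policy)):
        for binding in policy["bindings"]:
            if not grants_storage_access(binding["role"]):
                continue
            for member in binding["members"]:
                grants.setdefault(member, set()).add((level, binding["role"]))
    return grants


def hidden_from_bucket_view(project_policy, bucket_policy):
    """Principals with access that the bucket's Edit access window does
    not show, because every grant they hold is at the project level."""
    grants = storage_grants(project_policy, bucket_policy)
    return sorted(m for m, g in grants.items()
                  if all(level == "project" for level, _ in g))


def report(project_policy, bucket_policy):
    """One line per principal, sorted so two runs can be diffed."""
    lines = []
    for member, g in sorted(storage_grants(project_policy, bucket_policy).items()):
        where = ", ".join(f"{role} ({level})" for level, role in sorted(g))
        lines.append(f"{member}: {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROJECT_POLICY, SAMPLE_BUCKET_POLICY)))
    print("only visible in IAM & Admin:",
          hidden_from_bucket_view(SAMPLE_PROJECT_POLICY, SAMPLE_BUCKET_POLICY))
```

Folder- and organization-level policies are inherited in the same way; to get the complete picture, feed those policies in as additional levels.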
