Tags: google-cloud-platform, google-cloud-storage, pci-compliance

How to mark files in a GCP storage bucket as Read Only for "everyone"?


We have a storage bucket which has sensitive data stored in it, in the form of JSON files. For PCI compliance, we have to make these files read only.
Versioning will be enabled on the bucket so Retention policy can not be used.
I tried keeping only one account in the bucket permissions with Read Only access, that (not really) partially serves the purpose. But any user with Editor or Owner role can edit the file permissions and change it back to Editable and modify the file.
How to restrict anyone and everyone from being able to edit or modify the file in GCP?

Is this technically possible with Google Cloud Platform?
If not, how to reduce access to a file to the minimum possible?

EDIT
I am not sure if we would compulsorily enable versioning, I will discuss this with the team (once they are available) and mention the same in the question.
So answers which consider "versioning will not be enabled" or ignore versioning completely are also welcome.


Solution

  • The following answer assumes that you will choose to disable versioning, as it is not compatible with retention policies.

    You may want GCS's Bucket Lock feature. Placing a retention policy on a bucket ensures that all current and future objects in the bucket cannot be deleted or overwritten until they reach the age you define in the retention policy, which sounds like what you want. Once you have enabled it and verified that it works correctly with your workflow, you can lock the policy in place to irrevocably revoke your ability to remove objects before the specified retention date.

    This is a serious decision for an existing bucket, so I'd read up on it before turning it on: https://cloud.google.com/storage/docs/bucket-lock

    Once you've decided to enable it, you can do so from the console or by using gsutil:

    gsutil retention set 1y gs://my-bucket-name  # 1y = 1 year
    

    Once you're happy and want to make it permanent:

    gsutil retention lock gs://my-bucket-name
    

    As mentioned at the top, this feature is incompatible with another object preservation option: versioning. However, this is usually not a problem, as the most common use case of versioning is to prevent accidental deletion, and if your goal is to prevent any possibility of deletion, versioning is unnecessary.
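An added compliance check, not part of the answer above, that evaluates bucket metadata against the three conditions the answer describes: a retention policy of sufficient length, that policy locked so an Owner cannot shorten or remove it, and versioning off because it cannot coexist with a retention policy. It assumes bucket metadata in the shape of the GCS JSON API bucket resource (`retentionPolicy.retentionPeriod` in seconds, `retentionPolicy.isLocked`, `versioning.enabled`); the sample buckets are constructed inline.

```python
# Constructed sample bucket metadata in the shape of the GCS JSON API
# bucket resource; only the fields this check consults are included.
SAMPLE_BUCKETS = {
    "pci-locked": {
        "name": "pci-locked",
        "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True},
    },
    "pci-unlocked": {
        "name": "pci-unlocked",
        "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False},
    },
    "versioned-only": {
        "name": "versioned-only",
        "versioning": {"enabled": True},
    },
}

ONE_YEAR = 365 * 24 * 3600  # 1y, as in `gsutil retention set 1y`


def assess_bucket(meta: dict, min_retention_seconds: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means the bucket meets the
    immutability bar: a retention policy at least min_retention_seconds long,
    locked so it cannot be shortened or removed, and no versioning."""
    findings = []
    policy = meta.get("retentionPolicy")
    if meta.get("versioning", {}).get("enabled"):
        findings.append("versioning enabled: incompatible with a retention policy")
    if policy is None:
        findings.append("no retention policy: objects can be overwritten or deleted")
        return findings
    period = int(policy.get("retentionPeriod", 0))
    if period < min_retention_seconds:
        findings.append(f"retention period {period}s is below required {min_retention_seconds}s")
    if not policy.get("isLocked"):
        findings.append("retention policy not locked: an Owner can still shorten or remove it")
    return findings


def assess_all(buckets: dict) -> dict:
    """Map each bucket name to its findings."""
    return {name: assess_bucket(meta) for name, meta in buckets.items()}


if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```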