
Conditional Binding for Objects in Google Cloud Storage Buckets


I am working with Google Cloud Storage (GCS) buckets and I need to set up conditional access control for objects in these buckets. Specifically, I want to give viewers access to objects in a certain folder structure, while restricting access to objects in another folder within the same bucket. Here's an example of the folder structure I'm dealing with:

In general, the structure follows this pattern:

I want to grant access to folder_1 objects for viewers, but deny access to any other objects within the same structure. For instance, users should be able to access objects under folder_1 like gs://bucket/23/10/01/folder_1/some_file.txt, but they should not have access to objects under another_folder like gs://bucket/23/10/01/another_folder/another_file.txt.

I understand that IAM policies can be used to manage access control, but I'm not sure how to set up a conditional binding that allows access based on the folder structure. Can someone please provide guidance on how to achieve this conditional access control in GCS? Are there any specific policies or rules I need to set up to accomplish this?

I've explored the following approaches:

Despite these attempts, I haven't been able to achieve the desired conditional access control based on folder structures. I'm now seeking guidance and insights from the Stack Overflow community on how to accomplish this task effectively.

Thank you in advance for your assistance!


Solution

  • Based on this documentation on Cloud Storage Object namespace:

    Object names reside in a flat namespace within a bucket. This means that:

    • Different buckets can have objects with the same name.
    • Objects don't reside within subdirectories in a bucket.

    This means that sub-directories or sub-folders don't really exist; they are just a visual representation of folders/sub-folders for us to view in the Google Cloud Console. This also means that we can't apply different or separate IAM policies for each object inside the Cloud Storage bucket.

    Here are some of the suggestions I could recommend for us to provide or restrict access for each object:

    You can also check this similar Stack Overflow link for reference.
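To make the flat-namespace point concrete, here is an added example (not code from the question or the answer above): because an object name such as `23/10/01/folder_1/some_file.txt` is one whole string with no directory behind it, any "folder" restriction reduces to a prefix test on the object's resource name. The block simulates that test locally over constructed object names; the `projects/_/buckets/BUCKET/objects/OBJECT` resource-name form and the idea of a startsWith-style condition on it are assumptions about how such a rule is expressed, not something the answer shows.

```python
# Added example: simulate a folder-style restriction on Cloud Storage's flat
# object namespace. There is no directory to attach a policy to, so the rule
# is a plain string-prefix check on the object's full resource name.

BUCKET = "bucket"  # constructed sample bucket name, as in the question


def resource_name(bucket: str, object_name: str) -> str:
    """Resource-name form assumed for objects: projects/_/buckets/B/objects/O."""
    return f"projects/_/buckets/{bucket}/objects/{object_name}"


def allowed_by_prefix(object_name: str, allowed_prefix: str, bucket: str = BUCKET) -> bool:
    """True when the object's resource name starts with the allowed object-name prefix.

    allowed_prefix is an object-name prefix such as "23/10/01/folder_1/".
    The trailing slash matters: without it, "folder_10/..." also matches.
    """
    return resource_name(bucket, object_name).startswith(resource_name(bucket, allowed_prefix))


# Constructed sample object names, including look-alikes that are NOT inside
# folder_1 and an object under a different date prefix.
SAMPLE_OBJECTS = [
    "23/10/01/folder_1/some_file.txt",
    "23/10/01/another_folder/another_file.txt",
    "23/10/01/folder_10/trap.txt",      # folder_10 shares the text "folder_1"
    "23/10/01/folder_1",                # an object literally named folder_1
    "23/10/02/folder_1/other_day.txt",  # same folder name, different date
]


def evaluate(prefix: str, objects=SAMPLE_OBJECTS) -> dict:
    """Map each sample object name to its allow/deny decision under one prefix."""
    return {name: allowed_by_prefix(name, prefix) for name in objects}


if __name__ == "__main__":
    # With the trailing slash only the intended object matches; the
    # different-date object is denied because prefix matching is anchored
    # at the start of the name, so one prefix covers one date path only.
    for name, ok in evaluate("23/10/01/folder_1/").items():
        print(f"{'ALLOW' if ok else 'DENY ':5} gs://{BUCKET}/{name}")
    # Without the slash, the folder_10 look-alike slips through.
    print(evaluate("23/10/01/folder_1")["23/10/01/folder_10/trap.txt"])  # True
```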