
Amazon STS offers the ability to take an IAM token and create a limited subset of the abilities of that token for other use. The subset of abilities can be by time (expiring in N hours) and by allowed operations (e.g. read one S3 bucket but not all the S3 buckets the original token can read).

Because this is done using the S3 ARN format, which supports wildcards in the S3 key name, it's possible to create a sub-token that can read part of an S3 bucket.

Looking through Google Cloud Storage's access control docs I couldn't find the equivalent of this functionality in GCS.

To be more specific, I'd like to create a bucket with these four objects:

/folder1/file1
/folder1/file2
/folder2/file3
/folder2/file4

And given a token with permissions to access all files indefinitely, produce a limited subset of the token with permissions to view just the objects in /folder2/* (so /folder2/file3 and /folder2/file4) for N hours.

Is this possible in GCS like it is in S3/STS?

Andrew

1 Answer

Currently, in GCP there are no tokens with a limited subset of the abilities of another token.

The most similar thing to what you are asking for is Signed URLs, since they allow time-limited access to Cloud Storage objects.

I don't know why you need them to have abilities that are a subset of those of another token, but in your case you could just create Signed URLs with permissions to view the objects in /folder2/*.

rilla
    Do signed URLs support wildcards, or would the objects need to be listed out? In my actual application there can be O(10k) objects in the folder. – Andrew Aug 30 '18 at 15:47
  • Creation of Signed URLs does support wildcards, but each URL only provides access to one file, so if you create them with wildcards, you will get back as many URLs as objects matching the pattern. – rilla Aug 31 '18 at 09:21
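The S3/STS mechanism the question describes, as an added example that is not part of the question or the answer: a session policy scoped to one key prefix, built as the parameters for STS AssumeRole, plus a small local check of which keys it covers. The bucket name, role ARN and account id are placeholders.

```python
import fnmatch
import json

# Constructed placeholder values; substitute your own bucket and role ARN.
BUCKET = "example-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/ReadOnlyRole"


def scoped_policy(bucket: str, prefix: str) -> dict:
    """IAM session policy granting read access to one prefix of a bucket.

    GetObject is matched against the object ARN, so a trailing wildcard on
    the key works. ListBucket is evaluated against the bucket ARN, so it
    must be narrowed separately with an s3:prefix condition or the session
    could list every key in the bucket.
    """
    prefix = prefix.strip("/") + "/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def assume_role_params(role_arn: str, bucket: str, prefix: str, hours: int) -> dict:
    """Keyword arguments for boto3's sts.assume_role(). The inline session
    policy can only narrow the role's own permissions, never widen them."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": "scoped-reader",
        "Policy": json.dumps(scoped_policy(bucket, prefix)),
        "DurationSeconds": hours * 3600,
    }


def allows_get(policy: dict, bucket: str, key: str) -> bool:
    """Local check: does an Allow GetObject statement's Resource match this key's ARN?"""
    arn = f"arn:aws:s3:::{bucket}/{key.lstrip('/')}"
    return any(
        "s3:GetObject" in stmt["Action"] and fnmatch.fnmatchcase(arn, stmt["Resource"])
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow"
    )
```

Pass the returned dict to `boto3.client("sts").assume_role(**params)`; the temporary credentials it returns expire after `DurationSeconds` and can read only keys under the prefix.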