0

Has anyone found a workaround to deny user to pull images from Google container registry with just Viewer role??? Iam policy constrain doesn't support Storage bucket deny yet. Wondering how to resolve this issue, while allow a user viewer role to view GCP resources.

Jim Morrison
  • 2,784
  • 1
  • 7
  • 11
Lee.Tan
  • 619
  • 2
  • 6
  • 18

2 Answers2

0

Members of the "viewer" group have permission to read objects in the artifacts bucket because they are readers in the legacy ACL for the bucket (and all new buckets, by default). So you have to fix it by changing the legacy ACL, rather than the IAM ACL:

  1. Go to https://console.cloud.google.com/storage/browser?project=your-project-123
  2. Edit bucket permissions on the artifacts bucket(s)enter image description here
  3. Remove "Viewers of project: your-project-123" from "Storage Legacy Bucket Reader"enter image description here

In the future perhaps this will become an IAM controlled feature (in which case a IAM custom role would be the solution).

David
  • 9,288
  • 1
  • 20
  • 52
  • Dave, thanks for taking the time to response. After removing both Storage Legacy Bucket Reader and Storage Legacy Bucket Owner permission, I'm still able to download the images from Google Container Registry with Viewer ONLY permission. A pretty scary flaw from GCP. – Lee.Tan Oct 11 '18 at 01:21
  • Are there any other buckets with 'artifact' in the name? e.g. `us.artifacts.your-project-123.appspot.com`? You might need to remove the legacy bucket reader permission from them all. – David Oct 11 '18 at 15:35
  • nope, I only have one bucket for that tested project. – Lee.Tan Oct 11 '18 at 20:27
0

Another solution would be to create a custom role. In that Custom Role, you could add all the permissions included in a Viewer role, and at the same time deny access to the Bucket by not granting the specific Bucket permissions.

Mahmoud Sharif
  • 1,085
  • 6
  • 12
  • but then deny access to the buckets would stop user with viewer role to view the data in the bucket right? – Lee.Tan Oct 17 '18 at 14:21
  • Yes, that is correct. You would have to create a customer role, with the same permission included in Viewer, but then remove the roles that grant him access to the bucket. – Mahmoud Sharif Oct 18 '18 at 00:52
  • Thanks. I think this is a good issue to let GCP know. There should be a way to allow user to view buckets and deny to download any container images. – Lee.Tan Oct 18 '18 at 15:40
  • You may let the GCP know by creating a new issue in the [Public Issue Tracker](https://cloud.google.com/support/docs/issue-trackers) A GCP specialist will review your request. – Mahmoud Sharif Oct 21 '18 at 20:35