
I have an external identity provider that supports OpenID Connect (OIDC) and want to access Google Cloud Storage (GCS) directly, using a short-lived access token. So I'm using workload identity federation in order to provide a credential from my external identity provider and get a federated token in exchange.

I have created the workload identity pool and provider and connected a service account to it, which has write access to a certain bucket in GCS.

How can I differentiate the access to a specific folder in the bucket according to the token provided from my external identity provider? For example, for userA to have access only to folderA in the bucket. Can I do this using one service account?

Any help would be highly appreciated.

elli

1 Answer

Folders don't exist on Cloud Storage; it's a blob storage, and all the objects are stored at the bucket level. For human readability and representation, the / is the folder separator, by convention.

Therefore, because directories don't exist, you can't grant any permission on them. The finest granularity is the bucket.

In your use case, you can't grant write access at the folder level, but you can create 1 bucket per user and therefore grant the impersonated service account on the bucket.

guillaume blaquiere
  • Thank you for your answer! Ok, so how can I add this dynamic role to the service account so that users have access only to their own buckets? Assuming that the token of the user would have an id that could map to the bucket dynamically. Could you give me an example? Sorry, I'm new to this. – elli Jan 29 '22 at 17:11
  • @eli - your original question has been answered. For a new question, post a new question. Do not use comments for Q/A sessions. – John Hanley Jan 30 '22 at 21:08
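The answer's suggestion (one bucket per user, with the impersonated service account granted at bucket level, since the bucket is the finest grant boundary), as an added example that is not part of the original answer. The project, service account, location and bucket prefix are assumed placeholders; the bucket name is derived from the OIDC `sub` claim by hashing, so that raw identity-provider identifiers never appear in globally visible bucket names.

```python
import hashlib
import re
import subprocess

# Assumed placeholder values (not from the original question).
LOCATION = "europe-west1"
SERVICE_ACCOUNT = "gcs-writer@example-project.iam.gserviceaccount.com"
BUCKET_PREFIX = "app-user-"
# Bucket-level role: GCS cannot grant writes on a "folder" (object prefix).
ROLE = "roles/storage.objectCreator"

# GCS bucket names: 3-63 chars, lowercase letters, digits, hyphens,
# starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def bucket_for_subject(subject: str, prefix: str = BUCKET_PREFIX) -> str:
    """Derive a stable, naming-rule-compliant bucket name for one user.

    The `sub` claim is hashed instead of embedded: bucket names are global
    and public-facing, and a raw subject could leak IdP user identifiers.
    """
    digest = hashlib.sha256(subject.encode("utf-8")).hexdigest()[:24]
    name = f"{prefix}{digest}"
    if not BUCKET_NAME_RE.match(name):
        raise ValueError(f"derived name violates bucket naming rules: {name}")
    return name


def provisioning_commands(subject: str) -> list[list[str]]:
    """gcloud invocations that create the user's bucket and bind the
    federated service account with write access on that bucket only."""
    bucket = bucket_for_subject(subject)
    return [
        ["gcloud", "storage", "buckets", "create", f"gs://{bucket}",
         f"--location={LOCATION}", "--uniform-bucket-level-access"],
        ["gcloud", "storage", "buckets", "add-iam-policy-binding",
         f"gs://{bucket}", f"--member=serviceAccount:{SERVICE_ACCOUNT}",
         f"--role={ROLE}"],
    ]


def provision(subject: str) -> str:
    """Run the provisioning for one user; returns the bucket name."""
    for cmd in provisioning_commands(subject):
        subprocess.run(cmd, check=True)
    return bucket_for_subject(subject)


if __name__ == "__main__":
    for cmd in provisioning_commands("userA"):
        print(" ".join(cmd))
```

Each binding is scoped to one bucket, so the service account can write to exactly the buckets it has been bound to.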