Conditional Binding for Objects in Google Cloud Storage Buckets


I am working with Google Cloud Storage (GCS) buckets and I need to set up conditional access control for objects in these buckets. Specifically, I want to give viewers access to objects in a certain folder structure, while restricting access to objects in another folder within the same bucket. Here's an example of the folder structure I'm dealing with:

  • gs://bucket/23/10/01/folder_1

  • gs://bucket/23/10/02/folder_1

In general, the structure follows this pattern:

  • gs://bucket/{year}/{month}/{day}/folder_1

I want to grant access to folder_1 objects for viewers, but deny access to any other objects within the same structure. For instance, users should be able to access objects under folder_1 like gs://bucket/23/10/01/folder_1/some_file.txt, but they should not have access to objects under another_folder like gs://bucket/23/10/01/another_folder/another_file.txt.

I understand that IAM policies can be used to manage access control, but I'm not sure how to set up a conditional binding that allows access based on the folder structure. Can someone please provide guidance on how to achieve this conditional access control in GCS? Are there any specific policies or rules I need to set up to accomplish this?

I've explored the following approaches:

  • IAM Policies: I started by creating IAM policies for my GCS bucket. I tried to set permissions on individual objects within the bucket, but I couldn't find a straightforward way to conditionally grant access based on the folder structure.

  • Wildcard in IAM Conditions: I attempted to use wildcards in the conditions of my IAM policies, hoping to match the folder structure. For example, I tried conditions like resource.name.startsWith("gs://bucket/*/folder_1/"), but it didn't seem to work as expected.

  • Google Cloud Storage Bucket Policy: I looked into creating a bucket policy to enforce certain access rules, but I couldn't find a way to specify conditional access based on folder structures.

Despite these attempts, I haven't been able to achieve the desired conditional access control based on folder structures. I'm now seeking guidance and insights from the Stack Overflow community on how to accomplish this task effectively.

Thank you in advance for your assistance!


Based on this documentation on Cloud Storage Object namespace:

Object names reside in a flat namespace within a bucket. This means that:

  • Different buckets can have objects with the same name.
  • Objects don't reside within subdirectories in a bucket.

This means that sub-directories or sub-folders don't really exist; they are just a visual representation of folders/sub-folders for us to view in the Google Cloud Console. This also means that we can't apply different or separate IAM policies for each object inside the Cloud Storage bucket.

Here are some of the suggestions I could recommend for us to provide or restrict access for each object:

You can also check this similar Stack Overflow link for reference.
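As an added example (not code from the question or the answer), the script below models how an IAM Conditions `resource.name.startsWith(...)` clause is evaluated for Cloud Storage objects: the resource name has the form `projects/_/buckets/BUCKET/objects/OBJECT` rather than a `gs://` URL, and `startsWith` takes a literal prefix with no wildcard support, which is why a condition written as `gs://bucket/*/folder_1/` never matches anything. The bucket name `example-bucket` and the date list are constructed sample values; attaching such a condition to a bucket-level binding also requires uniform bucket-level access on the bucket.

```python
# Added example: models the literal-prefix semantics of IAM Conditions'
# resource.name.startsWith() for Cloud Storage objects. Bucket, object and
# date values are constructed samples, not values from a real project.
from typing import Iterable


def object_resource_name(bucket: str, object_name: str) -> str:
    """Resource name IAM Conditions sees for a Cloud Storage object."""
    return f"projects/_/buckets/{bucket}/objects/{object_name}"


def folder_prefixes(bucket: str, dates: Iterable[str], folder: str) -> list[str]:
    """One literal prefix per {year}/{month}/{day} path: startsWith has no wildcard,
    so each day that should be readable needs its own prefix."""
    return [object_resource_name(bucket, f"{d}/{folder}/") for d in dates]


def build_condition(prefixes: Iterable[str]) -> str:
    """CEL expression for a bucket-level conditional binding: OR of startsWith clauses."""
    clauses = [f'resource.name.startsWith("{p}")' for p in prefixes]
    return " || ".join(clauses)


def condition_grants(prefixes: Iterable[str], resource_name: str) -> bool:
    """Mirror of startsWith evaluation: a plain literal prefix comparison."""
    return any(resource_name.startswith(p) for p in prefixes)


if __name__ == "__main__":
    bucket = "example-bucket"  # constructed sample bucket name
    prefixes = folder_prefixes(bucket, ["23/10/01", "23/10/02"], "folder_1")
    print(build_condition(prefixes))
    for obj in [
        "23/10/01/folder_1/some_file.txt",            # readable: under folder_1
        "23/10/01/another_folder/another_file.txt",   # denied: other folder
        "23/10/03/folder_1/late.txt",                 # denied: day not in the list
    ]:
        print(obj, condition_grants(prefixes, object_resource_name(bucket, obj)))
    # The wildcard string from the question is just a literal prefix that no
    # real resource name starts with, so it grants nothing.
    wildcard = ["gs://bucket/*/folder_1/"]
    print(condition_grants(wildcard, object_resource_name(bucket, "23/10/01/folder_1/x.txt")))
```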