Grant IAM Access to Organization

I would like to grant IAM read access to a storage bucket in one of my projects to all service accounts, users, etc. in my organization. I don’t want to grant public access and therefore do not want to use allUsers or allAuthenticatedUsers. Is there a way to do this?

I understand I can create a group and add new service accounts to that group, however, I would prefer to not have to manage a group every time somebody builds a project.

I see there’s “All principals in a Cloud Identity account (domain)” if using the IAM v2 API and can specify a principal “principalSet://goog/cloudIdentityCustomerId/CLOUD_IDENTITY_CUSTOMER_ID”, but I have no idea how to actually use this or if IAM v2. principalSet is invalid if trying to use it in an IAM binding (Terraform).
https://cloud.google.com/iam/docs/principal-identifiers#v2

Thanks.

3 Likes

Let me add a little more context of what I’m really trying to accomplish. I would like to use a storage bucket to house a GCE startup script that I am referencing from a module that builds a very specific type of VM. A member of our DevOps team would use the module in their Terraform code to build a VM. There’s no way to predict the project or service account they would be assigning to the VM. If there is a way to allow access to all GCE instances in my organization (either by scope or some sort of impersonation) that may work too. Basically, I need GCE compute resources to be able to read from the bucket during system startup. Therefore, the data is somewhat sensitive and I don’t want to allow public access (allUsers) or all authenticated access (allAuthenticatedUsers) unless I can restrict to only authenticated users / service accounts associated with my organization.

2 Likes

Hello,
Did you find a way for this use case?

Hi Nick,

To grant IAM read access to a storage bucket for all users and service accounts in your organization without making it public or manually managing groups, you can use the IAM v2 API with the principalSet identifier:

  1. Enable IAM API v2: Make sure the IAM API v2 is enabled in your Google Cloud project.

  2. Get Your Cloud Identity Customer ID: Find your Cloud Identity Customer ID in your account settings.

  3. Define the IAM Policy: Use the IAM v2 API to assign the roles/storage.objectViewer role to principalSet://goog/cloudIdentityCustomerId/YOUR_CLOUD_IDENTITY_CUSTOMER_ID.

  4. Apply the Policy with Terraform: If Terraform doesn’t directly support IAM v2 features, you might need to use workarounds like local-exec provisioners to apply your IAM policies via gcloud commands or API calls.

  5. Test Access: Ensure the policy grants the correct access without exposing your resources publicly.

Hope it helps.

3 Likes
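For the “Test Access” step, here is an added example (not the replier’s code, and not from the thread) of the check a practitioner would actually run: take the JSON that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints and report any public principal (allUsers / allAuthenticatedUsers) plus every principal that can read objects. The bucket, project and e-mail names in the sample policy are constructed for the example; the role set is the predefined object-read roles and does not cover custom roles or grants inherited from the project.

```python
"""Audit a Cloud Storage bucket IAM policy before trusting it.

Added example for the "Test Access" step, not code from the thread. It takes the
JSON printed by

    gcloud storage buckets get-iam-policy gs://BUCKET --format=json

and reports (a) any public principal and (b) every principal that can read
objects, so you can confirm nothing outside the organization was granted access.
Bucket names, project IDs and e-mail addresses below are constructed.
"""
import json
import subprocess
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that allow reading object data. Not exhaustive: custom roles
# and project-level roles inherited by the bucket are not visible in this policy.
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}

# Constructed sample: what a bucket policy could look like after someone took
# the allAuthenticatedUsers shortcut the original poster wants to avoid.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["group:gcs-admins@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers",
                 "serviceAccount:vm-startup@example-project.iam.gserviceaccount.com",
                 "deleted:serviceAccount:old@example-project.iam.gserviceaccount.com?uid=123"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:contractor@example.org"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}}
  ],
  "etag": "CAE="
}
""")


def audit_policy(policy):
    """Return public grants, object readers and conditional reader bindings."""
    public = []
    readers = []
    conditional = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                continue  # a deleted principal can no longer authenticate
            if member in PUBLIC_PRINCIPALS:
                public.append((role, member))
            if role in OBJECT_READ_ROLES:
                readers.append((role, member))
                if "condition" in binding:
                    expr = binding["condition"].get("expression", "")
                    conditional.append((role, member, expr))
    return {
        "public": public,
        "readers": sorted(set(readers)),
        "conditional": conditional,
        "is_public": bool(public),
    }


def fetch_policy(bucket):
    """Fetch the live policy with gcloud (needs an authenticated gcloud)."""
    out = subprocess.check_output(
        ["gcloud", "storage", "buckets", "get-iam-policy",
         f"gs://{bucket}", "--format=json"],
        text=True,
    )
    return json.loads(out)


def main(argv):
    policy = fetch_policy(argv[1]) if len(argv) > 1 else SAMPLE_POLICY
    report = audit_policy(policy)
    for role, member in report["public"]:
        print(f"PUBLIC: {member} has {role}")
    for role, member in report["readers"]:
        print(f"reader: {member} via {role}")
    for role, member, expr in report["conditional"]:
        print(f"conditional: {member} via {role} only when {expr}")
    return 1 if report["is_public"] else 0  # non-zero exit fails a CI gate


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the constructed sample flagged as public, or with a bucket name to audit a real bucket; the non-zero exit code lets you gate a Terraform apply on the bucket not being public.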

Hi,

According to the docs, the IAM v2 principal identifiers are just for deny policies. I tried with both a project and a bucket IAM binding, and it wasn’t possible using the principal identifier format principalSet://goog/cloudIdentityCustomerId/<>.

We are facing the same problem. We want to share a bucket containing the service catalogue solutions with all the projects (service accounts) within the organisation, but maintaining a group is too much.

Hopefully, someone from Google can see and review this.