How do I check that a Google Cloud service account has a particular permission programmatically?

Time:05-28

I'm making an integration with a user-supplied GCS bucket. The user will give me a service account, and I want to verify that service account has object write permissions enabled to the bucket. I am failing to find documentation on a good way to do this. I expected there to be an easy way to check this in the GCS client library, but it doesn't seem as simple as myBucket.CanWrite(). What's the right way to do this? Do I need to have the bucket involved, or is there a way, given a service account json file, to just check that storage.objects.create exists on it?

CodePudding user response:

IAM permissions can be granted at org, folder, project and resource (e.g. GCS Bucket) level. You will need to be careful that you check correctly.

For permissions granted explicitly to the bucket:

  1. Use APIs Explorer to find Cloud Storage service
  2. Use Cloud Storage API reference to find the method
  3. Use BucketAccessControls:get to retrieve a member's (e.g. a Service Account's) permission (if any).

APIs Explorer (sometimes) has code examples but, knowing the method, you can find the Go SDK.

The documentation includes a summary for ACLs using the List method, but I think you'll want to use Get (or equivalent).

NOTE I've not done this.

There doesn't appear to be a specific match to the underlying API's Get in the Go library.

From a Client, you can use Bucket method with a Bucket name to get a BucketHandle and then use the ACL method to retrieve the bucket's ACL (which should include the Service Account's email address and role, if any).

Or you can use the IAM method to get the bucket's IAM library's (!) Handle and then use the Policy method to get the resource's IAM Policy which will include the Service Account's email address and IAM role (if any).
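
As an added example (not DazWilkin's code and not the Go SDK itself), the same question can be put to the bucket's `testIamPermissions` method of the Cloud Storage JSON API, which reports which of the requested permissions the caller holds on that bucket, inherited bindings included, rather than requiring you to walk the policy yourself. It assumes the `http.Client` that sends the request is authenticated as the service account under test (built by the caller from that account's JSON key), and the bucket name and response body in the comments are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// StorageAPIBase is the Cloud Storage JSON API root (overridable for tests).
var StorageAPIBase = "https://storage.googleapis.com/storage/v1"

// TestPermissionsRequest builds the GET for buckets.testIamPermissions. The API
// reports the permissions of the caller, so the http.Client that sends this
// request must be authenticated as the service account being verified
// (assumption: the caller builds it from that account's JSON key).
func TestPermissionsRequest(bucket string, want []string) (*http.Request, error) {
	q := url.Values{}
	for _, p := range want {
		q.Add("permissions", p) // one repeated query parameter per permission
	}
	u := fmt.Sprintf("%s/b/%s/iam/testPermissions?%s", StorageAPIBase, url.PathEscape(bucket), q.Encode())
	return http.NewRequest(http.MethodGet, u, nil)
}

// MissingPermissions decodes the response body and returns which of the wanted
// permissions the caller does NOT hold on the bucket (empty means all present).
func MissingPermissions(status int, body []byte, want []string) ([]string, error) {
	if status != http.StatusOK {
		return nil, fmt.Errorf("testIamPermissions failed: HTTP %d: %s", status, body)
	}
	var resp struct {
		Permissions []string `json:"permissions"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode testIamPermissions response: %w", err)
	}
	held := map[string]bool{}
	for _, p := range resp.Permissions {
		held[p] = true
	}
	missing := []string{}
	for _, p := range want {
		if !held[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}
```

Send the request with the authenticated client, then pass the status code and body to `MissingPermissions`; a non-empty result names exactly the permissions (such as `storage.objects.create`) the service account lacks on that bucket.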

CodePudding user response:

As per DazWilkin's answer, you can check the permission at different levels, and it can be difficult to know clearly whether an account has a permission.

For that, Google Cloud released a service: IAM troubleshooter. It's part of the Policy Intelligence suite, which helps you to understand, analyse and troubleshoot IAM permissions.

You have the API to call in the documentation.
