How to grant access to only specific Google Cloud Storage buckets using IAM conditions.


When backing up data to Google Cloud Storage, you need to create a service account for CubeBackup and authorize it to access the data in your GCP bucket. By default, the CubeBackup configuration guide walks you through creating a service account with the predefined Storage Object Admin role, which keeps the setup simple.

Using projects is the recommended way to manage Google Cloud resources and service account permissions. We recommend that you create a new project for the Cloud Storage bucket and the service account that CubeBackup requires.

Fine-grained access control for a Google Cloud Storage bucket

If there are multiple Cloud Storage buckets under the same project, a service account holding the Storage Object Admin role on that project can also access the data in the other buckets within the project. If your company's data compliance policies require more fine-grained access control than this, you can restrict the CubeBackup service account's permissions to a single storage bucket using a Google Cloud IAM condition:

  1. Select IAM & Admin > Service Accounts from the left panel.
  2. Click + CREATE SERVICE ACCOUNT.
  3. Enter a valid Service account name; a Service account ID is generated automatically. You can simply keep the default ID and click CREATE AND CONTINUE.
  4. Select Storage Object Admin as the role.
  5. Click the + ADD CONDITION link; a large panel slides out from the right.
  6. Enter a condition Title, switch to the CONDITION EDITOR tab, then copy and paste the following expression (replace "your-bucket-name" with the real bucket name). This creates a condition that restricts the permissions of this service account to the specified bucket only.

    resource.name.startsWith("projects/_/buckets/your-bucket-name/objects/")

  7. Click SAVE to return to the Create service account dialog.
  8. Click DONE to skip the Grant users access to this service account step.
  9. On the Service accounts page, click the Email link of the service account you have just created.
  10. Select the KEYS tab of the service account and click ADD KEY > Create new key.
  11. Select JSON as the Key type and click CREATE.
  12. A service account key file is downloaded to your local machine. Upload it as the Service account key in Step 2 of the CubeBackup configuration wizard.
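The following is an added example, not CubeBackup's or Google's code. It reproduces the plain string-prefix test that the IAM condition above performs on resource.name, runs it against a few constructed Cloud Storage resource names to show exactly which resources the conditional Storage Object Admin binding reaches (including why the trailing "/objects/" matters when another bucket shares the same name prefix), and builds the equivalent gcloud binding command without executing it. The project ID, service account address and bucket names are placeholders.

```python
"""Scope check for the Cloud Storage IAM condition used in the procedure above.

Added example, not part of the CubeBackup documentation. The IAM condition
language evaluates resource.name.startsWith(...) as a plain string-prefix
test, which is what in_scope() reproduces below so the effect of the
condition can be inspected offline.
"""
from __future__ import annotations

ROLE = "roles/storage.objectAdmin"  # the predefined Storage Object Admin role


def condition_expression(bucket: str) -> str:
    """Return the condition expression from step 6 for the given bucket name."""
    return f'resource.name.startsWith("projects/_/buckets/{bucket}/objects/")'


def object_resource_name(bucket: str, object_path: str) -> str:
    """resource.name as IAM sees it for an object in a bucket."""
    return f"projects/_/buckets/{bucket}/objects/{object_path}"


def bucket_resource_name(bucket: str) -> str:
    """resource.name as IAM sees it for the bucket itself."""
    return f"projects/_/buckets/{bucket}"


def in_scope(resource_name: str, bucket: str) -> bool:
    """True if the condition from step 6 would match this resource name.

    The trailing "/objects/" is part of the prefix, so objects in a bucket
    whose name merely starts with `bucket` (e.g. "backups-old") do not match.
    """
    return resource_name.startswith(f"projects/_/buckets/{bucket}/objects/")


def loose_in_scope(resource_name: str, bucket: str) -> bool:
    """Same test with the trailing "/objects/" omitted, shown for comparison.

    This variant also matches any bucket whose name starts with `bucket`,
    which is broader than the single-bucket restriction intended above.
    """
    return resource_name.startswith(f"projects/_/buckets/{bucket}")


def gcloud_binding_command(project_id: str, sa_email: str, bucket: str,
                           title: str = "cubebackup-single-bucket") -> list[str]:
    """Build the gcloud command that creates the same conditional binding.

    `gcloud projects add-iam-policy-binding` accepts
    --condition=expression=EXPR,title=TITLE; the argv is returned, not run.
    """
    return [
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member=serviceAccount:{sa_email}",
        f"--role={ROLE}",
        f"--condition=expression={condition_expression(bucket)},title={title}",
    ]


def scope_report(bucket: str, resource_names: list[str]) -> dict[str, bool]:
    """Map each resource name to whether the strict condition matches it."""
    return {name: in_scope(name, bucket) for name in resource_names}


if __name__ == "__main__":
    # Constructed sample resource names (placeholder bucket names).
    bucket = "backups"
    samples = [
        object_resource_name("backups", "cubebackup/data/2024/chunk.bin"),
        object_resource_name("other-bucket", "report.pdf"),
        object_resource_name("backups-old", "chunk.bin"),
        bucket_resource_name("backups"),
    ]
    for name, allowed in scope_report(bucket, samples).items():
        print(f"{'in scope ' if allowed else 'out      '} {name}"
              f"  (loose prefix: {loose_in_scope(name, bucket)})")
    print(" ".join(gcloud_binding_command(
        "my-project-id", "cubebackup@my-project-id.iam.gserviceaccount.com", bucket)))
```

Running the script shows that objects under the named bucket are in scope, objects in other buckets are not, and the bucket resource itself is not matched by this object-prefix expression; the "loose prefix" column shows that dropping "/objects/" would also admit the similarly named "backups-old" bucket.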