How do you assign storage permissions to a group of GCP service accounts?

Question

How does one assign Google Cloud Storage bucket permissions to a group of users?

There's no bucket-level permissions that can be specified in roles, and there's no way to create a group as far as I can tell.

There appears to be a way to create a Google Group to do this but it seems totally ridiculous to create a discussion list to assign service accounts permissions.

Answer 1

The Google Groups is the recommended strategy when managing permissions of various users at the same time.

By tweaking the configuration, you can make it so no discussion can be created for the group, and its sole purpose can be to group users that require a specific set of permissions.

The following were the steps I took to create the group and set the permission to a Google Cloud Storage Bucket:

1. On the Create Group page, set the basic permissions, and create the group. Notice that if you do not want people to post or interact with it in any way, you can deselect the Post permissions for everyone.

2. You can then add users directly, or send invitations. Notice that you can choose to not send any group related emails here:

3. You can then head to the Storage section and add the Group email address to the permissions tab:

Answer 2

The Google Groups approach is the right one, You can create a group of users in Gsuite and assign the group permissions [1][2] in IAM. The groups should be accessible to in your GCS bucket role binding. For the discussion list, using it is not a requirement for the usability in IAM.

[1] https://support.google.com/a/answer/33343?hl=en

[2] https://cloud.google.com/iam/docs/faq#how_many_policies_can_i_have