Allow Bucket Level Permissions on GCP Service Accounts (Google Cloud Storage Integration)

Currently, to be able to integrate with Google Cloud Storage, we are required to create a GCP Service Account with 'storage.admin' role on the entire project.

This is a security concern - we would like to be able to integrate with GCP Cloud Storage, with a service account that only has 'storage.admin' role for a specific bucket.

Why doesn't Retool allow the option to configure a GCP Service Account with only permissions to a specified bucket?

In this case, Retool should only allow this resource to access the bucket defined in the resource.

Hey @ereid7!

Can you try setting up a resource with a GCP Service Account that only has Storage Object Admin permissions on your bucket and then ignore the following error when running "Test connection":

It looks like, after doing so, you should still be able to query the bucket your service account has permissions on.
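As an added example (not Retool's code and not from either poster), here is a Terraform configuration for the bucket-scoped setup the reply describes: the service account gets Storage Object Admin on one bucket, with the project-wide Storage Admin binding the thread calls a security concern left commented out for comparison. `PROJECT_ID_PLACEHOLDER`, `BUCKET_NAME_PLACEHOLDER` and the resource names are placeholders I chose, not values from the thread.

```hcl
# Added example, not from Retool or the thread. Replace the two placeholders
# before applying; the bucket is assumed to already exist.
provider "google" {
  project = "PROJECT_ID_PLACEHOLDER"
}

locals {
  bucket_name = "BUCKET_NAME_PLACEHOLDER"
}

# Dedicated identity for the Retool resource, nothing else uses this key.
resource "google_service_account" "retool_gcs" {
  account_id   = "retool-gcs"
  display_name = "Retool GCS integration (single bucket)"
}

# BEFORE: the project-level binding the thread describes as the current
# requirement. Storage Admin on the project reaches every bucket in it.
# resource "google_project_iam_member" "retool_gcs_project_admin" {
#   project = "PROJECT_ID_PLACEHOLDER"
#   role    = "roles/storage.admin"
#   member  = "serviceAccount:${google_service_account.retool_gcs.email}"
# }

# AFTER: Storage Object Admin bound on the one bucket the resource should see.
# Objects in other buckets are not readable or writable with this key.
resource "google_storage_bucket_iam_member" "retool_gcs_bucket_object_admin" {
  bucket = local.bucket_name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.retool_gcs.email}"
}

# JSON key to paste into the Retool resource. Terraform keeps the private key
# base64-encoded in its state file, so the state needs the same protection as
# the key itself.
resource "google_service_account_key" "retool_gcs" {
  service_account_id = google_service_account.retool_gcs.name
}

output "retool_gcs_key_json" {
  value     = base64decode(google_service_account_key.retool_gcs.private_key)
  sensitive = true
}
```

With only the bucket-level binding in place, "Test connection" can still report the error the reply mentions, while queries against the named bucket work.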

I have created a ticket for our DevOps team to update our GCP service account via Terraform. I will report back once the permissions have been updated.