Solved: Grant IAM Access to Organization - Page 2

NickK · 12-19-2023 01:12 PM

I would like to grant IAM read access to a storage bucket in one of my projects to all service accounts, users, etc. in my organization. I don't want to grant public access and therefore do not want to use allUsers or allAuthenticatedUsers. Is there a way to do this?

I understand I can create a group and add new service accounts to that group, however, I would prefer to not have to manage a group every time somebody builds a project.

I see there's "All principals in a Cloud Identity account (domain)" if using IAM v2 API and can specify a principle "principalSet://goog/cloudIdentityCustomerId/CLOUD_IDENTITY_CUSTOMER_ID" but have no idea how to actually use this or if IAM v2. principalSet is invalid if trying to use in an IAM binding (terraform).
https://cloud.google.com/iam/docs/principal-identifiers#v2

Thanks.

iamawaneendra

Hi Nick,

To grant IAM read access to a storage bucket for all users and service accounts in your organization without making it public or manually managing groups, you can use the IAM v2 API with the principalSet identifier:

Enable IAM API v2: Make sure the IAM API v2 is enabled in your Google Cloud project.
Get Your Cloud Identity Customer ID: Find your Cloud Identity Customer ID in your account settings.
Define the IAM Policy: Use the IAM v2 API to assign the roles/storage.objectViewer role to principalSet://goog/cloudIdentityCustomerId/YOUR_CLOUD_IDENTITY_CUSTOMER_ID.
Apply the Policy with Terraform: If Terraform doesn't directly support IAM v2 features, you might need to use workarounds like local-exec provisioners to apply your IAM policies via gcloud commands or API calls.
Test Access: Ensure the policy grants the correct access without exposing your resources publicly.

Hope it helps.

View solution in original post