
You make the rules with authentication controls for Cloud Storage

March 19, 2021
Jenny Brown

Developer Relations Engineer


Once you’ve got your data into Cloud Storage, it’s time for an important conversation about authentication. In this post, we’ll review some critical components for determining who has access to that data.

Let’s go back in time, to when you first created a bucket. You'll need to decide whether you want to apply permissions using uniform or fine-grained access. We have some recommendations, so let’s dive in.

Uniform bucket-level access

In general, we recommend using uniform bucket-level access because this method allows you to use Identity and Access Management (IAM) to manage permissions for all of the objects in a bucket.

This may mean rethinking how you were picturing your storage approach, and that’s totally fine—we’ve got plenty of documentation to help you along the way.

For now, let’s look at an example:

Let's imagine you run a dog daycare, and you take photos of the dogs every day so their owners can log in and see what their pet has been up to. Pretty basic stuff, but pet parents love to see it.

If you have a bucket where you're storing all of the photos, then you would need to set the permissions for each individual photo, so that you aren't sharing Ruthie or Remi's photos with Willow's owner.

If, however, you create a bucket for each owner, then you can grant permissions for that bucket, lowering the risk of data exposure.


Now, if Willow's owner adds a second person to the account, one permission change will share all of Willow's adorable photos!


That's because IAM aims to make authentication easier by giving you full control and visibility.

Cloud IAM provides a unified view of the security controls across your entire organization and all of your Google Cloud services, meaning there's one place to grant and review permissions for employees, dog owners, visitors, other franchise locations, etc. This eases some of the operational burden, for sure—especially when you’re looking after dozens of dogs.

So, that's how uniform access works for Cloud Storage, and if you need more examples, check out this documentation.

Fine-grained access

If you know you're going to need to manage permissions at the object level for a given bucket, then you can select fine-grained access. The fine-grained option enables you to use IAM and Access Control Lists (ACLs) together to manage permissions.

It’s good to note that this option is primarily for integrations that rely on legacy access control systems for interoperability with other services, and that using fine-grained controls with ACLs will limit your ability to use other features such as Cloud Audit Logs and IAM Conditions.

Additionally, once you enable uniform bucket-level access, you have 90 days to switch back to fine-grained access before uniform bucket-level access becomes permanent. For more details, including recommended bucket architecture, check out this documentation.

Additional authentication options

Beyond choosing between uniform and fine-grained access when creating your bucket, you also have options for specialized control situations.

Signed URLs (query string authentication) let you grant read or write access to an object, through a link, for a specified amount of time, regardless of whether or not the individual has a Google account. You can create signed URLs with your own program, or using gsutil or the Client Libraries.
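To make the mechanism concrete, here is an added example (not code from the post or from Google's client libraries) that models how a V4-style signed URL is built and what a verifier checks: the signature covers the method, object path and every query parameter, including the expiry, so changing any of them invalidates the link, and the secret stays on the server that mints URLs. The HMAC access ID and secret are constructed placeholders, the key-derivation chain and canonical layout are assumptions that follow the shape of the GOOG4 scheme, and `verify_url` is a local model of the server-side check rather than anything Cloud Storage exposes. For real URLs, use the client libraries or gsutil.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed HMAC key pair for the example; not real credentials.
ACCESS_ID = "GOOG1EXAMPLEACCESSID"
SECRET = "example-secret-do-not-use"
HOST = "storage.googleapis.com"
MAX_EXPIRY = 7 * 24 * 3600  # V4 signed URLs are capped at seven days

# 2021-03-19T12:00:00Z as Unix time, used as the example "now".
EXAMPLE_NOW = 1616155200


def _signing_key(secret: str, date: str) -> bytes:
    # Assumption: mirrors the GOOG4 derivation chain
    # date -> region "auto" -> service "storage" -> "goog4_request".
    key = hmac.new(("GOOG4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in ("auto", "storage", "goog4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def _signature(method: str, path: str, params: dict) -> str:
    """Hex HMAC over the canonical request; every query parameter is covered."""
    ts = params["X-Goog-Date"]
    scope = params["X-Goog-Credential"].split("/", 1)[1]
    date = scope.split("/")[0]
    # quote (not quote_plus) with safe="" so "/" in the credential becomes %2F
    query = urlencode(sorted(params.items()), quote_via=quote)
    canonical = "\n".join([method, path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["GOOG4-HMAC-SHA256", ts, scope, hashlib.sha256(canonical.encode()).hexdigest()]
    )
    return hmac.new(_signing_key(SECRET, date), string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign_url(bucket: str, obj: str, method: str = "GET",
             expires_seconds: int = 900, now_ts: int = EXAMPLE_NOW) -> str:
    """Mint a time-limited URL for one object; the secret never leaves this side."""
    if not 1 <= expires_seconds <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    now = datetime.fromtimestamp(now_ts, tz=timezone.utc)
    date = now.strftime("%Y%m%d")
    params = {
        "X-Goog-Algorithm": "GOOG4-HMAC-SHA256",
        "X-Goog-Credential": f"{ACCESS_ID}/{date}/auto/storage/goog4_request",
        "X-Goog-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Goog-Expires": str(expires_seconds),
        "X-Goog-SignedHeaders": "host",
    }
    path = f"/{bucket}/{quote(obj, safe='/')}"
    query = urlencode(sorted(params.items()), quote_via=quote)
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={_signature(method, path, params)}"


def verify_url(url: str, method: str = "GET", now_ts: int = EXAMPLE_NOW) -> bool:
    """Local model of the checks a verifier performs: expiry, then signature."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query, keep_blank_values=True)
    try:
        presented = q.pop("X-Goog-Signature")[0]
        params = {k: v[0] for k, v in q.items()}
        access_id = params["X-Goog-Credential"].split("/", 1)[0]
        issued = datetime.strptime(params["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Goog-Expires"])
    except (KeyError, ValueError, IndexError):
        return False
    if access_id != ACCESS_ID or not 1 <= expires <= MAX_EXPIRY:
        return False
    now = datetime.fromtimestamp(now_ts, tz=timezone.utc)
    if now > issued + timedelta(seconds=expires):
        return False  # link has lapsed, regardless of signature
    # Recompute over exactly the presented parameters; constant-time compare.
    expected = _signature(method, parsed.path, params)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    link = sign_url("willow-photos", "2021-03-19/willow.jpg", expires_seconds=600)
    print(link)
    print("valid now:", verify_url(link, now_ts=EXAMPLE_NOW + 60))
    print("valid after expiry:", verify_url(link, now_ts=EXAMPLE_NOW + 601))
```

The design point to take from this is that the expiry is part of the signed data: a recipient who edits `X-Goog-Expires` in the link gets a signature mismatch, not a longer-lived link, and a URL signed for `GET` cannot be replayed as a `PUT`.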

Signed Policy Documents specify what can be uploaded to a bucket, with more control over upload characteristics than signed URLs, like size or content type. Signed policy documents can also be used by website owners to allow visitors or organization members to upload files to Cloud Storage.
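The "more control over upload characteristics" part is easiest to see by evaluating a policy document against a candidate upload. The following is an added example, not the post's or Google's code: the policy is a constructed document using the documented condition shapes (an exact-match object such as `{"bucket": ...}`, `["eq", "$field", value]`, `["starts-with", "$field", prefix]` and `["content-length-range", min, max]`), and `evaluate_policy` is a local model of the server-side check, returning the list of violations. The rule that every submitted form field must be covered by some condition is applied here as an assumption about the documented behaviour; the signature over the policy, which uses the same keyed signing as a signed URL, is out of scope for this block.

```python
from datetime import datetime, timezone

# Constructed policy: owners may add JPEGs under their own prefix, up to 5 MiB,
# for ten minutes after the policy was issued.
POLICY = {
    "expiration": "2021-03-19T12:10:00Z",
    "conditions": [
        {"bucket": "willow-photos"},
        ["starts-with", "$key", "uploads/willow/"],
        ["eq", "$Content-Type", "image/jpeg"],
        ["content-length-range", 1, 5 * 1024 * 1024],
    ],
}

_ISO = "%Y-%m-%dT%H:%M:%SZ"


def _covered_fields(policy: dict) -> set:
    """Form fields that some condition constrains; anything else is rejected."""
    names = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            names |= set(cond)
        elif cond[0] in ("eq", "starts-with"):
            names.add(cond[1].lstrip("$"))
    return names


def evaluate_policy(policy: dict, fields: dict, content_length: int, now_iso: str) -> list:
    """Return the list of reasons an upload fails the policy (empty means accepted)."""
    violations = []
    expiry = datetime.strptime(policy["expiration"], _ISO).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, _ISO).replace(tzinfo=timezone.utc)
    if now > expiry:
        violations.append("policy expired")

    for cond in policy["conditions"]:
        if isinstance(cond, dict):  # exact match on one or more fields
            for name, want in cond.items():
                if fields.get(name) != want:
                    violations.append(f"{name} must equal {want!r}")
            continue
        op, *args = cond
        if op == "content-length-range":
            lo, hi = args
            if not lo <= content_length <= hi:
                violations.append(f"content length {content_length} outside [{lo}, {hi}]")
        elif op in ("eq", "starts-with"):
            field, want = args
            have = fields.get(field.lstrip("$"), "")
            ok = have == want if op == "eq" else have.startswith(want)
            if not ok:
                violations.append(f"{field} failed {op} {want!r}")
        else:
            violations.append(f"unsupported condition {op!r}")

    # Assumption about documented behaviour: fields the policy does not mention
    # (for example an unexpected "acl") are rejected rather than silently honoured.
    for extra in sorted(set(fields) - _covered_fields(policy)):
        violations.append(f"field {extra!r} is not covered by the policy")
    return violations


if __name__ == "__main__":
    upload = {"bucket": "willow-photos", "key": "uploads/willow/2021-03-19.jpg",
              "Content-Type": "image/jpeg"}
    print(evaluate_policy(POLICY, upload, 200_000, "2021-03-19T12:05:00Z"))
    print(evaluate_policy(POLICY, {**upload, "key": "uploads/remi/x.jpg"}, 200_000, "2021-03-19T12:05:00Z"))
```

Because the browser submits the policy and its signature along with the file, the owner's page can only upload what the server decided in advance: the right bucket, the owner's own prefix, a JPEG, and a bounded size.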

Credential Access Boundaries restrict the permissions that are available to an OAuth 2.0 access token, allowing you to downscope the permissions on a given bucket for a given user. This enables you to give members a distinct set of permissions for each session.
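The key property of a Credential Access Boundary is that a downscoped token can only lose permissions: its effective permissions are the intersection of what the original credential holds and what the boundary rules allow. The added example below (not the post's or Google's code) models that evaluation locally. The boundary JSON follows the documented shape (`accessBoundaryRules` with `availableResource`, `availablePermissions` written as `inRole:` entries, and an `availabilityCondition` using `resource.name.startsWith(...)`); the bucket-level grants, the small role-to-permission table, and the resource names are constructed assumptions, and only the `startsWith` condition form is handled.

```python
import re

# Assumption: a subset of real Cloud Storage roles, enough to show the
# intersection semantics; the real role definitions are larger.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# Constructed uniform bucket-level bindings held by the original credential:
# the daycare's service identity administers every owner's bucket.
GRANTS = [
    ("projects/_/buckets/willow-photos", "roles/storage.objectAdmin"),
    ("projects/_/buckets/remi-photos", "roles/storage.objectAdmin"),
]

# Constructed boundary for one owner's session: read-only, one bucket, and only
# objects whose names start with this month's prefix.
BOUNDARY = {
    "accessBoundary": {
        "accessBoundaryRules": [
            {
                "availableResource": "//storage.googleapis.com/projects/_/buckets/willow-photos",
                "availablePermissions": ["inRole:roles/storage.objectViewer"],
                "availabilityCondition": {
                    "expression": "resource.name.startsWith('projects/_/buckets/willow-photos/objects/2021-03')"
                },
            }
        ]
    }
}

_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\(['\"]([^'\"]+)['\"]\)$")
_RESOURCE_PREFIX = "//storage.googleapis.com/"


def _under(resource_name: str, prefix: str) -> bool:
    return resource_name == prefix or resource_name.startswith(prefix + "/")


def _expand(perms) -> set:
    """Resolve inRole: entries to concrete permissions."""
    out = set()
    for p in perms:
        if p.startswith("inRole:"):
            out |= ROLE_PERMISSIONS.get(p[len("inRole:"):], set())
        else:
            out.add(p)
    return out


def _rule_matches(rule: dict, resource_name: str) -> bool:
    bucket_path = rule["availableResource"]
    if bucket_path.startswith(_RESOURCE_PREFIX):
        bucket_path = bucket_path[len(_RESOURCE_PREFIX):]
    if not _under(resource_name, bucket_path):
        return False
    cond = rule.get("availabilityCondition")
    if not cond:
        return True
    m = _STARTS_WITH.match(cond["expression"])
    if not m:
        raise ValueError("only resource.name.startsWith(...) conditions are modelled here")
    return resource_name.startswith(m.group(1))


def original_permissions(grants, resource_name: str) -> set:
    """What the un-downscoped credential may do on resource_name."""
    perms = set()
    for prefix, role in grants:
        if _under(resource_name, prefix):
            perms |= ROLE_PERMISSIONS[role]
    return perms


def downscoped_permissions(grants, boundary: dict, resource_name: str) -> set:
    """Intersection of the original grants and the boundary rules that apply."""
    allowed_by_boundary = set()
    for rule in boundary["accessBoundary"]["accessBoundaryRules"]:
        if _rule_matches(rule, resource_name):
            allowed_by_boundary |= _expand(rule["availablePermissions"])
    return original_permissions(grants, resource_name) & allowed_by_boundary


def is_allowed(grants, boundary: dict, permission: str, resource_name: str) -> bool:
    return permission in downscoped_permissions(grants, boundary, resource_name)


if __name__ == "__main__":
    photo = "projects/_/buckets/willow-photos/objects/2021-03-19.jpg"
    print(sorted(original_permissions(GRANTS, photo)))
    print(sorted(downscoped_permissions(GRANTS, BOUNDARY, photo)))
```

Run it and the second line is the viewer subset only: the session token can read this month's photos of Willow, cannot delete them, and sees nothing in Remi's bucket even though the original credential administers both. A boundary rule that names a role the original credential does not hold adds nothing, which is what makes the token safe to hand to a per-session consumer.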


Access managed!

Now that you’ve got your authentication controls up and running, you can breathe a little easier. We’ll be taking a deeper dive into Cloud Storage Security options in some other posts, so stay tuned!

Learn more about your storage options in Cloud Storage Bytes, or check out the documentation for more information, including tutorials.
