This page shows you how to grant and obtain access for Google Distributed Cloud (GDC) air-gapped storage buckets.
Before you begin
A project namespace manages bucket resources in the org admin cluster. You must have a project to work with buckets and objects.
Grant bucket access
You can provide bucket access to other users or service accounts by creating and applying RoleBindings with predefined Roles in the org admin cluster.
Predefined roles
project-bucket-object-viewer: This lets a user list all buckets in the project, list objects in those buckets, and read objects and object metadata. It does not grant write operations on objects, such as uploading, overwriting, or deleting.
project-bucket-object-admin: This lets a user list all buckets in the project, and read and write objects, including uploading, overwriting, and deleting.
project-bucket-admin: This lets users manage all buckets in the given namespace, as well as all the objects in those buckets.
To see a complete list of the permissions granted for the preceding Roles, see the preset Role permissions section.
Ask your Project IAM Admin to grant you permissions to create RoleBindings. The following is an example of creating a RoleBinding for granting access to a user and a service account:
Create a YAML file on your system, such as rolebinding-object-admin-all-buckets.yaml:
# Example file name:
# rolebinding-object-admin-all-buckets.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: NAMESPACE_NAME
  name: readwrite-all-buckets
roleRef:
  kind: Role
  name: project-bucket-object-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  namespace: NAMESPACE_NAME
  name: SA_NAME
- kind: User
  namespace: NAMESPACE_NAME
  name: bob@example.com # Could be bob or bob@example.com based on your organization settings.
  apiGroup: rbac.authorization.k8s.io
Apply the YAML file:
kubectl apply -f rolebinding-object-admin-all-buckets.yaml
Obtain bucket access credentials
Once you grant access to a bucket, the access credentials are created in a Secret.
The format of the secret name is object-storage-key-STORAGE_CLASS-SUBJECT_TYPE-SUBJECT_HASH.
- Values for STORAGE_CLASS are:
  - std for the Standard storage class.
- Values for SUBJECT_TYPE are:
  - user for User.
  - sa for ServiceAccount.
- SUBJECT_HASH is the base32-encoded SHA256 hash of the subject name.
As an example, the user bob@foo.com has two secrets named:
object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja
Obtain user access
For a user subject, the Secret is in the object-storage-access-keys
namespace in the Organization cluster.
Run the following command to find the secret name:
kubectl auth can-i --list --namespace object-storage-access-keys | grep object-storage-key-
You receive an output similar to the following:
secrets [] [object-storage-key-nl-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja,object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja] [get]
Get the contents of the corresponding secret to access buckets in the Standard storage class:
kubectl get -o yaml --namespace object-storage-access-keys secret object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja
You receive an output similar to the following:
data:
  access-key-id: MEhYM08wWUMySjcyMkVKTFBKRU8=
  create-time: MjAyMi0wNy0yMiAwMTowODo1OS40MTQyMTE3MDMgKzAwMDAgVVRDIG09KzE5OTAuMzQ3OTE2MTc3
  secret-access-key: Ump0MVRleVN4SmhCSVJhbmlnVDAwbTJZc0IvRlJVendqR0JuYVhiVA==
Decode the access key ID and secret:
echo "MEhYM08wWUMySjcyMkVKTFBKRU8=" | base64 -d \
  && echo \
  && echo "Ump0MVRleVN4SmhCSVJhbmlnVDAwbTJZc0IvRlJVendqR0JuYVhiVA==" | base64 -d
You receive an output similar to the following:
0HX3O0YC2J722EJLPJEO
Rjt1TeySxJhBIRanigT00m2YsB/FRUzwjGBnaXbT
Follow the section, Configure the gdcloud CLI, with the resulting information.
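The following added example (not code from the GDC documentation) works through the secret-name format and the credential steps above in Python: it derives the expected secret name for a subject, picks the Standard-class secret out of the kubectl auth can-i output, and decodes the data map of the returned Secret. It assumes SUBJECT_HASH is the lowercase, unpadded base32 encoding of SHA-256 over the raw subject name, an inference from the 52-character example name that the page does not confirm; the sample inputs are copied from the outputs shown above.

```python
import base64
import hashlib
import re

STORAGE_CLASSES = ("std", "nl")   # "nl" appears in the can-i output on this page
SUBJECT_TYPES = ("user", "sa")
SECRET_NAME_RE = re.compile(r"object-storage-key-(std|nl)-(user|sa)-([a-z2-7]{52})")


def subject_hash(subject_name: str) -> str:
    # Assumption: SHA-256 of the raw subject name, base32, lowercase, "=" padding stripped.
    digest = hashlib.sha256(subject_name.encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def secret_name(storage_class: str, subject_type: str, subject_name: str) -> str:
    """Build object-storage-key-STORAGE_CLASS-SUBJECT_TYPE-SUBJECT_HASH for a subject."""
    if storage_class not in STORAGE_CLASSES:
        raise ValueError(f"unknown storage class: {storage_class}")
    if subject_type not in SUBJECT_TYPES:
        raise ValueError(f"unknown subject type: {subject_type}")
    return f"object-storage-key-{storage_class}-{subject_type}-{subject_hash(subject_name)}"


def secret_names_from_can_i(output: str, storage_class: str = "std") -> list:
    """Extract the secret names a user may 'get' from 'kubectl auth can-i --list' output."""
    names = []
    for line in output.splitlines():
        if not line.startswith("secrets"):
            continue
        verbs = line.rsplit("[", 1)[-1].rstrip("]").split()  # last bracket group holds the verbs
        if "get" not in verbs:
            continue
        names.extend(m.group(0) for m in SECRET_NAME_RE.finditer(line)
                     if m.group(1) == storage_class)
    return names


def decode_secret_data(data: dict) -> dict:
    """Base64-decode every value in a Secret's data map, as printed by 'kubectl get -o yaml'."""
    return {key: base64.b64decode(value).decode("utf-8") for key, value in data.items()}


# Constructed sample input, copied from the command outputs shown on this page.
CAN_I_OUTPUT = ("secrets [] [object-storage-key-nl-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja,"
                "object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja] [get]")
SECRET_DATA = {"access-key-id": "MEhYM08wWUMySjcyMkVKTFBKRU8=",
               "secret-access-key": "Ump0MVRleVN4SmhCSVJhbmlnVDAwbTJZc0IvRlJVendqR0JuYVhiVA=="}

if __name__ == "__main__":
    print(secret_name("std", "user", "bob@foo.com"))
    print(secret_names_from_can_i(CAN_I_OUTPUT))
    print(decode_secret_data(SECRET_DATA))
```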
Obtain service account access
For a service account (SA) subject, find the secret name from the user cluster.
For the Standard storage class, run the following command to get the secret name:
kubectl get -n=<PROJECT-NAME> serviceaccount <SA-NAME> -o json | jq -r '.secrets[] | select(.name | test("object-storage-key-std"))'
Then, you can manually look through the listed secret names or use grep to find object-storage-key-(std|nl). For the latter option, run the following (the pattern is quoted and passed with -E so the shell does not parse the parentheses and grep treats the alternation as an extended regular expression):
kubectl get -n=<PROJECT-NAME> serviceaccount <SA-NAME> -o=jsonpath='{.secrets}{"\n"}' | grep -E 'object-storage-key-(std|nl)'
You can reference the Secret in your pod as environment variables or files.
Preset role permissions
project-bucket-object-viewer permissions
This role grants permissions to get and list objects and objects' metadata in the bucket.
The object storage permissions the project-bucket-object-viewer Role grants are the following:
Bucket API permissions:
- get
- list
- watch
S3 object storage permissions:
- GetObject
- GetObjectAcl
- GetObjectLegalHold
- GetObjectRetention
- GetObjectTagging
- GetObjectVersion
- GetObjectVersionTagging
- ListBucket
- ListBucketVersions
- ListBucketMultipartUploads
- ListMultipartUploadParts
project-bucket-object-admin permissions
This role grants permissions to put and delete objects, object versions, and tags in the bucket. Additionally, it also grants all permissions in project-bucket-object-viewer.
The additional object storage permissions the Role grants are the following:
S3 Object storage permissions:
- AbortMultipartUpload
- DeleteObject
- DeleteObjectTagging
- DeleteObjectVersion
- DeleteObjectVersionTagging
- PutObject
- PutObjectTagging
- PutObjectVersionTagging
- PutOverwriteObject
- RestoreObject
project-bucket-admin permissions
This role grants permissions to create, update, or delete Bucket resources in the project namespace. Additionally, it also grants all permissions in project-bucket-object-admin.
The additional permissions the Role grants are the following:
Bucket API permissions:
- Create
- Update
- Delete