Any way to enable GCP service account access to a specific folder in a GCS bucket?

1.9k views

We have one bucket containing data of multiple clients, separated by "folders" (of course they're not really folders, but keys). We want to sync data from each folder to the client's bucket by rsync; for that the client supplies us a "service account" with access to his bucket. The problem is, how can we restrict that service account to read only from the specific folder?

e.g.

my_bucket/client1/data

my_bucket/client2/data

client1-service-account should be able to list+read from: my_bucket/client1/*

2

There are 2 answers

2
guillaume blaquiere

You can use Google Storage ACLs to allow an email (user email or service account email) to access a subset of files in a bucket.

HOWEVER, directories don't exist in Google Cloud Storage. The real name is "prefix" or "path". Indeed, if you no longer have a file with a certain "prefix", it disappears, without explicit deletion. I mean, it's not a resource and thus you can't set an ACL on a directory, only on a BLOB.

Therefore, if you add files to a directory, you also have to set the correct ACL on these files (or reset the ACL on the whole prefix). The ACLs aren't inherited by the new files.
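An added illustration of the per-object ACL approach described in this answer (example code, not the answerer's): it selects the objects under one client's prefix and grants a service account READER on each of them, either as equivalent `gsutil acl ch` commands or through the `google-cloud-storage` client. The bucket name `my_bucket` and the `client1/` prefix come from the question; the service account address, the object listing and the function names are constructed for the example.

```python
"""Grant a service account read access to the objects under one "folder" of a
GCS bucket. Prefixes are not resources and carry no ACL, so the grant is made
object by object and must be repeated for objects uploaded later."""
from typing import Iterable, List


def normalize_prefix(prefix: str) -> str:
    # Match on "client1/" rather than "client1": a bare prefix would also
    # match client10/, client1-archive/ and so on, leaking other clients' data.
    return prefix if prefix.endswith("/") else prefix + "/"


def select_objects(object_names: Iterable[str], prefix: str) -> List[str]:
    """Return the object names that belong to the client's prefix."""
    wanted = normalize_prefix(prefix)
    return sorted(name for name in object_names if name.startswith(wanted))


def gsutil_commands(bucket: str, object_names: Iterable[str],
                    prefix: str, sa_email: str) -> List[str]:
    """Equivalent gsutil invocations: one per object, because ACLs live on blobs."""
    return [f"gsutil acl ch -u {sa_email}:R gs://{bucket}/{name}"
            for name in select_objects(object_names, prefix)]


def grant_prefix_read(bucket_name: str, prefix: str, sa_email: str) -> List[str]:
    """Same grant via the google-cloud-storage client (needs credentials, and the
    bucket must not use uniform bucket-level access, which disables object ACLs)."""
    from google.cloud import storage  # imported here so the rest runs offline
    client = storage.Client()
    granted = []
    for blob in client.list_blobs(bucket_name, prefix=normalize_prefix(prefix)):
        blob.acl.user(sa_email).grant_read()  # loads the current ACL, adds READER
        blob.acl.save()
        granted.append(blob.name)
    return granted


# Constructed listing standing in for a real bucket inventory (not from the page).
SAMPLE_OBJECTS = [
    "client1/data/2024-01.csv",
    "client1/data/2024-02.csv",
    "client10/data/2024-01.csv",  # must NOT be matched by prefix "client1"
    "client2/data/2024-01.csv",
]

if __name__ == "__main__":
    sa = "client1-sync@example-project.iam.gserviceaccount.com"  # placeholder
    for cmd in gsutil_commands("my_bucket", SAMPLE_OBJECTS, "client1", sa):
        print(cmd)
```

Note that an object ACL lets the service account read objects it knows the names of; listing is a bucket-level permission (`storage.objects.list`) that object ACLs do not confer, so "list+read" on a single prefix is not fully achievable with ACLs alone.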

0
RELW

Found a workaround:

Instead of using the customers' service accounts, we will use our own service accounts, and have the customer grant write permission to their bucket, so the customer will not have access to our bucket. It doesn't cover all the requirements, but it's something.