Preventing Access to a Bucket in GCP


I am running in circles trying to figure out a feasible solution to my issue.

I have a project that contains several buckets. There is one bucket in this project, we can call it sensitive-bucket, that I only want a single group to have read access to. My issue is that this bucket has several groups with a role assigned to it due to the hierarchical system. For example, a group named org-group may have the Storage Object Admin role at the organizational level, which is inherited down to the sensitive-bucket, or resource, level. If it were only one "org-group" I feel like it would possibly be an easy fix, but unfortunately it's several.

With that being said, is there any hope for an easy solution to this? I am looking for some Halloween IAM magic that I can assign to a principal at the bucket level that will prevent other groups, even with the inherited appropriate permissions, from operating as intended. I have combed through documentation and have had no luck. To add to my frustration, some of the aforementioned groups are in our IaC while others were manually created. If there isn't untapped magical knowledge floating in the ether then I'm afraid I'll have a big task ahead of me.

I toyed with bucket IAM policies and bindings but had no success. I wanted to use a deny policy, for the resource level, but it doesn't seem to exist in GCP. Please help.

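The core of the problem in the question is that GCP allow policies are additive down the resource hierarchy, so a bucket-level binding cannot subtract a role granted at the organization or project level. Before anything can be fixed, you need an inventory of which principals actually end up with object read on the bucket and at which level that grant lives. The script below is an added example (not code from the question or from Google) that computes that inventory from IAM policy JSON. The policies, group names, and the `ORG_ID_PLACEHOLDER` / `PROJECT_ID_PLACEHOLDER` identifiers are constructed sample data, and the set of roles treated as "object read" is an assumption for the example, not an exhaustive list.

```python
import json
from collections import defaultdict

# Constructed sample policies in the shape that
# `gcloud ... get-iam-policy --format=json` returns (only "bindings" is used).
# Illustrative data only, not the poster's real configuration; the ORG/PROJECT
# identifiers are placeholders.
SAMPLE_POLICIES = json.loads("""
{
  "organizations/ORG_ID_PLACEHOLDER": {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["group:org-group@example.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["group:auditors@example.com"]}
  ]},
  "projects/PROJECT_ID_PLACEHOLDER": {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["group:project-readers@example.com"]}
  ]},
  "buckets/sensitive-bucket": {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["group:sensitive-readers@example.com"]}
  ]}
}
""")

# Ancestor chain of the bucket, top down. Allow policies are additive, so a
# binding on any ancestor also applies to the bucket.
SENSITIVE_BUCKET_ANCESTRY = [
    "organizations/ORG_ID_PLACEHOLDER",
    "projects/PROJECT_ID_PLACEHOLDER",
    "buckets/sensitive-bucket",
]

# Predefined Cloud Storage roles that include object read. This set is an
# assumption for the example and is NOT exhaustive: custom roles, basic roles
# (owner/editor/viewer) and legacy bucket roles would have to be added for a
# real audit.
OBJECT_READ_ROLES = frozenset({
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
})


def effective_bindings(policies, ancestry):
    """Return {principal: {(role, resource_where_granted), ...}} for the leaf
    resource of `ancestry`: the union of its own and all inherited bindings.
    Conditional bindings are treated as unconditional (conservative for an audit)."""
    effective = defaultdict(set)
    for resource in ancestry:
        for binding in policies.get(resource, {}).get("bindings", []):
            for member in binding.get("members", []):
                effective[member].add((binding["role"], resource))
    return dict(effective)


def object_readers(policies, ancestry, read_roles=OBJECT_READ_ROLES):
    """Principals that can read objects in the leaf resource, mapped to the
    resource level(s) their access comes from."""
    readers = {}
    for principal, grants in effective_bindings(policies, ancestry).items():
        sources = sorted(res for role, res in grants if role in read_roles)
        if sources:
            readers[principal] = sources
    return readers


def unexpected_readers(policies, ancestry, allowed_principals):
    """Readers outside the intended allow-list: these are the inherited grants
    that must be removed or re-scoped, since a bucket-level allow policy
    cannot take them away."""
    return {
        p: src for p, src in object_readers(policies, ancestry).items()
        if p not in allowed_principals
    }


if __name__ == "__main__":
    allowed = {"group:sensitive-readers@example.com"}
    for principal, sources in unexpected_readers(
            SAMPLE_POLICIES, SENSITIVE_BUCKET_ANCESTRY, allowed).items():
        print(f"{principal} can read sensitive-bucket via {', '.join(sources)}")
```

To run this against real data, replace `SAMPLE_POLICIES` with the JSON from `gcloud organizations get-iam-policy ORG_ID --format=json`, `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` (and any folder policies in between), keyed by resource name. The output is the list of grants that have to be moved off the ancestor level, which is the work the question is hoping to avoid; the script at least tells you exactly how much of it there is.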

There are 0 answers