Authentication to a Google Storage bucket is done by impersonating a Service Account. The Service Account has an associated JSON keyfile which is used to tell Google’s Cloud Platform we have been given access to the bucket.
On your Google Cloud Platform control panel, navigate to APIs & Services > Credentials.
In the section Service Accounts, let’s click on Manage service accounts. This takes us to IAM & Admin > Service Accounts.
Let’s click on Create Service Account.
field | value | description |
---|---|---|
Service account name | ixmage-serviceaccount | Name your account |
Service account ID | This is assigned by itself and we won’t override it | |
Service account description | ixmage acct to read from storage | Something descriptive |
We are skipping optional steps (2) and (3)
Click on Done
At this point, we have a service account in our GCP project, but it is not allowed to do anything. We need to add a role called Storage Object Viewer.
To assign the role, we need to head over to IAM & Admin > IAM and Add our service account with the proper permissions.
Let’s select our service account we just created, and then select the Storage Object Viewer role.
field | value | description |
---|---|---|
New principals | ixmage-serviceaccount@... | Start typing the account name, and select it from the list |
Select a role > Filter | storage object v.. | You can use the Filter option to find the role more quickly |
Select a role > Select | Storage Object Viewer | Locate and click on the role |
and click Save
Now we have our service account ready to read images from our storage
The last step will be to grab the JSON keyfile that will allow ixmage to impersonate this service account.
Click on the newly-created account, and then switch to the KEYS tab.
We are going to click on Add Key > Create new key, select Key type JSON, and click Create.
A JSON file will be downloaded to your computer. The name will contain your project ID followed by a unique id. You can open this file in a text editor, and you can copy-paste its entire contents into the JSON keyfile textarea of your alias setup.
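
Before pasting the keyfile, it is worth confirming that it really is the key of the read-only account created above and not a key for some other, more privileged account. The following check is an added example, not code from ixmage or Google. It assumes the account name `ixmage-serviceaccount` used on this page and the usual `NAME@PROJECT_ID.iam.gserviceaccount.com` e-mail form; the sample key is constructed with placeholder values.

```python
import json

# Fields present in a JSON key created from a service account's KEYS tab.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_keyfile(text, expected_name="ixmage-serviceaccount"):
    """Return a list of problems found in a service-account JSON keyfile."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing or non-string field: {f}" for f in REQUIRED
                if not isinstance(key.get(f), str) or not key[f]]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    # Assumed e-mail form: NAME@PROJECT_ID.iam.gserviceaccount.com
    name, _, domain = key["client_email"].partition("@")
    if name != expected_name:
        problems.append(f"key belongs to {name!r}, not {expected_name!r}")
    if domain != f"{key['project_id']}.iam.gserviceaccount.com":
        problems.append("client_email does not match project_id")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


# Constructed sample: placeholder values only, not a real key.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0" * 40,
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ixmage-serviceaccount@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})

if __name__ == "__main__":
    print(check_keyfile(SAMPLE) or "keyfile matches the expected service account")
```

An empty list means the file has the shape of a key for the expected account; it does not show which roles that account holds, which is still checked under IAM & Admin > IAM.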