Introduction
When you set up a Databricks workspace on your Google Cloud Platform (GCP) account, you have access to that account's storage buckets by default. More complex use cases are likely to involve access to storage buckets that are owned by different GCP accounts.
This article shows you how to use the Google Cloud SDK gsutil commands to set up cross-account read and write permission to storage buckets owned by different GCP accounts.
Before you can configure access to cross-account storage buckets you must:
- Install gsutil as part of the Google Cloud CLI on your local machine.
- Have account credentials for the storage buckets you want to access.
Instructions
You should use service accounts to grant access to storage buckets owned by another account. The commands below use these placeholders:
- <project-number-accountA> - The primary account.
- <project-number-accountB> - The secondary account that owns the storage buckets you want to access.
The project number is an automatically generated unique identifier for your project.
Please review the Google documentation on Identifying projects for more information.
Grant access to new objects in a cross-account bucket
Use defacl to allow access to new objects created in a storage bucket that belongs to another account. A default object ACL only applies to objects created after it is set; it does not change objects already in the bucket.
Enter the commands in your local shell or terminal window where gsutil is installed.
To grant your project's service accounts access to new objects created in a Cloud Storage bucket in another project, use the following gsutil defacl commands in your shell or terminal window.
gsutil defacl ch -u \
  <project-number-accountA>-compute@developer.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil defacl ch -u \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com:OWNER \
  gs://<bucket>
Grant access to the current objects in a cross-account bucket
Use acl to allow access to the bucket itself and to the objects that already exist in a storage bucket that belongs to another account.
Enter the commands in your local shell or terminal window where gsutil is installed.
To grant your project's service accounts access to a Cloud Storage bucket in another project, and to the current contents of that bucket, use the following gsutil acl commands in your shell or terminal window. The commands without -r set the ACL on the bucket; the -m acl ch -r commands walk the bucket in parallel and set the ACL on every existing object.
gsutil acl ch -u \
  <project-number-accountA>-compute@developer.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil -m acl ch -r -u \
  <project-number-accountA>-compute@developer.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil acl ch -u \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil -m acl ch -r -u \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com:OWNER \
  gs://<bucket>
Remove account access to a storage bucket
Use both defacl and acl to remove your service accounts' access to storage buckets that belong to other accounts: defacl stops the accounts from being added to new objects, and acl removes them from the bucket and its existing objects.
Enter the commands in your local shell or terminal window where gsutil is installed.
If you have granted service account access to a bucket, you can run the following Google Cloud CLI gsutil defacl and acl commands to remove your project's service account ownership (read/write permission) of the bucket and its contents.
gsutil defacl ch -d \
  <project-number-accountA>-compute@developer.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil defacl ch -d \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com:OWNER \
  gs://<bucket>

gsutil acl ch -d \
  <project-number-accountA>-compute@developer.gserviceaccount.com \
  gs://<bucket>

gsutil -m acl ch -r -d \
  <project-number-accountA>-compute@developer.gserviceaccount.com \
  gs://<bucket>

gsutil acl ch -d \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com \
  gs://<bucket>

gsutil -m acl ch -r -d \
  service-<project-number-accountB>@trifacta-gcloud-prod.iam.gserviceaccount.com \
  gs://<bucket>
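After granting or removing access, it is worth confirming that the bucket's ACL contains exactly the OWNER grants you intended and nothing else. The following script is an added example, not part of the original article: it parses the JSON that `gsutil acl get gs://<bucket>` (or `gsutil defacl get`) prints and reports OWNER entries that are missing or unexpected. The project numbers, the stray account and the reader entry in the sample ACL are constructed.

```python
import json
import subprocess

# Constructed sample of what `gsutil acl get gs://<bucket>` prints: a JSON
# array of ACL entries. Project numbers and the stray account are made up.
SAMPLE_ACL = """[
  {"entity": "project-owners-222222222222",
   "projectTeam": {"projectNumber": "222222222222", "team": "owners"},
   "role": "OWNER"},
  {"email": "111111111111-compute@developer.gserviceaccount.com",
   "entity": "user-111111111111-compute@developer.gserviceaccount.com",
   "role": "OWNER"},
  {"email": "stray-sa@example-project.iam.gserviceaccount.com",
   "entity": "user-stray-sa@example-project.iam.gserviceaccount.com",
   "role": "OWNER"},
  {"email": "reader@example.com", "entity": "user-reader@example.com",
   "role": "READER"}
]"""

# The two service accounts the article's grant commands add as OWNER
# (accountA = 111111111111, accountB = 222222222222 in this sample).
EXPECTED_OWNERS = {
    "111111111111-compute@developer.gserviceaccount.com",
    "service-222222222222@trifacta-gcloud-prod.iam.gserviceaccount.com",
}


def owner_emails(acl_json):
    """Return the individual (user-) principals that hold OWNER in an ACL."""
    owners = set()
    for entry in json.loads(acl_json):
        entity = entry.get("entity", "")
        if entry.get("role") == "OWNER" and entity.startswith("user-"):
            owners.add(entry.get("email") or entity[len("user-"):])
    return owners


def audit_acl(acl_json, expected):
    """Diff OWNER grants against the expected set; both lists should be empty."""
    owners = owner_emails(acl_json)
    return {"missing": sorted(expected - owners),
            "unexpected": sorted(owners - expected)}


def fetch_acl(bucket, default=False):
    """Read the live bucket ACL (or default object ACL); needs gsutil installed."""
    cmd = ["gsutil", "defacl" if default else "acl", "get", "gs://" + bucket]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL, EXPECTED_OWNERS))
```

Run `audit_acl(fetch_acl("<bucket>"), expected)` after the grant commands, and `audit_acl(fetch_acl("<bucket>"), set())` after the removal commands, where any remaining entry under "unexpected" is a grant that was not cleaned up.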