
How can I limit the OAuth2 scope when logging in with my user principal (non-service account) using:

gcloud auth login

Background: I created a Gsuite Takeout, got the Takeout Bucket. Now I want to download all the files, but I want to give gcloud read-only permissions to Google Storage. Creating a service account with limited scope seems not to work, since a Takeout Bucket seems somehow "special" - any more details on that?

3 Answers


Based on your description, my understanding of your use case is that you would like to limit permissions to Cloud Storage to avoid misuse of your credentials, please correct me if I am wrong. But the ‘takeout’ operation requires an admin account, which consists of comprehensive permissions so it seems to be conflicting.

You may use 'gcloud auth revoke' after the takeout and other operations, in order to disallow access via the gcloud CLI by your account.

Hope it helps.


I am not very familiar with Gsuite Takeout, but I have seen my fair share of Google Cloud Storage. There is something that is bothering me here: are you trying to limit your own gsuite account? I do not understand very well the purpose of giving your account read-only permissions to GCS. I have found this post where the use of gsutil and your account is suggested. But please, do elaborate on your use case.

I look forward to your reply.

  • Hi, yes I try to limit my own gsuite account :) I want to download the Takeouts on a PC where I do not need to have full-scope OAuth2 credentials for my Gsuite Admin lying around. Does that make my use case more clear? Commented Apr 3, 2020 at 5:24

When you use Google Takeout, Google creates a Google Cloud Storage bucket and places the exported data on that bucket. The bucket is owned by Google and the user you exported with is granted read-only access to the data. Since the bucket is owned by Google, no one other than the initiating user has read access to the bucket (others being able to read your data would be bad). This is why your service account didn't work.

gcloud always requests the full cloud.platform OAuth scope which gives it full permissions for Cloud Storage. The Takeout bucket itself only granted you read permission but any other buckets you have read-write access to will be read-write accessible by gcloud.

To achieve what you are asking you'll need to write a script that interacts with Cloud Storage API and only uses the devstorage.read_only scope. There are also third party tools like rsync and GAM which support downloading Takeout files from a bucket with read-only access.
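As an added example (not part of the answer above or of any Google tool), here is a minimal Python script doing what the answer describes: a browser login that requests only the devstorage.read_only scope, a check that Google actually granted nothing more, and a download of every object in the Takeout bucket over the Cloud Storage JSON API. It assumes a Desktop-type OAuth client file named client_secret.json from the Cloud Console and the google-auth-oauthlib package; the bucket name and the destination directory are caller-supplied.

```python
import json
import pathlib
import urllib.parse
import urllib.request

READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
GCS = "https://storage.googleapis.com/storage/v1"

def scopes_are_read_only(granted):
    """True only when the granted scopes contain nothing beyond read-only GCS."""
    return set(granted) == {READ_ONLY}

def _get(url, params=None, token=None):
    """HTTPS GET via the standard library; the bearer token is attached only when given."""
    url += "?" + urllib.parse.urlencode(params) if params else ""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=60) as r:
        return r.read()

def login_read_only(client_secret="client_secret.json"):
    """Browser login that requests only devstorage.read_only, then verifies the grant."""
    from google_auth_oauthlib.flow import InstalledAppFlow  # pip install google-auth-oauthlib
    flow = InstalledAppFlow.from_client_secrets_file(client_secret, scopes=[READ_ONLY])
    token = flow.run_local_server(port=0).token
    # Check what Google actually granted instead of trusting what was requested.
    info = json.loads(_get("https://oauth2.googleapis.com/tokeninfo", {"access_token": token}))
    if not scopes_are_read_only(info.get("scope", "").split()):
        raise SystemExit(f"refusing to continue, granted scopes: {info.get('scope')!r}")
    return token

def list_objects(token, bucket):
    """Yield every object name in the bucket, following pagination."""
    params = {"fields": "items/name,nextPageToken"}
    while True:
        page = json.loads(_get(f"{GCS}/b/{bucket}/o", params, token))
        yield from (item["name"] for item in page.get("items", []))
        if "nextPageToken" not in page:
            return
        params["pageToken"] = page["nextPageToken"]

def download_bucket(token, bucket, dest):
    """Download each object under dest, refusing names that could climb out of it."""
    for name in list_objects(token, bucket):
        parts = pathlib.PurePosixPath(name).parts
        if ".." in parts or pathlib.PurePosixPath(name).is_absolute():
            continue
        target = pathlib.Path(dest, *parts)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(_get(f"{GCS}/b/{bucket}/o/{urllib.parse.quote(name, safe='')}", {"alt": "media"}, token))
```

Run it as `download_bucket(login_read_only(), "<takeout-bucket-name>", "takeout")`; the access token never carries write permission on any bucket, so nothing stored on that PC can be used to modify or delete your data.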
