Google Cloud: Least Privilege Access Setup
Learn how to configure IAM roles and service accounts with minimal permissions for secure Google Cloud Storage access with Cloney.
Overview
When connecting your Google Cloud Storage (GCS) buckets to Cloney for data migration, it's essential to follow the principle of least privilege. This guide walks you through creating a service account with only the permissions necessary for Cloney to read from or write to your GCS buckets.
Always use a dedicated service account with IAM roles bound on the individual bucket. Never use the basic Owner or Editor roles, or project-wide Storage roles, for migration tasks: a key for such an account is a key to every bucket in the project.
Prerequisites
- A Google Cloud account that can create service accounts and edit bucket IAM policies (Owner works; so does the combination of Service Account Admin and Storage Admin on the project)
- A GCP project with Cloud Storage enabled
- The name of the GCS bucket(s) you want to connect
- Knowledge of whether you need read-only (source) or write (destination) access
Step 1: Access the IAM Console
- Sign in to the Google Cloud Console
- Select your project from the project dropdown
- Navigate to IAM & Admin → Service Accounts
- Click Create Service Account
Step 2: Create a Service Account
- Enter a descriptive name (e.g., cloney-migration-sa)
- Add a description: "Service account for Cloney cloud migration"
- Click Create and Continue
- Skip the "Grant this service account access to project" step (leave it with no project-level role; permissions are set per bucket in the next steps)
- Click Done
Step 3: Set Bucket-Level Permissions (Source - Read Only)
If your GCS bucket will be used as a source for migration, grant these permissions:
- Go to Cloud Storage → Buckets
- Click on your source bucket name
- Go to the Permissions tab
- Click Grant Access
- Enter your service account email (e.g., cloney-migration-sa@your-project.iam.gserviceaccount.com)
- Assign the role: Storage Object Viewer (roles/storage.objectViewer)
- Click Save
Storage Object Viewer includes storage.objects.get and storage.objects.list, which is all that reading objects requires. Because the binding is on the bucket rather than the project, the service account cannot list or read any other bucket.
Step 4: Set Bucket-Level Permissions (Destination - Write)
If your GCS bucket will be used as a destination for migration, grant these permissions:
- Go to Cloud Storage → Buckets
- Click on your destination bucket name
- Go to the Permissions tab
- Click Grant Access
- Enter your service account email
- Assign the role: Storage Object Admin (roles/storage.objectAdmin)
- Click Save
Storage Object Admin is the smallest predefined role that allows writes. Scoped to this bucket, it grants full control over the objects in it: create, read, delete, and overwrite (overwriting an existing object in GCS needs storage.objects.delete as well as storage.objects.create). It also includes object metadata updates and object-level IAM (storage.objects.update, storage.objects.getIamPolicy, storage.objects.setIamPolicy), which a migration does not need; if that is broader than you want, use the custom role described under "Alternative: Custom IAM Role" instead.
Step 5: Generate Service Account Key
- Go back to IAM & Admin → Service Accounts
- Click on the service account you created
- Go to the Keys tab
- Click Add Key → Create new key
- Select JSON as the key type
- Click Create
- The JSON key file is downloaded automatically; store it securely
The JSON key is a long-lived credential: anyone who obtains it can act as the service account until the key is deleted. Keep it in a secrets manager rather than on a shared drive or in source control, and delete the key from the Keys tab as soon as the migration has finished. If your organization enforces the iam.disableServiceAccountKeyCreation policy constraint, key creation fails at this step and you will need an exception for this service account.
You can now use this JSON key file in Cloney to connect your Google Cloud Storage bucket securely.
Alternative: Custom IAM Role
For even more granular control, create a custom IAM role with only the permissions Cloney uses, then bind it on the bucket exactly as in Steps 3 and 4 (a project-level custom role is referenced as projects/your-project/roles/ROLE_ID when you grant it). Keep the read permissions for source buckets and add the write permissions only for destination buckets:

```yaml
title: "Cloney Migration Role"
description: "Custom role for Cloney cloud migration"
stage: "GA"
includedPermissions:
  # For source buckets (read)
  - storage.objects.get
  - storage.objects.list
  - storage.buckets.get
  # For destination buckets (write) - add these if needed
  - storage.objects.create
  - storage.objects.delete
  - storage.multipartUploads.create
  - storage.multipartUploads.abort
  - storage.multipartUploads.listParts
```
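The console steps above (Steps 1 to 5) and the custom-role alternative can be reproduced with gcloud, which is easier to review and repeat than clicking through the console. The script below is an added example, not Cloney's own tooling; it assumes the project ID your-project, the bucket names source-bucket and dest-bucket, the service account ID cloney-migration-sa and the custom role ID cloneyMigration, all overridable through environment variables. DRY_RUN=1 (the default) prints every gcloud command instead of running it, so nothing changes until you run it with DRY_RUN=0.

```shell
#!/bin/sh
# Least-privilege GCS setup for Cloney with gcloud (added example, not
# Cloney's own code). Assumed names: PROJECT_ID, SOURCE_BUCKET, DEST_BUCKET,
# SA_ID, and the custom role ID cloneyMigration.
PROJECT_ID="${PROJECT_ID:-your-project}"
SOURCE_BUCKET="${SOURCE_BUCKET:-source-bucket}"
DEST_BUCKET="${DEST_BUCKET:-dest-bucket}"
SA_ID="${SA_ID:-cloney-migration-sa}"
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode; execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 2: dedicated service account, deliberately given no project-level role.
create_service_account() {
  run gcloud iam service-accounts create "$SA_ID" \
    --project="$PROJECT_ID" \
    --display-name="Cloney migration" \
    --description="Service account for Cloney cloud migration"
}

# Steps 3 and 4: bind a role on one bucket only, never on the project.
grant_bucket_role() {
  bucket="$1"
  role="$2"
  run gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="$role"
}

# Alternative: create the custom role from a YAML file such as the one above.
create_custom_role() {
  run gcloud iam roles create cloneyMigration \
    --project="$PROJECT_ID" \
    --file="$1"
}

# Step 5: JSON key. Keep it out of source control; delete it after the migration.
create_key() {
  run gcloud iam service-accounts keys create "$1" \
    --iam-account="$SA_EMAIL"
}

# Post-check: list every binding on a bucket so an unexpected role stands out.
show_bucket_policy() {
  run gcloud storage buckets get-iam-policy "gs://$1" --format=json
}

create_service_account
grant_bucket_role "$SOURCE_BUCKET" roles/storage.objectViewer
if [ -n "${CUSTOM_ROLE_FILE:-}" ]; then
  # Tighter than Storage Object Admin: no object IAM or metadata-update rights.
  create_custom_role "$CUSTOM_ROLE_FILE"
  grant_bucket_role "$DEST_BUCKET" "projects/${PROJECT_ID}/roles/cloneyMigration"
else
  grant_bucket_role "$DEST_BUCKET" roles/storage.objectAdmin
fi
create_key "${SA_ID}-key.json"
show_bucket_policy "$SOURCE_BUCKET"
show_bucket_policy "$DEST_BUCKET"
```

Run it once with the default DRY_RUN=1 and check that every add-iam-policy-binding line names a gs:// bucket and a serviceAccount: member; then run it with DRY_RUN=0 to apply. Set CUSTOM_ROLE_FILE to the path of the YAML above to use the custom role for the destination bucket instead of Storage Object Admin. The final get-iam-policy output is the record to keep for the review of the migration, and the key file it creates should be deleted with gcloud iam service-accounts keys delete when the migration is complete.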
Permission Reference
| Permission | Purpose | Required For |
|---|---|---|
| storage.objects.get | Read object data | Source |
| storage.objects.list | List bucket contents | Source & Destination |
| storage.buckets.get | Get bucket metadata | Source & Destination |
| storage.objects.create | Write new objects | Destination |
| storage.objects.delete | Delete/overwrite objects | Destination |
| storage.multipartUploads.* | Handle large file uploads | Destination |
Ready to Start Your Migration?
Create your Cloney account and begin migrating your data securely today.