Add a Principal to Google Cloud Storage Bucket

Add a service account as principal to your Google Cloud Storage bucket.

  1. In the Google Cloud Platform console, click Cloud Storage.

  2. Under Cloud Storage, click Browser.

  3. Click your bucket name, and then click the Permissions tab.

  4. Under Permissions, for View by, select PRINCIPALS.

    For a source connection, add the service account as a principal with these roles:

    • Storage Legacy Bucket Reader

    • Storage Legacy Object Reader

    For a target connection, choose one of these configuration methods:

    • Option A: Add the service account with the Storage Object User role as principal.

    • Option B: Ensure these permissions are added to the service account:

      • storage.multipartUploads.abort

      • storage.multipartUploads.create

      • storage.multipartUploads.list

      • storage.multipartUploads.listParts

      • storage.objects.create

      • storage.objects.delete

      • storage.objects.get

      • storage.objects.list

      If you are using a Customer Managed Key (CMK), you must also add these permissions:

      • cloudkms.cryptoKeyVersions.useToEncrypt

      • cloudkms.cryptoKeyVersions.useToDecrypt

    For both options, the permissions listed in Option B must be allowlisted in VPC Service Controls.
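As an added example (not code from the original page or from the product it documents), the same grants expressed in Python so they can be scripted and audited: the source roles are merged idempotently into a bucket's IAM bindings, Option B is emitted as a least-privilege custom role definition, and any permissions still missing (the same set that must be allowlisted in VPC Service Controls) are reported. The predefined role IDs are the standard GCP identifiers for the role names above; the service-account e-mail and the role title are placeholders.

```python
"""Bucket IAM bindings and a least-privilege custom role for the procedure above."""
from __future__ import annotations

# Standard predefined role IDs corresponding to the role names in the procedure.
SOURCE_ROLES = ("roles/storage.legacyBucketReader", "roles/storage.legacyObjectReader")
TARGET_ROLE_OPTION_A = "roles/storage.objectUser"
# Option B permission set, exactly as listed in the procedure.
TARGET_PERMISSIONS_OPTION_B = frozenset({
    "storage.multipartUploads.abort", "storage.multipartUploads.create",
    "storage.multipartUploads.list", "storage.multipartUploads.listParts",
    "storage.objects.create", "storage.objects.delete",
    "storage.objects.get", "storage.objects.list",
})
# Extra permissions required only when the bucket uses a Customer Managed Key.
CMK_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.useToEncrypt", "cloudkms.cryptoKeyVersions.useToDecrypt",
})


def required_permissions(use_cmk: bool) -> frozenset[str]:
    """Option B permissions, extended with the KMS permissions when a CMK is in use."""
    return TARGET_PERMISSIONS_OPTION_B | (CMK_PERMISSIONS if use_cmk else frozenset())


def add_member(bindings: list[dict], role: str, member: str) -> list[dict]:
    """Add member to role in a bucket policy's bindings (idempotent; returns a new list)."""
    new = [dict(b, members=list(b["members"])) for b in bindings]
    for b in new:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new.append({"role": role, "members": [member]})
    return new


def source_bindings(bindings: list[dict], sa_email: str) -> list[dict]:
    """Grant both read roles a source connection needs to the service account (placeholder e-mail)."""
    member = f"serviceAccount:{sa_email}"
    for role in SOURCE_ROLES:
        bindings = add_member(bindings, role, member)
    return bindings


def custom_target_role(use_cmk: bool) -> dict:
    """Option B role definition in the shape accepted by `gcloud iam roles create --file`."""
    return {"title": "Target Connection Writer", "stage": "GA",  # title is a placeholder
            "includedPermissions": sorted(required_permissions(use_cmk))}


def missing_permissions(granted: set[str], use_cmk: bool) -> list[str]:
    """Permissions the service account still lacks for Option B (also the VPC-SC allowlist gap)."""
    return sorted(required_permissions(use_cmk) - set(granted))
```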