Controlling access to Cloud Storage Bucket via IP rules


Tom Gummery

Apr 10, 2018, 9:33:09 AM
to gce-discussion
Hi folks. 

I am trying to limit access to a Cloud Storage bucket to certain IP ranges, but can't yet find a way to make this work. 

Situation: 
Bucket created and exposed via an HTTP Load Balancer as a backend bucket. 

The Load Balancer gets an external IP which doesn't seem to be affected by the VPC firewall rules, or by the Cloud Armor policy I have set up.

I created a Cloud Armor Policy to allow access only from the source CIDR, but it will only allow me to apply the policy to HTTP load balanced backend service targets (Beta release) 

Targets are Google Cloud Platform resources that you want to control access to. For the Beta release, you can only use non-CDN HTTP(S) load balancer backend services as targets.

Help:
Can anybody suggest an easy way I can control access to a bucket via IPs?

Ideally I'd be leveraging the GCP native 'expose bucket via load balancer' so I don't have to manage any services for it, but I could also provide a service within the VPC that is behind the firewall rules. However I don't know how I would link that service directly to the bucket like the native solution does. 

I do have a K8s cluster available if it could be part of the solution. 

Any pointers appreciated.  

Thanks, Tom

Fady (Google Cloud Platform)

Apr 10, 2018, 6:36:03 PM
to gce-discussion

Hello Tom,


As you mentioned, it is not currently possible to use a backend bucket of an HTTP(S) load balancer with Cloud Armor Security Policies. You may submit a feature request about it through the issue tracker. At the moment, the only workaround I can think of is mounting the bucket as a filesystem to an instance, and directing the traffic to it. I hope this helps.
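If you go with the workaround above (an instance fronting the mounted bucket behind the HTTP(S) load balancer), the instance has to do the IP check itself, and it has to read the client address correctly: the GCP HTTP(S) load balancer appends `<client-ip>,<lb-ip>` to `X-Forwarded-For`, and anything the client sent in that header stays in front of those two values. The following is an added example, not code from the thread or from Google, showing the allowlist check a practitioner would put in front of the bucket contents. The allowed ranges and header values are constructed samples.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allowlist; replace with the CIDRs you actually trust.
ALLOWED_RANGES: list = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def client_ip_from_xff(xff: Optional[str]) -> Optional[IPAddress]:
    """Extract the client IP as observed by the GCP HTTP(S) load balancer.

    The load balancer appends '<client-ip>,<lb-ip>' to X-Forwarded-For.
    If the client sent its own X-Forwarded-For, those values are kept in
    front, so the only trustworthy entry is the second from the right.
    Returns None when the header is absent or not shaped as expected.
    """
    if not xff:
        return None
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    if len(parts) < 2:
        # Not LB-appended: either a direct hit or a malformed header.
        return None
    try:
        return ipaddress.ip_address(parts[-2])
    except ValueError:
        return None


def is_allowed(xff: Optional[str], allowed: Iterable[IPNetwork] = ALLOWED_RANGES) -> bool:
    """Fail closed: only a parseable, allowlisted client address passes."""
    ip = client_ip_from_xff(xff)
    if ip is None:
        return False
    return any(ip in net for net in allowed)


if __name__ == "__main__":
    # Constructed header values: genuine client, then a client that tried
    # to spoof an allowed address in front of its real one.
    for header in ("203.0.113.7,130.211.1.2",
                   "203.0.113.7,198.51.100.9,130.211.1.2"):
        print(header, "->", "allow" if is_allowed(header) else "deny")
```

The check is only meaningful if the instance cannot be reached except through the load balancer; otherwise a direct request can carry any `X-Forwarded-For` it likes. Restrict the instance's VPC firewall ingress to the load balancer proxy and health-check ranges so that the header is always written by the LB before it reaches you.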

