wustl-oncology / cloud-workflows

Infrastructure and tooling required to get genomic workflows running in the cloud

During project initialization apply public access prevention flag to bucket #27

Closed malachig closed 1 year ago

malachig commented 1 year ago

As an extra safety measure on the project bucket that will be used to store data, experiment with adding the public access prevention flag:

https://cloud.google.com/storage/docs/using-public-access-prevention#command-line

Still to be determined. What IAM permissions are needed to remove this flag? Can we easily have a setup where a limited number of users can control this? This might require users to work with an admin during their project setup phase. Even having the flag set at least produces additional warnings and makes it slightly harder for a user to accidentally set a bucket to have public access.

malachig commented 1 year ago

To test this we would add this command to the script that creates our bucket:

gsutil pap set enforced gs://BUCKET_NAME

Maybe somewhere around here: https://github.com/griffithlab/cloud-workflows/blob/2984870563dffa7709da3ff22c42492dfe4561eb/scripts/create_resources.sh#L69
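As an added example (not code from the cloud-workflows repository), here is a POSIX shell fragment that applies the flag right after bucket creation and refuses to continue unless a read-back confirms it is in effect. It assumes `gsutil pap get` prints `gs://BUCKET: enforced` or `gs://BUCKET: inherited`; the function names `pap_state_from_output` and `ensure_pap_enforced` are chosen here.

```shell
# Added example, not code from the cloud-workflows repo. Assumes the bucket
# already exists and that `gsutil pap get` prints "gs://BUCKET: enforced" or
# "gs://BUCKET: inherited" (assumption based on the documented output format).
set -eu

# Parse one line of `gsutil pap get` output and print the state. Returns
# non-zero for anything other than the two documented values, so a changed
# output format fails loudly instead of being mistaken for "enforced".
pap_state_from_output() {
  line="$1"
  case "$line" in
    "gs://"*": enforced")  echo "enforced" ;;
    "gs://"*": inherited") echo "inherited" ;;
    *) echo "unrecognized pap output: $line" >&2; return 1 ;;
  esac
}

# Apply the flag to the bucket, then read it back. A successful `set` is not
# taken on trust: without storage.buckets.update on the bucket the set command
# fails (and `set -e` stops the script), and the read-back catches any other
# reason the flag is not actually enforced before data is uploaded.
ensure_pap_enforced() {
  bucket="$1"   # e.g. gs://BUCKET_NAME, as in the comment above
  gsutil pap set enforced "$bucket"
  state="$(pap_state_from_output "$(gsutil pap get "$bucket")")"
  if [ "$state" != "enforced" ]; then
    echo "public access prevention is '$state' on $bucket, expected enforced" >&2
    return 1
  fi
  echo "public access prevention enforced on $bucket"
}

# Usage from the bucket-creation script, after the bucket has been created:
#   ensure_pap_enforced gs://BUCKET_NAME
```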