Required storage roles / permissions

[maingoh]

What are the required minimal roles for the state store bucket ? I am especially interested in GCS roles.

[wjf3121]

Hi @maingoh, assuming the bucket is DATA_BUCKET and the dataDirectory is DATA_PREFIX, then the minimum permissions you need to grant to the role are:

• roles/storage.objectViewer to the entire bucket (conditioned by resource.name.startsWith("projects/_/buckets/DATA_BUCKET") || resource.name == "projects/_/buckets/DATA_BUCKET")
• roles/storage.objectAdmin to under the prefix of the bucket (conditioned by resource.name.startsWith("projects/_/buckets/DATA_BUCKET/objects/DATA_PREFIX")

Let me know if this answers you question, thanks!

[maingoh]

Thank you for the fast answer ! I will try this and let you know if I encounter any issue

[maingoh]

If the bucket is dedicated to risingwave it could be simplified to roles/storage.objectAdmin (with eventually a condition to resource.name.startsWith("projects/_/buckets/DATA_BUCKET") || resource.name == "projects/_/buckets/DATA_BUCKET" ?

I found this documentation, maybe we could improve it, or even here ?

[wjf3121]

If the bucket is dedicated to risingwave it could be simplified to roles/storage.objectAdmin (with eventually a condition to resource.name.startsWith("projects//buckets/DATA_BUCKET") || resource.name == "projects//buckets/DATA_BUCKET" ?

We haven't tested this case before but it looks correct to me.

I found this documentation, maybe we could improve it, or even here ?

We can surely do that. I will talk to the doc owner. Thanks for the suggestion!