[awinograd]

This definitely seems like an improvement over the existing permissions system, but still seems to lack the granularity in resources to do things like per-bucket permissions in GCS.

It's a little silly to have to give a machine full read access to GCS if it just needs to download some packages/binaries but doesn't need access to things like database backups.

[tonfa]

Can't you already do that? https://cloud.google.com/storage/docs/access-control?hl=en

[awinograd]

My understanding of the docs is you cannot do that level of fine grained access control for a given gce instance. You can only give it a gcs scope of read, write, or both