A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?
- A: Users must use a VPN to be assigned a corporate IP, but some are not connected.
  Why wrong: If they are not using a corporate IP, they should be denied; this behavior is expected, not a cause of unexpected denial.
- B: The condition uses the attribute 'request.network' instead of 'source.ip'.
  Why wrong: Both can be used, but the correct attribute is 'source.ip'; however, the issue is more fundamental.
- C: The bucket ACL is set to deny all access by default.
  Why wrong: IAM conditions take precedence over ACLs; the issue is with the IAM condition, not the ACL.
- D: The IAM condition evaluates after authentication, and users are already authenticated; the condition is not restricting based on source IP correctly because the condition is on the user's identity, not the request's source IP.
  IAM conditions can restrict by source IP, but if misconfigured (e.g., using the wrong attribute or not applying it to the correct principal) they may not work; the most likely cause is that the condition is not properly written to check the source IP.