1 Answers
Hello Ajay,
You have 2 questions that I will try to address question by question:
Suppose we have groups Dev, Test, and Ops, and I have created a bucket. I want to give permission to all of Dev to access and use that bucket.
You can do this from the console, or from the command line using gsutil by running the following:
gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] gs://[BUCKET_NAME]
Where:
[MEMBER_TYPE] is the type of member to which you are granting bucket access. For example, user.
[MEMBER_NAME] is the name of the member to which you are granting bucket access. For example, jane@gmail.com.
[IAM_ROLE] is the IAM role you are granting to the member. For example, roles/storage.objectCreator.
[BUCKET_NAME] is the name of the bucket you are granting the member access to. For example, my-bucket.
I think this should work: gsutil iam ch group:readers@example.com:objectCreator gs://ex-bucket
Now for your second question:
If I want only some services, like Cloud Functions or VM instances, to be able to access the bucket, how do we set that up in GCP?
What you want to do is to remove all IAM access to the bucket, then give the required permissions to your compute resource. For this purpose Service Accounts might be practical. So you specify a service account that your VM (or other compute resource) will use, and only that service account will be able to access the bucket.
If you want granular control over access to the buckets, you can also consider ACLs (Access Control Lists) and control what permissions each user/group/service account has over an OBJECT.
I encourage you to read the following:
https://cloud.google.com/storage/docs/access-control/using-iam-permissions
https://cloud.google.com/storage/docs/gsutil/commands/iam#ch-examples
https://cloud.google.com/storage/docs/access-control/lists
Hope this helps.
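The second half of the answer above (strip every existing principal from the bucket, then grant only the compute resource's service account) is easy to get subtly wrong by hand, because `gsutil iam ch` only adds or removes individual bindings and never shows you that `allUsers` or the project-wide legacy roles are still there. The example below is added here and is not part of the original answer or of gsutil itself: it takes the JSON that `gsutil iam get gs://BUCKET` prints, reports any public principals, and builds the replacement policy you would feed to `gsutil iam set policy.json gs://BUCKET`. The bucket name, project, service-account address and the sample policy contents are constructed for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of what `gsutil iam get gs://ex-bucket` might return.
# Member names and etag are hypothetical; they are not from the original post.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "group:readers@example.com"]},
    ],
    "etag": "CAE=",
})

# Principals that make a bucket reachable by the whole internet (allUsers)
# or by anyone with any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_members(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that grant access to a public principal."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def restrict_to_service_account(policy_json: str, sa_email: str,
                                role: str = "roles/storage.objectViewer") -> str:
    """Build a replacement bucket policy that keeps only one binding:
    the given service account with the given role.

    Every other binding (groups, users, public principals and the legacy
    project-level convenience roles) is dropped. The etag is preserved so
    that `gsutil iam set` performs a conditional update and fails if the
    policy changed between `iam get` and `iam set`, instead of silently
    overwriting someone else's edit.
    """
    if not sa_email.endswith(".gserviceaccount.com"):
        raise ValueError("expected a service account address: %s" % sa_email)
    old = json.loads(policy_json)
    new = {
        "bindings": [{"role": role,
                      "members": ["serviceAccount:" + sa_email]}],
        "etag": old["etag"],
    }
    return json.dumps(new, indent=2)


def gsutil_commands(bucket: str, policy_path: str) -> List[str]:
    """The two commands to run, in order, around the functions above."""
    return [
        "gsutil iam get gs://%s > %s" % (bucket, policy_path),   # capture current policy
        "gsutil iam set %s gs://%s" % (policy_path, bucket),     # replace it wholesale
    ]


if __name__ == "__main__":
    current = json.loads(SAMPLE_POLICY)
    for role, member in public_members(current):
        print("WARNING: %s is granted %s" % (member, role))
    # Hypothetical service account attached to the Cloud Function / VM.
    locked = restrict_to_service_account(
        SAMPLE_POLICY, "fn-reader@my-project.iam.gserviceaccount.com")
    print(locked)
    print("\n".join(gsutil_commands("ex-bucket", "policy.json")))
```

Two caveats when applying this for real: `gsutil iam set` replaces the whole bucket policy, so whoever runs it must still have bucket admin rights through the project (for example `roles/storage.admin` at project level), since the legacy `projectOwner` binding is deliberately removed here; and bucket IAM says nothing about object ACLs, so if uniform bucket-level access is not enabled an object can still carry its own `allUsers` read ACL and should be checked with `gsutil acl get`.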