Currently deployments use service accounts with project-level `storage.admin` permissions, meaning a compromised Wordpress site has the potential to delete all storage bucket contents across both projects.
These permissions need to be reduced to per-bucket roles rather than project roles, see https://cloud.google.com/storage/docs/access-control/iam#project-level_roles_vs_bucket-level_roles
GCS buckets affected:
- planet4-nro-stateless
- planet4-nro-db-backup
- planet4-nro-images-backup
Tasks:
- apply per-bucket `roles/storage.admin` permissions for each listed bucket, for each service account - https://cloud.google.com/storage/docs/access-control/iam-roles
- remove global `storage.admin` role from IAM service account - https://console.cloud.google.com/iam-admin/iam?organizationId=644593243610&project=planet4-production
- Confirm service account can no longer affect files outside it's own buckets