01 Issue

Labels: Feature · Open · Extensions

Add uniform bucket-level IAM support to @swamp/gcp/storage

Opened by stack72 · 4/7/2026 · GitHub #15

Problem

@swamp/gcp/storage/bucketaccesscontrols uses the GCS legacy ACL API. This means:

  • Buckets must be created without uniform bucket-level access enabled
  • Object-level ACLs can diverge from bucket ACLs — objects written without explicit ACL grants may not be readable by other members
  • No Cloud Audit Log trail for ACL grants (unlike IAM bindings)
  • GCP now recommends uniform bucket-level access for all new buckets

This makes @swamp/gcp/storage/bucketaccesscontrols unsuitable for shared data buckets (e.g. a shared @swamp/gcs-datastore used by a team), where the goal is granting roles/storage.objectAdmin at the bucket level via IAM.

Proposed Solution

Add support for bucket-level IAM bindings using the GCS IAM API (storage.buckets.getIamPolicy / storage.buckets.setIamPolicy). This could be:

  • A new @swamp/gcp/storage/bucketiambindings model type, or
  • A grant_iam_binding / set_iam_policy method on @swamp/gcp/storage/buckets

This would allow granting roles like roles/storage.objectAdmin and roles/storage.objectViewer on buckets with uniform bucket-level access enabled.

Alternatives

Keep using @swamp/gcp/storage/bucketaccesscontrols with ACL mode (not recommended for new buckets per GCP guidance).

Workaround

Add a custom grant_bucket_role method to a project-local IAM extension model.


Automoved by swampadmin from GitHub issue #15
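Added example, not code from the issue, the @swamp project, or the google-cloud-storage client: the read-modify-write that a bucket-level IAM grant through storage.buckets.getIamPolicy / setIamPolicy amounts to, written as the kind of project-local grant_bucket_role the workaround describes. It works on the JSON policy document the API returns; the bucket metadata, the starting policy, the members, the etag values and the GcsIamStub class that stands in for the two API calls are all constructed for the example. The two points it makes that the issue text does not: setIamPolicy replaces the whole policy, so the grant must merge into the existing bindings and carry the etag back (a write without an etag is a blind overwrite that can drop someone else's bindings), and uniform bucket-level access should be checked first, since that is the mode in which bindings alone govern access.

```python
"""Bucket-level IAM grant as a read-modify-write over the policy document that
storage.buckets.getIamPolicy returns and storage.buckets.setIamPolicy consumes.
Everything below is constructed for illustration; GcsIamStub is a hypothetical
stand-in for the API, not the real client."""
import copy

# Constructed sample: bucket metadata in the shape storage.buckets.get returns.
BUCKET_METADATA = {
    "name": "team-datastore",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
}

# Constructed sample: policy document in the shape storage.buckets.getIamPolicy returns.
INITIAL_POLICY = {
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:readers@example.com"]},
    ],
}


def uniform_access_enabled(bucket_metadata):
    """True when uniform bucket-level access is on, i.e. legacy ACLs are
    ignored and only IAM bindings govern access to the bucket and its objects."""
    iam_cfg = bucket_metadata.get("iamConfiguration", {})
    return bool(iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"))


def members_with_role(policy, role):
    """All members bound to `role` through unconditional bindings, sorted."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role and "condition" not in b
                  for m in b["members"])


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`.
    Idempotent: merges into the existing unconditional binding for the role and
    never duplicates a member. The etag is kept so the write can be rejected if
    the policy changed since it was read."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


class GcsIamStub:
    """Hypothetical stand-in for getIamPolicy/setIamPolicy on one bucket.
    Mirrors the API's etag semantics: a policy carrying a stale etag is rejected,
    while a policy with no etag at all is accepted as a blind overwrite (the
    failure mode a grant helper must avoid by always passing the etag back)."""

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._writes = 1

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise RuntimeError("412 conditionNotMet: stale etag, re-read and retry")
        self._writes += 1
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = "CA%d=" % self._writes  # constructed etag format
        return copy.deepcopy(self._policy)


def grant_bucket_role(api, bucket_metadata, role, member, attempts=3):
    """Grant `role` to `member` on the bucket, retrying the read-modify-write
    if another writer changed the policy in between. Refuses buckets still in
    legacy ACL mode, where the binding alone would not govern object access."""
    if not uniform_access_enabled(bucket_metadata):
        raise ValueError("%s: uniform bucket-level access is not enabled"
                         % bucket_metadata["name"])
    for _ in range(attempts):
        current = api.get_iam_policy()
        desired = add_binding(current, role, member)
        if desired["bindings"] == current["bindings"]:
            return current  # already granted: no write needed
        try:
            return api.set_iam_policy(desired)
        except RuntimeError:
            continue  # etag conflict: re-read and merge again
    raise RuntimeError("gave up after %d etag conflicts" % attempts)


if __name__ == "__main__":
    api = GcsIamStub(INITIAL_POLICY)
    grant_bucket_role(api, BUCKET_METADATA, "roles/storage.objectAdmin",
                      "group:data-team@example.com")
    print(members_with_role(api.get_iam_policy(), "roles/storage.objectAdmin"))
```

With the real google-cloud-storage client the same two steps are `bucket.get_iam_policy(requested_policy_version=3)` and `bucket.set_iam_policy(policy)`; the returned Policy object carries the etag, so the merge-then-write pattern above transfers directly, and the stub's stale-etag rejection corresponds to the 412 the service returns on a concurrent modification.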

02 Bog Flow

Status: Open (4/7/2026, 11:28:32 PM)

03 Sludge Pulse