This page guides you through managing access to storage buckets within Google Distributed Cloud (GDC) air-gapped projects, so that users with the appropriate permissions can reach them. It covers the prerequisites and steps for obtaining and granting user and service account access using role bindings and predefined roles. With this information you can effectively control access to your storage resources and maintain both security and operational efficiency.

This page is for audiences such as IT administrators within the infrastructure operator group or developers within the application operator group who manage access settings for storage buckets in GDC air-gapped environments. For more information, see [Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).
Before you begin
----------------

A project namespace manages bucket resources in the Management API server. You must have a [project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/project-management) to work with buckets and objects.
Grant bucket access
-------------------

You can provide bucket access to other users or service accounts by creating and applying RoleBindings with predefined Roles in the Management API server.

### Predefined roles
- **project-bucket-object-viewer:** Lets a user list all buckets in the project, list objects in those buckets, and read objects and object metadata. It does not allow write operations on objects, such as uploading, overwriting, or deleting. Has read-only access to dual-zone buckets within the organization and its projects, as well as read-only access to the objects in those buckets.

- **project-bucket-object-admin:** Lets a user list all buckets in the project and perform write and read operations on objects, such as uploading, overwriting, and deleting. Has read-only access to dual-zone buckets within the organization and its projects, as well as read-write access to the objects in those buckets.

- **project-bucket-admin:** Lets a user manage all buckets in the given namespace, as well as all objects in those buckets. Has read-only access to dual-zone buckets within the organization and its projects, as well as read-write access to the objects in those buckets.
To see a complete list of the permissions granted by the preceding Roles, see the [preset Role permissions](#preset_role_permissions) section.

Ask your Project IAM Admin to grant you permission to create RoleBindings. The following is an example of creating a RoleBinding that grants access to a user and a service account:

1. Create a YAML file on your system, such as `rolebinding-object-admin-all-buckets.yaml`:

   ```yaml
   # Example file name:
   # rolebinding-object-admin-all-buckets.yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: NAMESPACE_NAME
     name: readwrite-all-buckets
   roleRef:
     kind: Role
     name: project-bucket-object-admin
     apiGroup: rbac.authorization.k8s.io
   subjects:
   - kind: ServiceAccount
     namespace: NAMESPACE_NAME
     name: SA_NAME
   - kind: User
     namespace: NAMESPACE_NAME
     name: bob@example.com
     apiGroup: rbac.authorization.k8s.io
     # Could be bob or bob@example.com based on your organization settings.
   ```
2. Apply the YAML file:

   ```shell
   kubectl apply \
     -f rolebinding-object-admin-all-buckets.yaml
   ```

Obtain bucket access credentials
--------------------------------

Once you grant access to a bucket, the access credentials are created in a Secret.

The format of the secret name is `object-storage-key-STORAGE_CLASS-SUBJECT_TYPE-SUBJECT_HASH`.

- Values for `STORAGE_CLASS` are:
  - `std` for the `Standard` storage class.
- Values for `SUBJECT_TYPE` are:
  - `user` for User.
  - `sa` for ServiceAccount.
- `SUBJECT_HASH` is the base32-encoded SHA256 hash of the subject name.

As an example, the user `bob@foo.com` has two secrets named:

1. `object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja`

### Obtain user access

For a user subject, the Secret is in the `object-storage-access-keys` namespace in the Management API server.

1. Run the following command to find the secret name:

   ```shell
   kubectl auth can-i --list --namespace object-storage-access-keys | grep object-storage-key-
   ```

   You receive an output similar to the following:

   ```
   secrets [] [object-storage-key-nl-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja,object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja] [get]
   ```

2. Get the contents of the corresponding secret to access buckets in the `Standard` storage class:

   ```shell
   kubectl get -o yaml --namespace object-storage-access-keys secret object-storage-key-std-user-oy6jdqd6bxfoqcecn2ozv6utepr5bgh355vfku7th5pmejqubdja
   ```

   You receive an output similar to the following:

   ```yaml
   data:
     access-key-id: MEhYM08wWUMySjcyMkVKTFBKRU8=
     create-time: MjAyMi0wNy0yMiAwMTowODo1OS40MTQyMTE3MDMgKzAwMDAgVVRDIG09KzE5OTAuMzQ3OTE2MTc3
     secret-access-key: Ump0MVRleVN4SmhCSVJhbmlnVDAwbTJZc0IvRlJVendqR0JuYVhiVA==
   ```

3. Decode the access key ID and secret:

   ```shell
   echo "MEhYM08wWUMySjcyMkVKTFBKRU8=" | base64 -d \
     && echo \
     && echo "Ump0MVRleVN4SmhCSVJhbmlnVDAwbTJZc0IvRlJVendqR0JuYVhiVA==" | base64 -d
   ```

   You receive an output similar to the following:

   ```
   0HX3O0YC2J722EJLPJEO
   Rjt1TeySxJhBIRanigT00m2YsB/FRUzwjGBnaXbT
   ```

4. Follow the section [Configure the gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/install-configure-storage-cli#gdcloud-storage-configure) with the resulting information.

### Obtain service account access

> **Note:** Users are not allowed to run workloads, which run as service accounts, in the Management API server where the service accounts' access key Secrets were initially created. Users won't be able to grant workloads access to those Secrets in the Management API server. Those Secrets are propagated to the Project namespaces in the appropriate user clusters, where users can access them (if they have the appropriate RBAC Roles within that Project).

For a service account (SA) subject, find the secret name from the user cluster.

1. For the standard storage class, run the following command to get the secret name:

   ```shell
   kubectl get -n=<PROJECT-NAME> serviceaccount <SA-NAME> -o json | jq -r '.secrets[] | select(.name | test("object-storage-key-std"))'
   ```

2. Alternatively, you can look through the listed secret names manually or use `grep` to find `object-storage-key-(std|nl)`. For the latter option, run the following (the alternation needs extended regular expressions and quoting, so `grep -E` with a quoted pattern):

   ```shell
   kubectl get -n=<PROJECT-NAME> serviceaccount <SA-NAME> -o=jsonpath='{.secrets}{"\n"}' | grep -E 'object-storage-key-(std|nl)'
   ```

3. You can reference the Secret in your pod as [environment variables](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [files](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod).

### Preset role permissions

Note that predefined roles are also available in the global API server for administrative and operational access to dual-zone buckets.

#### project-bucket-object-viewer permissions

This role grants permissions to get and list objects and object metadata in the bucket.

The object storage permissions the `project-bucket-object-viewer` Role grants are the following:

- **Bucket API permissions**:

  1. get
  2. list
  3. watch

- **S3 object storage permissions**:

  1. GetObject
  2. GetObjectAcl
  3. GetObjectLegalHold
  4. GetObjectRetention
  5. GetObjectTagging
  6. GetObjectVersion
  7. GetObjectVersionTagging
  8. ListBucket
  9. ListBucketVersions
  10. ListBucketMultipartUploads
  11. ListMultipartUploadParts

#### project-bucket-object-admin permissions

This role grants permissions to put and delete objects, object versions, and tags in the bucket. Additionally, it grants all permissions in `project-bucket-object-viewer`.

The additional object storage permissions the Role grants are the following:

- **S3 object storage permissions**:

  1. AbortMultipartUpload
  2. DeleteObject
  3. DeleteObjectTagging
  4. DeleteObjectVersion
  5. DeleteObjectVersionTagging
  6. PutObject
  7. PutObjectTagging
  8. PutObjectVersionTagging
  9. PutOverwriteObject
  10. RestoreObject

#### project-bucket-admin permissions

This role grants permissions to create, update, or delete Bucket resources in the project namespace. Additionally, it grants all permissions in `project-bucket-object-admin`.

The additional permissions the Role grants are the following:

- **Bucket API permissions**:

  1. Create
  2. Update
  3. Delete
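As an added example (not code from the GDC documentation or product), the following Python reproduces the Secret naming scheme from the "Obtain bucket access credentials" section, checks a `kubectl auth can-i --list` line for the Secret a given subject should have, and decodes the `data` map of the Secret the way step 3 does with `base64 -d`. It assumes the subject name is hashed as UTF-8 bytes and that the base32 output is lowercased with `=` padding stripped, which is inferred from the 52-character example on this page; the listing line in the demo is constructed.

```python
"""Helpers for the GDC object-storage access-key Secret naming scheme.

Added example, not code from the GDC documentation or product. Assumes the
subject name is hashed as UTF-8 bytes and that the base32 output is
lowercased with '=' padding stripped (inferred from the 52-character example).
"""
import base64
import hashlib
import re

SECRET_PREFIX = "object-storage-key-"
# Example Secret data from the page (base64, as `kubectl get -o yaml` shows it).
SAMPLE_SECRET_DATA = {"access-key-id": "MEhYM08wWUMySjcyMkVKTFBKRU8="}


def subject_hash(subject_name: str) -> str:
    """SHA-256 of the subject name, base32-encoded, lowercase, unpadded."""
    digest = hashlib.sha256(subject_name.encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def expected_secret_name(subject_name: str, subject_type: str,
                         storage_class: str = "std") -> str:
    """Build object-storage-key-STORAGE_CLASS-SUBJECT_TYPE-SUBJECT_HASH."""
    if subject_type not in ("user", "sa"):
        raise ValueError("subject_type must be 'user' (User) or 'sa' (ServiceAccount)")
    return f"{SECRET_PREFIX}{storage_class}-{subject_type}-{subject_hash(subject_name)}"


def find_secret_names(can_i_output: str) -> list:
    """Extract object-storage-key Secret names from `kubectl auth can-i --list` output."""
    return re.findall(r"object-storage-key-[a-z0-9]+-(?:user|sa)-[a-z2-7]+", can_i_output)


def has_access_secret(subject_name: str, subject_type: str,
                      storage_class: str, can_i_output: str) -> bool:
    """True if the listing contains exactly the Secret expected for this subject."""
    expected = expected_secret_name(subject_name, subject_type, storage_class)
    return expected in find_secret_names(can_i_output)


def decode_secret_data(data: dict) -> dict:
    """Base64-decode every value of a Secret's `data` map (what `base64 -d` does)."""
    return {key: base64.b64decode(value).decode("utf-8") for key, value in data.items()}


if __name__ == "__main__":
    # Constructed listing line in the format shown under "Obtain user access".
    nl_name = expected_secret_name("bob@foo.com", "user", "nl")
    std_name = expected_secret_name("bob@foo.com", "user", "std")
    line = f"secrets [] [{nl_name},{std_name}] [get]"
    print(has_access_secret("bob@foo.com", "user", "std", line))  # True
    print(decode_secret_data(SAMPLE_SECRET_DATA)["access-key-id"])  # 0HX3O0YC2J722EJLPJEO
```

Compare the value `subject_hash` returns for your own subject name against the suffix of the Secret kubectl lists for you; a mismatch means the organization uses a different subject name form (for example `bob` rather than `bob@example.com`) or a different normalization than this example assumes.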