下表列出在指定資源上執行每個 Cloud Storage JSON 方法所需的 Identity and Access Management (IAM) 權限。IAM 權限會組合為角色。將角色授予使用者和群組。
如要瞭解其他方法 (僅適用於停用統一 bucket 層級存取權的 bucket),請參閱 ACL 方法表格。
| 資源 | 方法 | 必要的 IAM 權限1 |
|---|---|---|
AnywhereCache |
create |
storage.anywhereCaches.create |
AnywhereCache |
disable |
storage.anywhereCaches.disable |
AnywhereCache |
get |
storage.anywhereCaches.get |
AnywhereCache |
list |
storage.anywhereCaches.list |
AnywhereCache |
pause |
storage.anywhereCaches.pause |
AnywhereCache |
resume |
storage.anywhereCaches.resume |
AnywhereCache |
update |
storage.anywhereCaches.update |
Buckets |
delete |
storage.buckets.delete |
Buckets |
get |
storage.buckets.getstorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.get18 |
Buckets |
getIamPolicy |
storage.buckets.getIamPolicy |
Buckets |
insert |
storage.buckets.createstorage.buckets.enableObjectRetention3storage.buckets.setIpFilter14 |
Buckets |
list |
storage.buckets.liststorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.list |
Buckets |
listChannels |
storage.buckets.get |
Buckets |
lockRetentionPolicy |
storage.buckets.update |
Buckets |
patch |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13 |
Buckets |
relocate |
storage.buckets.relocate |
Buckets |
setIamPolicy |
storage.buckets.setIamPolicy |
Buckets |
testIamPermissions |
無 |
Buckets |
update |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13storage.anywhereCaches.update |
DatasetConfigs |
delete |
storageinsights.datasetConfigs.delete |
DatasetConfigs |
get |
storageinsights.datasetConfigs.get |
DatasetConfigs |
insert |
storageinsights.datasetConfigs.create |
DatasetConfigs |
list |
storageinsights.datasetConfigs.list |
DatasetConfigs |
linkDataset |
storageinsights.datasetConfigs.linkDataset |
DatasetConfigs |
unlinkDataset |
storageinsights.datasetConfigs.unlinkDataset |
DatasetConfigs |
patch |
storageinsights.datasetConfigs.update |
Channels |
stop |
無 |
Folders |
get |
storage.folders.get |
Folders |
insert |
storage.folders.create |
Folders |
list |
storage.folders.list |
Folders |
rename |
storage.folders.renamestorage.folders.create |
Folders |
delete |
storage.folders.delete |
IntelligenceConfig |
getIntelligenceConfig |
storage.intelligenceConfigs.get |
IntelligenceConfig |
updateIntelligenceConfig |
storage.intelligenceConfigs.update |
Jobs |
create |
storagebatchoperations.jobs.create |
Jobs |
get |
storagebatchoperations.jobs.getstoragebatchoperations.operations.get |
Jobs |
list |
storagebatchoperations.jobs.liststoragebatchoperations.operations.list |
Jobs |
cancel |
storagebatchoperations.jobs.cancelstoragebatchoperations.operations.cancel |
Jobs |
delete |
storagebatchoperations.jobs.delete |
ManagedFolders |
delete |
storage.managedfolders.deletestorage.managedfolders.setIamPolicy10 |
ManagedFolders |
get |
storage.managedfolders.get |
ManagedFolders |
getIamPolicy |
storage.managedfolders.getIamPolicy |
ManagedFolders |
insert |
storage.managedfolders.create |
ManagedFolders |
list |
storage.managedfolders.list |
ManagedFolders |
update |
storage.managedfolders.update |
ManagedFolders |
setIamPolicy |
storage.managedfolders.setIamPolicy |
Notifications |
delete |
storage.buckets.update |
Notifications |
get |
storage.buckets.get |
Notifications |
insert |
storage.buckets.update |
Notifications |
list |
storage.buckets.get |
Objects |
bulkRestore |
storage.buckets.restorestorage.objects.createstorage.objects.delete11storage.objects.restorestorage.objects.setIamPolicy6,12 |
Objects |
compose |
storage.objects.getstorage.objects.createstorage.objects.delete7storage.objects.getIamPolicy2,6storage.objects.setRetention8 |
Objects |
copy |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetention |
Objects |
delete |
storage.objects.delete |
Objects |
get |
storage.objects.getstorage.objects.getIamPolicy2,6 |
Objects |
insert |
storage.objects.createstorage.objects.delete7storage.objects.setRetention8 |
Objects |
list |
storage.objects.liststorage.objects.getIamPolicy2,6 |
Objects |
move |
storage.objects.move15storage.objects.delete15storage.objects.get15storage.objects.createstorage.objects.delete16storage.folders.create17 |
Objects |
patch |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4,6storage.objects.setIamPolicy5,6 |
Objects |
restore |
storage.objects.createstorage.objects.delete7storage.objects.restorestorage.objects.getIamPolicy2,6storage.objects.setIamPolicy6,12 |
Objects |
rewrite |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetention |
Objects |
update |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4,6storage.objects.setIamPolicy5,6 |
Objects |
watchAll |
storage.buckets.update |
Projects.hmacKeys |
create |
storage.hmacKeys.create |
Projects.hmacKeys |
delete |
storage.hmacKeys.delete |
Projects.hmacKeys |
get |
storage.hmacKeys.get |
Projects.hmacKeys |
list |
storage.hmacKeys.list |
Projects.hmacKeys |
update |
storage.hmacKeys.update |
Projects.serviceAccount |
get |
resourceManager.projects.get |
ReportConfigs |
delete |
storageinsights.reportConfigs.delete |
ReportConfigs |
get |
storageinsights.reportConfigs.get |
ReportConfigs |
list |
storageinsights.reportConfigs.list |
ReportConfigs |
insert |
storageinsights.reportConfigs.create |
ReportConfigs |
update |
storageinsights.reportConfigs.update |
ReportDetails |
get |
storageinsights.reportDetails.get |
ReportDetails |
list |
storageinsights.reportDetails.list |
1 如果您在要求中使用 userProject 參數或x-goog-user-project 標頭,則除了提出要求所需的一般 IAM 權限之外,還必須具有您所指定專案 ID 的 serviceusage.services.use 權限。
2 只有當您要在 full 投影中納入 ACL 或 IAM 政策時,才需要這項權限。如果您沒有這項權限並要求 full 投影,那麼只會收到局部投影。
3 只有在要求包含 enableObjectRetention 查詢參數時,才需要這項權限。
4 只有在您要將 ACL 納入回應時,才需要這項權限。
5 只有在您要將 ACL 或禁止公開存取設定的變更納入要求時,才需要這項權限。
6 此權限不適用於已啟用統一值區層級存取權的值區。
7 只有在要求會導致同名物件遭到覆寫時,才需要這項權限。
8 如果要求主體包含 retention 屬性,或是要對現有保留設定的物件提出 UPDATE 要求,就必須具備這項權限。
9只有在要求包含查詢參數 overrideUnlockedRetention=true 時,才需要這項權限。
10只有在要求包含查詢參數 allowNonEmpty=true 時,才需要這項權限。
11 只有在要求包含查詢參數 allowOverwrite=true,且要求會導致同名物件遭到覆寫時,才需要這項權限。
12只有在要求包含查詢參數 copySourceAcl=true 時,才需要這項權限。
13 只有在您要將值區 IP 篩選規則納入 Buckets: get 要求時,才需要這項權限。如果您沒有這項權限,那麼只會收到局部投影。
14 只有在您要建立、列出、刪除及更新值區 IP 篩選規則時,才需要這項權限。
15 如要在啟用階層式命名空間的值區中移動物件,您需要 storage.objects.delete 和 storage.objects.get 權限,或是 storage.objects.move 權限 (如要在不授予物件讀取或刪除存取權的情況下移動物件)。
16 只有在要取代物件時,才需要這項權限。
17 只有在想自動建立任何缺少的上層資料夾時,才需要這項權限。
18 只有在您要傳回使用 Anywhere Cache 建立的快取時,才需要這項權限。
與 ACL 相關的方法
下表列出執行專門用於管理 ACL 的 JSON 方法時,所需的 IAM 權限。這些方法僅適用於停用統一值區層級存取權的值區。
| 資源 | 方法 | 必要的 IAM 權限1 |
|---|---|---|
BucketAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
ObjectAccessControls |
delete |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
get |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
insert |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
list |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
patch |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
update |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
1 如果您在要求中使用 userProject 參數或x-goog-user-project 標頭,則除了提出要求所需的一般 IAM 權限之外,還必須具有您所指定專案 ID 的 serviceusage.services.use 權限。
後續步驟
如需查看 Cloud IAM 角色及其相關權限的清單,請參閱適用於 Cloud Storage 的 Cloud IAM 角色一文。
在專案和 bucket 層級指派 IAM 角色。