适用于 Cloud Storage 的 IAM 角色

本文档介绍了 Cloud Storage 的 Identity and Access Management (IAM) 角色和权限。

预定义角色

下表介绍了与 Cloud Storage 关联的 Identity and Access Management (IAM) 角色,并列出了每个角色具有的权限。除非另有说明,否则这些角色可以应用于项目、存储桶,也可以应用于托管式文件夹。但是,您只能针对各个存储桶授予旧版角色

如需了解如何控制对存储桶的访问权限,请参阅使用 IAM 权限。如需了解如何控制对托管文件夹的访问权限,请参阅对托管文件夹使用 IAM

Role Permissions

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

  • Bucket

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

  • recommender.storageBucketSoftDeleteInsights.get
  • recommender.storageBucketSoftDeleteInsights.list
  • recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

  • recommender.storageBucketSoftDeleteRecommendations.get
  • recommender.storageBucketSoftDeleteRecommendations.list
  • recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.*

  • storage.buckets.create
  • storage.buckets.createTagBinding
  • storage.buckets.delete
  • storage.buckets.deleteTagBinding
  • storage.buckets.enableObjectRetention
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.getIpFilter
  • storage.buckets.getObjectInsights
  • storage.buckets.list
  • storage.buckets.listEffectiveTags
  • storage.buckets.listTagBindings
  • storage.buckets.relocate
  • storage.buckets.restore
  • storage.buckets.setIamPolicy
  • storage.buckets.setIpFilter
  • storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.intelligenceConfigs.*

  • storage.intelligenceConfigs.get
  • storage.intelligenceConfigs.update

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

  • storage.hmacKeys.create
  • storage.hmacKeys.delete
  • storage.hmacKeys.get
  • storage.hmacKeys.list
  • storage.hmacKeys.update

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

  • Bucket

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

  • Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

预定义的存储空间分析角色

下表介绍了与存储空间分析相关联的 IAM 角色,并列出了每个角色具有的权限。

Role Permissions

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

  • storageinsights.datasetConfigs.create
  • storageinsights.datasetConfigs.delete
  • storageinsights.datasetConfigs.get
  • storageinsights.datasetConfigs.linkDataset
  • storageinsights.datasetConfigs.list
  • storageinsights.datasetConfigs.unlinkDataset
  • storageinsights.datasetConfigs.update
  • storageinsights.locations.get
  • storageinsights.locations.list
  • storageinsights.operations.cancel
  • storageinsights.operations.delete
  • storageinsights.operations.get
  • storageinsights.operations.list
  • storageinsights.reportConfigs.create
  • storageinsights.reportConfigs.delete
  • storageinsights.reportConfigs.get
  • storageinsights.reportConfigs.list
  • storageinsights.reportConfigs.update
  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into customer project

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

基本角色

基本角色指在引入 IAM 之前就已存在的角色。这些角色具有独特的特征:

  • 您只能针对整个项目授予基本角色,不能针对项目中的各存储分区。与您为项目授予的其他角色一样,基本角色适用于项目中的所有存储分区和对象。

  • 基本角色包含本部分中未介绍的其他 Google Cloud服务的额外权限。请参阅基本角色,了解基本角色授予的权限的一般性论述。

  • 每个基本角色都有一个便利值,您可以通过这些角色使用基本角色,将其视为组。以这种方式使用时,任何具有基本角色的主账号都将被视为组的成员。根据便利值所具有的访问权限,组中的每个人都将获得额外的资源访问权限。

    • 在为存储分区授予角色时,可以使用便利值。

    • 在对象上设置 ACL 时,可以使用便利值。

  • 基本角色本身并不提供其名称所暗示的对 Cloud Storage 资源的所有访问权限。相反,它们本身提供一部分预期访问权限,而通过使用预期值提供其余的预期访问权限。由于与任何其他 IAM 主账号一样,用户可以手动添加或移除便利值,因此可以撤消主账号可能期望具有的访问权限。

    便利值通常会导致具有基本角色的主账号获得额外的访问权限,如需了解这方面的探讨,请参阅可修改的行为

固有权限

下表介绍始终与各基本角色关联的 Cloud Storage 权限。

角色 说明 Cloud Storage 权限
Viewer (roles/viewer) 授予以下权限:列出项目中的存储桶;列出时查看存储桶元数据(不包括 ACL);列出和获取项目中的 HMAC 密钥。 storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list
Editor (roles/editor) 授予以下权限:创建、列出和删除项目中的存储桶;列出时查看存储桶元数据(不包括 ACL);控制项目中的 HMAC 密钥。 storage.buckets.create
storage.buckets.delete
storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.*
Owner (roles/owner)

授予以下权限:创建、列出和删除项目中的存储桶;列出时查看存储桶元数据(不包括 ACL);创建、删除和列出标记绑定;控制项目中的 HMAC 密钥;在项目、文件夹或组织中启用、停用、更新和获取 Storage Intelligence 配置。

在 Google Cloud 中,具有此角色的主账号通常可以执行管理任务,例如,更改主账号在项目中的角色或更改结算功能。

 storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIpFilter
storage.hmacKeys.*
storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

可修改的行为

由于便利值,被授予基本角色的主账号通常拥有对项目的存储桶和对象的额外访问权限。创建存储桶后,系统会为便利值授予某些存储桶级层访问权限,但您稍后可以修改存储桶 IAM 政策和对象 ACL 来移除或更改访问权限。

创建启用了统一存储桶级访问权限的存储桶时,系统会通过便利值授予以下访问权限:

  • 被授予 roles/viewer 的主账号获得存储桶的 roles/storage.legacyBucketReaderroles/storage.legacyObjectReader 角色。

  • 被授予 roles/editor 的主账号获得存储桶的 roles/storage.legacyBucketOwnerroles/storage.legacyObjectOwner 角色。

  • 被授予 roles/owner 的主账号获得存储桶的 roles/storage.legacyBucketOwnerroles/storage.legacyObjectOwner 角色。

创建未启用统一存储桶级访问权限的存储桶时,系统会通过便利值授予以下访问权限:

  • 被授予 roles/viewer 的主账号拥有存储桶的 roles/storage.legacyBucketReader 角色。

  • 被授予 roles/editor 的主账号拥有存储桶的 roles/storage.legacyBucketOwner 角色。

  • 被授予 roles/owner 的主账号拥有存储桶的 roles/storage.legacyBucketOwner 角色。

  • 此外,存储桶具有默认对象访问控制列表 (ACL)。此默认 ACL 通常应用于存储桶中的新对象,并且通常授予对便利值的其他访问权限。

自定义角色

您可能希望定义自己的角色,其中包含您指定的组权限组。为此,IAM 提供了自定义角色

后续步骤