Funções de IAM para o Cloud Storage

Este documento fornece informações sobre as funções e as autorizações da gestão de identidade e de acesso (IAM) para o Cloud Storage.

Funções predefinidas

A tabela seguinte descreve as funções de gestão de identidade e acesso (IAM) associadas ao Cloud Storage e apresenta as autorizações contidas em cada função. Salvo indicação em contrário, estas funções podem ser aplicadas a projetos, contentores ou pastas geridas. No entanto, pode conceder funções antigas apenas a contentores individuais.

Para saber como controlar o acesso aos contentores, consulte o artigo Use as autorizações da IAM. Para saber como controlar o acesso a pastas geridas, consulte o artigo Use a IAM para pastas geridas.

Role Permissions

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

  • Bucket

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

  • recommender.storageBucketSoftDeleteInsights.get
  • recommender.storageBucketSoftDeleteInsights.list
  • recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

  • recommender.storageBucketSoftDeleteRecommendations.get
  • recommender.storageBucketSoftDeleteRecommendations.list
  • recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.*

  • storage.buckets.create
  • storage.buckets.createTagBinding
  • storage.buckets.delete
  • storage.buckets.deleteTagBinding
  • storage.buckets.enableObjectRetention
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.getIpFilter
  • storage.buckets.getObjectInsights
  • storage.buckets.list
  • storage.buckets.listEffectiveTags
  • storage.buckets.listTagBindings
  • storage.buckets.relocate
  • storage.buckets.restore
  • storage.buckets.setIamPolicy
  • storage.buckets.setIpFilter
  • storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.intelligenceConfigs.*

  • storage.intelligenceConfigs.get
  • storage.intelligenceConfigs.update

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

  • storage.hmacKeys.create
  • storage.hmacKeys.delete
  • storage.hmacKeys.get
  • storage.hmacKeys.list
  • storage.hmacKeys.update

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

  • Bucket

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

monitoring.timeSeries.create

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

  • Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

Funções predefinidas das Estatísticas de armazenamento

A tabela seguinte descreve as funções de IAM associadas ao Storage Insights e indica as autorizações contidas em cada função.

Role Permissions

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

  • storageinsights.datasetConfigs.create
  • storageinsights.datasetConfigs.delete
  • storageinsights.datasetConfigs.get
  • storageinsights.datasetConfigs.linkDataset
  • storageinsights.datasetConfigs.list
  • storageinsights.datasetConfigs.unlinkDataset
  • storageinsights.datasetConfigs.update
  • storageinsights.locations.get
  • storageinsights.locations.list
  • storageinsights.operations.cancel
  • storageinsights.operations.delete
  • storageinsights.operations.get
  • storageinsights.operations.list
  • storageinsights.reportConfigs.create
  • storageinsights.reportConfigs.delete
  • storageinsights.reportConfigs.get
  • storageinsights.reportConfigs.list
  • storageinsights.reportConfigs.update
  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into customer project

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

Funções básicas

As funções básicas são funções que existiam antes do IAM. Estas funções têm características únicas:

  • As funções básicas só podem ser concedidas para um projeto completo e não para contentores individuais no projeto. Tal como outras funções que concede para um projeto, as funções básicas aplicam-se a todos os contentores e objetos no projeto.

  • As funções básicas contêm autorizações adicionais para outros Google Cloud serviços que não são abordados nesta secção. Consulte as funções básicas para uma discussão geral das autorizações que as funções básicas concedem.

  • Cada função básica tem um valor de conveniência que lhe permite usar a função básica como se fosse um grupo. Quando usado desta forma, qualquer principal que tenha a função básica é considerado parte do grupo. Todos os membros do grupo têm acesso adicional aos recursos com base no acesso que o valor de conveniência tem.

    • É possível usar valores de conveniência quando conceder funções para contentores.

    • Os valores de conveniência podem ser usados quando define ACLs em objetos.

  • As funções básicas não concedem intrinsecamente todo o acesso aos recursos do Cloud Storage que os respetivos nomes implicam. Em vez disso, dão uma parte do acesso esperado intrinsecamente e o resto do acesso esperado através da utilização de valores de conveniência. Uma vez que os valores de conveniência podem ser adicionados ou removidos manualmente, como qualquer outro principal da IAM, é possível revogar o acesso que os principais poderiam esperar ter.

    Para uma discussão sobre o acesso adicional que os principais com funções básicas normalmente obtêm devido aos valores de conveniência, consulte o comportamento modificável.

Autorizações intrínsecas

A tabela seguinte descreve as autorizações do Cloud Storage que estão sempre associadas a cada função básica.

Função Descrição Autorizações do Cloud Storage
Leitor (roles/viewer) Concede autorização para listar contentores no projeto; ver metadados de contentores ao listar (excluindo LCAs); e listar e obter chaves HMAC no projeto. storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list
Editor (roles/editor) Concede autorização para criar, listar e eliminar contentores no projeto; ver metadados de contentores ao listar (excluindo ACLs); e controlar chaves HMAC no projeto. storage.buckets.create
storage.buckets.delete
storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.*
Proprietário (roles/owner)

Concede autorização para criar, listar e eliminar contentores no projeto; ver metadados de contentores ao listar (excluindo ACLs); criar, eliminar e listar associações de etiquetas; e controlar chaves HMAC no projeto; ativar, desativar, atualizar e obter a configuração da Storage Intelligence num projeto, numa pasta ou numa organização.

De forma mais geral, os principais com esta função podem realizar tarefas administrativas, como alterar as funções dos principais para o projeto ou alterar a faturação. Google Cloud

storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIpFilter
storage.hmacKeys.*
storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

Comportamento modificável

Os principais aos quais foram concedidas funções básicas têm frequentemente acesso adicional aos contentores e aos objetos de um projeto devido aos valores de conveniência. Quando um contentor é criado, os valores de conveniência recebem determinado acesso ao nível do contentor, mas pode editar posteriormente as políticas do IAM do contentor e as ACLs de objetos para remover ou alterar o acesso.

Quando cria um contentor com o acesso de nível de contentor uniforme ativado, o acesso seguinte é concedido através de valores de conveniência:

  • Os principais aos quais foi concedido o acesso roles/viewer obtêm as funções roles/storage.legacyBucketReader e roles/storage.legacyObjectReader para o contentor.

  • Os principais aos quais foi concedido o acesso roles/editor obtêm as funções roles/storage.legacyBucketOwner e roles/storage.legacyObjectOwner para o contentor.

  • Os principais aos quais foi concedido o acesso roles/owner obtêm as funções roles/storage.legacyBucketOwner e roles/storage.legacyObjectOwner para o contentor.

Quando cria um contentor que não tem o acesso uniforme ao nível do contentor ativado, é concedido o seguinte acesso através de valores de conveniência:

  • Os principais aos quais foi concedida a função roles/viewer obtêm a função roles/storage.legacyBucketReader para o contentor.

  • Os principais aos quais foi concedida a função roles/editor obtêm a função roles/storage.legacyBucketOwner para o contentor.

  • Os principais aos quais foi concedida a função roles/owner obtêm a função roles/storage.legacyBucketOwner para o contentor.

  • Além disso, o contentor tem uma Lista de controlo de acesso (LCA) de objetos predefinida. Esta ACL predefinida é frequentemente aplicada a novos objetos no contentor e concede frequentemente acesso adicional a valores de conveniência.

Funções personalizadas

Pode definir as suas próprias funções que contêm conjuntos de autorizações que especifica. Para tal, o IAM oferece funções personalizadas.

O que se segue?