IAM permissions for XML requests

The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage XML method on a given resource.

| Method | Resource | Subresource | Required IAM permissions [1] |
|---|---|---|---|
| DELETE | bucket | | storage.buckets.delete |
| DELETE | object | | storage.objects.delete |
| DELETE | object | uploadId | storage.multipartUploads.abort |
| GET | | | storage.buckets.list |
| GET | bucket | | storage.objects.list |
| GET | bucket | acls [3] | storage.buckets.get, storage.buckets.getIamPolicy |
| GET | bucket | non-ACL metadata | storage.buckets.get |
| GET | bucket | uploads | storage.multipartUploads.list |
| GET | object | | storage.objects.get |
| GET | object | acls [3] | storage.objects.get, storage.objects.getIamPolicy |
| GET | object | encryption | storage.objects.get |
| GET | object | retention | storage.objects.get |
| GET | object | uploadId | storage.multipartUploads.listParts |
| HEAD | bucket | | storage.buckets.get |
| HEAD | object | | storage.objects.get |
| POST | object | | storage.objects.create, storage.objects.delete [4], storage.objects.setRetention [5] |
| POST | object | uploadId | storage.multipartUploads.create, storage.objects.create, storage.objects.delete [4] |
| POST | object | uploads | storage.multipartUploads.create, storage.objects.create, storage.objects.setRetention [5] |
| PUT | bucket | | storage.buckets.create, storage.buckets.enableObjectRetention [6] |
| PUT | bucket | acls [3] | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| PUT | bucket | non-ACL metadata | storage.buckets.update |
| PUT [7] | object | | storage.objects.create, storage.objects.get [2], storage.objects.delete [4], storage.objects.setRetention [5] |
| PUT | object | acls [3] | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
| PUT | object | compose | storage.objects.create, storage.objects.get, storage.objects.delete [4], storage.objects.setRetention [5] |
| PUT | object | retention | storage.objects.setRetention, storage.objects.update, storage.objects.overrideUnlockedRetention [8] |
| PUT | object | uploadId | storage.multipartUploads.create, storage.objects.create |

[1] If you use the x-goog-user-project header or the userProject query string parameter in your request, then in addition to the normal IAM permissions required to make the request, you must also have the serviceusage.services.use permission for the specified project ID.

[2] This permission is required to access the source bucket if the request includes the x-goog-copy-source header.

[3] This subresource is not applicable to buckets that have uniform bucket-level access enabled.

[4] This permission is required only if the inserted object has the same name as an existing object in the bucket.

[5] This permission is required only if the request includes the x-goog-object-lock-mode or x-goog-object-lock-retain-until-date header.

[6] This permission is required only if the request includes the x-goog-bucket-object-lock-enabled header set to true.

[7] No permissions are needed to make the PUT requests associated with a resumable upload.

[8] This permission is required only if the request includes the x-goog-bypass-governance-retention header set to true.

What's next