下表列出了在给定资源上运行每个 Cloud Storage XML 方法所需的 Identity and Access Management (IAM) 权限。
| 方法 | 资源 | 子资源 | 必需的 IAM 权限1 |
|---|---|---|---|
DELETE |
bucket |
storage.buckets.delete |
|
DELETE |
object |
storage.objects.delete |
|
DELETE |
object |
uploadId |
storage.multipartUploads.abort |
GET |
storage.buckets.list |
||
GET |
bucket |
storage.objects.list |
|
GET |
bucket |
acls3 |
storage.buckets.getstorage.buckets.getIamPolicy |
GET |
bucket |
非 ACL 元数据 | storage.buckets.get |
GET |
bucket |
uploads |
storage.multipartUploads.list |
GET |
object |
storage.objects.get |
|
GET |
object |
acls3 |
storage.objects.getstorage.objects.getIamPolicy |
GET |
object |
encryption |
storage.objects.get |
GET |
object |
retention |
storage.objects.get |
GET |
object |
uploadId |
storage.multipartUploads.listParts |
HEAD |
bucket |
storage.buckets.get |
|
HEAD |
object |
storage.objects.get |
|
POST |
object |
storage.objects.createstorage.objects.delete4storage.objects.setRetention5 |
|
POST |
object |
uploadId |
storage.multipartUploads.createstorage.objects.createstorage.objects.delete4 |
POST |
object |
uploads |
storage.multipartUploads.createstorage.objects.createstorage.objects.setRetention5 |
PUT |
bucket |
storage.buckets.createstorage.buckets.enableObjectRetention6 |
|
PUT |
bucket |
acls3 |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
PUT |
bucket |
非 ACL 元数据 | storage.buckets.update |
PUT7 |
object |
storage.objects.createstorage.objects.get2storage.objects.delete4storage.objects.setRetention5 |
|
PUT |
object |
acls3 |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
PUT |
object |
compose |
storage.objects.createstorage.objects.getstorage.objects.delete4storage.objects.setRetention5 |
PUT |
object |
retention |
storage.objects.setRetentionstorage.objects.updatestorage.objects.overrideUnlockedRetention8 |
PUT |
object |
uploadId |
storage.multipartUploads.createstorage.objects.create |
1 如果您在请求中使用 x-goog-user-project 标头或 userProject 查询字符串参数,则除了发出请求所需的正常 IAM 权限之外,您还必须拥有所指定项目 ID 的 serviceusage.services.use 权限。
2 如果请求包含 x-goog-copy-source 标头,则访问源存储分区需要此权限。
3 此子资源不适用于启用了统一存储分区级访问权限的存储分区。
4 只有在插入的对象与存储分区中现有的对象名称相同时,才需要这项权限。
5 仅当请求包含 x-goog-object-lock-mode 和 x-goog-object-lock-retain-until-date 标头时,才需要此权限。
6 仅当请求包含设置为 true 的 x-goog-bucket-object-lock-enabled 标头时,才需要此权限。
7 无需任何权限即可发出与可续传上传关联的 PUT 请求。
8 仅当请求包含设置为 true 的 x-goog-bypass-governance-retention 标头时,才需要此权限。
后续步骤
- 如需查看角色及其所含权限的列表,请参阅适用于 Cloud Storage 的 IAM 角色。