Using Cloud IAM permissions

This page describes how to use Cloud Identity and Access Management (Cloud IAM) permissions to control access to buckets and objects. With Cloud IAM you control who has access to your buckets and objects. For a detailed discussion of Cloud IAM as it applies to Cloud Storage, see the Cloud IAM overview.

For other ways to control access to buckets and objects, see the access control overview. To control access to individual objects within a bucket, see access control lists.

Using Cloud IAM with buckets

The following sections show how to complete basic Cloud IAM tasks on buckets.

Adding a member to a bucket-level policy

For a list of the roles associated with Cloud Storage, see Cloud IAM roles. For information about the entities to which you can grant Cloud IAM roles, see member types.

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.

  2. Click the drop-down menu associated with the bucket to which you want to grant a member a role.

    The drop-down menu appears as three vertical dots at the far right of the bucket's row.

  3. Select Edit bucket permissions.

  4. In the Add members field, enter one or more identities that need access to the bucket.

  5. In the Select a role drop-down menu, select one or more roles. The roles you select appear in the pane, with a short description of the permissions each role grants.

  6. Click Add.

gsutil

Use the gsutil iam ch command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[ROLE] gs://[BUCKET_NAME]

For a list of accepted values for [MEMBER_TYPE], see the gsutil iam reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

#include "google/cloud/storage/client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  policy->bindings.AddMember(role, member);

  StatusOr<google::cloud::IamPolicy> updated_policy =
      client.SetBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

private void AddBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    Policy.BindingsData bindingToAdd = new Policy.BindingsData();
    bindingToAdd.Role = role;
    string[] members = { member };
    bindingToAdd.Members = members;
    policy.Bindings.Add(bindingToAdd);
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Added {member} with role {role} "
        + $"to {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

// c is the *storage.Client and ctx the context.Context created by the caller.
bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Add("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

For more information, see the Cloud Storage Java API reference documentation.

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Add identity to Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().addIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Adds the new roles to the bucket's IAM policy
policy.bindings.push({
  role: roleName,
  members: members,
});

// Updates the bucket's IAM policy
await bucket.iam.setPolicy(policy);

console.log(
  `Added the following member(s) with role ${roleName} to ${bucketName}:`
);

members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a new member / role IAM pair to a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to add a given member to.
 * @param string $member the member you want to give the new role for the Cloud
 * Storage bucket.
 *
 * @return void
 */
function add_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    $policy['bindings'][] = [
        'role' => $role,
        'members' => [$member]
    ];

    $bucket->iam()->setPolicy($policy);

    printf('User %s added to role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage


def add_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].add(member)

    bucket.set_iam_policy(policy)

    print('Added {} with role {} to {}.'.format(
         member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.add role, member
end

puts "Added #{member} with role #{role} to #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ]
        }
      ]
    }

  3. Use cURL to call the JSON API with a PUT setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    setIamPolicy replaces the bucket's entire policy with the body you send. A body that contains only the new binding therefore revokes every other grant on the bucket. To add a binding without losing the others, first retrieve the current policy with a GET getIamPolicy request (see Viewing the Cloud IAM policy for a bucket), add the new member to that document, and PUT the whole document back. Keep the etag field from the response in the document you send: with it, the request fails if the policy changed in the meantime instead of silently overwriting the concurrent change.

Viewing the Cloud IAM policy for a bucket

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.

  2. Click the drop-down menu associated with the bucket whose role members you want to view.

    The drop-down menu appears as three vertical dots at the far right of the bucket's name.

  3. Select Edit bucket permissions.

  4. Expand a role to see the members assigned to it.

  5. (Optional) Use the search bar to filter the results by role or by member.

    If you search by member, the results show every role the member is assigned.

gsutil

Use the gsutil iam get command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam get gs://[BUCKET_NAME]

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

#include "google/cloud/storage/client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  std::cout << "The IAM policy for bucket " << bucket_name << " is "
            << *policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

using Google.Cloud.Storage.V1;
using System;

private void ViewBucketIamMembers(string bucketName)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    foreach (var binding in policy.Bindings)
    {
        Console.WriteLine($"  Role: {binding.Role}");
        Console.WriteLine("  Members:");
        foreach (var member in binding.Members)
        {
            Console.WriteLine($"    {member}");
        }
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

// c is the *storage.Client and ctx the context.Context created by the caller.
policy, err := c.Bucket(bucketName).IAM().Policy(ctx)
if err != nil {
	return nil, err
}
for _, role := range policy.Roles() {
	log.Printf("%q: %q", role, policy.Members(role))
}

Java

For more information, see the Cloud Storage Java API reference documentation.

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Print Roles and its identities
Map<Role, Set<Identity>> policyBindings = policy.getBindings();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
  System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * TODO(developer): Uncomment the following line before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Gets and displays the bucket's IAM policy
const results = await storage.bucket(bucketName).iam.getPolicy();

const policy = results[0].bindings;

// Displays the roles in the bucket's IAM policy
console.log(`Roles for bucket ${bucketName}:`);
policy.forEach(role => {
  console.log(`  Role: ${role.role}`);
  console.log(`  Members:`);

  const members = role.members;
  members.forEach(member => {
    console.log(`    ${member}`);
  });
});

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * View Bucket IAM members for a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *
 * @return void
 */
function view_bucket_iam_members($bucketName)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
    printf(PHP_EOL);

    foreach ($policy['bindings'] as $binding) {
        printf('Role: %s' . PHP_EOL, $binding['role']);
        printf('Members:' . PHP_EOL);
        foreach ($binding['members'] as $member) {
            printf('  %s' . PHP_EOL, $member);
        }
        printf(PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage


def view_bucket_iam_members(bucket_name):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    for role in policy:
        members = policy[role]
        print('Role: {}, Members: {}'.format(role, members))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

policy = bucket.policy

policy.roles.each do |role, members|
  puts "Role: #{role} Members: #{members}"
end

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a GET getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X GET \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"
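The samples above print the policy exactly as it is returned. When the point of looking is to find out who can do what, a reviewer wants the bindings flattened per role and the risky grants pulled out. The following added example (written for this page; it is not one of the page's samples and uses only the Python standard library) takes a policy in the JSON shape getIamPolicy returns, merges repeated entries for the same role, and flags public members (allUsers, allAuthenticatedUsers) and members holding write or admin roles. The sample policy, bucket name, member names and the set of roles treated as high privilege are constructed assumptions for the example.

```python
# Added example, not from the page: review a Cloud Storage bucket IAM policy
# in the JSON shape getIamPolicy returns and flag grants worth a second look.
import json

# Special members that make a grant public. allUsers needs no authentication
# at all; allAuthenticatedUsers is any Google account, not just your own org.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that allow writing objects or changing the bucket's own policy.
# This set is an assumption for the example; extend it for your environment.
HIGH_PRIVILEGE_ROLES = {
    "roles/storage.admin",
    "roles/storage.legacyBucketOwner",
    "roles/storage.objectAdmin",
}

# Constructed sample, shaped like the response of GET .../b/example-bucket/iam.
# roles/storage.objectViewer appears twice, as it does after a client appends
# a second binding for a role instead of merging into the existing one.
SAMPLE_POLICY = json.loads("""{
  "kind": "storage#policy",
  "resourceId": "projects/_/buckets/example-bucket",
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:jdoe@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:auditors@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ]
}""")


def members_by_role(policy):
    """Flatten bindings into {role: set of members}, merging repeated roles."""
    out = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def roles_of(policy, member):
    """All roles a member holds directly on the bucket (no group expansion)."""
    return sorted(role for role, members in members_by_role(policy).items()
                  if member in members)


def audit_policy(policy):
    """Return sorted (severity, role, member, reason) tuples for risky grants."""
    findings = []
    for role, members in members_by_role(policy).items():
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "public grant"))
            elif role in HIGH_PRIVILEGE_ROLES:
                findings.append(("MEDIUM", role, member, "write/admin role"))
    return sorted(findings)


if __name__ == "__main__":
    for role, members in sorted(members_by_role(SAMPLE_POLICY).items()):
        print(f"Role: {role}\n  Members: {sorted(members)}")
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING", *finding)
```

Feed it the output of gsutil iam get or of the GET request above; the public-grant check is the one to run first, because an allUsers binding on roles/storage.objectViewer makes every object in the bucket readable without credentials.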

Removing a member from a bucket-level policy

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.

  2. Click the drop-down menu associated with the bucket from which you want to remove a member's role.

    The drop-down menu appears as three vertical dots at the far right of the bucket's name.

  3. Select Edit bucket permissions.

  4. Expand the role that contains the member you want to remove.

  5. Hover over the member and click the trash can icon that appears.

  6. In the overlay window that appears, click Remove.

gsutil

Use the gsutil iam ch command with the -d flag, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam ch -d [MEMBER_TYPE]:[MEMBER_NAME] gs://[BUCKET_NAME]

For a list of accepted values for [MEMBER_TYPE], see the gsutil iam reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

#include "google/cloud/storage/client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);
  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  policy->bindings.RemoveMember(role, member);

  StatusOr<google::cloud::IamPolicy> updated_policy =
      client.SetBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

using Google.Cloud.Storage.V1;
using System;
using System.Linq;

private void RemoveBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    policy.Bindings.ToList().ForEach(response =>
    {
        if (response.Role == role)
        {
            // Remove the role/member combo from the IAM policy.
            response.Members = response.Members
                .Where(m => m != member).ToList();
            // Remove role if it contains no members.
            if (response.Members.Count == 0)
            {
                policy.Bindings.Remove(response);
            }
        }
    });
    // Set the modified IAM policy to be the current IAM policy.
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Removed {member} with role {role} "
        + $"from {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

// c is the *storage.Client and ctx the context.Context created by the caller.
bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Remove("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

For more information, see the Cloud Storage Java API reference documentation.

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Remove an identity from a Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role) == null
    || !updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to revoke, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to remove
//   'group:admins@example.com', // from the role
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Finds and updates the appropriate role-member group
const index = policy.bindings.findIndex(role => role.role === roleName);
const role = policy.bindings[index];
if (role) {
  role.members = role.members.filter(
    member => members.indexOf(member) === -1
  );

  // Updates the policy object with the new (or empty) role-member group
  if (role.members.length === 0) {
    policy.bindings.splice(index, 1);
  } else {
    policy.bindings[index] = role;
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);
} else {
  // No matching role-member group(s) were found
  throw new Error('No matching role-member group(s) found.');
}

console.log(
  `Removed the following member(s) with role ${roleName} from ${bucketName}:`
);
members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Core\Iam\PolicyBuilder;
use Google\Cloud\Storage\StorageClient;

/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to remove a given member from.
 * @param string $member the member you want to remove from the given role.
 *
 * @return void
 */
function remove_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $policy = $bucket->iam()->policy();
    $policyBuilder = new PolicyBuilder($policy);
    $policyBuilder->removeBinding($role, [$member]);

    $bucket->iam()->setPolicy($policyBuilder->result());
    printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage


def remove_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].discard(member)

    bucket.set_iam_policy(policy)

    print('Removed {} with role {} from {}.'.format(
        member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.remove role, member
end

puts "Removed #{member} with role #{role} from #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Get the existing policy applied to the bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X GET \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

  3. Create a .json file that contains the policy you retrieved in the previous step.

  4. Edit the .json file to remove the member from the policy. Remove only that member, leave every other binding in place, and keep the etag field: the PUT in the next step replaces the whole policy, and the etag makes the request fail rather than overwrite a change made since you read the policy.

  5. Use cURL to call the JSON API with a PUT setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"
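The JSON procedures for adding a member and for removing one both come down to a read-modify-write of the policy document: GET getIamPolicy, change the bindings, PUT the whole document back. The step in the middle is left to a text editor above. The following added example (written for this page, not one of its samples; standard-library Python) implements it on a policy in the shape the JSON API returns: adding a member merges into the existing binding for the role rather than appending a second binding, removing a member drops a binding that becomes empty (as the page's C# and Node.js samples do), and the body for setIamPolicy is produced only while it still carries the etag from the read. The sample policy, bucket and member names are constructed assumptions. A project policy from the Resource Manager API has the same bindings and etag fields, so the same functions apply to it unchanged.

```python
# Added example, not from the page: the read-modify-write between GET
# getIamPolicy and PUT setIamPolicy, on the policy JSON the API returns.
import copy
import json

# Constructed sample: what GET .../b/example-bucket/iam returned a moment ago.
CURRENT_POLICY = json.loads("""{
  "kind": "storage#policy",
  "resourceId": "projects/_/buckets/example-bucket",
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:jdoe@example.com"]}
  ]
}""")


def add_member(policy, role, member):
    """Return a copy of policy with member granted role.

    The member is merged into the existing binding for the role, so the role
    never appears twice and calling this again with the same arguments is a
    no-op. All other bindings and the etag are carried over unchanged.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_member(policy, role, member):
    """Return a copy of policy with member revoked from role.

    A binding left with no members is dropped entirely, which is what the
    page's C# and Node.js samples do as well.
    """
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        members = binding.get("members", [])
        if binding["role"] == role:
            members = [m for m in members if m != member]
        if members:
            binding["members"] = members
            kept.append(binding)
    new["bindings"] = kept
    return new


def set_policy_body(policy):
    """Serialize the document for PUT .../b/[BUCKET_NAME]/iam.

    Refuses a policy without the etag from the read: with the etag present the
    server rejects the write if the policy changed since it was retrieved
    (the condition the page's Go sample warns about) instead of silently
    overwriting the concurrent change.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; re-read it with getIamPolicy first")
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Grant the auditors group read access, revoke jdoe's, and print the body
    # to send with:
    #   curl -X PUT --data-binary @policy.json \
    #     -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    #     -H "Content-Type: application/json" \
    #     "https://www.googleapis.com/storage/v1/b/example-bucket/iam"
    updated = add_member(CURRENT_POLICY, "roles/storage.objectViewer",
                         "group:auditors@example.com")
    updated = remove_member(updated, "roles/storage.objectViewer",
                            "user:jdoe@example.com")
    print(set_policy_body(updated))
```

If the PUT comes back with a conflict because the etag no longer matches, the right response is to GET the policy again and reapply the change, not to strip the etag and retry.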

Using Cloud IAM with projects

The following sections show how to complete basic Cloud IAM tasks on projects. Note that unlike most Cloud Storage tasks, these tasks use a separate command-line tool (gcloud) and a separate endpoint (cloudresourcemanager.googleapis.com). A project-level grant applies to every bucket in the project, so it is also the broadest place to make a mistake.

Adding a member to a project-level policy

For a list of the roles associated with Cloud Storage, see Cloud IAM roles. For information about the entities to which you can grant Cloud IAM roles, see member types.

Console

  1. Open the IAM & admin browser in the Google Cloud Platform Console.

  2. Select the project to which you want to add a member.

  3. In the Add members dialog, specify the name of the entity to which you are granting access.

  4. In the Select a role drop-down list, set the appropriate permissions for the member.

    Roles that affect Cloud Storage buckets and objects are found in the Project and Storage submenus.

  5. Click Add.

gcloud

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To add a binding to the project-level policy, use gcloud projects add-iam-policy-binding, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gcloud projects add-iam-policy-binding [PROJECT_ID] --member=[MEMBER_TYPE]:[MEMBER_NAME] --role=[IAM_ROLE]

The command reads the current policy, adds the binding, and writes the policy back, so the project's existing bindings are preserved.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values. bindings is an array of binding objects and members is an array of member strings:

    {
      "policy": {
        "version": 1,
        "bindings": [
          {
            "role": "[IAM_ROLE]",
            "members": [
              "[MEMBER_NAME]"
            ]
          }
        ]
      }
    }

  3. Use cURL to call the Resource Manager API with a POST setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

    As with buckets, setIamPolicy replaces the project's whole policy. A body that contains only the new binding removes every other grant on the project, including the roles/owner bindings. Retrieve the current policy with getIamPolicy first (see the next section), add the binding to it, and send the complete policy back with its etag.

Viewing the Cloud IAM policy for a project

Console

  1. Open the IAM & admin browser in the Google Cloud Platform Console.

  2. Select the project whose policy you want to view.

  3. Use the drop-down list associated with each role to see which members hold that role, or use the Search members dialog to filter the results.

gcloud

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To view a project's Cloud IAM policy, use gcloud projects get-iam-policy, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gcloud projects get-iam-policy [PROJECT_ID]

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use cURL to call the Resource Manager API with a POST getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Length: 0" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

Removing a member from a project-level policy

Console

  1. Open the IAM & admin browser in the Google Cloud Platform Console.

  2. Select the project from which you want to remove a member.

  3. In the Search members dialog, specify the name of the member whose access you want to remove.

  4. In the results below the search, hover over the member you want to remove and click the trash can icon that appears.

  5. In the overlay window that appears, click Remove.

gcloud

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To remove a binding from the project-level policy, use gcloud projects remove-iam-policy-binding, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gcloud projects remove-iam-policy-binding [PROJECT_ID] --member=[MEMBER_TYPE]:[MEMBER_NAME] --role=[IAM_ROLE]

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Get the existing policy applied to the project. To do so, use cURL to call the Resource Manager API with a POST getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Length: 0" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

  3. Create a .json file that contains the policy you retrieved in the previous step, wrapped in a top-level "policy" object as in the add-member example.

  4. Edit the .json file to remove the member from the policy. Remove only that member, leave every other binding in place, and keep the etag field so that the write fails if the policy changed since you read it.

  5. Use cURL to call the Resource Manager API with a POST setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"
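Because setIamPolicy replaces the whole policy, the safe habit before any of the PUT or POST setIamPolicy calls on this page is to diff the document about to be written against the one currently on the resource. The following added example (written for this page, not one of its samples; standard-library Python) does that for a project policy: it lists every grant the write would add or remove, and refuses the write if the body lacks the etag returned by getIamPolicy or would drop a protected role such as roles/owner, unless the caller explicitly opts in to the removal. The sample policies, member names and the protected-role set are constructed assumptions for the example; the same check works on a bucket policy.

```python
# Added example, not from the page: check a setIamPolicy body against the
# policy currently on the resource before sending it.
import json

# Constructed sample: the project policy Resource Manager getIamPolicy returns.
EXISTING = json.loads("""{
  "version": 1,
  "etag": "BwWtgo1kQXY=",
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.admin", "members": ["group:storage-ops@example.com"]}
  ]
}""")

# Constructed sample: a body written the way the add-member JSON step reads if
# taken literally, holding only the binding to add.
PROPOSED = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["user:jdoe@example.com"]}
  ]
}""")

# Roles whose accidental loss locks out administrators. An assumption for the
# example; add whatever your organization treats as break-glass access.
PROTECTED_ROLES = {"roles/owner", "roles/storage.admin"}


def grants(policy):
    """The policy as a set of (role, member) pairs; duplicate role entries merge."""
    return {(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])}


def diff_policies(existing, proposed):
    """Return (added, removed): sorted lists of (role, member) pairs."""
    old, new = grants(existing), grants(proposed)
    return sorted(new - old), sorted(old - new)


def check_replacement(existing, proposed, allow_removals=False):
    """Return (added, removed) if the write is safe to send, else raise.

    Two things block the write: a missing or stale etag (a concurrent edit
    would be clobbered and the server could not detect it), and the loss of a
    protected grant without allow_removals, the explicit opt-in for an
    intentional revocation.
    """
    etag = existing.get("etag")
    if not etag or proposed.get("etag") != etag:
        raise ValueError("body must carry the etag returned by getIamPolicy")
    added, removed = diff_policies(existing, proposed)
    lost = [(r, m) for r, m in removed if r in PROTECTED_ROLES]
    if lost and not allow_removals:
        raise ValueError(f"write would revoke protected grants: {lost}")
    return added, removed


if __name__ == "__main__":
    added, removed = diff_policies(EXISTING, PROPOSED)
    print("would add:   ", added)
    print("would remove:", removed)
    try:
        check_replacement(EXISTING, PROPOSED)
    except ValueError as err:
        print("blocked:", err)
```

Run against the two constructed documents, the diff shows the one intended addition and two unintended removals, both of them protected, and the check blocks the write; the body that passes is the existing policy plus the new binding, with the etag carried over.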

What's next
