使用 Cloud IAM 权限

本页面介绍如何使用 Cloud Identity and Access Management (Cloud IAM) 权限控制存储分区和对象的访问权限。您可以使用 Cloud IAM 来控制有权访问您的存储分区和对象的用户。如需详细了解适用于 Cloud Storage 的 Cloud IAM,请参阅 Cloud IAM 概览

如需了解如何以其他方式控制存储分区和对象的访问权限,请参阅访问权限控制概览。如需了解如何控制存储分区中各个对象的访问权限,请参阅访问控制列表

对存储分区使用 Cloud IAM

以下各节展示了如何在存储分区上完成基本的 Cloud IAM 任务。

将成员添加到存储分区级层政策

如需与 Cloud Storage 关联的角色列表,请参阅 Cloud IAM 角色。 如需了解可授予 Cloud IAM 角色的实体,请参阅成员类型

Console

  1. 在 Google Cloud Platform Console 中打开 Cloud Storage 浏览器。
    打开 Cloud Storage 浏览器

  2. 针对您要向成员授予其某一角色的存储分区,点击与之关联的下拉菜单。

    下拉菜单显示为存储分区所在的行最右侧的三个垂直点。

  3. 选择修改存储分区权限

  4. 添加成员字段中,输入需要访问您存储分区的一个或多个身份。

    “添加成员”对话框。

  5. 选择角色下拉菜单中选择一个或多个角色。 您选择的角色将显示在窗格中,其中包含对角色授予的权限的简短说明。

  6. 点击添加

gsutil

使用 gsutil iam ch 命令:

gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] gs://[BUCKET_NAME]

其中:

  • [MEMBER_TYPE] 是您要向其授予存储分区访问权限的成员类型,例如 user
  • [MEMBER_NAME] 是您要向其授予存储分区访问权限的成员的名称,例如 jane@gmail.com
  • [IAM_ROLE] 是您要向成员授予的 IAM 角色,例如 roles/storage.objectCreator
  • [BUCKET_NAME] 是您要向成员授予其访问权限的存储分区的名称,例如 my-bucket

如需查看更多示例以了解如何设置 [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] 格式,请参阅 gsutil iam ch 参考页面。

代码示例

C++

如需了解详情,请参阅 Cloud Storage C++ API 参考文档

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  auto policy = client.GetNativeBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  for (auto& binding : policy->bindings()) {
    if (binding.role() != role) {
      continue;
    }
    auto& members = binding.members();
    if (std::find(members.begin(), members.end(), member) == members.end()) {
      members.emplace_back(member);
    }
  }

  auto updated_policy = client.SetNativeBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

如需了解详情,请参阅 Cloud Storage C# API 参考文档

private void AddBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    Policy.BindingsData bindingToAdd = new Policy.BindingsData();
    bindingToAdd.Role = role;
    string[] members = { member };
    bindingToAdd.Members = members;
    policy.Bindings.Add(bindingToAdd);
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Added {member} with role {role} "
        + $"to {bucketName}");
}

Go

如需了解详情,请参阅 Cloud Storage Go API 参考文档

bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Add("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

如需了解详情,请参阅 Cloud Storage Java API 参考文档

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Add identity to Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().addIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);
}

Node.js

如需了解详情,请参阅 Cloud Storage Node.js API 参考文档

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Adds the new roles to the bucket's IAM policy
policy.bindings.push({
  role: roleName,
  members: members,
});

// Updates the bucket's IAM policy
await bucket.iam.setPolicy(policy);

console.log(
  `Added the following member(s) with role ${roleName} to ${bucketName}:`
);

members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

如需了解详情,请参阅 Cloud Storage PHP API 参考文档

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a new member / role IAM pair to a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to add a given member to.
 * @param string $member the member you want to give the new role for the Cloud
 * Storage bucket.
 *
 * @return void
 */
function add_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    $policy['bindings'][] = [
        'role' => $role,
        'members' => [$member]
    ];

    $bucket->iam()->setPolicy($policy);

    printf('User %s added to role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

如需了解详情,请参阅 Cloud Storage Python API 参考文档

def add_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].add(member)

    bucket.set_iam_policy(policy)

    print('Added {} with role {} to {}.'.format(
         member, role, bucket_name))

Ruby

如需了解详情,请参阅 Cloud Storage Ruby API 参考文档

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.add role, member
end

puts "Added #{member} with role #{role} to #{bucket_name}"

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 创建一个包含以下信息的 .json 文件:

    {
  "bindings":[
    {
      "role": "[IAM_ROLE]",
      "members":[
        "[MEMBER_NAME]"
      ]
    }
  ]
}

    其中:

    • [IAM_ROLE] 是您要向成员授予的 IAM 角色,例如 roles/storage.objectCreator

    • [MEMBER_NAME] 是您要向其授予存储分区访问权限的成员的名称,例如 jane@gmail.com

      如需查看更多示例以了解如何设置 [MEMBER_NAME] 格式,请参阅此处的成员部分。

  3. 使用 cURL,通过 PUT setIamPolicy 请求调用 JSON API

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    其中:

    • [JSON_FILE_NAME] 是您在第 2 步中创建的文件的名称。
    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [BUCKET_NAME] 是您要向成员授予其访问权限的存储分区的名称,例如 my-bucket

查看存储分区的 Cloud IAM 政策

Console

  1. 在 Google Cloud Platform Console 中打开 Cloud Storage 浏览器。
    打开 Cloud Storage 浏览器

  2. 针对您要查看角色成员的存储分区,点击与之关联的下拉菜单。

    下拉菜单显示为存储分区名称最右侧的三个垂直点。

  3. 选择修改存储分区权限

  4. 展开所需角色以查看已分配给该角色的成员。

  5. (可选)使用搜索栏,按角色或成员过滤结果。

    如果按成员进行搜索,结果中将显示成员被分配的各个角色。

gsutil

使用 gsutil iam get 命令:

gsutil iam get gs://[BUCKET_NAME]

其中,[BUCKET_NAME] 是您要查看其 Cloud IAM 政策的存储分区的名称,例如 my-bucket

代码示例

C++

如需了解详情,请参阅 Cloud Storage C++ API 参考文档

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name) {
  auto policy = client.GetNativeBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  std::cout << "The IAM policy for bucket " << bucket_name << " is "
            << *policy << "\n";
}

C#

如需了解详情,请参阅 Cloud Storage C# API 参考文档

private void ViewBucketIamMembers(string bucketName)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    foreach (var binding in policy.Bindings)
    {
        Console.WriteLine($"  Role: {binding.Role}");
        Console.WriteLine("  Members:");
        foreach (var member in binding.Members)
        {
            Console.WriteLine($"    {member}");
        }
    }
}

Go

如需了解详情,请参阅 Cloud Storage Go API 参考文档

policy, err := c.Bucket(bucketName).IAM().Policy(ctx)
if err != nil {
	return nil, err
}
for _, role := range policy.Roles() {
	log.Printf("%q: %q", role, policy.Members(role))
}

Java

如需了解详情,请参阅 Cloud Storage Java API 参考文档

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Print Roles and its identities
Map<Role, Set<Identity>> policyBindings = policy.getBindings();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
  System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
}

Node.js

如需了解详情,请参阅 Cloud Storage Node.js API 参考文档

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * TODO(developer): Uncomment the following line before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Gets and displays the bucket's IAM policy
const results = await storage.bucket(bucketName).iam.getPolicy();

const policy = results[0].bindings;

// Displays the roles in the bucket's IAM policy
console.log(`Roles for bucket ${bucketName}:`);
policy.forEach(role => {
  console.log(`  Role: ${role.role}`);
  console.log(`  Members:`);

  const members = role.members;
  members.forEach(member => {
    console.log(`    ${member}`);
  });
});

PHP

如需了解详情,请参阅 Cloud Storage PHP API 参考文档

use Google\Cloud\Storage\StorageClient;

/**
 * View Bucket IAM members for a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *
 * @return void
 */
function view_bucket_iam_members($bucketName)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
    printf(PHP_EOL);

    foreach ($policy['bindings'] as $binding) {
        printf('Role: %s' . PHP_EOL, $binding['role']);
        printf('Members:' . PHP_EOL);
        foreach ($binding['members'] as $member) {
            printf('  %s' . PHP_EOL, $member);
        }
        printf(PHP_EOL);
    }
}

Python

如需了解详情,请参阅 Cloud Storage Python API 参考文档

def view_bucket_iam_members(bucket_name):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    for role in policy:
        members = policy[role]
        print('Role: {}, Members: {}'.format(role, members))

Ruby

如需了解详情,请参阅 Cloud Storage Ruby API 参考文档

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

policy = bucket.policy

policy.roles.each do |role, members|
  puts "Role: #{role} Members: #{members}"
end

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 使用 cURL,通过 GET getIamPolicy 请求调用 JSON API

    curl -X GET \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    其中:

    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [BUCKET_NAME] 是您要查看其 Cloud IAM 政策的存储分区的名称,例如 my-bucket

从存储分区级层政策中移除成员

Console

  1. 在 Google Cloud Platform Console 中打开 Cloud Storage 浏览器。
    打开 Cloud Storage 浏览器

  2. 针对您要从中移除某成员的角色的存储分区,点击与之关联的下拉菜单。

    下拉菜单显示为存储分区名称最右侧的三个垂直点。

  3. 选择修改存储分区权限

  4. 展开角色(包含要移除的成员)。

  5. 将光标悬停在该成员上,然后点击显示的回收站图标

    从项目中移除成员。

  6. 在出现的叠加窗口中,点击移除

gsutil

使用带有 -d 标志的 gsutil iam ch 命令:

gsutil iam ch -d [MEMBER_TYPE]:[MEMBER_NAME] gs://[BUCKET_NAME]

其中:

  • [MEMBER_TYPE] 是您要从政策中移除的成员的类型,例如 user
  • [MEMBER_NAME] 是您要从政策中移除的成员的名称,例如 jane@gmail.com
  • [BUCKET_NAME] 是您要从中移除成员访问权限的存储分区的名称,例如 my-bucket

如需查看更多示例以了解如何设置 [MEMBER_TYPE]:[MEMBER_NAME] 格式,请参阅 gsutil iam ch 参考页面。

代码示例

C++

如需了解详情,请参阅 Cloud Storage C++ API 参考文档

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  auto policy = client.GetNativeBucketIamPolicy(bucket_name);
  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  std::vector<google::cloud::storage::NativeIamBinding> updated_bindings;
  for (auto& binding : policy->bindings()) {
    auto& members = binding.members();
    if (binding.role() == role) {
      members.erase(std::remove(members.begin(), members.end(), member),
                    members.end());
    }
    if (!members.empty()) {
      updated_bindings.emplace_back(std::move(binding));
    }
  }
  policy->bindings() = std::move(updated_bindings);

  auto updated_policy = client.SetNativeBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

如需了解详情,请参阅 Cloud Storage C# API 参考文档

private void RemoveBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    policy.Bindings.ToList().ForEach(response =>
    {
        if (response.Role == role)
        {
            // Remove the role/member combo from the IAM policy.
            response.Members = response.Members
                .Where(m => m != member).ToList();
            // Remove role if it contains no members.
            if (response.Members.Count == 0)
            {
                policy.Bindings.Remove(response);
            }
        }
    });
    // Set the modified IAM policy to be the current IAM policy.
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Removed {member} with role {role} "
        + $"to {bucketName}");
}

Go

如需了解详情,请参阅 Cloud Storage Go API 参考文档

bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Remove("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

如需了解详情,请参阅 Cloud Storage Java API 参考文档

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Remove an identity from a Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role) == null
    || !updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);
}

Node.js

如需了解详情,请参阅 Cloud Storage Node.js API 参考文档

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Finds and updates the appropriate role-member group
const index = policy.bindings.findIndex(role => role.role === roleName);
const role = policy.bindings[index];
if (role) {
  role.members = role.members.filter(
    member => members.indexOf(member) === -1
  );

  // Updates the policy object with the new (or empty) role-member group
  if (role.members.length === 0) {
    policy.bindings.splice(index, 1);
  } else {
    policy.bindings.index = role;
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);
} else {
  // No matching role-member group(s) were found
  throw new Error('No matching role-member group(s) found.');
}

console.log(
  `Removed the following member(s) with role ${roleName} from ${bucketName}:`
);
members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

如需了解详情,请参阅 Cloud Storage PHP API 参考文档

use Google\Cloud\Core\Iam\PolicyBuilder;
use Google\Cloud\Storage\StorageClient;

/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to remove a given member from.
 * @param string $member the member you want to remove from the given role.
 *
 * @return void
 */
function remove_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $policy = $bucket->iam()->policy();
    $policyBuilder = new PolicyBuilder($policy);
    $policyBuilder->removeBinding($role, [$member]);

    $bucket->iam()->setPolicy($policyBuilder->result());
    printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

如需了解详情,请参阅 Cloud Storage Python API 参考文档

def remove_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].discard(member)

    bucket.set_iam_policy(policy)

    print('Removed {} with role {} from {}.'.format(
        member, role, bucket_name))

Ruby

如需了解详情,请参阅 Cloud Storage Ruby API 参考文档

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.remove role, member
end

puts "Removed #{member} with role #{role} from #{bucket_name}"

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 获取应用于您项目的现有政策。为此,请使用 cURL,通过 GET getIamPolicy 请求调用 JSON API

    curl -X GET \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    其中:

    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [BUCKET_NAME] 是您要查看其 Cloud IAM 政策的存储分区的名称,例如 my-bucket

  3. 创建一个包含您在上一步中检索的政策的 .json 文件。

  4. 修改 .json 文件以从政策中移除该成员。

  5. 使用 cURL,通过 PUT setIamPolicy 请求调用 JSON API

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    其中:

    • [JSON_FILE_NAME] 是您在第 3 步中创建的文件的名称。
    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [BUCKET_NAME] 是您要从中移除成员访问权限的存储分区的名称,例如 my-bucket

对项目使用 Cloud IAM

以下各部分展示了如何在项目中完成基本的 Cloud IAM 任务。请注意,与大多数 Cloud Storage 任务相比,这些任务使用单独的命令行命令 gcloud 和单独的端点 cloudresourcemanager.googleapis.com

将成员添加到项目级层政策

如需与 Cloud Storage 关联的角色列表,请参阅 Cloud IAM 角色。 如需了解可授予 Cloud IAM 角色的实体,请参阅成员类型

Console

  1. 在 Google Cloud Platform Console 中打开 IAM 和管理浏览器。
    打开“IAM 和管理”浏览器

  2. 选择要添加成员的项目。

    将成员添加到项目中。

  3. 添加成员对话框中,指定要授予访问权限的实体的名称。

    “添加成员”对话框。

  4. 选择角色下拉列表中,为团队成员设置适当的权限。

    您可以在项目和存储空间子菜单中找到影响 Cloud Storage 存储分区和对象的角色。

  5. 点击添加

gsutil

项目级层 Cloud IAM 政策通过 gcloud 命令进行管理,该命令是 Google Cloud SDK 的一部分。如需添加项目级层政策,请使用 gcloud beta projects add-iam-policy-binding

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 创建一个包含以下信息的 .json 文件:

    {
  "policy": {
    "version": "0",
    "bindings": {
      "role": "[IAM_ROLE]",
      "members": "[MEMBER_NAME]"
    },
  }
}

    其中:

    • [IAM_ROLE] 是您要向成员授予的 IAM 角色,例如 roles/storage.objectCreator
    • [MEMBER_NAME] 是您要向其授予项目访问权限的成员的类型和名称,例如 user:jane@gmail.com

  3. 使用 cURL,通过 POST setIamPolicy 请求调用 Resource Manager API

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

    其中:

    • [JSON_FILE_NAME] 是您在第 2 步中创建的文件的名称。
    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [PROJECT_NAME] 是您要向成员授予其访问权限的项目的名称,例如 my-project

查看项目的 Cloud IAM 政策

Console

  1. 在 Google Cloud Platform Console 中打开 IAM 和管理浏览器。
    打开“IAM 和管理”浏览器

  2. 选择要查看其政策的项目。

  3. 使用与各个角色关联的下拉列表查看哪些成员具有该角色,或使用搜索成员对话框过滤结果。

gsutil

项目级层 Cloud IAM 政策通过 gcloud 命令进行管理,该命令是 Google Cloud SDK 的一部分。如需查看项目的 Cloud IAM 策略,请使用 gcloud beta projects get-iam-policy 命令。

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 使用 cURL,通过 POST getIamPolicy 请求调用 Resource Manager API

    curl -X POST \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Length: 0" \
  "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

    其中:

    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [PROJECT_NAME] 是您要向成员授予其访问权限的项目的名称,例如 my-project

从项目级层政策中移除成员

Console

  1. 在 Google Cloud Platform Console 中打开 IAM 和管理浏览器。
    打开“IAM 和管理”浏览器

  2. 选择要从中移除成员的项目。

    将成员添加到项目中。

  3. 搜索成员对话框中,指定要移除其访问权限的成员的名称。

  4. 在搜索功能下方的结果中,将光标悬停在要移除的成员上,然后点击显示的回收站图标

    从项目中移除成员。

  5. 在出现的叠加窗口中,点击移除

gsutil

项目级层 Cloud IAM 政策通过 gcloud 命令进行管理,该命令是 Google Cloud SDK 的一部分。如需添加项目级层政策,请使用 gcloud beta projects remove-iam-policy-binding

JSON

  1. OAuth 2.0 Playground 获取授权访问令牌。将 Playground 配置为使用您自己的 OAuth 凭据。

  2. 获取应用于您项目的现有政策。为此,请使用 cURL 通过 POST getIamPolicy 请求调用 Resource Manager API

    curl -X POST \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Length: 0" \
  "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

    其中:

    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [PROJECT_NAME] 是要添加成员访问权限的项目的名称,例如 my-project

  3. 创建一个包含您在上一步中检索的政策的 .json 文件。

  4. 修改 .json 文件以从政策中移除该成员。

  5. 使用 cURL,通过 POST setIamPolicy 请求调用 Resource Manager API

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

    其中:

    • [JSON_FILE_NAME] 是您在第 2 步中创建的文件的名称。
    • [OAUTH2_TOKEN] 是您在第 1 步中生成的访问令牌。
    • [PROJECT_NAME] 是您要向成员授予其访问权限的项目的名称,例如 my-project

后续步骤

此页内容是否有用?请给出您的反馈和评价:

发送以下问题的反馈:

此网页
文档反馈
Cloud Storage
产品反馈
需要帮助?请访问我们的支持页面