Using Cloud IAM permissions


This page shows how to control access to buckets and objects with Cloud Identity and Access Management (Cloud IAM) permissions. Cloud IAM lets you control who has access to your buckets and objects.

For other ways to control access to buckets and objects, see the Overview of Access Control. To learn how to control access to individual objects in a bucket, see Access Control Lists.

Using Cloud IAM with buckets

The following sections show how to complete basic Cloud IAM tasks on buckets.

Add a member to a bucket-level policy

For a list of roles associated with Cloud Storage, see Cloud IAM Roles. For information on the entities that can be granted Cloud IAM roles, see Member Types.

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
  2. Click the Bucket overflow menu associated with the bucket to which you want to grant a member a role.

  3. Choose Edit bucket permissions.

  4. In the Add members field, enter one or more identities that need access to your bucket.

    The Add members dialog.

  5. Select one or more roles from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  6. Click Add.

See Troubleshooting for how to get detailed error information about failed operations in the Cloud Storage browser.

gsutil

Use the gsutil iam ch command:

gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] gs://[BUCKET_NAME]

where:

  • [MEMBER_TYPE] is the type of member to which you are granting bucket access, for example user.
  • [MEMBER_NAME] is the name of the member to which you are granting bucket access, for example jane@gmail.com.
  • [IAM_ROLE] is the Cloud IAM role you are granting to the member, for example roles/storage.objectCreator.
  • [BUCKET_NAME] is the name of the bucket to which you are granting the member access, for example my-bucket.

For more examples of how to format the [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] string, see the gsutil iam ch reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));

  if (!policy) throw std::runtime_error(policy.status().message());

  policy->set_version(3);
  for (auto& binding : policy->bindings()) {
    if (binding.role() != role || binding.has_condition()) {
      continue;
    }
    auto& members = binding.members();
    if (std::find(members.begin(), members.end(), member) == members.end()) {
      members.emplace_back(member);
    }
  }

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::runtime_error(updated.status().message());

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

private void AddBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions()
    {
        RequestedPolicyVersion = 3
    });
    policy.Version = 3;

    Policy.BindingsData bindingToAdd = new Policy.BindingsData();
    bindingToAdd.Role = role;
    string[] members = { member };
    bindingToAdd.Members = members;
    policy.Bindings.Add(bindingToAdd);

    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Added {member} with role {role} "
        + $"to {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"context"
	"time"

	"cloud.google.com/go/storage"
	iampb "google.golang.org/genproto/googleapis/iam/v1"
)

// addBucketIAMMember grants roles/storage.objectViewer to a group on the bucket.
func addBucketIAMMember(c *storage.Client, bucketName string) error {
	ctx := context.Background()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	bucket := c.Bucket(bucketName)
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return err
	}
	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	policy.Bindings = append(policy.Bindings, &iampb.Binding{
		Role:    "roles/storage.objectViewer",
		Members: []string{"group:cloud-logs@google.com"},
	})
	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return err
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AddBucketIamMember {
  /** Example of adding a member to the Bucket-level IAM */
  public static void addBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList, so copy it into an ArrayList that can be modified.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Create a new binding using role and member
    Binding.Builder newMemberBindingBuilder = Binding.newBuilder();
    newMemberBindingBuilder.setRole(role).setMembers(Arrays.asList(member));
    bindings.add(newMemberBindingBuilder.build());

    // Update policy to add member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf("Added %s with role %s to %s\n", member, role, bucketName);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Adds the new roles to the bucket's IAM policy
  policy.bindings.push({
    role: roleName,
    members: members,
  });

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );

  members.forEach(member => {
    console.log(`  ${member}`);
  });
}

addBucketIamMember().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a new member / role IAM pair to a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to add a given member to.
 * @param string[] $members the member(s) you want to give the new role for the Cloud
 * Storage bucket.
 *
 * @return void
 */
function add_bucket_iam_member($bucketName, $role, $members)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Added the following member(s) to role %s for bucket %s' . PHP_EOL, $role, $bucketName);
    foreach ($members as $member) {
        printf('    %s' . PHP_EOL, $member);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

def add_bucket_iam_member(bucket_name, role, member):
    """Add a new member to an IAM Policy"""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # member = "IAM identity, e.g. user:name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    policy.bindings.append({"role": role, "members": {member}})

    bucket.set_iam_policy(policy)

    print("Added {} with role {} to {}.".format(member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name

bucket.policy requested_policy_version: 3 do |policy|
  policy.bindings.insert role: role, members: [member]
end

puts "Added #{member} with role #{role} to #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information:

    {
      "bindings":[
        {
          "role": "[IAM_ROLE]",
          "members":[
            "[MEMBER_NAME]"
          ]
        }
      ]
    }

    where:

    • [IAM_ROLE] is the Cloud IAM role you are granting to the member, for example roles/storage.objectCreator.
    • [MEMBER_NAME] is the name of the member to which you are granting bucket access, for example jane@gmail.com.

      For more examples of how to format [MEMBER_NAME], see the Members section here.

  3. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    where:

    • [JSON_FILE_NAME] is the name of the file you created in Step 2.
    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [BUCKET_NAME] is the name of the bucket to which you are granting the member access, for example my-bucket.

View the Cloud IAM policy for a bucket

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
  2. Click the Bucket overflow menu associated with the bucket whose role members you want to view.

  3. Choose Edit bucket permissions.

  4. Expand the desired role to view the members assigned to it.

  5. (Optional) Use the search bar to filter the results by role or member.

    If you search by member, the results show every role that member is assigned.

gsutil

Use the gsutil iam get command:

gsutil iam get gs://[BUCKET_NAME]

where [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view, for example my-bucket.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));

  if (!policy) throw std::runtime_error(policy.status().message());
  std::cout << "The IAM policy for bucket " << bucket_name << " is "
            << *policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

private void ViewBucketIamMembers(string bucketName)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions()
    {
        RequestedPolicyVersion = 3
    });

    foreach (var binding in policy.Bindings)
    {
        Console.WriteLine($"  Role: {binding.Role}");
        Console.WriteLine("  Members:");
        foreach (var member in binding.Members)
        {
            Console.WriteLine($"    {member}");
        }
        if (binding.Condition != null)
        {
            Console.WriteLine($"Condition Title: {binding.Condition.Title}");
            Console.WriteLine($"Condition Description: {binding.Condition.Description}");
            Console.WriteLine($"Condition Expression: {binding.Condition.Expression}");
        }
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"context"
	"log"
	"time"

	"cloud.google.com/go/storage"
	iampb "google.golang.org/genproto/googleapis/iam/v1"
)

func viewBucketIAMMembers(c *storage.Client, bucketName string) ([]*iampb.Binding, error) {
	ctx := context.Background()
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	policy, err := c.Bucket(bucketName).IAM().V3().Policy(ctx)
	if err != nil {
		return nil, err
	}
	for _, binding := range policy.Bindings {
		log.Printf("%q: %q (condition: %v)", binding.Role, binding.Members, binding.Condition)
	}
	return policy.Bindings, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class ListBucketIamMembers {
  public static void listBucketIamMembers(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy policy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    // Print binding information
    for (Binding binding : policy.getBindingsList()) {
      System.out.printf("Role: %s Members: %s\n", binding.getRole(), binding.getMembers());

      // Print condition if one is set
      boolean bindingIsConditional = binding.getCondition() != null;
      if (bindingIsConditional) {
        System.out.printf("Condition Title: %s\n", binding.getCondition().getTitle());
        System.out.printf("Condition Description: %s\n", binding.getCondition().getDescription());
        System.out.printf("Condition Expression: %s\n", binding.getCondition().getExpression());
      }
    }
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

/**
 * TODO(developer): Uncomment the following line before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function viewBucketIamMembers() {
  // Gets and displays the bucket's IAM policy
  const results = await storage
    .bucket(bucketName)
    .iam.getPolicy({requestedPolicyVersion: 3});

  const bindings = results[0].bindings;

  // Displays the roles in the bucket's IAM policy
  console.log(`Bindings for bucket ${bucketName}:`);
  for (const binding of bindings) {
    console.log(`  Role: ${binding.role}`);
    console.log('  Members:');

    const members = binding.members;
    for (const member of members) {
      console.log(`    ${member}`);
    }

    const condition = binding.condition;
    if (condition) {
      console.log('  Condition:');
      console.log(`    Title: ${condition.title}`);
      console.log(`    Description: ${condition.description}`);
      console.log(`    Expression: ${condition.expression}`);
    }
  }
}

viewBucketIamMembers().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * View Bucket IAM members for a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *
 * @return void
 */
function view_bucket_iam_members($bucketName)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
    printf(PHP_EOL);

    foreach ($policy['bindings'] as $binding) {
        printf('Role: %s' . PHP_EOL, $binding['role']);
        printf('Members:' . PHP_EOL);
        foreach ($binding['members'] as $member) {
            printf('  %s' . PHP_EOL, $member);
        }

        if (isset($binding['condition'])) {
            $condition = $binding['condition'];
            printf('  with condition:' . PHP_EOL);
            printf('    Title: %s' . PHP_EOL, $condition['title']);
            printf('    Description: %s' . PHP_EOL, $condition['description']);
            printf('    Expression: %s' . PHP_EOL, $condition['expression']);
        }
        printf(PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

def view_bucket_iam_members(bucket_name):
    """View IAM Policy for a bucket"""
    # bucket_name = "your-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    for binding in policy.bindings:
        print("Role: {}, Members: {}".format(binding["role"], binding["members"]))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# bucket_name = "Your Google Cloud Storage bucket name"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name

policy = bucket.policy requested_policy_version: 3
policy.bindings.each do |binding|
  puts "Role: #{binding.role}"
  puts "Members: #{binding.members}"

  # if a conditional binding exists print the condition.
  if binding.condition
    puts "Condition Title: #{binding.condition.title}"
    puts "Condition Description: #{binding.condition.description}"
    puts "Condition Expression: #{binding.condition.expression}"
  end
end

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view, for example my-bucket.

Remove a member from a bucket-level policy

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
  2. Click the Bucket overflow menu associated with the bucket from which you want to remove a member's role.

  3. Choose Edit bucket permissions.

  4. Expand the role that contains the member you want to remove.

  5. Hover over the member and click the trash icon that appears.

    Removing a member from the project.

  6. In the overlay window that appears, click Remove.

See Troubleshooting for how to get detailed error information about failed operations in the Cloud Storage browser.

gsutil

Use the gsutil iam ch command with the -d flag:

gsutil iam ch -d [MEMBER_TYPE]:[MEMBER_NAME] gs://[BUCKET_NAME]

where:

  • [MEMBER_TYPE] is the type of member you are removing from the policy, for example user.
  • [MEMBER_NAME] is the name of the member you are removing from the policy, for example jane@gmail.com.
  • [BUCKET_NAME] is the name of the bucket from which you are removing the member's access, for example my-bucket.

For more examples of how to format the [MEMBER_TYPE]:[MEMBER_NAME] string, see the gsutil iam ch reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::runtime_error(policy.status().message());

  policy->set_version(3);
  std::vector<google::cloud::storage::NativeIamBinding> updated_bindings;
  for (auto& binding : policy->bindings()) {
    auto& members = binding.members();
    if (binding.role() == role && !binding.has_condition()) {
      members.erase(std::remove(members.begin(), members.end(), member),
                    members.end());
    }
    if (!members.empty()) {
      updated_bindings.emplace_back(std::move(binding));
    }
  }
  policy->bindings() = std::move(updated_bindings);

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::runtime_error(updated.status().message());

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

private void RemoveBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions()
    {
        RequestedPolicyVersion = 3
    });
    policy.Version = 3;
    policy.Bindings.ToList().ForEach(binding =>
    {
        if (binding.Role == role && binding.Condition == null)
        {
            // Remove the role/member combo from the IAM policy.
            binding.Members = binding.Members
                .Where(memberInList => memberInList != member).ToList();
            // Remove role if it contains no members.
            if (binding.Members.Count == 0)
            {
                policy.Bindings.Remove(binding);
            }
        }
    });
    // Set the modified IAM policy to be the current IAM policy.
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Removed {member} with role {role} "
        + $"from {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"context"
	"errors"
	"time"

	"cloud.google.com/go/storage"
)

// removeBucketIAMMember removes a group from the bucket's unconditional
// roles/storage.objectViewer binding.
func removeBucketIAMMember(c *storage.Client, bucketName string) error {
	ctx := context.Background()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	bucket := c.Bucket(bucketName)
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return err
	}
	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	for _, binding := range policy.Bindings {
		// Only remove unconditional bindings matching role
		if binding.Role == "roles/storage.objectViewer" && binding.Condition == nil {
			// Filter out member.
			i := -1
			for j, member := range binding.Members {
				if member == "group:cloud-logs@google.com" {
					i = j
				}
			}

			if i == -1 {
				return errors.New("no matching binding group found")
			}
			binding.Members = append(binding.Members[:i], binding.Members[i+1:]...)
		}
	}
	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return err
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;

public class RemoveBucketIamMember {
  public static void removeBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList, so copy it into an ArrayList that can be modified.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Remove role-member binding without a condition.
    for (int index = 0; index < bindings.size(); index++) {
      Binding binding = bindings.get(index);
      boolean foundRole = binding.getRole().equals(role);
      boolean foundMember = binding.getMembers().contains(member);
      boolean bindingIsNotConditional = binding.getCondition() == null;

      if (foundRole && foundMember && bindingIsNotConditional) {
        bindings.set(index, binding.toBuilder().removeMembers(member).build());
        break;
      }
    }

    // Update policy to remove member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf("Removed %s with role %s from %s\n", member, role, bucketName);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to remove members from, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to remove
//   'group:admins@example.com', // from the role
// ];

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Finds and updates the appropriate role-member group, without a condition.
  const index = policy.bindings.findIndex(
    binding => binding.role === roleName && !binding.condition
  );

  const role = policy.bindings[index];
  if (role) {
    role.members = role.members.filter(
      member => members.indexOf(member) === -1
    );

    // Updates the policy object with the new (or empty) role-member group
    if (role.members.length === 0) {
      policy.bindings.splice(index, 1);
    } else {
      policy.bindings[index] = role;
    }

    // Updates the bucket's IAM policy
    await bucket.iam.setPolicy(policy);
  } else {
    // No matching role-member group(s) were found
    throw new Error('No matching role-member group(s) found.');
  }

  console.log(
    `Removed the following member(s) with role ${roleName} from ${bucketName}:`
  );
  members.forEach(member => {
    console.log(`  ${member}`);
  });
}

removeBucketIamMember().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to remove a given member from.
 * @param string $member the member you want to remove from the given role.
 *
 * @return void
 */
function remove_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $iam = $bucket->iam();
    $policy = $iam->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    foreach ($policy['bindings'] as $i => $binding) {
        // This example only removes member from bindings without a condition.
        if ($binding['role'] == $role && !isset($binding['condition'])) {
            $key = array_search($member, $binding['members']);
            if ($key !== false) {
                unset($binding['members'][$key]);

                // If the last member is removed from the binding, clean up the
                // binding.
                if (count($binding['members']) == 0) {
                    unset($policy['bindings'][$i]);
                    // Ensure array keys are sequential, otherwise JSON encodes
                    // the array as an object, which fails when calling the API.
                    $policy['bindings'] = array_values($policy['bindings']);
                } else {
                    // Ensure array keys are sequential, otherwise JSON encodes
                    // the array as an object, which fails when calling the API.
                    $binding['members'] = array_values($binding['members']);
                    $policy['bindings'][$i] = $binding;
                }

                $iam->setPolicy($policy);
                printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
                return;
            }
        }
    }

    throw new \RuntimeException('No matching role-member group(s) found.');
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

def remove_bucket_iam_member(bucket_name, role, member):
    """Remove member from bucket IAM Policy"""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # member = "IAM identity, e.g. user:name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    for binding in policy.bindings:
        # Only edit the unconditional binding for the role; conditional
        # bindings are left untouched.
        if binding["role"] == role and binding.get("condition") is None:
            binding["members"].discard(member)

    bucket.set_iam_policy(policy)

    print("Removed {} with role {} from {}.".format(member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name

bucket.policy requested_policy_version: 3 do |policy|
  policy.bindings.each do |binding|
    if binding.role == role && binding.condition.nil?
      binding.members.delete member
    end
  end
end

puts "Removed #{member} with role #{role} from #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Get the existing policy applied to your project. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view, for example my-bucket.
  3. Create a .json file that contains the policy you retrieved in the previous step.

  4. Edit the .json file to remove the member from the policy.

  5. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    where:

    • [JSON_FILE_NAME] is the name of the file you created in Step 3.
    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [BUCKET_NAME] is the name of the bucket from which you are removing the member's access, for example my-bucket.

Using Cloud IAM Conditions on buckets

The following sections show how to add and remove Cloud IAM Conditions on buckets. To view the Cloud IAM Conditions on a bucket, see View the Cloud IAM policy for a bucket. For more information on using Cloud IAM Conditions with Cloud Storage, see Conditions.

You must enable uniform bucket-level access on the bucket before you can add conditions.

Set a new condition on a bucket

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
  2. Click the Bucket overflow menu at the far right of the row associated with the bucket.

  3. Choose Edit bucket permissions.

  4. Click Add members.

  5. For New members, fill in the members to which you want to grant access to your bucket.

  6. For each role to which you want to apply a condition:

    1. Select a role to grant to the members.

    2. Click Add condition to open the Edit condition form.

    3. Fill in the Title of the condition. The Description field is optional.

    4. Use the Condition builder to build your condition visually, or use the Condition editor tab to enter a CEL expression.

    5. Click Save to return to the Add members form. To add multiple roles, click Add another role.

  7. Click Save.

See Troubleshooting for how to get detailed error information about failed operations in the Cloud Storage browser.

gsutil

  1. Use the gsutil iam command to save the bucket's Cloud IAM policy to a temporary JSON file.

    gsutil iam get gs://[BUCKET_NAME] > /tmp/policy.json

    where [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to retrieve, for example my-bucket.

  2. Edit the /tmp/policy.json file in a text editor to add new conditions to the bindings in the Cloud IAM policy:

    {
      "version": [VERSION],
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ],
          "condition": {
            "title": "[TITLE]",
            "description": "[DESCRIPTION]",
            "expression": "[EXPRESSION]"
          }
        }
      ],
      "etag": "[ETAG]"
    }

    where:

    • [VERSION] is the version of the Cloud IAM policy; for buckets with Cloud IAM Conditions it must be 3.
    • [IAM_ROLE] is the role the condition applies to, for example roles/storage.objectCreator.
    • [MEMBER_NAME] is the member the condition applies to, for example jane@gmail.com.
    • [TITLE] is the title of the condition, for example expires in 2019.
    • [DESCRIPTION] is an optional description of the condition, for example Permission revoked on New Year's.
    • [EXPRESSION] is an attribute-based logic expression, for example request.time < timestamp(\"2019-01-01T00:00:00Z\"). For more examples of expressions, see the Conditions attribute reference. Note that Cloud Storage supports only the date/time, resource type and resource name attributes.

    Do not modify [ETAG].

  3. Use gsutil iam to set the modified Cloud IAM policy on the bucket.

    gsutil iam set /tmp/policy.json gs://[BUCKET_NAME]
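The procedures above edit the policy document by hand; as an added example (not code from this page or from Google's samples), the following Python performs the same edits offline on the JSON shape shown in step 2: it adds a conditional binding, removes a member the way the "Remove a member from a bucket-level policy" JSON procedure edits the file, and runs the pre-flight checks worth doing before gsutil iam set or PUT setIamPolicy (etag carried over unchanged, version 3 once a condition exists, no empty bindings). The sample policy, its etag and the member names are constructed.

```python
"""Offline editing of a bucket IAM policy document (the JSON returned by
`gsutil iam get` / getIamPolicy): version, bindings, etag."""
import copy
import json

CONDITIONAL_POLICY_VERSION = 3  # conditions need policy version 3


def add_binding(policy, role, members, condition=None):
    """Return a copy of policy granting role to members.

    Without a condition, members are merged into the existing unconditional
    binding for the role (like the C++ sample); with a condition a new
    binding is appended, since bindings differing only by condition are
    distinct grants. Version is bumped to 3 as the page's samples do.
    """
    new_policy = copy.deepcopy(policy)
    new_policy["version"] = CONDITIONAL_POLICY_VERSION
    bindings = new_policy.setdefault("bindings", [])
    if condition is None:
        for binding in bindings:
            if binding["role"] == role and "condition" not in binding:
                for member in members:
                    if member not in binding["members"]:
                        binding["members"].append(member)
                return new_policy
    binding = {"role": role, "members": list(members)}
    if condition is not None:
        binding["condition"] = dict(condition)
    bindings.append(binding)
    return new_policy


def remove_member(policy, role, member):
    """Return a copy of policy with member dropped from every unconditional
    binding for role; bindings left empty are removed, conditional bindings
    are left alone (as the page's samples do). KeyError if nothing matched."""
    new_policy = copy.deepcopy(policy)
    found, kept = False, []
    for binding in new_policy.get("bindings", []):
        if (binding["role"] == role and "condition" not in binding
                and member in binding["members"]):
            found = True
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    if not found:
        raise KeyError(f"{member} holds no unconditional {role} binding")
    new_policy["bindings"] = kept
    return new_policy


def check_policy(original, edited):
    """Pre-flight checks before `gsutil iam set` / PUT setIamPolicy; returns a
    list of problems (empty means OK). The etag must be carried over unchanged
    so the server rejects the write if the policy changed since it was read."""
    problems = []
    if edited.get("etag") != original.get("etag"):
        problems.append("etag was modified")
    bindings = edited.get("bindings", [])
    if any("condition" in b for b in bindings) and \
            edited.get("version") != CONDITIONAL_POLICY_VERSION:
        problems.append("conditional bindings require version 3")
    for b in bindings:
        if not b.get("role") or not b.get("members"):
            problems.append(f"binding {b!r} has no role or no members")
        cond = b.get("condition")
        if cond is not None and not (cond.get("title") and cond.get("expression")):
            problems.append(f"condition on {b['role']} needs a title and expression")
    return problems


# Constructed sample policy shaped like `gsutil iam get` output (not real data).
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:jane@gmail.com", "group:admins@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:jane@gmail.com"]},
    ],
    "etag": "CAE=",
}

if __name__ == "__main__":
    expiring = {"title": "expires in 2019",
                "description": "Permission revoked on New Year's",
                "expression": 'request.time < timestamp("2019-01-01T00:00:00Z")'}
    step1 = add_binding(SAMPLE_POLICY, "roles/storage.objectCreator",
                        ["user:jane@gmail.com"], expiring)
    step2 = remove_member(step1, "roles/storage.admin", "user:jane@gmail.com")
    print("problems:", check_policy(SAMPLE_POLICY, step2))
    print(json.dumps(step2, indent=2))
```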

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member,
   std::string const& condition_title,
   std::string const& condition_description,
   std::string const& condition_expression) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::runtime_error(policy.status().message());

  policy->set_version(3);
  policy->bindings().emplace_back(gcs::NativeIamBinding(
      role, {member},
      gcs::NativeExpression(condition_expression, condition_title,
                            condition_description)));

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::runtime_error(updated.status().message());

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";

  std::cout << "Added member " << member << " with role " << role << " to "
            << bucket_name << ":\n";
  std::cout << "with condition:\n"
            << "\t Title: " << condition_title << "\n"
            << "\t Description: " << condition_description << "\n"
            << "\t Expression: " << condition_expression << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

private void AddBucketConditionalIamBinding(string bucketName,
    string role, string member, string title, string description, string expression)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions()
    {
        RequestedPolicyVersion = 3
    });
    policy.Version = 3;

    Policy.BindingsData bindingToAdd = new Policy.BindingsData();
    bindingToAdd.Role = role;
    string[] members = { member };
    bindingToAdd.Members = members;
    bindingToAdd.Condition = new Expr()
    {
        Title = title,
        Description = description,
        Expression = expression
    };
    policy.Bindings.Add(bindingToAdd);

    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Added {member} with role {role} "
        + $"to {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
	iampb "google.golang.org/genproto/googleapis/iam/v1"
	"google.golang.org/genproto/googleapis/type/expr"
)

// addBucketConditionalIAMBinding adds a conditional IAM binding to a bucket.
func addBucketConditionalIAMBinding(w io.Writer, bucketName, role, member, title, description, expression string) error {
	ctx := context.Background()
	c, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer c.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	bucket := c.Bucket(bucketName)
	// Conditions are only returned and accepted on version 3 policies.
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return err
	}

	policy.Bindings = append(policy.Bindings, &iampb.Binding{
		Role:    role,
		Members: []string{member},
		Condition: &expr.Expr{
			Title:       title,
			Description: description,
			Expression:  expression,
		},
	})

	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return err
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Added %v with role %v to %v\n", member, role, bucketName)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

import com.google.cloud.Binding;
import com.google.cloud.Condition;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AddBucketIamConditionalBinding {
  /** Example of adding a conditional binding to the Bucket-level IAM */
  public static void addBucketIamConditionalBinding(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Create a condition
    String conditionTitle = "Title";
    String conditionDescription = "Description";
    String conditionExpression =
        "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")";
    Condition.Builder conditionBuilder = Condition.newBuilder();
    conditionBuilder.setTitle(conditionTitle);
    conditionBuilder.setDescription(conditionDescription);
    conditionBuilder.setExpression(conditionExpression);

    // Add condition to a binding
    Binding.Builder newBindingBuilder =
        Binding.newBuilder()
            .setRole(role)
            .setMembers(Arrays.asList(member))
            .setCondition(conditionBuilder.build());
    bindings.add(newBindingBuilder.build());

    // Update policy with new conditional binding
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.printf(
        "Added %s with role %s to %s with condition %s %s %s\n",
        member, role, bucketName, conditionTitle, conditionDescription, conditionExpression);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];
// const title = 'Condition title.';
// const description = 'Condition description.';
// const expression = 'Condition expression.';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addBucketConditionalBinding() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Set the policy's version to 3 to use condition in bindings.
  policy.version = 3;

  // Adds the new roles to the bucket's IAM policy
  policy.bindings.push({
    role: roleName,
    members: members,
    condition: {
      title: title,
      description: description,
      expression: expression,
    },
  });

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );

  members.forEach(member => {
    console.log(`  ${member}`);
  });

  console.log('with condition:');
  console.log(`  Title: ${title}`);
  console.log(`  Description: ${description}`);
  console.log(`  Expression: ${expression}`);
}

addBucketConditionalBinding().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a conditional IAM binding to a bucket's IAM policy.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role that will be given to members in this binding.
 * @param string[] $members the member(s) that is associated to this binding.
 * @param string $title condition's title
 * @param string $description condition's description
 * @param string $expression the condition specified in CEL expression language.
 *
 * To see how to express a condition in CEL, visit:
 * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
 *
 * @return void
 */
function add_bucket_conditional_iam_binding($bucketName, $role, $members, $title, $description, $expression)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    $policy['version'] = 3;

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members,
        'condition' => [
            'title' => $title,
            'description' => $description,
            'expression' => $expression,
        ],
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Added the following member(s) with role %s to %s:' . PHP_EOL, $role, $bucketName);
    foreach ($members as $member) {
        printf('    %s' . PHP_EOL, $member);
    }
    printf('with condition:' . PHP_EOL);
    printf('    Title: %s' . PHP_EOL, $title);
    printf('    Description: %s' . PHP_EOL, $description);
    printf('    Expression: %s' . PHP_EOL, $expression);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

def add_bucket_conditional_iam_binding(
    bucket_name, role, title, description, expression, members
):
    """Add a conditional IAM binding to a bucket's IAM policy."""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # members = ["IAM identity, e.g. user:name@example.com"]
    # title = "Condition title."
    # description = "Condition description."
    # expression = "Condition expression."

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    # Set the policy's version to 3 to use condition in bindings.
    policy.version = 3

    policy.bindings.append(
        {
            "role": role,
            "members": members,
            "condition": {
                "title": title,
                "description": description,
                "expression": expression,
            },
        }
    )

    bucket.set_iam_policy(policy)

    print("Added the following member(s) with role {} to {}:".format(role, bucket_name))

    for member in members:
        print("    {}".format(member))

    print("with condition:")
    print("    Title: {}".format(title))
    print("    Description: {}".format(description))
    print("    Expression: {}".format(expression))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"
# title       = "Condition Title"
# description = "Condition Description"
# expression  = "Condition Expression"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name

bucket.policy requested_policy_version: 3 do |policy|
  policy.version = 3
  policy.bindings.insert(
    role:      role,
    members:   member,
    condition: {
      title:       title,
      description: description,
      expression:  expression
    }
  )
end

puts "Added #{member} with role #{role} to #{bucket_name} with condition #{title} #{description} #{expression}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use a GET getIamPolicy request to save the bucket's Cloud IAM policy to a temporary JSON file:

    curl \
    'https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam' \
    --header 'Authorization: Bearer [OAUTH2_TOKEN]' > /tmp/policy.json

    Where:

    • [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to retrieve. For example, my-bucket.
    • [OAUTH2_TOKEN] is the access token you generated in step 1.
  3. Edit the /tmp/policy.json file in a text editor to add a binding with a condition to the bindings array of the Cloud IAM policy, leaving the existing bindings in place:

    {
      "version": [VERSION],
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ],
          "condition": {
            "title": "[TITLE]",
            "description": "[DESCRIPTION]",
            "expression": "[EXPRESSION]"
          }
        }
      ],
      "etag": "[ETAG]"
    }

    Where:

    • [VERSION] is the version of the Cloud IAM policy. For buckets that use Cloud IAM Conditions this value must be 3.
    • [IAM_ROLE] is the role the condition applies to. For example, roles/storage.objectCreator.
    • [MEMBER_NAME] is the member the condition applies to, written with its type prefix. For example, user:jane@gmail.com.
    • [TITLE] is the title of the condition. For example, expires in 2019.
    • [DESCRIPTION] is an optional description of the condition. For example, Permission revoked on New Year's.
    • [EXPRESSION] is an attribute-based logic expression. For example, request.time < timestamp(\"2019-01-01T00:00:00Z\") (the inner quotes are escaped because the expression sits inside a JSON string). For more examples of expressions, see the Conditions attribute reference. Note that Cloud Storage supports only the date/time, resource type and resource name attributes.

      Do not modify [ETAG]. The etag identifies the policy revision you read; if the policy changes between your get and your set, the set is rejected instead of silently overwriting someone else's change.

  4. Use a PUT setIamPolicy request to set the modified Cloud IAM policy on the bucket:

    curl -X PUT --data-binary @/tmp/policy.json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you are modifying. For example, my-bucket.
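The gsutil and JSON procedures above both come down to the same hand edit of /tmp/policy.json between a get and a set. The Python below is an example added for this page, not code from the page or from any Google library; it performs that edit on a saved policy document offline and adds the two checks a reviewer would want before the set step: the member carries a type prefix (the page's bare `jane@gmail.com` would be rejected by the API), and the expression references only the attributes the page says Cloud Storage supports. The sample policy, its etag and the list of member prefixes are constructed assumptions.

```python
import copy
import json
import re

# Condition attributes that Cloud Storage accepts in bucket-level bindings,
# as stated on this page: date/time, resource type and resource name.
SUPPORTED_ATTRIBUTES = {"request.time", "resource.type", "resource.name"}

# Member type prefixes accepted in a policy binding. Assumption: this is the
# usual set; the point is that a bare address such as 'jane@gmail.com' is
# rejected, it must be written as 'user:jane@gmail.com'.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:",
                   "projectOwner:", "projectEditor:", "projectViewer:")
SPECIAL_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# <family>.<attribute> references in a CEL expression, e.g. request.time,
# resource.name, request.auth. String literals are not excluded, which errs
# on the side of flagging too much rather than too little.
_ATTR_RE = re.compile(r"\b(request|resource|origin|destination|api)\.([A-Za-z_][A-Za-z0-9_]*)")


def unsupported_attributes(expression):
    """Attribute references in `expression` that Cloud Storage does not support."""
    found = {f"{family}.{attr}" for family, attr in _ATTR_RE.findall(expression)}
    return found - SUPPORTED_ATTRIBUTES


def add_conditional_binding(policy, role, member, title, description, expression):
    """Return a copy of `policy` with `member` granted `role` under a condition.

    This is the hand edit of /tmp/policy.json done programmatically: version is
    forced to 3 (required for conditions), the etag is carried over unchanged so
    the set request fails if someone changed the policy after the get, and a
    binding with the same role and the same condition is extended rather than
    duplicated.
    """
    if member not in SPECIAL_MEMBERS and not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member {member!r} needs a type prefix such as 'user:'")
    bad = unsupported_attributes(expression)
    if bad:
        raise ValueError(f"condition uses attributes Cloud Storage does not support: {sorted(bad)}")

    new_policy = copy.deepcopy(policy)
    new_policy["version"] = 3
    condition = {"title": title, "description": description, "expression": expression}
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member], "condition": condition})
    return new_policy


# Constructed sample: what `gsutil iam get gs://my-bucket` might print for a
# bucket with one unconditional viewer binding. The etag value is made up.
SAMPLE_POLICY_JSON = """{
  "version": 1,
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]}
  ],
  "etag": "CAE="
}"""


def build_updated_policy(policy_json=SAMPLE_POLICY_JSON):
    """Parse a saved policy and add the page's example binding; returns the new policy dict."""
    return add_conditional_binding(
        json.loads(policy_json),
        role="roles/storage.objectCreator",
        member="user:jane@gmail.com",
        title="expires in 2019",
        description="Permission revoked on New Year's",
        expression='request.time < timestamp("2019-01-01T00:00:00Z")',
    )


if __name__ == "__main__":
    # Write this to /tmp/policy.json, then: gsutil iam set /tmp/policy.json gs://my-bucket
    print(json.dumps(build_updated_policy(), indent=2))
```

Merging into an existing binding matters because IAM treats a binding as the pair (role, condition): two bindings with the same role and the same condition are legal but confusing, and the match-on-remove logic in the code samples below would only delete one of them.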

Remove a condition from a bucket

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
    Open the Cloud Storage browser
  2. Click the bucket overflow menu () at the far right of the row associated with the bucket.

  3. Select Edit bucket permissions.

  4. Expand the role that contains the condition you want to remove.

  5. Click the Edit menu (Edit menu icon) for the member associated with the condition.

  6. In the Edit permission overlay that appears, click the name of the condition you want to delete.

  7. In the Edit condition overlay that appears, click Delete, then Confirm.

  8. Click Save.

See Troubleshooting for how to get detailed error information about failed operations in the Cloud Storage browser.

gsutil

  1. Use the gsutil iam command to save the bucket's Cloud IAM policy to a temporary JSON file:

    gsutil iam get gs://[BUCKET_NAME] > /tmp/policy.json
  2. Edit the /tmp/policy.json file in a text editor to delete the condition from the Cloud IAM policy. Remove the whole binding that carries the condition (role, members and condition together); deleting only the "condition" object leaves the members holding the role with no condition at all.

  3. Use gsutil iam to set the modified Cloud IAM policy on the bucket:

    gsutil iam set /tmp/policy.json gs://[BUCKET_NAME]

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& condition_title,
   std::string const& condition_description,
   std::string const& condition_expression) {
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::runtime_error(policy.status().message());

  policy->set_version(3);
  auto& bindings = policy->bindings();
  auto e = std::remove_if(
      bindings.begin(), bindings.end(),
      [role, condition_title, condition_description,
       condition_expression](gcs::NativeIamBinding b) {
        return (b.role() == role && b.has_condition() &&
                b.condition().title() == condition_title &&
                b.condition().description() == condition_description &&
                b.condition().expression() == condition_expression);
      });
  if (e == bindings.end()) {
    std::cout << "No matching binding group found.\n";
    return;
  }
  bindings.erase(e);
  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::runtime_error(updated.status().message());

  std::cout << "Conditional binding was removed.\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

using Google.Cloud.Storage.V1;
using System;
using System.Linq;

private void RemoveBucketConditionalIamBinding(string bucketName,
    string role, string title, string description, string expression)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions()
    {
        RequestedPolicyVersion = 3
    });
    policy.Version = 3;

    // ToList() returns a copy, so removing from it alone leaves policy.Bindings
    // unchanged; the filtered list has to be written back before the policy is set.
    var bindings = policy.Bindings.ToList();
    if (bindings.RemoveAll(binding => binding.Role == role
        && binding.Condition != null
        && binding.Condition.Title == title
        && binding.Condition.Description == description
        && binding.Condition.Expression == expression) > 0)
    {
        policy.Bindings = bindings;
        // Set the modified IAM policy to be the current IAM policy.
        storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine("Conditional Binding was removed.");
    }
    else
    {
        Console.WriteLine("No matching conditional binding found.");
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"context"
	"errors"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// removeBucketConditionalIAMBinding removes the conditional binding whose role,
// title, description and expression all match.
func removeBucketConditionalIAMBinding(w io.Writer, bucketName, role, title, description, expression string) error {
	ctx := context.Background()
	c, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer c.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	bucket := c.Bucket(bucketName)
	policy, err := bucket.IAM().V3().Policy(ctx)
	if err != nil {
		return err
	}

	// Find the index of the binding matching inputs
	i := -1
	for j, binding := range policy.Bindings {
		if binding.Role == role && binding.Condition != nil {
			condition := binding.Condition
			if condition.Title == title &&
				condition.Description == description &&
				condition.Expression == expression {
				i = j
			}
		}
	}

	if i == -1 {
		return errors.New("no matching binding group found")
	}

	// Drop the whole binding at index i: role, members and condition together.
	policy.Bindings = append(policy.Bindings[:i], policy.Bindings[i+1:]...)

	if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
		return err
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintln(w, "Conditional binding was removed.")
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

import com.google.cloud.Binding;
import com.google.cloud.Condition;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

public class RemoveBucketIamConditionalBinding {
  /** Example of removing a conditional binding to the Bucket-level IAM */
  public static void removeBucketIamConditionalBinding(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";

    // getBindingsList() returns an ImmutableList and copying over to an ArrayList so it's mutable.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Create a condition to compare against
    Condition.Builder conditionBuilder = Condition.newBuilder();
    conditionBuilder.setTitle("Title");
    conditionBuilder.setDescription("Description");
    conditionBuilder.setExpression(
        "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")");

    Iterator<Binding> iterator = bindings.iterator();
    while (iterator.hasNext()) {
      Binding binding = iterator.next();
      boolean foundRole = binding.getRole().equals(role);
      boolean conditionsEqual = conditionBuilder.build().equals(binding.getCondition());

      // Remove condition when the role and condition are equal
      if (foundRole && conditionsEqual) {
        iterator.remove();
        break;
      }
    }

    // Update policy to remove conditional binding
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    Policy updatedPolicy = storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    System.out.println("Conditional Binding was removed.");
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const title = 'Condition title.';
// const description = 'Condition description.';
// const expression = 'Condition expression.';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketConditionalBinding() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // Gets and updates the bucket's IAM policy
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Set the policy's version to 3 to use condition in bindings.
  policy.version = 3;

  // Finds and removes the appropriate role-member group with specific condition.
  const index = policy.bindings.findIndex(
    binding =>
      binding.role === roleName &&
      binding.condition &&
      binding.condition.title === title &&
      binding.condition.description === description &&
      binding.condition.expression === expression
  );

  const binding = policy.bindings[index];
  if (binding) {
    policy.bindings.splice(index, 1);

    // Updates the bucket's IAM policy
    await bucket.iam.setPolicy(policy);

    console.log('Conditional Binding was removed.');
  } else {
    // No matching role-member group with specific condition were found
    throw new Error('No matching binding group found.');
  }
}

removeBucketConditionalBinding().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Removes a conditional IAM binding from a bucket's IAM policy.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role that will be given to members in this binding.
 * @param string $title condition's title
 * @param string $description condition's description
 * @param string $expression the condition specified in CEL expression language.
 *
 * To see how to express a condition in CEL, visit:
 * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
 *
 * @return void
 */
function remove_bucket_conditional_iam_binding($bucketName, $role, $title, $description, $expression)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);

    $policy['version'] = 3;

    $key_of_conditional_binding = null;
    foreach ($policy['bindings'] as $key => $binding) {
        if ($binding['role'] === $role && isset($binding['condition'])) {
            $condition = $binding['condition'];
            if ($condition['title'] === $title
                 && $condition['description'] === $description
                 && $condition['expression'] === $expression) {
                $key_of_conditional_binding = $key;
                break;
            }
        }
    }

    // Compare strictly: 0 == null in PHP, so a loose `!= null` check would
    // skip a matching binding that sits at index 0.
    if ($key_of_conditional_binding !== null) {
        unset($policy['bindings'][$key_of_conditional_binding]);
        // Ensure array keys are sequential, otherwise JSON encodes
        // the array as an object, which fails when calling the API.
        $policy['bindings'] = array_values($policy['bindings']);
        $bucket->iam()->setPolicy($policy);
        print('Conditional Binding was removed.' . PHP_EOL);
    } else {
        print('No matching conditional binding found.' . PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

def remove_bucket_conditional_iam_binding(
    bucket_name, role, title, description, expression
):
    """Remove a conditional IAM binding from a bucket's IAM policy."""
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # title = "Condition title."
    # description = "Condition description."
    # expression = "Condition expression."

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)

    # Set the policy's version to 3 to use condition in bindings.
    policy.version = 3

    condition = {
        "title": title,
        "description": description,
        "expression": expression,
    }
    before = len(policy.bindings)
    policy.bindings = [
        binding
        for binding in policy.bindings
        if not (binding["role"] == role and binding.get("condition") == condition)
    ]

    # Only write the policy back if a binding was actually removed.
    if len(policy.bindings) == before:
        print("No matching conditional binding found.")
        return

    bucket.set_iam_policy(policy)

    print("Conditional Binding was removed.")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# title       = "Condition Title"
# description = "Condition Description"
# expression  = "Condition Expression"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name

bucket.policy requested_policy_version: 3 do |policy|
  policy.version = 3

  binding_to_remove = nil
  policy.bindings.each do |b|
    next unless b.role == role && b.condition
    if b.condition.title == title &&
       b.condition.description == description &&
       b.condition.expression == expression
      binding_to_remove = b
    end
  end
  if binding_to_remove
    policy.bindings.remove binding_to_remove
    puts "Conditional Binding was removed."
  else
    puts "No matching conditional binding found."
  end
end

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use a GET getIamPolicy request to save the bucket's Cloud IAM policy to a temporary JSON file:

    curl \
    'https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam' \
    --header 'Authorization: Bearer [OAUTH2_TOKEN]' > /tmp/policy.json

    Where:

    • [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to retrieve. For example, my-bucket.
    • [OAUTH2_TOKEN] is the access token you generated in step 1.
  3. Edit the /tmp/policy.json file in a text editor to delete the condition from the Cloud IAM policy. Remove the whole binding that carries the condition (role, members and condition together); deleting only the "condition" object leaves the members holding the role with no condition at all.

  4. Use a PUT setIamPolicy request to set the modified Cloud IAM policy on the bucket:

    curl -X PUT --data-binary @/tmp/policy.json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [BUCKET_NAME] is the name of the bucket whose IAM policy you are modifying. For example, my-bucket.
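Both removal procedures above (gsutil and JSON) say only "edit the file to delete the condition". The Python below is an example added for this page, not code from the page or from Google's client libraries; it shows on a policy document what that edit must be and what it must not be. The right edit drops the whole binding, as every code sample in this section does. The tempting wrong edit deletes only the "condition" key, which turns an expiring grant into a permanent one; the last function is the check that catches this before `gsutil iam set` or the PUT request. The sample policy and its etag are constructed.

```python
import copy


def find_conditional_binding(policy, role, title, expression):
    """Index of the binding for `role` whose condition has this title and expression, or -1.

    The optional description is deliberately not part of the match.
    """
    for i, binding in enumerate(policy.get("bindings", [])):
        cond = binding.get("condition")
        if (binding["role"] == role and cond
                and cond.get("title") == title and cond.get("expression") == expression):
            return i
    return -1


def remove_conditional_binding(policy, role, title, expression):
    """Return a copy of `policy` with the whole matching binding removed.

    Role, members and condition go together: this is the edit the page's code
    samples make and the only one that actually revokes the grant. The etag is
    left untouched so the set is refused if the policy changed in between.
    """
    i = find_conditional_binding(policy, role, title, expression)
    if i < 0:
        raise LookupError("no matching conditional binding")
    new_policy = copy.deepcopy(policy)
    del new_policy["bindings"][i]
    new_policy["version"] = 3
    return new_policy


def strip_condition_only(policy, role, title, expression):
    """The wrong edit, shown for contrast: delete just the "condition" key.

    The members keep the role with no condition at all, so a time-limited
    grant silently becomes a permanent one.
    """
    i = find_conditional_binding(policy, role, title, expression)
    if i < 0:
        raise LookupError("no matching conditional binding")
    new_policy = copy.deepcopy(policy)
    del new_policy["bindings"][i]["condition"]
    return new_policy


def unconditional_grants(policy, role):
    """Members holding `role` with no condition. Run this on the edited file before setting it."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            members.update(binding["members"])
    return members


# Constructed sample: a bucket policy as `gsutil iam get` would print it, with
# one time-limited objectCreator grant. The etag value is made up.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
        {
            "role": "roles/storage.objectCreator",
            "members": ["user:jane@gmail.com"],
            "condition": {
                "title": "expires in 2019",
                "description": "Permission revoked on New Year's",
                "expression": 'request.time < timestamp("2019-01-01T00:00:00Z")',
            },
        },
    ],
    "etag": "CAI=",
}

ROLE = "roles/storage.objectCreator"
TITLE = "expires in 2019"
EXPRESSION = 'request.time < timestamp("2019-01-01T00:00:00Z")'

if __name__ == "__main__":
    good = remove_conditional_binding(SAMPLE_POLICY, ROLE, TITLE, EXPRESSION)
    bad = strip_condition_only(SAMPLE_POLICY, ROLE, TITLE, EXPRESSION)
    print("unconditional objectCreator after removing the binding:", unconditional_grants(good, ROLE))
    print("unconditional objectCreator after stripping only the condition:", unconditional_grants(bad, ROLE))
```

The same check is worth running after the Console procedure too: the Edit condition overlay deletes the condition from a role grant, so confirm afterwards that the member no longer appears under the role at all.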

Using Cloud IAM with projects

The following sections show how to complete basic Cloud IAM tasks on projects. Note that, unlike most Cloud Storage tasks, these tasks use a separate command-line command, gcloud, and a separate endpoint, cloudresourcemanager.googleapis.com.

You must have the resourcemanager.projects.getIamPolicy and resourcemanager.projects.setIamPolicy Cloud IAM permissions to complete the following tasks.

Add a member to a project-level policy

For a list of roles associated with Cloud Storage, see Cloud IAM roles. For information on the entities to which you can grant Cloud IAM roles, see Member types.

Console

  1. Open the IAM & admin browser in the Google Cloud Console.
    Open the IAM & admin browser
  2. In the project drop-down menu on the top bar, select the project to which you want to add a member.

  3. Click Add. The Add members, roles to project dialog appears.

  4. In the New members field, specify the name of the entity to which you are granting access.

  5. In the Select a role drop-down menu, grant the member an appropriate role.

    You can find the roles that affect Cloud Storage buckets and objects in the Project and Storage submenus.

  6. Click Save.

gsutil

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To add a binding to a project-level policy, use gcloud beta projects add-iam-policy-binding.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information:

    {
      "policy": {
        "version": 1,
        "bindings": [
          {
            "role": "[IAM_ROLE]",
            "members": [
              "[MEMBER_NAME]"
            ]
          }
        ]
      }
    }

    Where:

    • [IAM_ROLE] is the Cloud IAM role you want to grant to the member. For example, roles/storage.objectCreator.
    • [MEMBER_NAME] is the type and name of the member to which you are granting project access. For example, user:jane@gmail.com.

    Note that setIamPolicy replaces the project's entire policy. A file that contains only this one binding revokes every other grant on the project. To add a member without losing existing grants, first retrieve the current policy with getIamPolicy (as in the removal procedure below), append the new binding to its bindings array, and submit the whole policy, etag included.

  3. Use cURL to call the Resource Manager API with a POST setIamPolicy request:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setIamPolicy"

    Where:

    • [JSON_FILE_NAME] is the name of the file you created in step 2.
    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [PROJECT_ID] is the ID of the project to which you want to grant the member access. For example, my-project.

View a project's Cloud IAM policy

Console

  1. Open the IAM & admin browser in the Google Cloud Console.
    Open the IAM & admin browser
  2. In the project drop-down menu on the top bar, select the project whose policy you want to view.

  3. There are two ways to view project permissions:

    • View by members: look at the Role column associated with each member to see which roles each member has.
    • View by roles: use the drop-down list associated with each role to see which members have that role.

gsutil

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To view a project's Cloud IAM policy, use the gcloud beta projects get-iam-policy command.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Use cURL to call the Resource Manager API with a POST getIamPolicy request:

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Length: 0" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:getIamPolicy"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [PROJECT_ID] is the ID of the project whose policy you want to view. For example, my-project.

Remove a member from a project-level policy

Console

  1. Open the IAM & admin browser in the Google Cloud Console.
    Open the IAM & admin browser
  2. In the project drop-down menu on the top bar, select the project from which you want to remove a member.

  3. Make sure you are viewing permissions by member, and select the member you want to remove.

  4. Click Remove.

  5. In the overlay window that appears, click Confirm.

gsutil

Project-level Cloud IAM policies are managed with the gcloud command, which is part of the Google Cloud SDK. To remove a binding from a project-level policy, use gcloud beta projects remove-iam-policy-binding.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the Playground to use your own OAuth credentials.
  2. Get the existing policy applied to your project. To do so, use cURL to call the Resource Manager API with a POST getIamPolicy request:

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Length: 0" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:getIamPolicy"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [PROJECT_ID] is the ID of the project from which you want to remove the member. For example, my-project.
  3. Create a .json file that contains the policy you retrieved in the previous step, including its etag.

  4. Edit the .json file to remove the member from the policy. Remove it from every binding it appears in; the rest of the policy stays as retrieved, because setIamPolicy replaces the whole policy with the contents of this file.

  5. Use cURL to call the Resource Manager API with a POST setIamPolicy request:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setIamPolicy"

    Where:

    • [JSON_FILE_NAME] is the name of the file you created in step 3.
    • [OAUTH2_TOKEN] is the access token you generated in step 1.
    • [PROJECT_ID] is the ID of the project whose policy you are modifying. For example, my-project.
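The project-level JSON procedures above differ in one important way: the add procedure writes a setIamPolicy body from scratch, while the remove procedure reads the current policy with getIamPolicy first and edits that. The Python below is an example added for this page, not Google's code; it performs both edits against a policy document as getIamPolicy returns it, and includes the check that matters most with Resource Manager: because setIamPolicy replaces the whole project policy, the last function lists every (role, member) grant a proposed document would silently revoke. The sample policies, members and etag are constructed.

```python
import copy
import json


def add_member_to_project_policy(policy, role, member):
    """Return a copy of a getIamPolicy result with `member` granted `role`.

    The member is merged into the existing unconditional binding for the role
    when there is one; the etag is carried over so setIamPolicy rejects the
    write if the project policy changed after it was read.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def remove_member_from_project_policy(policy, member):
    """Return a copy of `policy` with `member` dropped from every binding."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # a binding with no members grants nothing
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def grants_lost_by_overwrite(current, proposed):
    """(role, member) pairs present in `current` that `proposed` no longer contains.

    POST ...:setIamPolicy replaces the whole project policy, so every pair
    returned here would be revoked by submitting `proposed`. For an add
    operation the answer must be the empty set; for a removal it must contain
    only the member being removed.
    """
    def pairs(policy):
        return {(b["role"], m) for b in policy.get("bindings", []) for m in b["members"]}
    return pairs(current) - pairs(proposed)


def set_iam_policy_body(policy):
    """JSON text for the setIamPolicy request: the policy wrapped in a "policy" key."""
    return json.dumps({"policy": policy}, indent=2)


# Constructed sample: what getIamPolicy might return for a small project.
# The etag value is made up.
CURRENT_PROJECT_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
    ],
    "etag": "BwWZ0example=",
}

# A file written from scratch with only the new binding, as the add procedure
# above shows it. Submitted as-is, it revokes every other grant on the project.
ONE_BINDING_ONLY = {
    "version": 1,
    "bindings": [{"role": "roles/storage.objectCreator", "members": ["user:jane@gmail.com"]}],
}

if __name__ == "__main__":
    lost = grants_lost_by_overwrite(CURRENT_PROJECT_POLICY, ONE_BINDING_ONLY)
    print("grants the one-binding file would revoke:", sorted(lost))
    merged = add_member_to_project_policy(
        CURRENT_PROJECT_POLICY, "roles/storage.objectCreator", "user:jane@gmail.com")
    print("grants lost by the merged policy:", grants_lost_by_overwrite(CURRENT_PROJECT_POLICY, merged))
    print(set_iam_policy_body(merged))
```

With gcloud the same concern does not arise: `add-iam-policy-binding` and `remove-iam-policy-binding` read the policy, change one binding and write it back for you.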

Next steps