Um exemplo de como definir uma condição startsWith com as bibliotecas de cliente. A condição restringe a vinculação (binding) aos objetos cujo nome completo de recurso, no formato projects/_/buckets/BUCKET/objects/OBJETO, começa pelo prefixo indicado; o nome do bucket embutido na expressão precisa corresponder ao bucket cuja política está sendo atualizada, caso contrário a condição nunca será satisfeita e a concessão não terá efeito. Vinculações condicionais exigem a versão 3 da política: todos os exemplos leem a política com requestedPolicyVersion 3, definem version = 3 e gravam a política inteira de volta, portanto revise o resultado para confirmar que as vinculações já existentes foram preservadas.
Exemplo de código
C#
Para mais informações, consulte a documentação de referência da API Cloud Storage para C#.
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;
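public class AddBucketConditionalIamBindingSample
{
    /// <summary>
    /// Adds a conditional IAM binding to a bucket's policy: <paramref name="member"/> is granted
    /// <paramref name="role"/> only while <paramref name="expression"/> evaluates to true.
    /// The whole policy is read, modified and written back.
    /// </summary>
    /// <param name="bucketName">The name of the bucket whose IAM policy is updated.</param>
    /// <param name="role">The role that members may assume (e.g. roles/storage.objectViewer).</param>
    /// <param name="member">The identifier of the member who may assume the provided role.
    /// The default is a placeholder principal; calling this method without arguments still
    /// grants the role to that placeholder, so always pass the real member.</param>
    /// <param name="title">Title for the condition expression.</param>
    /// <param name="description">Description of the condition expression.</param>
    /// <param name="expression">Describes the conditions that need to be met for the binding to
    /// apply, as a Common Expression Language string. The default only matches objects in a bucket
    /// literally named "bucket-name"; edit the bucket and object prefix to match
    /// <paramref name="bucketName"/>.</param>
    /// <returns>The policy as stored by the service after the update.</returns>
    public Policy AddBucketConditionalIamBinding(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com",
        string title = "title",
        string description = "description",
        string expression = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")")
    {
        // StorageClient is IDisposable (it owns the underlying service/HttpClient); release it when done.
        using (var storage = StorageClient.Create())
        {
            // Conditional bindings require policy version 3 on the read as well as the write.
            var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
            {
                RequestedPolicyVersion = 3
            });
            // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
            policy.Version = 3;
            // A policy with no bindings may be deserialized with a null list; guard before Add.
            if (policy.Bindings is null)
            {
                policy.Bindings = new List<Policy.BindingsData>();
            }
            var bindingToAdd = new Policy.BindingsData
            {
                Role = role,
                Members = new List<string> { member },
                Condition = new Expr
                {
                    Title = title,
                    Description = description,
                    Expression = expression
                }
            };
            policy.Bindings.Add(bindingToAdd);
            // NOTE(review): presumably the etag from the read is sent with this write so a concurrent
            // modification fails instead of being clobbered (the Go sample documents that behavior);
            // confirm for this client and retry the read-modify-write on such a failure.
            var bucketIamPolicy = storage.SetBucketIamPolicy(bucketName, policy);
            Console.WriteLine($"Added {member} with role {role} to {bucketName}");
            return bucketIamPolicy;
        }
    }
}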
C++
Para mais informações, consulte a documentação de referência da API Cloud Storage para C++.
//! [native add bucket conditional iam binding]
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
// Grants `member` the `role` on `bucket_name` only while the CEL
// `condition_expression` holds. Conditional bindings require IAM policy
// version 3, so the policy is both requested and written back as version 3.
// Both service calls throw on failure rather than returning a status.
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member,
   std::string const& condition_title,
   std::string const& condition_description,
   std::string const& condition_expression) {
  StatusOr<gcs::NativeIamPolicy> current = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!current) throw std::runtime_error(current.status().message());
  current->set_version(3);
  // NativeExpression takes (expression, title, description) in that order.
  gcs::NativeExpression condition(condition_expression, condition_title,
                                  condition_description);
  current->bindings().emplace_back(
      gcs::NativeIamBinding(role, {member}, condition));
  auto result = client.SetNativeBucketIamPolicy(bucket_name, *current);
  if (!result) throw std::runtime_error(result.status().message());
  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *result << "\n"
            << "Added member " << member << " with role " << role << " to "
            << bucket_name << ":\n"
            << "with condition:\n"
            << "\t Title: " << condition_title << "\n"
            << "\t Description: " << condition_description << "\n"
            << "\t Expression: " << condition_expression << "\n";
}
//! [native add bucket conditional iam binding]
Go
Para mais informações, consulte a documentação de referência da API Cloud Storage para Go.
// NOTE(review): this is the body of a function whose signature is not shown;
// c (something exposing Bucket()), bucketName, role, member, title,
// description and expression are presumably its parameters — confirm.
ctx := context.Background()
// Bound the read-modify-write so a stalled IAM call cannot block the caller indefinitely.
ctx, cancel := context.WithTimeout(ctx, time.Second*10)
defer cancel()
bucket := c.Bucket(bucketName)
// The V3 handle reads policy version 3, which the other samples note is
// required for bindings that carry a condition.
policy, err := bucket.IAM().V3().Policy(ctx)
if err != nil {
	return err
}
// Grant role to member only while the CEL expression evaluates to true.
policy.Bindings = append(policy.Bindings, &iampb.Binding{
	Role:    role,
	Members: []string{member},
	Condition: &expr.Expr{
		Title:       title,
		Description: description,
		Expression:  expression,
	},
})
// Writes the entire policy back, including every binding read above.
if err := bucket.IAM().V3().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.
Java
Para mais informações, consulte a documentação de referência da API Cloud Storage para Java.
import com.google.cloud.Binding;
import com.google.cloud.Condition;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
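public class AddBucketIamConditionalBinding {
  /**
   * Example of adding a conditional binding to the bucket-level IAM policy. The member is granted
   * {@code roles/storage.objectViewer} only for objects whose resource name starts with the prefix
   * in the condition expression. The whole policy is read, modified and written back.
   *
   * @param projectId the ID of the GCP project used to build the client
   * @param bucketName the name of the bucket whose IAM policy is updated
   */
  public static void addBucketIamConditionalBinding(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";
    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";
    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    // Conditional bindings require policy version 3 on the read as well as the write.
    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));
    String role = "roles/storage.objectViewer";
    // Placeholder principal: replace with the real member before running.
    String member = "group:example@google.com";
    // Create a condition. Object resource names have the form
    // projects/_/buckets/BUCKET/objects/OBJECT, so the expression is built from bucketName;
    // a hard-coded placeholder bucket would only ever match a bucket literally named
    // "bucket-name". "prefix-a-" is still a placeholder for the object-name prefix to grant.
    // NOTE(review): assumes bucketName is a valid bucket name (no quotes or backslashes), since
    // it is interpolated into a CEL string literal — confirm at the caller.
    String conditionTitle = "Title";
    String conditionDescription = "Description";
    String conditionExpression =
        "resource.name.startsWith(\"projects/_/buckets/" + bucketName + "/objects/prefix-a-\")";
    Condition condition =
        Condition.newBuilder()
            .setTitle(conditionTitle)
            .setDescription(conditionDescription)
            .setExpression(conditionExpression)
            .build();
    // getBindingsList() returns an ImmutableList, we copy over to an ArrayList so it's mutable
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());
    // Add a new binding carrying the condition
    bindings.add(
        Binding.newBuilder()
            .setRole(role)
            .setMembers(Arrays.asList(member))
            .setCondition(condition)
            .build());
    // Update policy with new conditional binding
    Policy updatedPolicy = originalPolicy.toBuilder().setBindings(bindings).setVersion(3).build();
    storage.setIamPolicy(bucketName, updatedPolicy);
    System.out.printf(
        "Added %s with role %s to %s with condition %s %s %s\n",
        member, role, bucketName, conditionTitle, conditionDescription, conditionExpression);
  }
}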
Node.js
Para mais informações, consulte a documentação de referência da API Cloud Storage para Node.js.
/**
* TODO(developer): Uncomment the following lines before running the sample.
*/
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The role to grant
// const roleName = 'roles/storage.objectViewer';
// The members to grant the new role to
// const members = [
// 'user:jdoe@example.com',
// 'group:admins@example.com',
// ];
// Create a condition
// const title = 'Title';
// const description = 'Description';
// const expression = 'resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")';
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');
// Creates a client
// NOTE(review): no credentials or projectId are passed here, so the client
// presumably relies on the ambient environment (Application Default
// Credentials) — confirm before running outside a configured environment.
const storage = new Storage();
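/**
 * Adds a conditional binding to the bucket's IAM policy: `members` are
 * granted `roleName` only while the CEL `expression` evaluates to true.
 * Reads the whole policy, appends the binding and writes the policy back.
 * Uses the module-level `storage`, `bucketName`, `roleName`, `members`,
 * `title`, `description` and `expression`.
 */
async function addBucketConditionalBinding() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);
  // Conditional bindings require policy version 3 on the read as well as the write.
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
  // Set the policy's version to 3 to use condition in bindings.
  policy.version = 3;
  // A policy with no bindings may come back without a `bindings` array; guard before push.
  if (!Array.isArray(policy.bindings)) {
    policy.bindings = [];
  }
  // Adds the new conditional binding to the bucket's IAM policy
  policy.bindings.push({
    role: roleName,
    members: members,
    condition: {
      title: title,
      description: description,
      expression: expression,
    },
  });
  // Updates the bucket's IAM policy (the whole policy, including bindings read above)
  await bucket.iam.setPolicy(policy);
  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );
  for (const member of members) {
    console.log(` ${member}`);
  }
  console.log('with condition:');
  console.log(` Title: ${title}`);
  console.log(` Description: ${description}`);
  console.log(` Expression: ${expression}`);
}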
// Run the sample; without the catch a rejected promise would surface as an
// unhandled rejection instead of a logged error.
addBucketConditionalBinding().catch(console.error);
PHP
Para mais informações, consulte a documentação de referência da API Cloud Storage para PHP.
use Google\Cloud\Storage\StorageClient;
/**
 * Adds a conditional IAM binding to a bucket's IAM policy.
 *
 * The members receive the role on the bucket only while the CEL expression
 * evaluates to true. The policy is requested and written back as version 3,
 * which conditional bindings require; the whole policy (including every
 * binding read) is sent on the write.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * @param string $role The role that will be given to members in this binding.
 * @param string[] $members The member(s) associated with this binding.
 * @param string $title The title of the condition.
 * @param string $description The description of the condition.
 * @param string $expression The condition specified in CEL expression language.
 *
 * To see how to express a condition in CEL, visit:
 * @see https://cloud.google.com/storage/docs/access-control/iam#conditions.
 */
function add_bucket_conditional_iam_binding($bucketName, $role, array $members, $title, $description, $expression)
{
    // $bucketName = 'my-bucket';
    // $role = 'roles/storage.objectViewer';
    // $members = ['group:example@google.com'];
    // $title = 'Title';
    // $description = 'Condition Description';
    // $expression = 'resource.name.startsWith("projects/_/buckets/bucket-name/objects/prefix-a-")';
    $client = new StorageClient();
    $iam = $client->bucket($bucketName)->iam();
    $iamPolicy = $iam->policy(['requestedPolicyVersion' => 3]);
    $iamPolicy['version'] = 3;
    $condition = [
        'title' => $title,
        'description' => $description,
        'expression' => $expression,
    ];
    // Appending with [] also creates the bindings array if the policy had none.
    $iamPolicy['bindings'][] = [
        'role' => $role,
        'members' => $members,
        'condition' => $condition,
    ];
    $iam->setPolicy($iamPolicy);
    printf('Added the following member(s) with role %s to %s:' . PHP_EOL, $role, $bucketName);
    foreach ($members as $member) {
        printf(' %s' . PHP_EOL, $member);
    }
    printf('with condition:' . PHP_EOL);
    printf(' Title: %s' . PHP_EOL, $title);
    printf(' Description: %s' . PHP_EOL, $description);
    printf(' Expression: %s' . PHP_EOL, $expression);
}
Python
Para mais informações, consulte a documentação de referência da API Cloud Storage para Python.
from google.cloud import storage
def add_bucket_conditional_iam_binding(
    bucket_name, role, title, description, expression, members
):
    """Add a conditional IAM binding to a bucket's IAM policy.

    ``members`` are granted ``role`` on ``bucket_name`` only while the CEL
    ``expression`` evaluates to true. The policy is requested and written
    back as version 3, which conditional bindings require; the whole policy,
    including every binding read, is sent on the write.

    Args:
        bucket_name: Name of the bucket whose IAM policy is updated.
        role: IAM role to grant, e.g. ``roles/storage.objectViewer``.
        title: Short title for the condition.
        description: Human-readable description of the condition.
        expression: Condition in Common Expression Language (CEL).
        members: Principals to bind, e.g. ``{"user:name@example.com"}``.
    """
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # members = {"IAM identity, e.g. user:name@example.com"}
    # title = "Condition title."
    # description = "Condition description."
    # expression = "Condition expression."
    client = storage.Client()
    target_bucket = client.bucket(bucket_name)
    iam_policy = target_bucket.get_iam_policy(requested_policy_version=3)
    # Set the policy's version to 3 to use condition in bindings.
    iam_policy.version = 3
    new_binding = {
        "role": role,
        "members": members,
        "condition": {
            "title": title,
            "description": description,
            "expression": expression,
        },
    }
    iam_policy.bindings.append(new_binding)
    target_bucket.set_iam_policy(iam_policy)
    print(f"Added the following member(s) with role {role} to {bucket_name}:")
    for member in members:
        print(f" {member}")
    print("with condition:")
    print(f" Title: {title}")
    print(f" Description: {description}")
    print(f" Expression: {expression}")
Ruby
Para mais informações, consulte a documentação de referência da API Cloud Storage para Ruby.
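# Adds a conditional binding to the bucket-level IAM policy: the member is
# granted roles/storage.objectViewer only for objects whose resource name
# starts with the prefix in the condition expression.
#
# @param bucket_name [String] name of the bucket whose IAM policy is updated
def add_bucket_conditional_iam_binding bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"
  require "google/cloud/storage"
  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name
  role = "roles/storage.objectViewer"
  # Placeholder principal: replace with the real member before running.
  member = "group:example@google.com"
  title = "Title"
  description = "Description"
  # Object resource names have the form projects/_/buckets/BUCKET/objects/OBJECT,
  # so the expression is built from bucket_name; a hard-coded placeholder bucket
  # would only ever match a bucket literally named "bucket-name". "prefix-a-" is
  # still a placeholder for the object-name prefix to grant.
  # NOTE(review): assumes bucket_name is a valid bucket name (no quotes or
  # backslashes), since it is interpolated into a CEL string literal.
  expression = "resource.name.startsWith(\"projects/_/buckets/#{bucket_name}/objects/prefix-a-\")"
  # Conditional bindings require policy version 3 on the read as well as the write.
  # NOTE(review): presumably the block form writes the modified policy back when
  # it returns — there is no explicit update call here; confirm.
  bucket.policy requested_policy_version: 3 do |policy|
    policy.version = 3
    policy.bindings.insert(
      role: role,
      members: member,
      condition: {
        title: title,
        description: description,
        expression: expression
      }
    )
  end
  puts "Added #{member} with role #{role} to #{bucket_name} with condition #{title} #{description} #{expression}"
end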