Borra un miembro de la política de IAM para un bucket de Cloud Storage.
Muestra de código
C++
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage C++.
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;

// Removes `member` from every binding for `role` that carries no IAM condition,
// drops any binding left without members, and writes the policy back.
//
// Conditional bindings for the same role are deliberately left untouched, so a
// conditional grant of `role` to `member` (if one exists) still stands after this
// call; inspect the printed policy when a full revocation is intended.
[](gcs::Client client, std::string const& bucket_name,
   std::string const& role, std::string const& member) {
  // Version 3 is the policy schema that can carry conditional bindings, so it is
  // requested explicitly and set again before writing the policy back.
  auto policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!policy) throw std::move(policy).status();
  policy->set_version(3);

  std::vector<gcs::NativeIamBinding> kept;
  for (auto& binding : policy->bindings()) {
    auto& members = binding.members();
    bool const unconditional_match =
        binding.role() == role && !binding.has_condition();
    if (unconditional_match) {
      auto const new_end = std::remove(members.begin(), members.end(), member);
      members.erase(new_end, members.end());
    }
    // A binding that ends up with no members is not written back.
    if (members.empty()) continue;
    kept.push_back(std::move(binding));
  }
  policy->bindings() = std::move(kept);

  auto updated = client.SetNativeBucketIamPolicy(bucket_name, *policy);
  if (!updated) throw std::move(updated).status();
  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated << "\n";
}
C#
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage C#.
using Google.Cloud.Storage.V1;
using System;
using System.Linq;
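/// <summary>
/// Removes a member from a role on a bucket's IAM policy.
/// </summary>
public class RemoveBucketIamMemberSample
{
    /// <summary>
    /// Removes <paramref name="member"/> from every binding for
    /// <paramref name="role"/> that carries no IAM condition, drops any binding
    /// left without members, and writes the policy back to the bucket.
    /// </summary>
    /// <param name="bucketName">The bucket whose IAM policy is modified.</param>
    /// <param name="role">The role to remove the member from, e.g. roles/storage.objectViewer.</param>
    /// <param name="member">The IAM identity to remove, e.g. serviceAccount:...</param>
    public void RemoveBucketIamMember(
        string bucketName = "your-unique-bucket-name",
        string role = "roles/storage.objectViewer",
        string member = "serviceAccount:dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        // Version 3 is the policy schema that can carry conditional bindings.
        var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
        {
            RequestedPolicyVersion = 3
        });
        // Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
        policy.Version = 3;
        // ToList() snapshots the matches so bindings can be removed from
        // policy.Bindings while iterating. Only bindings without a condition are
        // touched: a conditional binding for the same role is a separate grant and
        // is left in place, as in the other language samples on this page.
        foreach (var binding in policy.Bindings.Where(c => c.Role == role && c.Condition == null).ToList())
        {
            // Remove the role/member combo from the IAM policy.
            binding.Members = binding.Members.Where(m => m != member).ToList();
            // Remove role if it contains no members.
            if (binding.Members.Count == 0)
            {
                policy.Bindings.Remove(binding);
            }
        }
        // Set the modified IAM policy to be the current IAM policy.
        storage.SetBucketIamPolicy(bucketName, policy);
        // Printed even when no binding contained the member.
        Console.WriteLine($"Removed {member} with role {role} from {bucketName}");
    }
}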
Go
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage Go.
import (
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/iam"
"cloud.google.com/go/storage"
)
// removeBucketIAMMember removes the bucket IAM member.
//
// The identity and role are hard-coded below; bucketName is the only input.
// The function reads the bucket's current policy, removes the identity from
// the role, and writes the policy back. Errors are returned prefixed with the
// call that failed; a success message is written to w.
func removeBucketIAMMember(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close()

	// Bound the whole read-modify-write cycle to ten seconds.
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	policy, err := bucket.IAM().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().Policy: %v", bucketName, err)
	}

	// Other valid prefixes are "serviceAccount:", "user:"
	// See the documentation for more values.
	// https://cloud.google.com/storage/docs/access-control/iam
	// member string, role iam.RoleName
	var (
		identity              = "group:cloud-logs@google.com"
		role     iam.RoleName = "roles/storage.objectViewer"
	)
	policy.Remove(identity, role)

	err = bucket.IAM().SetPolicy(ctx, policy)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %v", bucketName, err)
	}
	// NOTE: It may be necessary to retry this operation if IAM policies are
	// being modified concurrently. SetPolicy will return an error if the policy
	// was modified since it was retrieved.
	fmt.Fprintf(w, "Removed %v with role %v from %v\n", identity, role, bucketName)
	return nil
}
Java
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage Java.
import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;
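/** Removes a member from an unconditional role binding on a bucket's IAM policy. */
public class RemoveBucketIamMember {

  /**
   * Removes the hard-coded member from the first binding for the hard-coded role that has no
   * IAM condition, then writes the policy back at schema version 3.
   *
   * <p>Conditional bindings for the same role are left untouched, so a conditional grant of the
   * role to the member (if one exists) still stands after this call.
   *
   * @param projectId the project the storage client is created for
   * @param bucketName the bucket whose IAM policy is modified
   */
  public static void removeBucketIamMember(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // For more information please read:
    // https://cloud.google.com/storage/docs/access-control/iam
    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    // Version 3 is the policy schema that can carry conditional bindings.
    Policy originalPolicy =
        storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));

    String role = "roles/storage.objectViewer";
    String member = "group:example@google.com";

    // getBindingsList() returns an ImmutableList; copy into an ArrayList so it is mutable.
    // The diamond operator replaces the raw ArrayList, which compiled with an unchecked warning.
    List<Binding> bindings = new ArrayList<>(originalPolicy.getBindingsList());

    // Remove role-member binding without a condition.
    for (int index = 0; index < bindings.size(); index++) {
      Binding binding = bindings.get(index);
      boolean foundRole = binding.getRole().equals(role);
      boolean foundMember = binding.getMembers().contains(member);
      boolean bindingIsNotConditional = binding.getCondition() == null;
      if (foundRole && foundMember && bindingIsNotConditional) {
        // A binding emptied here is written back with no members rather than dropped.
        bindings.set(index, binding.toBuilder().removeMembers(member).build());
        break;
      }
    }

    // Update policy to remove member
    Policy.Builder updatedPolicyBuilder = originalPolicy.toBuilder();
    updatedPolicyBuilder.setBindings(bindings).setVersion(3);
    storage.setIamPolicy(bucketName, updatedPolicyBuilder.build());

    // Printed even when no matching binding contained the member.
    System.out.printf("Removed %s with role %s from %s\n", member, role, bucketName);
  }
}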
Node.js
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage Node.js.
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The role to revoke
// const roleName = 'roles/storage.objectViewer';

// The members to revoke the roles from
// const members = [
//   'user:jdoe@example.com',
//   'group:admins@example.com',
// ];

// Imports the Google Cloud client library
const storageLib = require('@google-cloud/storage');

// Creates a client
const storage = new storageLib.Storage();
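/**
 * Removes every entry of `members` from the binding for `roleName` that has no
 * IAM condition, and writes the policy back to `bucketName`.
 *
 * Reads `bucketName`, `roleName` and `members` from the enclosing scope.
 * Conditional bindings for the same role are left untouched, so a conditional
 * grant of the role to one of the members (if any) still stands afterwards.
 *
 * @throws {Error} if the policy has no unconditional binding for `roleName`.
 */
async function removeBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  // Version 3 is the policy schema that can carry conditional bindings.
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});

  // Finds the role-member group without a condition.
  const index = policy.bindings.findIndex(
    binding => binding.role === roleName && !binding.condition
  );
  const role = policy.bindings[index];
  if (!role) {
    // No matching role-member group(s) were found
    throw new Error('No matching role-member group(s) found.');
  }

  role.members = role.members.filter(member => !members.includes(member));

  // Updates the policy object with the new (or empty) role-member group
  if (role.members.length === 0) {
    policy.bindings.splice(index, 1);
  } else {
    // `role` is the object already stored at policy.bindings[index]; the
    // previous `policy.bindings.index = role` set a stray `index` property on
    // the array instead of the element.
    policy.bindings[index] = role;
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Removed the following member(s) with role ${roleName} from ${bucketName}:`
  );
  members.forEach(member => {
    console.log(` ${member}`);
  });
}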
// Run the sample; a rejected promise is reported on stderr rather than
// surfacing as an unhandled rejection.
removeBucketIamMember().catch(err => console.error(err));
PHP
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage PHP.
use Google\Cloud\Storage\StorageClient;
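/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * Only bindings without an IAM condition are modified; a conditional binding
 * for the same role is a separate grant and is left untouched. If the member
 * was the binding's last one, the whole binding is dropped. The first matching
 * binding is updated and written back, after which the function returns.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $role The role from which the specified member should be removed.
 *        (e.g. 'roles/storage.objectViewer')
 * @param string $member The member to be removed from the specified role.
 *        (e.g. 'group:example@google.com')
 * @throws \RuntimeException when no unconditional binding for $role contains $member.
 */
function remove_bucket_iam_member(string $bucketName, string $role, string $member): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $iam = $bucket->iam();
    // Version 3 is the policy schema that can carry conditional bindings.
    $policy = $iam->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    foreach ($policy['bindings'] as $i => $binding) {
        // This example only removes member from bindings without a condition.
        // Roles and members are plain strings, so compare them strictly: a loose
        // `==` treats numeric-looking strings as equal.
        if ($binding['role'] !== $role || isset($binding['condition'])) {
            continue;
        }
        $key = array_search($member, $binding['members'], true);
        if ($key === false) {
            continue;
        }

        unset($binding['members'][$key]);
        if (count($binding['members']) === 0) {
            // If the last member is removed from the binding, clean up the
            // binding.
            unset($policy['bindings'][$i]);
            // Ensure array keys are sequential, otherwise JSON encodes
            // the array as an object, which fails when calling the API.
            $policy['bindings'] = array_values($policy['bindings']);
        } else {
            // Ensure array keys are sequential, otherwise JSON encodes
            // the array as an object, which fails when calling the API.
            $binding['members'] = array_values($binding['members']);
            $policy['bindings'][$i] = $binding;
        }

        $iam->setPolicy($policy);
        printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
        return;
    }

    throw new \RuntimeException('No matching role-member group(s) found.');
}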
Python
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage Python.
from google.cloud import storage
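def remove_bucket_iam_member(bucket_name: str, role: str, member: str) -> None:
    """Remove member from bucket IAM Policy.

    Only bindings for ``role`` that carry no IAM condition are modified; a
    conditional binding for the same role is a separate grant and is left as
    is, so a conditional grant of ``role`` to ``member`` (if one exists) still
    stands after this call.

    Args:
        bucket_name: Name of the bucket whose policy is updated.
        role: IAM role, e.g. ``roles/storage.objectViewer``.
        member: IAM identity, e.g. ``user:name@example.com``.
    """
    # bucket_name = "your-bucket-name"
    # role = "IAM role, e.g. roles/storage.objectViewer"
    # member = "IAM identity, e.g. user: name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    # Version 3 is the policy schema that can carry conditional bindings.
    policy = bucket.get_iam_policy(requested_policy_version=3)

    # The earlier per-binding `print(binding)` echoed every binding of the
    # policy (all members of all roles) to stdout; it was a debugging leftover
    # and is dropped so the sample only reports what it changed.
    for binding in policy.bindings:
        if binding["role"] == role and binding.get("condition") is None:
            # discard() is a no-op when the member is absent, so every
            # matching binding can be handled the same way.
            binding["members"].discard(member)

    bucket.set_iam_policy(policy)
    # Printed even when no matching binding contained the member.
    print(f"Removed {member} with role {role} from {bucket_name}.")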
Ruby
Si deseas obtener más información, consulta la documentación de referencia de la API de Cloud Storage Ruby.
# Removes a hard-coded member from a hard-coded role on the bucket's IAM policy.
# Only bindings without an IAM condition are touched; a conditional binding for
# the same role is a separate grant and is left in place.
#
# @param bucket_name [String] the ID of your GCS bucket
def remove_bucket_iam_member bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  # For more information please read: https://cloud.google.com/storage/docs/access-control/iam
  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket  = storage.bucket bucket_name

  role   = "roles/storage.objectViewer"
  member = "group:example@google.com"

  # Version 3 is the policy schema that can carry conditional bindings.
  bucket.policy requested_policy_version: 3 do |policy|
    unconditional = policy.bindings.select { |b| b.role == role && b.condition.nil? }
    unconditional.each { |b| b.members.delete member }
  end

  puts "Removed #{member} with role #{role} from #{bucket_name}"
end