下表列出了在给定资源上运行每个 Cloud Storage JSON 方法所需的 Identity and Access Management (IAM) 权限。将 IAM 权限捆绑在一起即可创建角色。您向用户和群组授予角色。
对于只适用于已停用统一存储桶级访问权限的存储桶的其他方法,请参阅 ACL 方法表。
| 资源 | 方法 | 必需的 IAM 权限1 |
|---|---|---|
AnywhereCache |
create |
storage.anywhereCaches.create |
AnywhereCache |
disable |
storage.anywhereCaches.disable |
AnywhereCache |
get |
storage.anywhereCaches.get |
AnywhereCache |
list |
storage.anywhereCaches.list |
AnywhereCache |
pause |
storage.anywhereCaches.pause |
AnywhereCache |
resume |
storage.anywhereCaches.resume |
AnywhereCache |
update |
storage.anywhereCaches.update |
Buckets |
delete |
storage.buckets.delete |
Buckets |
get |
storage.buckets.getstorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.get18 |
Buckets |
getIamPolicy |
storage.buckets.getIamPolicy |
Buckets |
insert |
storage.buckets.createstorage.buckets.enableObjectRetention3storage.buckets.setIpFilter14 |
Buckets |
list |
storage.buckets.liststorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.list |
Buckets |
listChannels |
storage.buckets.get |
Buckets |
lockRetentionPolicy |
storage.buckets.update |
Buckets |
patch |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13 |
Buckets |
relocate |
storage.buckets.relocate |
Buckets |
setIamPolicy |
storage.buckets.setIamPolicy |
Buckets |
testIamPermissions |
无 |
Buckets |
update |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13storage.anywhereCaches.update |
DatasetConfigs |
delete |
storageinsights.datasetConfigs.delete |
DatasetConfigs |
get |
storageinsights.datasetConfigs.get |
DatasetConfigs |
insert |
storageinsights.datasetConfigs.create |
DatasetConfigs |
list |
storageinsights.datasetConfigs.list |
DatasetConfigs |
linkDataset |
storageinsights.datasetConfigs.linkDataset |
DatasetConfigs |
unlinkDataset |
storageinsights.datasetConfigs.unlinkDataset |
DatasetConfigs |
patch |
storageinsights.datasetConfigs.update |
Channels |
stop |
无 |
Folders |
get |
storage.folders.get |
Folders |
insert |
storage.folders.create |
Folders |
list |
storage.folders.list |
Folders |
rename |
storage.folders.renamestorage.folders.create |
Folders |
delete |
storage.folders.delete |
IntelligenceConfig |
getIntelligenceConfig |
storage.intelligenceConfigs.get |
IntelligenceConfig |
updateIntelligenceConfig |
storage.intelligenceConfigs.update |
Jobs |
create |
storagebatchoperations.jobs.create |
Jobs |
get |
storagebatchoperations.jobs.getstoragebatchoperations.operations.get |
Jobs |
list |
storagebatchoperations.jobs.liststoragebatchoperations.operations.list |
Jobs |
cancel |
storagebatchoperations.jobs.cancelstoragebatchoperations.operations.cancel |
Jobs |
delete |
storagebatchoperations.jobs.delete |
ManagedFolders |
delete |
storage.managedfolders.deletestorage.managedfolders.setIamPolicy10 |
ManagedFolders |
get |
storage.managedfolders.get |
ManagedFolders |
getIamPolicy |
storage.managedfolders.getIamPolicy |
ManagedFolders |
insert |
storage.managedfolders.create |
ManagedFolders |
list |
storage.managedfolders.list |
ManagedFolders |
update |
storage.managedfolders.update |
ManagedFolders |
setIamPolicy |
storage.managedfolders.setIamPolicy |
Notifications |
delete |
storage.buckets.update |
Notifications |
get |
storage.buckets.get |
Notifications |
insert |
storage.buckets.update |
Notifications |
list |
storage.buckets.get |
Objects |
bulkRestore |
storage.buckets.restorestorage.objects.createstorage.objects.delete11storage.objects.restorestorage.objects.setIamPolicy6,12 |
Objects |
compose |
storage.objects.getstorage.objects.createstorage.objects.delete7storage.objects.getIamPolicy2、6storage.objects.setRetention8storage.objects.createContext19 |
Objects |
copy |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetentionstorage.objects.createContext19 |
Objects |
delete |
storage.objects.delete |
Objects |
get |
storage.objects.getstorage.objects.getIamPolicy2,6 |
Objects |
insert |
storage.objects.createstorage.objects.delete7storage.objects.setRetention8storage.objects.createContext19 |
Objects |
list |
storage.objects.liststorage.objects.getIamPolicy2,6 |
Objects |
move |
storage.objects.move15storage.objects.delete15storage.objects.get15storage.objects.createstorage.objects.delete16storage.folders.create17 |
Objects |
patch |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4、6storage.objects.setIamPolicy5、6storage.objects.createContext20storage.objects.updateContext21storage.objects.deleteContext22 |
Objects |
restore |
storage.objects.createstorage.objects.delete7storage.objects.restorestorage.objects.getIamPolicy2,6storage.objects.setIamPolicy6,12 |
Objects |
rewrite |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetentionstorage.objects.createContext19 |
Objects |
update |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4、6storage.objects.setIamPolicy5、6storage.objects.createContext20storage.objects.updateContext21storage.objects.deleteContext22 |
Objects |
watchAll |
storage.buckets.update |
Projects.hmacKeys |
create |
storage.hmacKeys.create |
Projects.hmacKeys |
delete |
storage.hmacKeys.delete |
Projects.hmacKeys |
get |
storage.hmacKeys.get |
Projects.hmacKeys |
list |
storage.hmacKeys.list |
Projects.hmacKeys |
update |
storage.hmacKeys.update |
Projects.serviceAccount |
get |
resourceManager.projects.get |
ReportConfigs |
delete |
storageinsights.reportConfigs.delete |
ReportConfigs |
get |
storageinsights.reportConfigs.get |
ReportConfigs |
list |
storageinsights.reportConfigs.list |
ReportConfigs |
insert |
storageinsights.reportConfigs.create |
ReportConfigs |
update |
storageinsights.reportConfigs.update |
ReportDetails |
get |
storageinsights.reportDetails.get |
ReportDetails |
list |
storageinsights.reportDetails.list |
1 如果您在请求中使用 userProject 参数或 x-goog-user-project 标头,则除了发出请求所需的正常 IAM 权限之外,您还必须拥有所指定项目 ID 的 serviceusage.services.use 权限。
2 仅当您希望在 full 投影中包含 ACL 或 IAM 政策时,才需要此权限。如果您在没有这项权限的情况下发出 full 投影请求,那么只会收到部分投影。
3 仅当请求包含 enableObjectRetention 查询参数时,才需要此权限。
4 仅当您希望在响应中包含 ACL 时,才需要此权限。
5 如果您希望在请求中包含 ACL 或禁止公开访问设置更改,则需要此权限。
6 此权限不适用于启用了统一存储桶级访问权限的存储桶。
7 仅当请求会导致同名对象被覆盖时,才需要此权限。
8 如果请求正文包含 retention 属性或者对具有现有保留配置的对象发出 UPDATE 请求,则需要此权限。
9 仅当请求包含查询参数 overrideUnlockedRetention=true 时,才需要此权限。
10 仅当请求包含查询参数 allowNonEmpty=true 时,才需要此权限。
11 仅当请求包含查询参数 allowOverwrite=true 并且请求会导致同名对象被覆盖时,才需要此权限。
12 仅当请求包含查询参数 copySourceAcl=true 时,才需要此权限。
13 仅当您希望在 Buckets: get 请求中包含存储桶 IP 过滤规则时,才需要此权限。如果您没有此权限,那么只会收到部分投影。
14 仅当您想要创建、列出、删除和更新存储桶 IP 过滤规则时,才需要此权限。
15 如需在启用了分层命名空间的存储桶中移动对象,您需要拥有 storage.objects.delete 和 storage.objects.get 权限;或者,如果您想在不授予对象读取或删除权限的情况下移动对象,则需要拥有 storage.objects.move 权限。
16 仅当您想要替换对象时,才需要此权限。
17 仅当您想要自动创建任何缺少的父级文件夹时,才需要此权限。
18 仅当您想要返回使用 Anywhere Cache 创建的缓存时,才需要此权限。
19 仅当请求包含以下任一属性时,才需要此权限:用于合成对象的非空 destination.contexts.custom 属性;用于复制、插入或重写对象的非空 contexts.custom 属性。
20 仅当您想要向对象添加上下文时,才需要此权限。
21 仅当您想要更新对象的上下文时,才需要此权限。
22 仅当您想要删除对象的上下文时,才需要此权限。
与 ACL 相关的方法
下表列出了运行仅适用于管理 ACL 的 JSON 方法所需的 IAM 权限。这些方法仅适用于已停用统一存储分区级访问权限的存储分区。
| 资源 | 方法 | 必需的 IAM 权限1 |
|---|---|---|
BucketAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
ObjectAccessControls |
delete |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
get |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
insert |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
list |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
patch |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
update |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
1 如果您在请求中使用 userProject 参数或 x-goog-user-project 标头,则除了发出请求所需的正常 IAM 权限之外,您还必须拥有所指定项目 ID 的 serviceusage.services.use 权限。
后续步骤
如需查看角色及其所含权限的列表,请参阅适用于 Cloud Storage 的 IAM 角色。
在项目和存储桶级层分配 IAM 角色。