适用于 JSON 方法的 IAM 权限

下表列出了在给定资源上运行每个 Cloud Storage JSON 方法所需的 Identity and Access Management (IAM) 权限。将 IAM 权限捆绑在一起即可创建角色。您向用户和群组授予角色

对于只适用于已停用统一存储桶级访问权限的存储桶的其他方法,请参阅 ACL 方法表

资源 方法 必需的 IAM 权限1
Buckets delete storage.buckets.delete
Buckets get storage.buckets.get
storage.buckets.getIamPolicy2
storage.buckets.getIpFilter13
Buckets getIamPolicy storage.buckets.getIamPolicy
Buckets insert storage.buckets.create
storage.buckets.enableObjectRetention3
storage.buckets.setIpFilter14
Buckets list storage.buckets.list
storage.buckets.getIamPolicy2
storage.buckets.getIpFilter13
Buckets listChannels storage.buckets.get
Buckets lockRetentionPolicy storage.buckets.update
Buckets patch storage.buckets.update
storage.buckets.getIamPolicy4
storage.buckets.setIamPolicy5
storage.buckets.setIpFilter14
storage.buckets.getIpFilter13
Buckets setIamPolicy storage.buckets.setIamPolicy
Buckets testIamPermissions
Buckets update storage.buckets.update
storage.buckets.getIamPolicy4
storage.buckets.setIamPolicy5
storage.buckets.setIpFilter14
storage.buckets.getIpFilter13
Channels stop
Folders get storage.folders.get
Folders insert storage.folders.create
Folders list storage.folders.list
Folders rename storage.folders.rename(针对源文件夹)
storage.folders.create(针对目标文件夹)
Folders delete storage.folders.delete
ManagedFolders delete storage.managedfolders.delete
storage.managedfolders.setIamPolicy10
ManagedFolders get storage.managedfolders.get
ManagedFolders getIamPolicy storage.managedfolders.getIamPolicy
ManagedFolders insert storage.managedfolders.create
ManagedFolders list storage.managedfolders.list
ManagedFolders update storage.managedfolders.update
ManagedFolders setIamPolicy storage.managedfolders.setIamPolicy
Notifications delete storage.buckets.update
Notifications get storage.buckets.get
Notifications insert storage.buckets.update
Notifications list storage.buckets.get
Objects bulkRestore storage.buckets.restore
storage.objects.create
storage.objects.delete11
storage.objects.restore
storage.objects.setIamPolicy6,12
Objects compose storage.objects.get
storage.objects.create
storage.objects.delete7
storage.objects.getIamPolicy2,6
storage.objects.setRetention8
Objects copy storage.objects.get(针对源存储桶)
storage.objects.create(针对目标存储桶)
storage.objects.delete(针对目标存储桶)7
storage.objects.setRetention(针对目标存储桶)8
Objects delete storage.objects.delete
Objects get storage.objects.get
storage.objects.getIamPolicy2,6
Objects insert storage.objects.create
storage.objects.delete7
storage.objects.setRetention8
Objects list storage.objects.list
storage.objects.getIamPolicy2,6
Objects patch storage.objects.update
storage.objects.setRetention8
storage.objects.overrideUnlockedRetention9
storage.objects.getIamPolicy4、6
storage.objects.setIamPolicy5、6
Objects restore storage.objects.create
storage.objects.delete7
storage.objects.restore
storage.objects.getIamPolicy2,6
storage.objects.setIamPolicy6,12
Objects rewrite storage.objects.get(针对源存储桶)
storage.objects.create(针对目标存储桶)
storage.objects.delete(针对目标存储桶)7
storage.objects.setRetention(针对目标存储桶)8
Objects update storage.objects.update
storage.objects.setRetention8
storage.objects.overrideUnlockedRetention9
storage.objects.getIamPolicy4、6
storage.objects.setIamPolicy5、6
Objects watchAll storage.buckets.update
Projects.hmacKeys create storage.hmacKeys.create
Projects.hmacKeys delete storage.hmacKeys.delete
Projects.hmacKeys get storage.hmacKeys.get
Projects.hmacKeys list storage.hmacKeys.list
Projects.hmacKeys update storage.hmacKeys.update
Projects.serviceAccount get resourceManager.projects.get
ReportConfigs delete storageinsights.reportConfigs.delete
ReportConfigs get storageinsights.reportConfigs.get
ReportConfigs list storageinsights.reportConfigs.list
ReportConfigs insert storageinsights.reportConfigs.create
ReportConfigs update storageinsights.reportConfigs.update
ReportDetails get storageinsights.reportDetails.get
ReportDetails list storageinsights.reportDetails.list

1 如果您在请求中使用 userProject 参数或 x-goog-user-project 标头,则除了发出请求所需的正常 IAM 权限之外,您还必须拥有所指定项目 ID 的 serviceusage.services.use 权限。

2 仅当您希望在 full 投影中包含 ACL 或 IAM 政策时,才需要此权限。如果您在没有这项权限的情况下发出 full 投影请求,那么只会收到部分投影。

3 仅当请求包含 enableObjectRetention 查询参数时,才需要此权限。

4 仅当您希望在响应中包含 ACL 时,才需要此权限。

5 如果您希望在请求中包含 ACL 或禁止公开访问设置更改,则需要此权限。

6 此权限不适用于启用了统一存储桶级访问权限的存储桶。

7 仅当请求会导致同名对象被覆盖时,才需要此权限。

8 如果请求正文包含 retention 属性或者对具有现有保留配置的对象发出 UPDATE 请求,则需要此权限。

9 仅当请求包含查询参数 overrideUnlockedRetention=true 时,才需要此权限。

10 仅当请求包含查询参数 allowNonEmpty=true 时,才需要此权限。

11 仅当请求包含查询参数 allowOverwrite=true 且请求会导致同名对象被覆盖时,才需要此权限。

12 仅当请求包含查询参数 copySourceAcl=true 时,才需要此权限。

13 仅当您希望在 full 投影中包含存储桶 IP 过滤规则时,才需要此权限。如果您在没有这项权限的情况下发出 full 投影请求,那么只会收到部分投影。如果您想在响应中排除存储桶 IP 过滤规则,可以请求 noAcl 投影。

14 仅当您要创建、列出、删除和更新存储桶 IP 过滤规则时,才需要此权限。

与 ACL 相关的方法

下表列出了运行仅适用于管理 ACL 的 JSON 方法所需的 IAM 权限。这些方法仅适用于已停用统一存储桶级访问权限的存储桶。

资源 方法 必需的 IAM 权限1
BucketAccessControls delete storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls get storage.buckets.get
storage.buckets.getIamPolicy
BucketAccessControls insert storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls list storage.buckets.get
storage.buckets.getIamPolicy
BucketAccessControls patch storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls update storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls delete storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls get storage.buckets.get
storage.buckets.getIamPolicy
DefaultObjectAccessControls insert storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls list storage.buckets.get
storage.buckets.getIamPolicy
DefaultObjectAccessControls patch storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls update storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
ObjectAccessControls delete storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls get storage.objects.get
storage.objects.getIamPolicy
ObjectAccessControls insert storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls list storage.objects.get
storage.objects.getIamPolicy
ObjectAccessControls patch storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls update storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update

1 如果您在请求中使用 userProject 参数或 x-goog-user-project 标头,则除了发出请求所需的正常 IAM 权限之外,您还必须拥有所指定项目 ID 的 serviceusage.services.use 权限。

后续步骤