Ruoli IAM per Cloud Storage

Questo documento fornisce informazioni sui ruoli e sulle autorizzazioni di Identity and Access Management (IAM) per Cloud Storage.

Ruoli predefiniti

La tabella seguente descrive i ruoli Identity and Access Management (IAM) associati a Cloud Storage ed elenca le autorizzazioni contenute in ciascun ruolo. Se non diversamente specificato, questi ruoli possono essere applicati a progetti, bucket o cartelle gestite. Tuttavia, puoi concedere ruoli legacy solo a singoli bucket.

Per scoprire come controllare l'accesso ai bucket, consulta Utilizzare le autorizzazioni IAM. Per scoprire come controllare l'accesso alle cartelle gestite, consulta Utilizzare IAM per le cartelle gestite.

Role Permissions

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

  • Bucket

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update

recommender.storageBucketSoftDeleteInsights.*

  • recommender.storageBucketSoftDeleteInsights.get
  • recommender.storageBucketSoftDeleteInsights.list
  • recommender.storageBucketSoftDeleteInsights.update

recommender.storageBucketSoftDeleteRecommendations.*

  • recommender.storageBucketSoftDeleteRecommendations.get
  • recommender.storageBucketSoftDeleteRecommendations.list
  • recommender.storageBucketSoftDeleteRecommendations.update

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.*

  • storage.buckets.create
  • storage.buckets.createTagBinding
  • storage.buckets.delete
  • storage.buckets.deleteTagBinding
  • storage.buckets.enableObjectRetention
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.getIpFilter
  • storage.buckets.getObjectInsights
  • storage.buckets.list
  • storage.buckets.listEffectiveTags
  • storage.buckets.listTagBindings
  • storage.buckets.relocate
  • storage.buckets.restore
  • storage.buckets.setIamPolicy
  • storage.buckets.setIpFilter
  • storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.intelligenceConfigs.*

  • storage.intelligenceConfigs.get
  • storage.intelligenceConfigs.update

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.bucketViewer)

Grants permission to view buckets and their metadata, excluding IAM policies.

storage.buckets.get

storage.buckets.list

(roles/storage.expressModeServiceInput)

Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.update

(roles/storage.expressModeServiceOutput)

Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/storage.expressModeUserAccess)

Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.

orgpolicy.policy.get

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

  • storage.hmacKeys.create
  • storage.hmacKeys.delete
  • storage.hmacKeys.get
  • storage.hmacKeys.list
  • storage.hmacKeys.update

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.anywhereCaches.*

  • storage.anywhereCaches.create
  • storage.anywhereCaches.disable
  • storage.anywhereCaches.get
  • storage.anywhereCaches.list
  • storage.anywhereCaches.pause
  • storage.anywhereCaches.resume
  • storage.anywhereCaches.update

storage.bucketOperations.*

  • storage.bucketOperations.cancel
  • storage.bucketOperations.get
  • storage.bucketOperations.list

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.getIpFilter

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.relocate

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.setIpFilter

storage.buckets.update

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.*

  • storage.managedFolders.create
  • storage.managedFolders.delete
  • storage.managedFolders.get
  • storage.managedFolders.getIamPolicy
  • storage.managedFolders.list
  • storage.managedFolders.setIamPolicy

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.overrideUnlockedRetention
  • storage.objects.restore
  • storage.objects.setIamPolicy
  • storage.objects.setRetention
  • storage.objects.update

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.create

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.*

  • storage.folders.create
  • storage.folders.delete
  • storage.folders.get
  • storage.folders.list
  • storage.folders.rename

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.move

storage.objects.restore

storage.objects.update

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

  • Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.folders.get

storage.folders.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

Ruoli predefiniti di Storage Insights

La tabella seguente descrive i ruoli IAM associati a Storage Insights ed elenca le autorizzazioni contenute in ciascun ruolo.

Role Permissions

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

  • storageinsights.datasetConfigs.create
  • storageinsights.datasetConfigs.delete
  • storageinsights.datasetConfigs.get
  • storageinsights.datasetConfigs.linkDataset
  • storageinsights.datasetConfigs.list
  • storageinsights.datasetConfigs.unlinkDataset
  • storageinsights.datasetConfigs.update
  • storageinsights.locations.get
  • storageinsights.locations.list
  • storageinsights.operations.cancel
  • storageinsights.operations.delete
  • storageinsights.operations.get
  • storageinsights.operations.list
  • storageinsights.reportConfigs.create
  • storageinsights.reportConfigs.delete
  • storageinsights.reportConfigs.get
  • storageinsights.reportConfigs.list
  • storageinsights.reportConfigs.update
  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into customer project

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

  • storageinsights.locations.get
  • storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

  • storageinsights.reportDetails.get
  • storageinsights.reportDetails.list

Ruoli di base

Google Cloud

I ruoli di base sono ruoli esistenti prima di IAM. Questi ruoli hanno caratteristiche uniche:

  • I ruoli di base possono essere concessi solo per un intero progetto, non per singoli bucket all'interno del progetto. Come gli altri ruoli che concedi per un progetto, i ruoli di base si applicano a tutti i bucket e gli oggetti del progetto.

  • I ruoli di base contengono autorizzazioni aggiuntive per altri Google Cloud servizi non trattati in questa sezione. Consulta la sezione Ruoli di base per una discussione generale delle autorizzazioni concesse dai ruoli di base.

  • Ogni ruolo di base ha un valore di praticità che ti consente di utilizzare il ruolo di base come se fosse un gruppo. Se utilizzato in questo modo, qualsiasi entità con il ruolo di base viene considerata parte del gruppo. Tutti i membri del gruppo ottengono un accesso aggiuntivo alle risorse in base all'accesso del valore di convenienza.

    • I valori di convenienza possono essere utilizzati quando vengono concessi ruoli per i bucket.

    • I valori di convenienza possono essere utilizzati per impostare gli elenchi di controllo degli accessi sugli oggetti.

  • I ruoli di base non concedono intrinsecamente tutto l'accesso alle risorse Cloud Storage che i loro nomi implicano. Invece, forniscono una parte dell'accesso previsto in modo intrinseco e il resto dell'accesso previsto tramite l'utilizzo di valori di convenienza. Poiché i valori di praticità possono essere aggiunti o rimossi manualmente come qualsiasi altro principal IAM, è possibile revocare l'accesso che i principal potrebbero altrimenti aspettarsi di avere.

    Per una discussione sull'accesso aggiuntivo che le entità con ruoli di base in genere ottengono a causa dei valori di convenienza, vedi comportamento modificabile.

Autorizzazioni intrinseche

La tabella seguente descrive le autorizzazioni Cloud Storage sempre associate a ogni ruolo di base.

Ruolo Descrizione Autorizzazioni di Cloud Storage
Visualizzatore (roles/viewer) Concede l'autorizzazione per elencare i bucket nel progetto, visualizzare i metadati del bucket durante l'elenco (esclusi gli ACL) ed elencare e ottenere le chiavi HMAC nel progetto. storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list
Editor (roles/editor) Concede l'autorizzazione per creare, elencare ed eliminare bucket nel progetto; visualizzare i metadati del bucket durante l'elenco (esclusi gli ACL) e controllare le chiavi HMAC nel progetto. storage.buckets.create
storage.buckets.delete
storage.buckets.getIpFilter
storage.buckets.list
storage.hmacKeys.*
Proprietario (roles/owner)

Concede l'autorizzazione per creare, elencare ed eliminare bucket nel progetto; visualizzare i metadati del bucket durante l'elenco (esclusi gli ACL); creare, eliminare ed elencare le associazioni di tag; controllare le chiavi HMAC nel progetto; attivare, disattivare, aggiornare e ottenere la configurazione di Storage Intelligence in un progetto, una cartella o un'organizzazione.

In Google Cloud in generale, le entità con questo ruolo possono eseguire attività amministrative come modificare i ruoli delle entità per il progetto o modificare la fatturazione.

 storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.getIpFilter
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIpFilter
storage.hmacKeys.*
storage.intelligenceConfigs.get
storage.intelligenceConfigs.update

Comportamento modificabile

Le entità a cui sono stati concessi ruoli di base spesso hanno accesso aggiuntivo ai bucket e agli oggetti di un progetto a causa dei valori di convenienza. Quando viene creato un bucket, ai valori di convenienza viene concesso un determinato accesso a livello di bucket, ma in un secondo momento puoi modificare i criteri IAM del bucket e gli ACL degli oggetti per rimuovere o modificare l'accesso.

Quando crei un bucket con l'accesso uniforme a livello di bucket abilitato, il seguente accesso viene concesso tramite valori di convenienza:

  • Alle entità a cui è stato concesso roles/viewer vengono assegnati i ruoli roles/storage.legacyBucketReader e roles/storage.legacyObjectReader per il bucket.

  • Alle entità a cui è stato concesso roles/editor vengono assegnati i ruoli roles/storage.legacyBucketOwner e roles/storage.legacyObjectOwner per il bucket.

  • Alle entità a cui è stato concesso roles/owner vengono assegnati i ruoli roles/storage.legacyBucketOwner e roles/storage.legacyObjectOwner per il bucket.

Quando crei un bucket per cui non è abilitato l'accesso uniforme a livello di bucket, viene concesso il seguente accesso utilizzando valori pratici:

  • Le entità a cui è stato concesso roles/viewer ottengono il ruolo roles/storage.legacyBucketReader per il bucket.

  • Le entità a cui è stato concesso roles/editor ottengono il ruolo roles/storage.legacyBucketOwner per il bucket.

  • Le entità a cui è stato concesso roles/owner ottengono il ruolo roles/storage.legacyBucketOwner per il bucket.

  • Inoltre, il bucket ha un elenco di controllo dell'accesso (ACL) degli oggetti predefinito. Questo ACL predefinito viene spesso applicato ai nuovi oggetti nel bucket e spesso concede un accesso aggiuntivo ai valori di convenienza.

Ruoli personalizzati

Potresti voler definire ruoli personalizzati che contengano bundle di autorizzazioni che specifichi. Per supportare questa funzionalità, IAM offre ruoli personalizzati.

Passaggi successivi