The following table lists the Identity and Access Management (IAM) permissions required to run gcloud storage commands. IAM permissions are bundled together to create roles, and roles are granted to principals.
For notes on using wildcards, the --recursive flag, and the --billing-project flag, see the sections below the table.
| Command | Flag | Required IAM permissions |
|---|---|---|
| batch-operations jobs create | | storagebatchoperations.jobs.create |
| batch-operations jobs cancel | | storagebatchoperations.jobs.cancel |
| batch-operations jobs delete | | storagebatchoperations.jobs.delete |
| batch-operations jobs get | | storagebatchoperations.jobs.get |
| batch-operations jobs list | | storagebatchoperations.jobs.list |
| buckets add-iam-policy-binding | | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| buckets anywhere-caches create | | storage.anywhereCaches.create |
| buckets anywhere-caches describe | | storage.anywhereCaches.get |
| buckets anywhere-caches list | | storage.anywhereCaches.list |
| buckets anywhere-caches update | | storage.anywhereCaches.update |
| buckets anywhere-caches pause | | storage.anywhereCaches.pause |
| buckets anywhere-caches resume | | storage.anywhereCaches.resume |
| buckets anywhere-caches disable | | storage.anywhereCaches.disable |
| buckets create | | storage.buckets.create, storage.buckets.setIpFilter¹⁵ |
| buckets delete | | storage.buckets.delete |
| buckets describe | | storage.buckets.get, storage.buckets.getIamPolicy¹, storage.buckets.getIpFilter¹⁶ |
| buckets get-iam-policy | | storage.buckets.get, storage.buckets.getIamPolicy |
| buckets list | | storage.buckets.list, storage.buckets.getIamPolicy¹ |
| buckets notifications create | | storage.buckets.get, storage.buckets.update, pubsub.topics.get (for the project containing the Pub/Sub topic), pubsub.topics.create³ (for the project containing the Pub/Sub topic), pubsub.topics.getIamPolicy (for the Pub/Sub topic receiving notifications), pubsub.topics.setIamPolicy³ (for the Pub/Sub topic receiving notifications) |
| buckets notifications create | --skip-topic-setup | storage.buckets.get, storage.buckets.update |
| buckets notifications delete | | storage.buckets.get, storage.buckets.update |
| buckets notifications describe | | storage.buckets.get |
| buckets notifications list | | storage.buckets.get |
| buckets relocate | | storage.buckets.relocate |
| buckets remove-iam-policy-binding | | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| buckets set-iam-policy | | storage.buckets.setIamPolicy, storage.buckets.update |
| buckets update | | storage.buckets.update, storage.buckets.setIpFilter¹⁵ |
| buckets update | --no-requester-pays | storage.buckets.update, resourcemanager.projects.createBillingAssignment² |
| buckets update | --recovery-point-objective, --rpo, --[no-]uniform-bucket-level-access | storage.buckets.get, storage.buckets.update |
| buckets update | --clear-pap, --clear-public-access-prevention, --[no-]pap, --[no-]public-access-prevention | storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy |
| cat | | storage.objects.get, storage.objects.list¹³ |
| cp | | storage.objects.get, storage.objects.create, storage.objects.list⁴ (for the destination bucket), storage.objects.delete⁵, storage.buckets.get¹² |
| du | | storage.objects.list |
| folders create | | storage.folders.create |
| folders delete | | storage.folders.delete |
| folders describe | | storage.folders.get |
| folders list | | storage.folders.list |
| folders rename | | storage.folders.rename, storage.folders.create |
| hash | | storage.objects.get |
| hmac create | | storage.hmacKeys.create |
| hmac delete | | storage.hmacKeys.delete |
| hmac describe | | storage.hmacKeys.get |
| hmac list | | storage.hmacKeys.list |
| hmac update | | storage.hmacKeys.update |
| insights dataset-configs create | | storageinsights.datasetConfigs.create |
| insights dataset-configs create-link | | storageinsights.datasetConfigs.linkDataset |
| insights dataset-configs delete | | storageinsights.datasetConfigs.delete |
| insights dataset-configs delete-link | | storageinsights.datasetConfigs.unlinkDataset |
| insights dataset-configs describe | | storageinsights.datasetConfigs.get |
| insights dataset-configs list | | storageinsights.datasetConfigs.list |
| insights dataset-configs update | | storageinsights.datasetConfigs.update |
| insights inventory-reports create | | storageinsights.reportConfigs.create |
| insights inventory-reports delete | | storageinsights.reportConfigs.delete |
| insights inventory-reports details list | | storageinsights.reportDetails.list |
| insights inventory-reports details describe | | storageinsights.reportDetails.get |
| insights inventory-reports list | | storageinsights.reportConfigs.list |
| insights inventory-reports update | | storageinsights.reportConfigs.get, storageinsights.reportConfigs.update |
| ls (when listing buckets) | | storage.buckets.list, storage.buckets.getIamPolicy⁶ |
| ls (when listing objects) | | storage.objects.get⁷, storage.objects.list, storage.objects.getIamPolicy⁸ |
| ls | --buckets | storage.buckets.get, storage.buckets.getIamPolicy⁶ |
| storage intelligence-config enable | | storage.intelligenceConfigs.update |
| storage-intelligence disable | | storage.intelligenceConfigs.update |
| storage-intelligence describe | | storage.intelligenceConfigs.get |
| storage-intelligence update | | storage.intelligenceConfigs.update |
| mv | | storage.objects.get, storage.objects.delete, storage.objects.create, storage.objects.list⁴, storage.objects.delete⁵, storage.buckets.get¹² |
| objects compose | | storage.objects.get, storage.objects.create, storage.objects.delete⁹ |
| objects describe | | storage.objects.get, storage.objects.getIamPolicy⁸ |
| objects list | | storage.objects.list, storage.objects.getIamPolicy⁸ |
| objects update | | storage.objects.get, storage.objects.list, storage.objects.update |
| objects update | --storage-class, --encryption-key, --clear-encryption-key | storage.objects.get, storage.objects.list, storage.objects.create, storage.objects.delete |
| objects update | --retention-mode, --retain-until, --clear-retention | storage.objects.get, storage.objects.list, storage.objects.update, storage.objects.setRetention, storage.objects.overrideUnlockedRetention¹¹ |
| operations cancel | | storage.bucketOperations.cancel |
| operations describe | | storage.bucketOperations.get |
| operations list | | storage.bucketOperations.list |
| restore | | storage.objects.create, storage.objects.delete⁹, storage.objects.restore |
| restore | --async | storage.objects.create, storage.objects.delete¹⁴, storage.objects.restore, storage.buckets.restore |
| rm | | storage.buckets.delete, storage.objects.delete, storage.objects.list |
| rsync | | storage.objects.list, storage.objects.get, storage.objects.list, storage.objects.get, storage.objects.create, storage.objects.delete¹⁰, storage.buckets.get¹² |
| rsync | --dry-run | storage.objects.list (for the source and destination buckets) |
| service-agent | | resourceManager.projects.get |
| sign-url | | None; however, the service account whose key is included in this command must have permission to perform the request encoded in the signed URL. |
¹ This permission is required only if you want the IAM policy included in the details.
² This permission is required only if your request does not include a billing project. For details, see the usage and access requirements for the Requester Pays feature.
³ These permissions are not required if the topic already exists and the relevant service account can access it.
⁴ This permission is required only if the destination in the command includes an object path.
⁵ This permission is required only if you use parallel composite uploads, or if you do not use the --no-clobber flag and the inserted object has the same name as an object that already exists in the bucket.
⁶ This permission is required only if you want the IAM policy included in the details.
⁷ This permission is required only when the --fetch-encrypted-object-hashes flag is used.
⁸ This permission is required only if you want the IAM policy included in the details; it does not apply to buckets with uniform bucket-level access enabled.
⁹ This permission is required only if the object created by this operation has the same name as an object that already exists in the bucket.
¹⁰ This permission is required only if you use the --delete-unmatched-destination-objects flag, or if the inserted object has the same name as an object that already exists in the bucket but different data.
¹¹ This permission is required only if the request also requires you to use the --override-unlocked-retention flag.
¹² This permission is required to perform parallel composite uploads if the gcloud CLI property storage/parallel_composite_upload_compatibility_check is set to True.
¹³ This permission is required only if you use a regular expression to retrieve objects.
¹⁴ This permission is required only if the request includes the --allow-overwrite flag and the object created by the operation has the same name as an object that already exists in the bucket.
¹⁵ This permission is required only if the request includes the --ip-filter-file flag to create, update, or delete IP filtering rules on the bucket.
¹⁶ This permission is required only if you want the bucket's IP filter configuration returned in the response.
--billing-project top-level flag
If you use the --billing-project global flag to specify the project that should be billed for the request, you must have the serviceusage.services.use permission on that project. The --billing-project flag is used, for example, when accessing a bucket that has Requester Pays enabled.
Wildcards and the recursive flag
If you use a URI wildcard in a command to select multiple objects, you must have the storage.objects.list permission on the bucket that contains those objects. Similarly, if you use a URI wildcard to select multiple buckets, you must have the storage.buckets.list permission on the project that contains those buckets.
If you use the --recursive flag, you must have the storage.objects.list permission on the relevant bucket in addition to the permissions required by the specific command you are running.
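As an added example (not from this page or the gcloud CLI), the helper below turns the three rules above, together with a command's base permissions, into the least-privilege permission set a principal needs for one invocation, split by the scope (bucket, bucket's project, billing project) each permission must be granted on. `BASE` is an assumed subset transcribed from the table with footnoted cases omitted, and `granted` is a constructed stand-in for the output of a testIamPermissions call.

```python
# Base permissions per command (assumed subset from the table above;
# conditional, footnoted permissions are deliberately left out).
BASE = {
    "cat": {"storage.objects.get"},
    "cp": {"storage.objects.get", "storage.objects.create"},
    "du": {"storage.objects.list"},
    "rm": {"storage.objects.delete", "storage.objects.list"},
}


def _has_wildcard(text):
    return any(c in text for c in "*?[")


def required_permissions(command, args, recursive=False, billing_project=None):
    """Map one gcloud storage invocation onto the permissions it needs, by scope.

    Returns {"bucket": set, "project": set, "billing_project": set}.
    """
    req = {"bucket": set(BASE[command]), "project": set(), "billing_project": set()}
    for arg in args:
        if not arg.startswith("gs://"):
            continue  # local paths need no IAM permission
        bucket, _, obj = arg[len("gs://"):].partition("/")
        if _has_wildcard(bucket):
            # Wildcard selecting buckets: list permission on the containing project.
            req["project"].add("storage.buckets.list")
        if _has_wildcard(obj):
            # Wildcard selecting objects: list permission on the containing bucket.
            req["bucket"].add("storage.objects.list")
    if recursive:
        req["bucket"].add("storage.objects.list")
    if billing_project:
        req["billing_project"].add("serviceusage.services.use")
    return req


def missing_permissions(required, granted):
    """Per scope, the required permissions not present in `granted`
    (a dict of scope -> permissions the caller holds; empty scopes are omitted)."""
    missing = {}
    for scope, perms in required.items():
        gap = perms - set(granted.get(scope, ()))
        if gap:
            missing[scope] = sorted(gap)
    return missing
```

A practical use is to run this over a service account's intended command lines before granting a role, so the role contains only the permissions the diff reports.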
Next steps
- Assign IAM roles at the project and bucket level.
- Review the IAM roles that include Cloud Storage permissions.