下表列出在指定資源上執行每個 Cloud Storage XML 方法所需的 Identity and Access Management (IAM) 權限。
| 方法 | 資源 | 子資源 | 必要的 IAM 權限1 |
|---|---|---|---|
DELETE |
bucket |
storage.buckets.delete |
|
DELETE |
object |
storage.objects.delete |
|
DELETE |
object |
uploadId |
storage.multipartUploads.abort |
GET |
storage.buckets.list |
||
GET |
bucket |
storage.objects.list |
|
GET |
bucket |
acls3 |
storage.buckets.getstorage.buckets.getIamPolicy |
GET |
bucket |
非 ACL 中繼資料 | storage.buckets.get |
GET |
bucket |
uploads |
storage.multipartUploads.list |
GET |
object |
storage.objects.get |
|
GET |
object |
acls3 |
storage.objects.getstorage.objects.getIamPolicy |
GET |
object |
encryption |
storage.objects.get |
GET |
object |
retention |
storage.objects.get |
GET |
object |
uploadId |
storage.multipartUploads.listParts |
HEAD |
bucket |
storage.buckets.get |
|
HEAD |
object |
storage.objects.get |
|
POST |
object |
storage.objects.createstorage.objects.delete4storage.objects.setRetention5 |
|
POST |
object |
uploadId |
storage.multipartUploads.createstorage.objects.createstorage.objects.delete4 |
POST |
object |
uploads |
storage.multipartUploads.createstorage.objects.createstorage.objects.setRetention5 |
PUT |
bucket |
storage.buckets.createstorage.buckets.enableObjectRetention6 |
|
PUT |
bucket |
acls3 |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
PUT |
bucket |
非 ACL 中繼資料 | storage.buckets.update |
PUT7 |
object |
storage.objects.createstorage.objects.get2storage.objects.delete4storage.objects.setRetention5 |
|
PUT |
object |
acls3 |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
PUT |
object |
compose |
storage.objects.createstorage.objects.getstorage.objects.delete4storage.objects.setRetention5 |
PUT |
object |
retention |
storage.objects.setRetentionstorage.objects.updatestorage.objects.overrideUnlockedRetention8 |
PUT |
object |
uploadId |
storage.multipartUploads.createstorage.objects.create |
1 如果您在要求中使用 x-goog-user-project 標頭或 userProject 查詢字串參數,則除了提出要求所需的一般 IAM 權限之外,還必須具有您所指定專案 ID 的 serviceusage.services.use 權限。
2 如果要求包含 x-goog-copy-source 標頭,則來源值區需要這項權限。
3 這個子資源不適用於已啟用統一值區層級存取權的值區。
4 只有在插入物件名稱與值區中現有物件名稱相同時,才需要這項權限。
5 只有在要求包含 x-goog-object-lock-mode 和 x-goog-object-lock-retain-until-date 標頭時,才需要這項權限。
6 只有在要求包含設為 true 的 x-goog-bucket-object-lock-enabled 標頭時,才需要這項權限。
7 如要發出與可續傳上傳相關聯的 PUT 要求,不需要任何權限。
8只有在要求包含設為 true 的 x-goog-bypass-governance-retention 標頭時,才需要這項權限。
後續步驟
- 如需查看 Cloud IAM 角色及其相關權限的清單,請參閱適用於 Cloud Storage 的 Cloud IAM 角色一文。