3

我已经使用 Google Cloud Deployment Manager(见下文)创建了一个存储桶,但权限部分被忽略了,并且在使用 Google Cloud Deployment Manager 时我找不到任何设置 IAM 的示例。你能帮我吗?

    resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        iam-policy:
          bindings:
          - role: roles/storage.objectViewer
            members:
            - allUsers
4

2 回答 2

4

您现在可以使用 IAM 绑定来装饰部署管理器对象。像这样的东西应该工作:

- name: <BUCKETNAME>
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: us-west1
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/storage.objectViewer
        members:
        - "serviceAccount:<YOURSERVICEACCOUNT>"
      - role: roles/storage.legacyBucketOwner
        members:
        - "projectEditor:<YOURPROJECT>"
        - "projectOwner:<YOURPROJECT>"
      - role: roles/storage.legacyBucketReader
        members:
        - "projectViewer:<YOURPROJECT>"

有关详细信息,请参阅https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources。请注意,IAM 绑定与存储桶 ACL 和/或对象 ACL 相关但不同。有关 GCS 访问控制的更多信息,请参阅https://cloud.google.com/storage/docs/access-control/

另请注意,您将希望在上述示例中包含完整的 IAM 绑定集。

于 2018-06-03T18:14:48.593 回答
0

您可以设置 2 个访问级别 - 存储桶级别和对象级别。尝试这样的事情:

 resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        acl:
        - role: READER
          entity: allUsers  # maybe allAuthenticatedUsers?
        defaultObjectAcl:
        - entity: allUsers  # maybe allAuthenticatedUsers?
          role: READER
于 2017-06-29T14:25:39.077 回答