Google Cloud Deployment Manager:创建bucket时如何设置IAM
我已经用Google Cloud Deployment Manager(见下文)创建了一个bucket,但是权限部分被忽略,并且我找不到在使用Google Cloud Deployment Manager时打开IAM的任何示例。你能帮忙吗Google Cloud Deployment Manager:创建bucket时如何设置IAM,deployment,google-cloud-platform,google-cloud-storage,google-deployment-manager,Deployment,Google Cloud Platform,Google Cloud Storage,Google Deployment Manager,我已经用Google Cloud Deployment Manager(见下文)创建了一个bucket,但是权限部分被忽略,并且我找不到在使用Google Cloud Deployment Manager时打开IAM的任何示例。你能帮忙吗 resources: - name: {{ env["name"] }} type: storage.v1.bucket properties: kind: storage#bucket
resources:
- name: {{ env["name"] }}
type: storage.v1.bucket
properties:
kind: storage#bucket
location: eu
storageClass: MULTI_REGIONAL
iam-policy:
bindings:
- role: roles/storage.objectViewer
members:
- allUsers
您可以设置两个访问级别-bucket级别和object级别。试着这样做:
resources:
- name: {{ env["name"] }}
type: storage.v1.bucket
properties:
kind: storage#bucket
location: eu
storageClass: MULTI_REGIONAL
acl:
- role: READER
entity: allUsers # maybe allAuthenticatedUsers?
defaultObjectAcl:
- entity: allUsers # maybe allAuthenticatedUsers?
role: READER
现在,您可以使用IAM绑定装饰部署管理器对象。像这样的方法应该会奏效:
- name: <BUCKETNAME>
type: storage.v1.bucket
properties:
storageClass: REGIONAL
location: us-west1
accessControl:
gcpIamPolicy:
bindings:
- role: roles/storage.objectViewer
members:
- "serviceAccount:<YOURSERVICEACCOUNT>"
- role: roles/storage.legacyBucketOwner
members:
- "projectEditor:<YOURPROJECT>"
- "projectOwner:<YOURPROJECT>"
- role: roles/storage.legacyBucketReader
members:
- "projectViewer:<YOURPROJECT>"
-名称:
类型:storage.v1.bucket
特性:
存储类别:区域
地点:美国西部1号
访问控制:
GCP政策:
绑定:
-角色:角色/storage.objectViewer
成员:
-“服务帐户:”
-角色:角色/storage.legacyBucketOwner
成员:
-“项目编辑器:”
-“项目所有者:”
-角色:角色/storage.legacyBucketReader
成员:
-“项目查看器:”
有关更多信息,请参阅。请注意,IAM绑定是相关的,但不同于bucket ACL和/或对象ACL。有关地面军事系统访问控制的更多信息,请参阅
还要注意的是,您希望在上述示例中包括完整的IAM绑定集。我非常确定这使用ACL模型而不是IAM模型作为权限。这太棒了
projectOwner
和projectEditor
记录在中,但从文档中不清楚它们是否应在gcpIamPolicy
中明确设置。顺便说一句,我们可以使用projectOwner:{{env['project']}}
来参数化它们。