Google Cloud Deployment Manager:如何在创建存储桶时设置IAM

时间:2017-06-22 18:03:31

标签: deployment google-cloud-platform google-cloud-storage google-deployment-manager

我使用Google Cloud Deployment Manager创建了一个存储桶(见下文),但忽略了权限部分,我找不到使用Google Cloud Deployment Manager设置IAM的任何示例。你能帮忙吗?

    resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        iam-policy:
          bindings:
          - role: roles/storage.objectViewer
            members:
            - allUsers

2 个答案:

答案 0 :(得分:2)

现在可以使用IAM绑定装饰Deployment Manager对象。这样的事情应该有效:

- name: <BUCKETNAME>
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: us-west1
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/storage.objectViewer
        members:
        - "serviceAccount:<YOURSERVICEACCOUNT>"
      - role: roles/storage.legacyBucketOwner
        members:
        - "projectEditor:<YOURPROJECT>"
        - "projectOwner:<YOURPROJECT>"
      - role: roles/storage.legacyBucketReader
        members:
        - "projectViewer:<YOURPROJECT>"

有关详细信息,请参阅https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources。请注意,IAM绑定是相关的,但与存储区ACL和/或对象ACL不同。有关GCS访问控制的详细信息,请参阅https://cloud.google.com/storage/docs/access-control/

另请注意,您需要在上述示例中包含完整的IAM绑定集。

答案 1 :(得分:0)

您可以设置2个级别的访问权限 - 存储桶级别&amp;对象级别。尝试这样的事情:

 resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        acl:
        - role: READER
          entity: allUsers  # maybe allAuthenticatedUsers?
        defaultObjectAcl:
        - entity: allUsers  # maybe allAuthenticatedUsers?
          role: READER
相关问题
最新问题