堆栈内存溢出
  简体   繁体   English

GCP - 控制对 Google Cloud Storage 服务帐户的访问

[英]GCP - Controlling access to Service Account for Google Cloud Storage

 原文  2020-04-01 14:27:54       google-cloud-platform/ google-cloud-storage

问题描述

I am trying to upload a file using @google-cloud/storage client from Node.js.我正在尝试使用 Node.js 中的 @google-cloud/storage 客户端上传文件。 I have successfully created a Service Account with the role that gives it right to create (upload), delete (reupload the object with same name) and download an object on Cloud Storage.我已成功创建了一个服务帐户,其角色赋予它在 Cloud Storage 上创建(上传)、删除(重新上传同名对象)和下载对象的权利。 This has been made possible due to the Storage Object Admin role.由于存储对象管理员角色,这已成为可能。

When I assigned the Storage Object Creator role, I was not able to upload an image with the same name to the Storage.当我分配存储对象创建者角色时,我无法将同名的图像上传到存储。

What I actually require is, I need to give the upload and delete rights but not the download rights to the Node.js client.我真正需要的是,我需要给 Node.js 客户端上传和删除权限,而不是下载权限。

It would also be great if there would be a way to only allow .jpg files to be uploaded.如果有一种方法只允许上传 .jpg 文件,那就太好了。 I tried to add conditions with the credentials, but that did not help.我尝试使用凭据添加条件,但这没有帮助。

1 个解决方案

解决方案1
 0  2020-04-01 17:08:48

You have to create a custom role with the following permissions:您必须创建具有以下权限的自定义角色

resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
storage.objects.delete

Please keep in mind that the permission storage.objects.create gives you the opportunity to add new objects to a bucket but also the chance to download the object that you created.请记住, storage.objects.create权限让您有机会向存储桶添加新对象,同时也有机会下载您创建的对象。 According to my testing, with this custom role you will not be able to download files that you did created.根据我的测试,使用此自定义角色您将无法下载您创建的文件。 If you try, you will receive the following error message:如果您尝试,您将收到以下错误消息:

403 service account does not have storage.objects.list permission

I do not think you can forbid a customer to download the object that he created.我认为您不能禁止客户下载他创建的对象。

Regarding the condition part, you can create conditions on download ( resource.name.endsWith(".jpg" ) but I do not think you create conditions on upload.关于条件部分,您可以在下载时创建条件( resource.name.endsWith(".jpg" ),但我认为您不会在上传时创建条件。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过服务帐户访问 Google Cloud Storage - Google Cloud Storage access via service account 无法访问 Cloud 中的 Google Cloud Storage 服务帐户密钥文件 - Unable to access Google Cloud Storage service account key file in Cloud GCP - 存储服务帐户访问问题 - GCP - Storage Service Account Access Issue 授予服务帐户访问谷歌云存储中的一个存储桶的权限 - Give service account access to one bucket in google cloud storage 服务帐户没有对 Google Cloud Storage 的 storage.objects.get 访问权限 - service account does not have storage.objects.get access for Google Cloud Storage Google Cloud Platform (GCP):如何为服务帐户提供额外的角色? - Google Cloud Platform (GCP): How to give additional roles to service account? 如何在Google Cloud Function中使用GCP服务帐户? - How to use GCP service account in Google Cloud Function? 我获得存储权限的服务帐户没有对 Google Cloud Storage 存储桶的 storage.objects.list 访问权限 - My service account which was given storage permissions does not have storage.objects.list access to the Google Cloud Storage bucket 如何在Google云存储权限中将访问权限限制为仅服务帐户用户 - How to restrict access to only service account users in google cloud storage permissions 如何让 Google Cloud Platform 上的服务帐户访问 Firebase 存储? - How to let service account on Google Cloud Platform to have access to the Firebase Storage?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM