[英]What permissions are needed for an service account to generate signed url for blobs on cloud storage in gcp
I would like to know exact permissions needed by a service account to be able to generate signed urls (GET and PUT) on any object in a specific bucket B1.我想知道服务帐户需要的确切权限才能在特定存储桶 B1 中的任何 object 上生成签名 url(GET 和 PUT)。 A terraform script is welcome.欢迎使用 terraform 脚本。 Currently I just use default app engine service account which has a lot of extra permissions目前我只使用默认的应用引擎服务帐户,它有很多额外的权限
To generate a GET signed url, your service account needs to have storage.objects.get
permission要生成 GET 签名 url,您的服务帐户需要具有storage.objects.get
权限
To generate a PUT signed url, your service account needs to have storage.objects.create
permission要生成 PUT 签名 url,您的服务帐户需要具有storage.objects.create
权限
So ideally I would create a new role - generate_signed_url
and grant these 2 permissions on that role.所以理想情况下,我会创建一个新角色 - generate_signed_url
并授予该角色的这两个权限。 Then assign that role to the service account that's being used to generate a signed url.然后将该角色分配给用于生成签名 url 的服务帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.