我想设置bucket bucket_A上服务帐户sa-email.com的权限。
如何使用地形配置如下?
- sa-email.com可以在bucket_A中创建文件
- sa-email.com无法删除bucket_A中的文件
更新:
现在在我的项目中,sa电子邮件是存储对象管理员。
resource "google_project_iam_member" "aaaa" {
member = "sa-email.com"
project = "pid"
role = "roles/storage.objectAdmin"
}
我的项目大约有20桶
我只想将权限更改为一个bucket
我必须使用google_storage_bucket_iam_member来设置20个bucket吗
有没有办法只做一点更新?
更新2:
我的解决方案
google_project_iam_member with"条件";
resource "google_project_iam_member" "aaaa" {
member = "sa-email.com"
project = "pid"
role = "roles/storage.objectAdmin"
condition {
title = " bucket can delete "
expression = "!resource.name.startsWith("projects/_/buckets/bucket_can_not_delete")"
}
}
resource "google_project_iam_member" "bbbb" {
member = "sa-email.com"
project = "pid"
role = "roles/storage.objectCreator"
condition {
title = " bucket can not delete "
expression = "resource.name.startsWith("projects/_/buckets/bucket_can_not_delete")"
}
}
如果您需要一些帮助,而不是寻找一个万无一失的解决方案,那么您通常必须添加一个错误。
你只需要存储.objects.create权限,你不需要指定它。如果它没有权限,就不能删除它。这意味着存储对象创建者的角色在这里满足了您的需求,正如谷歌文档中所描述的:
允许用户创建对象。不授予查看、删除或替换对象的权限。您需要使用以下资源:
resource "google_storage_bucket_iam_member" "bucket_A" {
bucket = "bucket_A"
role = "roles/storage.objectCreator"
member = var.service_accounts
depends_on = [google_storage_bucket.bucket_A]
}
其中var.service_account是您的sa-email.com,因为它可能与环境有关,或者您可以将其添加为字符串。