GCP等同于“拒绝". AWS策略中的权限 [英] GCP equivalent of "deny" permissions in aws policy

问题描述

是否有一种方法可以拒绝GCP自定义角色中的权限? 例如，这是AWS中的一项策略，它拒绝了对S3的一组操作: { "Sid":"DenyS3"， 效果":拒绝"， "Action":"s3:Get *"， 资源":"*" } 有没有办法在GCP中定义类似的自定义角色?

Is there a way to deny permissions in GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3: { "Sid": "DenyS3", "Effect": "Deny", "Action": "s3:Get*", "Resource": "*" } Is there a way to define a similar custom role in GCP?

推荐答案

是否可以通过GCP自定义角色拒绝权限?

Is there a way to deny permissions in GCP custom role?

否，默认情况下，IAM角色是拒绝的，并且仅是加性的.

No, IAM roles are deny by default and are additive only.

如何仅获得特定图像名称的权限?

How do i get permissions only on a specific image name?

IAM角色的经典用例是将其分配给Google Project.这就是为什么角色向您授予该角色该类型的所有资源的权限.

The classic use case for IAM roles is to assign them to the Google Project. This is why a role grants you permission to all resources of that type for that role.

Google已开始发布基于身份的资源访问控制.这意味着您可以将具有角色的标识附加到单个资源而不是项目.对于支持此功能的资源，有一个右侧面板可让您设置权限.

Google has started to release Identity based access control on resources. This means that you can attach an identity with roles to individual resources instead of to the project. For resources that support this, there is a right-hand side panel that allows you to set permissions.

这篇关于GCP等同于“拒绝". AWS策略中的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！