英文:
Is there any way in google cloud storage where bucket is not public but it objects are public
问题
我正在使用一个 Golang 存储客户端,并且传递了 ACL 规则。
cloudObj := StorageClient.Bucket(BucketName).Object(fileName).NewWriter(ctx)
cloudObj.ACL = append(cloudObj.ACL, storage.ACLRule{Entity: storage.AllUsers, Role: storage.RoleReader})
在这里,我的存储桶是私有的,但是在上传文件后,当我尝试打开文件链接时,它显示 AccessDenied。不确定我做错了什么地方。
英文:
I am using a golang storage client and also passing the ACL Rule.
cloudObj := StorageClient.Bucket(BucketName).Object(fileName).NewWriter(ctx)
cloudObj.ACL = append(cloudObj.ACL, storage.ACLRule{Entity: storage.AllUsers, Role: storage.RoleReader})
Here my bucket is private but after uploading the file when I try to open the file link it says AccessDenied. Not sure where I am making it wrong.
答案1
得分: 1
是的,可以将您的对象设置为公开,同时使用私有存储桶。您可以通过使用签名 URL和签名策略文档来轻松实现这一点,以满足您的特定需求(使用户能够执行操作,例如查看文件或上传文件,并具有公开访问权限,而不会危及存储桶的安全性)。
但是,即使已设置了访问控制列表(ACL),您也无法公开访问对象,如果:
- 存储您的对象的存储桶受到公开访问预防的限制。
- 您的存储桶使用了统一存储桶级别访问。统一存储桶级别访问策略有两个后果:
- 它取消了存储桶和对象级别的ACL的使用,因此无法创建新的ACL,并且如果有的话,先前在对象上创建的ACL将被撤销。
- 它强制要求您的存储桶在与存储桶相关的所有操作(如查看、列出和创建对象)中仅使用IAM权限。因此,通过IAM是唯一授予访问权限的方式。
您可以使用以下命令检查存储桶是否启用了统一存储桶级别访问:
gsutil uniformbucketlevelaccess get gs://BUCKET_NAME // 其中BUCKET_NAME是相关存储桶的名称。
如果启用了统一存储桶级别访问,响应将如下所示:
> gs://my-bucket/的统一存储桶级别访问设置:
> 启用状态:True
> 锁定时间:LOCK_DATE
因此,为了满足您的要求,您需要为存储桶设置细粒度权限,这样您就可以同时使用IAM和访问控制列表(ACL)来管理权限。您可以在存储桶级别和每个单独对象级别指定访问权限并应用权限。
以下是设置对象ACL为公开(逐个设置或批量设置)的示例代码和gsutil命令,即使存储桶是私有的,您也可以使用它们使对象公开可读。
如果要使存储桶中的单个对象公开可读,请参考这个Go代码示例和以下gsutil命令:gsutil acl ch -u AllUsers:R gs://BUCKET_NAME/OBJECT_NAME
。
如果要使存储桶中的所有对象公开可读,请参考这个Go代码示例和以下gsutil命令:gsutil iam ch allUsers:objectViewer gs://BUCKET_NAME
。
英文:
Yes, it is possible to have your objects public with a private bucket. You can easily do that by using either Signed URLs and Signed Policy Documents for the specific requirements that I see you need (giving your users the ability to perform an operation, either view a file or upload a file with public access without compromising your bucket security)
Also you will not be able to access an object publicly even though the ACL has been set :
- If the bucket, in which your object is stored in, is subject to
public access prevention. - If your bucket uses uniform bucket-level access. This uniform
bucket-level-access policy has two consequences:- It cancels the use of ACL both at bucket and object level, so new ACL cannot be created and previously created ACL on your objects, if
any, are revoked. - It enforces your buckets to require IAM permissions only in all the operations relating to buckets such as viewing, listing and creating
objects. Therefore the only way to grant access is through IAM.
- It cancels the use of ACL both at bucket and object level, so new ACL cannot be created and previously created ACL on your objects, if
You can check if your bucket has uniform bucket level access using :
gsutil uniformbucketlevelaccess get gs://BUCKET_NAME // where BUCKET_NAME is the name of the relevant bucket.
If uniform bucket-level access is enabled, the response looks like:
> Uniform bucket-level access setting for gs://my-bucket/:
> Enabled: True
> LockedTime: LOCK_DATE
So, in order to meet your requirement, you have to set Fine grained permissions to your bucket, that way you can use IAM and Access Control Lists (ACLs) together to manage permissions. You can specify access and apply permissions at both the bucket level and per individual object.
This is the way to set the ACLs for your object to public (individually or all at once) in spite of having your bucket private.
Have a look at this Go code example and this gsutil command gsutil acl ch -u AllUsers:R gs://BUCKET_NAME/OBJECT_NAME
if making individual objects publicly readable in your bucket.
Have a look at this Go code example and this gsutil command gsutil iam ch allUsers:objectViewer gs://BUCKET_NAME
if making all objects publicly readable in your bucket.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论