new Iam(bucket)
Get and set IAM policies for your Cloud Storage bucket.
See: Cloud Storage IAM Management; Granting, Changing, and Revoking Access; IAM Roles.
Parameters:
Name | Type | Description |
---|---|---|
bucket | Bucket | The parent instance. |
Methods
getPolicy([options], [callback]) → {Promise.<GetPolicyResponse>}
Get the IAM policy.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
options | GetPolicyOptions | <optional> | Request options. |
callback | GetPolicyCallback | <optional> | Callback function. |
Returns:
Type | Description |
---|---|
Promise.<GetPolicyResponse> |
Examples
```
// Client, then a handle to the bucket whose IAM policy is read.
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
const bucket = storage.bucket('my-bucket');

// Callback style. Policy version 3 is requested so that bindings that
// carry a condition are returned in full.
bucket.iam.getPolicy(
  {requestedPolicyVersion: 3},
  (err, policy, apiResponse) => {
  },
);

//-
// Promise style: the same call without a callback resolves to
// [policy, apiResponse].
//-
bucket.iam.getPolicy({requestedPolicyVersion: 3})
  .then(([policy, apiResponse]) => {
  });
```
/**
* TODO(developer): Uncomment the following lines before running the sample.
*/
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// Imports the Google Cloud client library
// Imports the Google Cloud client library and creates the client that
// the sample function below uses to reach the bucket.
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
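/**
 * Prints every IAM binding on the bucket named by `bucketName`: the
 * role, its members, and the condition (if any) that scopes the grant.
 *
 * Policy version 3 is requested so that conditional bindings are
 * returned; a binding with a condition only grants the role while its
 * expression holds, so the expression is printed for review as well.
 *
 * @returns {Promise<void>} resolves once all bindings are printed.
 * @throws re-throws any error raised by the getPolicy request.
 */
async function viewBucketIamMembers() {
  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const [policy] = await storage
    .bucket(bucketName)
    .iam.getPolicy({requestedPolicyVersion: 3});

  // A policy without any bindings would leave `bindings` undefined;
  // treat that as "nothing to print" instead of failing in the loop.
  const bindings = policy.bindings || [];

  console.log(`Bindings for bucket ${bucketName}:`);
  for (const {role, members = [], condition} of bindings) {
    console.log(` Role: ${role}`);
    console.log(' Members:');
    for (const member of members) {
      console.log(` ${member}`);
    }
    if (condition) {
      console.log(' Condition:');
      console.log(` Title: ${condition.title}`);
      console.log(` Description: ${condition.description}`);
      console.log(` Expression: ${condition.expression}`);
    }
  }
}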
// Entry point: report a failure on stderr rather than leaving an
// unhandled rejection.
viewBucketIamMembers().catch((err) => console.error(err));
setPolicy(policy, [options], callback) → {Promise.<SetPolicyResponse>}
Set the IAM policy.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
policy | Policy | | The policy. |
options | SetPolicyOptions | <optional> | Configuration options. |
callback | SetPolicyCallback | | Callback function. |
Returns:
Type | Description |
---|---|
Promise.<SetPolicyResponse> |
Throws:
- Error — if no policy is provided.
Examples
```
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
const bucket = storage.bucket('my-bucket');

// A complete policy. setPolicy replaces whatever the bucket currently
// has, so every binding that should survive must be listed here; to
// add one member to an existing policy, read it with getPolicy first
// and push onto its bindings (see the addBucketIamMember sample).
const myPolicy = {
  bindings: [
    {
      role: 'roles/storage.admin',
      members: ['serviceAccount:myotherproject@appspot.gserviceaccount.com'],
    },
  ],
};

// Callback style.
bucket.iam.setPolicy(myPolicy, (err, policy, apiResponse) => {});

//-
// If the callback is omitted, we'll return a Promise.
//-
bucket.iam.setPolicy(myPolicy).then(([policy, apiResponse]) => {});
```
/**
* TODO(developer): Uncomment the following lines before running the sample.
*/
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The role to grant
// const roleName = 'roles/storage.objectViewer';
// The members to grant the new role to
// const members = [
// 'user:jdoe@example.com',
// 'group:admins@example.com',
// ];
// Imports the Google Cloud client library
// Imports the Google Cloud client library and creates the client used
// by the sample function below.
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
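/**
 * Grants `roleName` to each of `members` on the bucket `bucketName`.
 *
 * Read-modify-write: the current policy is fetched, the grant is merged
 * in, and the whole policy is written back with setPolicy. The grant is
 * merged into the existing unconditional binding for the role when there
 * is one, instead of always pushing a second binding for the same role;
 * keeping one unconditional binding per role is what the
 * removeBucketIamMember sample relies on when it looks the role up.
 *
 * @returns {Promise<void>}
 * @throws re-throws errors from getPolicy or setPolicy.
 */
async function addBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
  policy.bindings = policy.bindings || [];

  // Reuse the unconditional binding for this role if present. Bindings
  // that carry a condition are deliberately left alone so that their
  // scope is not widened by the new members.
  let binding = policy.bindings.find(
    (b) => b.role === roleName && !b.condition
  );
  if (!binding) {
    binding = {role: roleName, members: []};
    policy.bindings.push(binding);
  }
  // Set semantics: a member that already holds the role is not listed twice.
  binding.members = [...new Set([...(binding.members || []), ...members])];

  // Updates the bucket's IAM policy. NOTE(review): the policy returned by
  // getPolicy should carry an etag; writing the same object back lets the
  // service reject this update if the policy changed since the read —
  // confirm the client forwards it.
  await bucket.iam.setPolicy(policy);

  console.log(
    `Added the following member(s) with role ${roleName} to ${bucketName}:`
  );
  for (const member of members) {
    console.log(` ${member}`);
  }
}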
// Entry point: report a failure on stderr rather than leaving an
// unhandled rejection.
addBucketIamMember().catch((err) => console.error(err));
/**
* TODO(developer): Uncomment the following lines before running the sample.
*/
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The role to revoke
// const roleName = 'roles/storage.objectViewer';
// The members to revoke the roles from
// const members = [
// 'user:jdoe@example.com',
// 'group:admins@example.com',
// ];
// Imports the Google Cloud client library
// Imports the Google Cloud client library and creates the client used
// by the sample function below.
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
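/**
 * Revokes `roleName` from each of `members` on the bucket `bucketName`.
 *
 * Only the unconditional binding for the role is edited; a member that
 * also holds the same role through a conditional binding keeps it, so
 * check the policy (see viewBucketIamMembers) when a full revocation is
 * intended. The binding is dropped entirely once it has no members left.
 *
 * @returns {Promise<void>}
 * @throws {Error} 'No matching role-member group(s) found.' when the
 *   policy has no unconditional binding for `roleName`.
 */
async function removeBucketIamMember() {
  // Get a reference to a Google Cloud Storage bucket
  const bucket = storage.bucket(bucketName);

  // For more information please read:
  // https://cloud.google.com/storage/docs/access-control/iam
  const [policy] = await bucket.iam.getPolicy({requestedPolicyVersion: 3});
  const bindings = policy.bindings || [];

  // Finds the appropriate role-member group, without a condition.
  const index = bindings.findIndex(
    (binding) => binding.role === roleName && !binding.condition
  );
  if (index === -1) {
    // No matching role-member group(s) were found
    throw new Error('No matching role-member group(s) found.');
  }

  const revoked = new Set(members);
  const remaining = bindings[index].members.filter(
    (member) => !revoked.has(member)
  );

  // Drop the binding when it is now empty; otherwise store the reduced
  // member list on the binding at `index`. (The previous version wrote
  // to `policy.bindings.index`, a stray property, instead of the slot.)
  if (remaining.length === 0) {
    bindings.splice(index, 1);
  } else {
    bindings[index].members = remaining;
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);

  console.log(
    `Removed the following member(s) with role ${roleName} from ${bucketName}:`
  );
  for (const member of members) {
    console.log(` ${member}`);
  }
}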
// Entry point: report a failure on stderr rather than leaving an
// unhandled rejection.
removeBucketIamMember().catch((err) => console.error(err));
testPermissions(permissions, [options], [callback]) → {Promise.<TestIamPermissionsResponse>}
Test a set of permissions for a resource.
Parameters:
Name | Type | Attributes | Description |
---|---|---|---|
permissions | string \| Array.<string> | | The permission(s) to test for. |
options | TestIamPermissionsOptions | <optional> | Configuration object. |
callback | TestIamPermissionsCallback | <optional> | Callback function. |
Returns:
Type | Description |
---|---|
Promise.<TestIamPermissionsResponse> |
Throws:
- Error — if permissions are not provided.
Example
```
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
const bucket = storage.bucket('my-bucket');

//-
// Test a single permission. The result maps each permission name to
// whether the caller has it on the bucket.
//-
const test = 'storage.buckets.delete';
bucket.iam.testPermissions(test, (err, permissions, apiResponse) => {
  console.log(permissions);
  // {
  //   "storage.buckets.delete": true
  // }
});

//-
// Test several permissions at once.
//-
const tests = ['storage.buckets.delete', 'storage.buckets.get'];
bucket.iam.testPermissions(tests, (err, permissions) => {
  console.log(permissions);
  // {
  //   "storage.buckets.delete": false,
  //   "storage.buckets.get": true
  // }
});

//-
// If the callback is omitted, we'll return a Promise that resolves to
// [permissions, apiResponse].
//-
bucket.iam.testPermissions(test).then(([permissions, apiResponse]) => {});
```