Google uses AI technology to translate content into your preferred language. AI translations can contain errors.

Permissões e papéis do IAM

Nesta página, descrevemos as contas de serviço, os papéis e as permissões do Cloud Deploy.

O acesso no Cloud Deploy é controlado usando Identity and Access Management (IAM). O IAM permite criar e gerenciar permissões para Google Cloud recursos. O Cloud Deploy oferece um conjunto específico de papéis predefinidos do IAM , em que cada papel contém um conjunto de permissões. Você pode usar esses papéis para dar acesso mais detalhado a recursos específicos Google Cloud e impedir o acesso indesejado a outros recursos. Com o IAM, é possível adotar o princípio de segurança de privilégio mínimo, para conceder apenas o acesso necessário aos recursos.

Consulte Como usar o IAM para restringir o acesso ao Cloud Deploy para saber mais sobre os recursos avançados de segurança do controle de acesso.

Contas de serviço no Cloud Deploy

Por padrão, o Cloud Deploy é executado usando a conta de serviço padrão do Compute Engine. Para mais informações sobre como configurar essa conta de serviço para uso com o Cloud Deploy ou escolher uma conta diferente, consulte a documentação da conta de serviço de execução do Cloud Deploy.

Saiba mais sobre como o Cloud Deploy usa contas de serviço.

Papéis predefinidos do Cloud Deploy

Com o IAM, todo método de API na API Cloud Deploy exige que a identidade que faz a solicitação de API tenha as permissões apropriadas para usar o recurso. As permissões são concedidas por meio da definição de políticas que concedem papéis a um principal (usuário, grupo ou conta de serviço) do projeto. É possível conceder vários papéis a um principal no mesmo recurso.

A documentação do IAM inclui uma referência pesquisável de todos os papéis predefinidos.

A tabela a seguir lista os papéis do IAM do Cloud Deploy e as permissões que eles incluem:

Role Permissions

Role	Permissions
Cloud Deploy Admin (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	`clouddeploy.*` `clouddeploy.automationRuns.cancel` `clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.create` `clouddeploy.automations.delete` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.automations.update` `clouddeploy.config.get` `clouddeploy.customTargetTypes.create` `clouddeploy.customTargetTypes.delete` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.customTargetTypes.setIamPolicy` `clouddeploy.customTargetTypes.update` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.setIamPolicy` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.create` `clouddeploy.deployPolicies.delete` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.deployPolicies.setIamPolicy` `clouddeploy.deployPolicies.update` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.jobRuns.terminate` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.approve` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.ignoreJob` `clouddeploy.rollouts.list` `clouddeploy.rollouts.retryJob` `clouddeploy.rollouts.rollback` `clouddeploy.targets.create` `clouddeploy.targets.createTagBinding` `clouddeploy.targets.delete` `clouddeploy.targets.deleteTagBinding` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `clouddeploy.targets.setIamPolicy` `clouddeploy.targets.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Editor (`roles/clouddeploy.editor`) Editor role for Cloud Deploy	`clouddeploy.automationRuns.` `clouddeploy.automationRuns.cancel` `clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.` `clouddeploy.automations.create` `clouddeploy.automations.delete` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.automations.update` `clouddeploy.config.get` `clouddeploy.customTargetTypes.create` `clouddeploy.customTargetTypes.delete` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.customTargetTypes.update` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.create` `clouddeploy.deployPolicies.delete` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.deployPolicies.update` `clouddeploy.jobRuns.` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.jobRuns.terminate` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.*` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.approve` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.ignoreJob` `clouddeploy.rollouts.list` `clouddeploy.rollouts.retryJob` `clouddeploy.rollouts.rollback` `clouddeploy.targets.create` `clouddeploy.targets.delete` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `clouddeploy.targets.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Viewer (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	`clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.*` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Approver (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	`clouddeploy.config.get` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.rollouts.approve` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Custom Target Type Admin (`roles/clouddeploy.customTargetTypeAdmin`) Permission to manage CustomTargetType resources	`clouddeploy.config.get` `clouddeploy.customTargetTypes.*` `clouddeploy.customTargetTypes.create` `clouddeploy.customTargetTypes.delete` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.customTargetTypes.setIamPolicy` `clouddeploy.customTargetTypes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Developer (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	`clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.config.get` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.*` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	`clouddeploy.config.get` `logging.logEntries.create` `storage.objects.create` `storage.objects.get` `storage.objects.list`
Cloud Deploy Operator (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	`clouddeploy.automationRuns.` `clouddeploy.automationRuns.cancel` `clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.` `clouddeploy.automations.create` `clouddeploy.automations.delete` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.automations.update` `clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.jobRuns.terminate` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.ignoreJob` `clouddeploy.rollouts.list` `clouddeploy.rollouts.retryJob` `clouddeploy.rollouts.rollback` `clouddeploy.targets.create` `clouddeploy.targets.createTagBinding` `clouddeploy.targets.delete` `clouddeploy.targets.deleteTagBinding` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `clouddeploy.targets.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Policy Admin (`roles/clouddeploy.policyAdmin`) Permission to manage Deploy Policies.	`clouddeploy.deployPolicies.` `clouddeploy.deployPolicies.create` `clouddeploy.deployPolicies.delete` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.deployPolicies.setIamPolicy` `clouddeploy.deployPolicies.update` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.*` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Policy Overrider (`roles/clouddeploy.policyOverrider`) Permission to override Deploy Policies.	`clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Releaser (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	`clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.deliveryPipelines.get` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `clouddeploy.rollouts.rollback` `clouddeploy.targets.get` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Deploy Admin

(roles/clouddeploy.admin)

Full control of Cloud Deploy resources.

clouddeploy.*

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.config.get
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.getIamPolicy
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.setIamPolicy
clouddeploy.deployPolicies.update
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.approve
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.targets.createTagBinding
clouddeploy.targets.delete
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Editor

(roles/clouddeploy.editor)

Editor role for Cloud Deploy

clouddeploy.automationRuns.*

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list

clouddeploy.automations.*

clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update

clouddeploy.config.get

clouddeploy.customTargetTypes.create

clouddeploy.customTargetTypes.delete

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.customTargetTypes.update

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.create

clouddeploy.deployPolicies.delete

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.deployPolicies.override

clouddeploy.deployPolicies.update

clouddeploy.jobRuns.*

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.*

clouddeploy.rollouts.advance
clouddeploy.rollouts.approve
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback

clouddeploy.targets.create

clouddeploy.targets.delete

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Viewer

(roles/clouddeploy.viewer)

Can view Cloud Deploy resources.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.get

clouddeploy.operations.list

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Approver

(roles/clouddeploy.approver)

Permission to approve or reject rollouts.

clouddeploy.config.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.rollouts.approve

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Custom Target Type Admin

(roles/clouddeploy.customTargetTypeAdmin)

Permission to manage CustomTargetType resources

clouddeploy.config.get

clouddeploy.customTargetTypes.*

clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Developer

(roles/clouddeploy.developer)

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Runner

(roles/clouddeploy.jobRunner)

Permission to execute Cloud Deploy work without permission to deliver to a target.

clouddeploy.config.get

logging.logEntries.create

storage.objects.create

storage.objects.get

storage.objects.list

Cloud Deploy Operator

(roles/clouddeploy.operator)

Permission to manage deployment configuration.

clouddeploy.automationRuns.*

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list

clouddeploy.automations.*

clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.*

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.ignoreJob

clouddeploy.rollouts.list

clouddeploy.rollouts.retryJob

clouddeploy.rollouts.rollback

clouddeploy.targets.create

clouddeploy.targets.createTagBinding

clouddeploy.targets.delete

clouddeploy.targets.deleteTagBinding

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Policy Admin

(roles/clouddeploy.policyAdmin)

Permission to manage Deploy Policies.

clouddeploy.deployPolicies.*

clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.getIamPolicy
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.setIamPolicy
clouddeploy.deployPolicies.update

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Policy Overrider

(roles/clouddeploy.policyOverrider)

Permission to override Deploy Policies.

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.deployPolicies.override

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Releaser

(roles/clouddeploy.releaser)

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.deliveryPipelines.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.create

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.rollouts.rollback

clouddeploy.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Gives Cloud Deploy Service Account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.workerpools.use` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `logging.logEntries.create` `pubsub.topics.get` `pubsub.topics.publish` `servicemanagement.services.report` `serviceusage.services.use` `storage.buckets.create` `storage.buckets.get` `storage.objects.get`

Cloud Deploy Service Agent

(roles/clouddeploy.serviceAgent)

Gives Cloud Deploy Service Account access to managed resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

pubsub.topics.get

pubsub.topics.publish

servicemanagement.services.report

serviceusage.services.use

storage.buckets.create

storage.buckets.get

storage.objects.get

Além dos papéis predefinidos do Cloud Deploy, os papéis de Leitor, Editor e Proprietário básicos também incluem permissões relacionadas ao Cloud Deploy. No entanto, recomendamos que você conceda papéis predefinidos sempre que possível para obedecer ao princípio de segurança do menor privilégio.

Permissões

A tabela a seguir lista as permissões que o solicitante precisa ter para chamar cada método:

Método de API	Permissão necessária	Descrição
`automations.create()`	`clouddeploy.automations.create`	Crie um novo recurso de automação.
`automations.delete()`	`clouddeploy.automations.delete`	Exclua um recurso de automação atual.
`automations.get()`	`clouddeploy.automations.get`	Recupere detalhes de um recurso de automação individual.
`automations.list()`	`clouddeploy.automations.list`	Liste recursos de automação e os respectivos metadados.
`automations.update()`	`clouddeploy.automations.update`	Atualize um recurso de automação atual.
`automationRuns.cancel()`	`clouddeploy.automationRuns.cancel`	Cancele uma automação em execução.
`automationRuns.get()`	`clouddeploy.automationRuns.get`	Recupere detalhes de uma execução de automação individual.
`automationRuns.list()`	`clouddeploy.automationRuns.list`	Liste execuções de automação e os respectivos metadados.
`customTargetTypes.create()`	`clouddeploy.customTargetTypes.create`	Crie um recurso de tipo de destino personalizado.
`customTargetTypes.delete()`	`clouddeploy.customTargetTypes.delete`	Exclua um recurso de tipo de destino personalizado.
`customTargetTypes.get()`	`clouddeploy.customTargetTypes.get`	Recupere detalhes de um tipo de destino personalizado.
`customTargetTypes.getIamPolicy()`	`clouddeploy.customTargetTypes.getIamPolicy`	Receba a política do IAM para um recurso de tipo de destino personalizado.
`customTargetTypes.list()`	`clouddeploy.customTargetTypes.list`	Liste os tipos de destino personalizados disponíveis e os respectivos metadados.
`customTargetTypes.patch()`	`clouddeploy.customTargetTypes.patch`	Atualize um tipo de destino personalizado.
`customTargetTypes.setIamPolicy()`	`clouddeploy.customTargetTypes.setIamPolicy`	Defina a política do IAM para um recurso de tipo de destino personalizado.
`deliveryPipelines.create()`	`clouddeploy.deliveryPipelines.create`	Crie um novo recurso de pipeline de entrega.
`deliveryPipelines.delete()`	`clouddeploy.deliveryPipelines.delete`	Exclua um recurso de pipeline de entrega atual.
`deliveryPipelines.get()`	`clouddeploy.deliveryPipelines.get`	Recupere detalhes de um pipeline de entrega individual.
`deliveryPipelines.getIamPolicy()`	`clouddeploy.deliveryPipelines.getIamPolicy`	Receba a política do IAM para um recurso de pipeline de entrega.
`deliveryPipelines.list()`	`clouddeploy.deliveryPipelines.list`	Liste pipelines de entrega e respectivos metadados.
`deliveryPipelines.rollbackTarget()`	`clouddeploy.rollouts.rollback`	Reverte um destino.
`deliveryPipelines.setIamPolicy()`	`clouddeploy.deliveryPipelines.setIamPolicy`	Defina a política do IAM para um recurso de pipeline de entrega.
`deliveryPipelines.update()`	`clouddeploy.deliveryPipelines.update`	Atualiza um recurso de pipeline de entrega atual.
`deployPolicies.create()`	`clouddeploy.deployPolicies.create`	Crie um recurso de política de implantação.
`deployPolicies.delete()`	`clouddeploy.deployPolicies.delete`	Exclua um recurso de política de implantação.
`deployPolicies.get()`	`clouddeploy.deployPolicies.get`	Recupere detalhes de um recurso de política de implantação.
`deployPolicies.list()`	`clouddeploy.deployPolicies.list`	Liste as políticas de implantação disponíveis e os respectivos metadados.
`jobRuns.get()`	`clouddeploy.jobRuns.get`	Recupere um recurso `JobRuns`.
`jobRuns.list()`	`clouddeploy.jobRuns.list`	Liste recursos `JobRuns` e os respectivos metadados.
`jobRuns.terminate()`	`clouddeploy.jobRuns.terminate`	Encerre uma execução de job em andamento.
`operations.cancel()`	`clouddeploy.operations.cancel`	Cancelar uma operação de longa duração.
`operation.delete()`	`clouddeploy.operations.delete`	Excluir uma operação de longa duração.
`operations.get()`	`clouddeploy.operations.get`	Receba uma operação específica de longa duração (por exemplo, para retornar o status da criação de uma versão).
`operations.list()`	`clouddeploy.operations.list`	Listar operações de longa duração.
`releases.abandon()`	`clouddeploy.releases.abandon`	Abandone uma versão e impeça outros lançamentos.
`releases.create()`	`clouddeploy.releases.create`	Crie um novo recurso de lançamento. O autor da chamada também requer a permissão `iam.serviceAccounts.actAs` na conta de serviço usada para renderizar o manifesto.
`releases.get()`	`clouddeploy.releases.get`	Recuperar detalhes de uma versão.
`releases.list()`	`clouddeploy.releases.list`	Listar versões e metadados.
`rollouts.advance()`	`clouddeploy.rollouts.advance`	Avance um lançamento para a próxima fase.
`rollouts.approve()`	`clouddeploy.rollouts.approve`	Aprove ou recuse um lançamento com o estado de aprovação `required`.
`rollouts.cancel()`	`clouddeploy.rollouts.cancel`	Cancele um lançamento.
`rollouts.create()`	`clouddeploy.rollouts.create`	Crie um novo recurso de lançamento ou promova uma versão. O autor da chamada também requer a permissão `iam.serviceAccounts.actAs` no projeto ou na conta de serviço usada para implantar.
`rollouts.get()`	`clouddeploy.rollouts.get`	Recuperar detalhes de um lançamento individual
`rollouts.ignoreJob()`	`clouddeploy.rollouts.ignoreJob`	Ignore um job com falha.
`rollouts.list()`	`clouddeploy.rollouts.list`	Listar lançamentos e metadados.
`rollouts.retryJob()`	`clouddeploy.rollouts.retryJob`	Repete um job com falha.
`rollouts.advance()`, `rollouts.approve()`, `rollouts.cancel()`, `rollouts.create()`, `rollouts.ignoreJob()`, `rollouts.retryJob()`, `deliveryPipelines.rollbackTarget()`, `jobRuns.terminate()`	`clouddeploy.deployPolicies.override`	Substitua um recurso de política de implantação.
`deployPolicies.update()`	`clouddeploy.deployPolicies.update`	Atualize um recurso de política de implantação.
`targets.create()`	`clouddeploy.targets.create`	Crie um novo recurso de destino.
`targets.delete()`	`clouddeploy.targets.delete`	Exclua um recurso de destino existente.
`targets.get()`	`clouddeploy.targets.get`	Recuperar detalhes de um destino individual.
`targets.getIamPolicy()`	`clouddeploy.targets.getIamPolicy`	Recebe a política do IAM para um recurso de destino.
`targets.list()`	`clouddeploy.targets.list`	Listar destinos e os respectivos metadados.
`targets.setIamPolicy()`	`clouddeploy.targets.setIamPolicy`	Define a política do IAM para um recurso de destino.
`targets.update()`	`clouddeploy.targets.update`	Atualize um recurso de destino existente.

Como usar o IAM para restringir ações nos recursos do Cloud Deploy

É possível proteger os recursos do Cloud Deploy usando o IAM das seguintes maneiras:

APIs meta do IAM

Use setIamPolicy nos recursos do Cloud Deploy para restringir ações nesses recursos.
IAM condicional

Aplique políticas de acesso programaticamente, incluindo as condições sob as quais conceder ou negar acesso.

É possível usar essas políticas e condições para restringir as seguintes ações nos recursos do Cloud Deploy:

Criar um pipeline ou um destino de entrega

Você pode conceder esse acesso a usuários ou grupos específicos.
Atualizar ou excluir um pipeline de entrega específico

Você pode conceder esse acesso a usuários ou grupos específicos.
Criar uma versão para um pipeline de entrega específico

Você pode conceder esse acesso a usuários ou grupos específicos.
Atualizar ou excluir uma segmentação específica

Você pode conceder esse acesso a usuários ou grupos específicos.
Criar ou aprovar um lançamento ou promover uma versão

É possível conceder esse acesso a usuários ou grupos específicos de um determinado pipeline de destino ou entrega.

Também é possível definir uma condição que limite esse acesso em um período especificado.

A seguir

Saiba mais sobre IAM.
Saiba mais sobre como usar condições no IAM.
Saiba mais sobre as contas de serviço do Cloud Deploy.

Permissões e papéis do IAM Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Contas de serviço no Cloud Deploy

Papéis predefinidos do Cloud Deploy

Cloud Deploy Admin

Cloud Deploy Editor

Cloud Deploy Viewer

Cloud Deploy Approver

Cloud Deploy Custom Target Type Admin

Cloud Deploy Developer

Cloud Deploy Runner

Cloud Deploy Operator

Cloud Deploy Policy Admin

Cloud Deploy Policy Overrider

Cloud Deploy Releaser

Service agent roles

Cloud Deploy Service Agent

Permissões

Como usar o IAM para restringir ações nos recursos do Cloud Deploy

A seguir

Permissões e papéis do IAM