Halaman ini diterjemahkan oleh Cloud Translation API.

Kontrol akses dengan IAM

Lanjutan Standar

Halaman ini menjelaskan opsi kontrol akses yang tersedia untuk Anda di Eventarc.

Ringkasan

Eventarc menggunakan Identity and Access Management (IAM) untuk kontrol akses.

Untuk mengetahui pengantar tentang IAM dan fitur-fiturnya, lihat Ringkasan IAM.
Untuk mempelajari cara memberikan dan mencabut akses menggunakan kebijakan izin, lihat Mengelola akses ke project, folder, dan organisasi.

Untuk mengontrol akses publikasi di Eventarc Advanced menggunakan kebijakan akses, lihat Mengontrol akses publikasi.

Untuk mengetahui daftar izin dan peran yang didukung Eventarc, lihat bagian berikut.

Agen layanan Eventarc

Beberapa layanan Google Cloud memiliki agen layanan yang memungkinkan layanan mengakses resource Anda jika diberi izin yang sesuai. Jika API memerlukan agen layanan, maka Google Cloud membuat agen layanan di beberapa titik setelah Anda mengaktifkan dan menggunakan API.

Eventarc menggunakan model penyediaan yang membuat agen layanannya hanya saat pertama kali diperlukan—misalnya, saat Anda membuat resource Eventarc untuk pertama kalinya—dan bukan saat API diaktifkan pertama kali. Penyediaan agen layanan dan penerapan perubahan melalui sistem dapat memerlukan waktu beberapa menit. Untuk mengetahui informasi selengkapnya tentang penundaan ini, lihat Izin ditolak saat menggunakan agen layanan Eventarc.

Mengaktifkan Eventarc API

Untuk melihat dan menetapkan peran IAM untuk Eventarc, Anda harus mengaktifkan Eventarc API untuk project Anda. Anda tidak akan dapat melihat peran Eventarc di konsol Google Cloud hingga Anda mengaktifkan API.

Aktifkan Eventarc API dan Eventarc Publishing API:

Konsol

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the APIs

gcloud

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

gcloud services enable eventarc.googleapis.com eventarcpublishing.googleapis.com

Peran yang telah ditetapkan

Tabel berikut mencantumkan peran IAM bawaan Eventarc dengan daftar terkait semua izin yang disertakan dalam setiap peran.

Peran bawaan ini mencakup sebagian besar kasus penggunaan umum. Jika kasus penggunaan Anda tidak tercakup oleh peran bawaan, Anda dapat membuat peran IAM kustom.

Peran Eventarc

Role Permissions

Role	Permissions
Eventarc Admin (`roles/eventarc.admin`) Full control over all Eventarc resources. Lowest-level resources where you can grant this role: Project	`eventarc.*` `eventarc.channelConnections.create` `eventarc.channelConnections.delete` `eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `eventarc.channelConnections.setIamPolicy` `eventarc.channels.attach` `eventarc.channels.create` `eventarc.channels.delete` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.channels.publish` `eventarc.channels.setIamPolicy` `eventarc.channels.undelete` `eventarc.channels.update` `eventarc.enrollments.create` `eventarc.enrollments.delete` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.enrollments.setIamPolicy` `eventarc.enrollments.update` `eventarc.events.receiveAuditLogWritten` `eventarc.events.receiveEvent` `eventarc.googleApiSources.create` `eventarc.googleApiSources.delete` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleApiSources.setIamPolicy` `eventarc.googleApiSources.update` `eventarc.googleChannelConfigs.get` `eventarc.googleChannelConfigs.update` `eventarc.kafkaSources.create` `eventarc.kafkaSources.delete` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.kafkaSources.setIamPolicy` `eventarc.locations.get` `eventarc.locations.list` `eventarc.messageBuses.create` `eventarc.messageBuses.delete` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.setIamPolicy` `eventarc.messageBuses.update` `eventarc.messageBuses.use` `eventarc.multiProjectSources.collectGoogleApiEvents` `eventarc.operations.cancel` `eventarc.operations.delete` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.create` `eventarc.pipelines.delete` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.pipelines.setIamPolicy` `eventarc.pipelines.update` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.create` `eventarc.triggers.delete` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `eventarc.triggers.setIamPolicy` `eventarc.triggers.undelete` `eventarc.triggers.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Connection Publisher ^Beta (`roles/eventarc.connectionPublisher`) Can publish events to Eventarc channel connections. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.get` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Developer (`roles/eventarc.developer`) Access to read and write Eventarc resources. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.create` `eventarc.channelConnections.delete` `eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `eventarc.channels.attach` `eventarc.channels.create` `eventarc.channels.delete` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.channels.publish` `eventarc.channels.undelete` `eventarc.channels.update` `eventarc.enrollments.create` `eventarc.enrollments.delete` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.enrollments.update` `eventarc.googleApiSources.create` `eventarc.googleApiSources.delete` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleApiSources.update` `eventarc.googleChannelConfigs.` `eventarc.googleChannelConfigs.get` `eventarc.googleChannelConfigs.update` `eventarc.kafkaSources.create` `eventarc.kafkaSources.delete` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.locations.` `eventarc.locations.get` `eventarc.locations.list` `eventarc.operations.` `eventarc.operations.cancel` `eventarc.operations.delete` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.create` `eventarc.pipelines.delete` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.pipelines.update` `eventarc.providers.` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.create` `eventarc.triggers.delete` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `eventarc.triggers.undelete` `eventarc.triggers.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Event Receiver (`roles/eventarc.eventReceiver`) Can receive events from all event providers. Lowest-level resources where you can grant this role: Project	`eventarc.events.*` `eventarc.events.receiveAuditLogWritten` `eventarc.events.receiveEvent`
Eventarc Message Bus Admin (`roles/eventarc.messageBusAdmin`) Full control over Message Buses resources.	`eventarc.messageBuses.create` `eventarc.messageBuses.delete` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.update` `eventarc.messageBuses.use`
Eventarc Message Bus User (`roles/eventarc.messageBusUser`) Access to publish to or bind to a Message Bus.	`eventarc.messageBuses.get` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.use`
Eventarc Event Collector ^Beta (`roles/eventarc.multiProjectEventCollector`) Can collect events from multiple projects in an org for a source resource.	`eventarc.multiProjectSources.collectGoogleApiEvents`
Eventarc Publisher ^Beta (`roles/eventarc.publisher`) Can publish events to Eventarc channels. Lowest-level resources where you can grant this role: Project	`eventarc.channels.get` `eventarc.channels.list` `eventarc.channels.publish` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Service Agent (`roles/eventarc.serviceAgent`) Gives Eventarc service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudfunctions.functions.get` `compute.instanceGroupManagers.get` `compute.networkAttachments.get` `compute.networkAttachments.update` `compute.networkAttachments.use` `compute.regionOperations.get` `container.clusters.connect` `container.clusters.get` `container.deployments.create` `container.deployments.delete` `container.deployments.get` `container.deployments.list` `container.deployments.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.serviceAccounts.create` `container.serviceAccounts.delete` `container.serviceAccounts.get` `container.serviceAccounts.list` `container.services.get` `container.services.list` `dns.networks.targetWithPeeringZone` `eventarc.channels.publish` `eventarc.messageBuses.publish` `eventarc.operations.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `monitoring.timeSeries.create` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.publish` `pubsub.topics.update` `run.jobs.get` `run.services.get` `serviceusage.services.use` `storage.buckets.get` `storage.buckets.update` `workflows.workflows.get`
Eventarc Viewer (`roles/eventarc.viewer`) Can view the state of all Eventarc resources, including IAM policies. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleChannelConfigs.get` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.locations.` `eventarc.locations.get` `eventarc.locations.list` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.use` `eventarc.multiProjectSources.collectGoogleApiEvents` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.providers.` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Eventarc Admin

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

Project

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.setIamPolicy
eventarc.enrollments.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.setIamPolicy
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.kafkaSources.create
eventarc.kafkaSources.delete
eventarc.kafkaSources.get
eventarc.kafkaSources.getIamPolicy
eventarc.kafkaSources.list
eventarc.kafkaSources.setIamPolicy
eventarc.locations.get
eventarc.locations.list
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.setIamPolicy
eventarc.messageBuses.update
eventarc.messageBuses.use
eventarc.multiProjectSources.collectGoogleApiEvents
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.setIamPolicy
eventarc.pipelines.update
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Connection Publisher ^Beta

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Developer

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.enrollments.create

eventarc.enrollments.delete

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.enrollments.update

eventarc.googleApiSources.create

eventarc.googleApiSources.delete

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleApiSources.update

eventarc.googleChannelConfigs.*

eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update

eventarc.kafkaSources.create

eventarc.kafkaSources.delete

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.*

eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list

eventarc.pipelines.create

eventarc.pipelines.delete

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.pipelines.update

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Event Receiver

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

Project

eventarc.events.*

eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent

Eventarc Message Bus Admin

(roles/eventarc.messageBusAdmin)

Full control over Message Buses resources.

eventarc.messageBuses.create

eventarc.messageBuses.delete

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.update

eventarc.messageBuses.use

Eventarc Message Bus User

(roles/eventarc.messageBusUser)

Access to publish to or bind to a Message Bus.

eventarc.messageBuses.get

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.use

Eventarc Event Collector ^Beta

(roles/eventarc.multiProjectEventCollector)

Can collect events from multiple projects in an org for a source resource.

eventarc.multiProjectSources.collectGoogleApiEvents

Eventarc Publisher ^Beta

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Service Agent

(roles/eventarc.serviceAgent)

Gives Eventarc service account access to managed resources.

cloudfunctions.functions.get

compute.instanceGroupManagers.get

compute.networkAttachments.get

compute.networkAttachments.update

compute.networkAttachments.use

compute.regionOperations.get

container.clusters.connect

container.clusters.get

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.list

container.deployments.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.list

dns.networks.targetWithPeeringZone

eventarc.channels.publish

eventarc.messageBuses.publish

eventarc.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.get

run.services.get

serviceusage.services.use

storage.buckets.get

storage.buckets.update

workflows.workflows.get

Eventarc Viewer

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleChannelConfigs.get

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.use

eventarc.multiProjectSources.collectGoogleApiEvents

eventarc.operations.get

eventarc.operations.list

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

Pengelolaan IAM di level project

Di tingkat project, Anda dapat memberikan, mengubah, dan mencabut peran IAM menggunakan konsol Google Cloud , IAM API, atau Google Cloud CLI. Untuk mengetahui petunjuknya, lihat Mengelola akses ke project, folder, dan organisasi.

Kontrol akses dengan IAM Tetap teratur dengan koleksi Simpan dan kategorikan konten berdasarkan preferensi Anda.

Ringkasan

Agen layanan Eventarc

Mengaktifkan Eventarc API

Konsol

gcloud

Peran yang telah ditetapkan

Peran Eventarc

Eventarc Admin

Eventarc Connection Publisher Beta

Eventarc Developer

Eventarc Event Receiver

Eventarc Message Bus Admin

Eventarc Message Bus User

Eventarc Event Collector Beta

Eventarc Publisher Beta

Eventarc Service Agent

Eventarc Viewer

Pengelolaan IAM di level project

Kontrol akses dengan IAM

Eventarc Connection Publisher ^Beta

Eventarc Event Collector ^Beta

Eventarc Publisher ^Beta