Controlo de acesso com a IAM

Esta página descreve as opções de controlo de acesso disponíveis no Eventarc.

Vista geral

O Eventarc usa a gestão de identidade e de acesso (IAM) para o controlo de acesso.

Para ver listas das autorizações e funções suportadas pelo Eventarc, consulte as secções seguintes.

Agente de serviço do Eventarc

Alguns Google Cloud serviços têm agentes de serviço que permitem que o serviço aceda aos seus recursos se lhe forem concedidas as autorizações adequadas. Se uma API exigir um agente de serviço, o Google Cloud cria o agente de serviço em algum momento após a ativação e utilização da API. Google Cloud

O Eventarc usa um modelo de aprovisionamento que cria o respetivo agente de serviço apenas quando é necessário pela primeira vez, por exemplo, quando cria um recurso do Eventarc pela primeira vez, e não quando a API é ativada inicialmente. O aprovisionamento do agente de serviço e a propagação das alterações através do sistema podem demorar vários minutos. Para mais informações acerca deste atraso, consulte o artigo Autorização recusada ao usar o agente do serviço Eventarc.

Ative as APIs Eventarc

Para ver e atribuir funções da IAM para o Eventarc, tem de ativar as APIs Eventarc para o seu projeto. Não pode ver as funções do Eventarc na Google Cloud consola até ativar as APIs.

Ative a API Eventarc e a API Eventarc Publishing:

Consola

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the APIs

gcloud

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

gcloud services enable eventarc.googleapis.com eventarcpublishing.googleapis.com

Funções predefinidas

A tabela seguinte apresenta as funções de IAM predefinidas do Eventarc com uma lista correspondente de todas as autorizações que cada função inclui.

As funções predefinidas abordam os exemplos de utilização mais típicos. Se o seu exemplo de utilização não estiver coberto pelas funções predefinidas, pode criar uma função personalizada do IAM.

Funções do Eventarc

Role Permissions

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.*

  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channelConnections.setIamPolicy
  • eventarc.channels.attach
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.setIamPolicy
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.enrollments.create
  • eventarc.enrollments.delete
  • eventarc.enrollments.get
  • eventarc.enrollments.getIamPolicy
  • eventarc.enrollments.list
  • eventarc.enrollments.setIamPolicy
  • eventarc.enrollments.update
  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent
  • eventarc.googleApiSources.create
  • eventarc.googleApiSources.delete
  • eventarc.googleApiSources.get
  • eventarc.googleApiSources.getIamPolicy
  • eventarc.googleApiSources.list
  • eventarc.googleApiSources.setIamPolicy
  • eventarc.googleApiSources.update
  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update
  • eventarc.kafkaSources.create
  • eventarc.kafkaSources.delete
  • eventarc.kafkaSources.get
  • eventarc.kafkaSources.getIamPolicy
  • eventarc.kafkaSources.list
  • eventarc.kafkaSources.setIamPolicy
  • eventarc.locations.get
  • eventarc.locations.list
  • eventarc.messageBuses.create
  • eventarc.messageBuses.delete
  • eventarc.messageBuses.get
  • eventarc.messageBuses.getIamPolicy
  • eventarc.messageBuses.list
  • eventarc.messageBuses.publish
  • eventarc.messageBuses.setIamPolicy
  • eventarc.messageBuses.update
  • eventarc.messageBuses.use
  • eventarc.multiProjectSources.collectGoogleApiEvents
  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.pipelines.create
  • eventarc.pipelines.delete
  • eventarc.pipelines.get
  • eventarc.pipelines.getIamPolicy
  • eventarc.pipelines.list
  • eventarc.pipelines.setIamPolicy
  • eventarc.pipelines.update
  • eventarc.providers.get
  • eventarc.providers.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • eventarc.triggers.undelete
  • eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.enrollments.create

eventarc.enrollments.delete

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.enrollments.update

eventarc.googleApiSources.create

eventarc.googleApiSources.delete

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleApiSources.update

eventarc.googleChannelConfigs.*

  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update

eventarc.kafkaSources.create

eventarc.kafkaSources.delete

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.*

  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list

eventarc.pipelines.create

eventarc.pipelines.delete

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.pipelines.update

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

  • Project

eventarc.events.*

  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent

(roles/eventarc.messageBusAdmin)

Full control over Message Buses resources.

eventarc.messageBuses.create

eventarc.messageBuses.delete

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.update

eventarc.messageBuses.use

(roles/eventarc.messageBusUser)

Access to publish to or bind to a Message Bus.

eventarc.messageBuses.get

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.use

(roles/eventarc.multiProjectEventCollector)

Can collect events from multiple projects in an org for a source resource.

eventarc.multiProjectSources.collectGoogleApiEvents

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.serviceAgent)

Gives Eventarc service account access to managed resources.

cloudfunctions.functions.get

compute.instanceGroupManagers.get

compute.networkAttachments.get

compute.networkAttachments.update

compute.networkAttachments.use

compute.regionOperations.get

container.clusters.connect

container.clusters.get

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.list

container.deployments.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.list

dns.networks.targetWithPeeringZone

eventarc.channels.publish

eventarc.messageBuses.publish

eventarc.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.get

run.services.get

serviceusage.services.use

storage.buckets.get

storage.buckets.update

workflows.workflows.get

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleChannelConfigs.get

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.use

eventarc.multiProjectSources.collectGoogleApiEvents

eventarc.operations.get

eventarc.operations.list

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

Gestão de IAM ao nível do projeto

Ao nível do projeto, pode conceder, alterar e revogar funções do IAM através da Google Cloud consola, da API IAM ou da CLI Google Cloud. Para ver instruções, consulte o artigo Faça a gestão do acesso a projetos, pastas e organizações.