使用 IAM 控管存取權

本頁說明 Eventarc 提供的存取控管選項。

總覽

Eventarc 使用 Identity and Access Management (IAM) 控管存取權。

如需 Eventarc 支援的權限與角色清單,請參閱以下各節。

Eventarc 服務代理

部分 Google Cloud 服務有服務代理,只要授予適當權限,服務就能存取您的資源。如果 API 需要服務代理程式,則 Google Cloud 會在您啟用及使用 API 後的某個時間點建立服務代理程式。

Eventarc 採用佈建模型,只會在首次需要時建立服務代理程式 (例如首次建立 Eventarc 資源時),而不是在首次啟用 API 時。佈建服務代理並透過系統傳播變更,可能需要幾分鐘的時間。如要進一步瞭解這項延遲,請參閱「權限遭拒錯誤」。

啟用 Eventarc API

如要查看及指派 Eventarc 的 IAM 角色,您必須為專案啟用 Eventarc API。您必須先啟用 API,才能在 Google Cloud 控制台中查看 Eventarc 角色。

控制台

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Eventarc and Eventarc Publishing APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Eventarc and Eventarc Publishing APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

    8.

gcloud

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。

  2. 安裝 Google Cloud CLI。

  3. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  4. 執行下列指令,初始化 gcloud CLI:

    gcloud init

  5. 建立或選取 Google Cloud 專案

    選取或建立專案所需的角色

    • 選取專案:選取專案時,不需要具備特定 IAM 角色,只要您已獲授角色,即可選取任何專案。
    • 建立專案:如要建立專案,您需要具備專案建立者角色 (roles/resourcemanager.projectCreator),其中包含 resourcemanager.projects.create 權限。瞭解如何授予角色

    • 建立 Google Cloud 專案:

      gcloud projects create PROJECT_ID

      PROJECT_ID 替換為您要建立的 Google Cloud 專案名稱。

    • 選取您建立的 Google Cloud 專案:

      gcloud config set project PROJECT_ID

      PROJECT_ID 替換為 Google Cloud 專案名稱。

  6. 確認專案已啟用計費功能 Google Cloud

  7. 啟用 Eventarc 和 Eventarc Publishing API:

    啟用 API 時所需的角色

    如要啟用 API,您需要具備服務使用情形管理員 IAM 角色 (roles/serviceusage.serviceUsageAdmin),其中包含 serviceusage.services.enable 權限。瞭解如何授予角色

    gcloud services enable eventarc.googleapis.com eventarcpublishing.googleapis.com

  8. 安裝 Google Cloud CLI。

  9. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  10. 執行下列指令,初始化 gcloud CLI:

    gcloud init

  11. 建立或選取 Google Cloud 專案

    選取或建立專案所需的角色

    • 選取專案:選取專案時,不需要具備特定 IAM 角色,只要您已獲授角色,即可選取任何專案。
    • 建立專案:如要建立專案,您需要具備專案建立者角色 (roles/resourcemanager.projectCreator),其中包含 resourcemanager.projects.create 權限。瞭解如何授予角色

    • 建立 Google Cloud 專案:

      gcloud projects create PROJECT_ID

      PROJECT_ID 替換為您要建立的 Google Cloud 專案名稱。

    • 選取您建立的 Google Cloud 專案:

      gcloud config set project PROJECT_ID

      PROJECT_ID 替換為 Google Cloud 專案名稱。

  12. 確認專案已啟用計費功能 Google Cloud

  13. 啟用 Eventarc 和 Eventarc Publishing API:

    啟用 API 時所需的角色

    如要啟用 API,您需要具備服務使用情形管理員 IAM 角色 (roles/serviceusage.serviceUsageAdmin),其中包含 serviceusage.services.enable 權限。瞭解如何授予角色

    gcloud services enable eventarc.googleapis.com eventarcpublishing.googleapis.com
    14.

預先定義的角色

下表列出 Eventarc 預先定義的 IAM 角色,以及各角色具備的所有權限對應清單。

預先定義的角色可因應許多一般用途。如果預先定義的角色無法滿足您的用途,可以建立 IAM 自訂角色

Eventarc 角色

Role Permissions

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.*

  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channelConnections.setIamPolicy
  • eventarc.channels.attach
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.setIamPolicy
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.enrollments.create
  • eventarc.enrollments.delete
  • eventarc.enrollments.get
  • eventarc.enrollments.getIamPolicy
  • eventarc.enrollments.list
  • eventarc.enrollments.setIamPolicy
  • eventarc.enrollments.update
  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent
  • eventarc.googleApiSources.create
  • eventarc.googleApiSources.delete
  • eventarc.googleApiSources.get
  • eventarc.googleApiSources.getIamPolicy
  • eventarc.googleApiSources.list
  • eventarc.googleApiSources.setIamPolicy
  • eventarc.googleApiSources.update
  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update
  • eventarc.kafkaSources.create
  • eventarc.kafkaSources.delete
  • eventarc.kafkaSources.get
  • eventarc.kafkaSources.getIamPolicy
  • eventarc.kafkaSources.list
  • eventarc.kafkaSources.setIamPolicy
  • eventarc.locations.get
  • eventarc.locations.list
  • eventarc.messageBuses.create
  • eventarc.messageBuses.delete
  • eventarc.messageBuses.get
  • eventarc.messageBuses.getIamPolicy
  • eventarc.messageBuses.list
  • eventarc.messageBuses.publish
  • eventarc.messageBuses.setIamPolicy
  • eventarc.messageBuses.update
  • eventarc.messageBuses.use
  • eventarc.multiProjectSources.collectGoogleApiEvents
  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.pipelines.create
  • eventarc.pipelines.delete
  • eventarc.pipelines.get
  • eventarc.pipelines.getIamPolicy
  • eventarc.pipelines.list
  • eventarc.pipelines.setIamPolicy
  • eventarc.pipelines.update
  • eventarc.providers.get
  • eventarc.providers.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • eventarc.triggers.undelete
  • eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.enrollments.create

eventarc.enrollments.delete

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.enrollments.update

eventarc.googleApiSources.create

eventarc.googleApiSources.delete

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleApiSources.update

eventarc.googleChannelConfigs.*

  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update

eventarc.kafkaSources.create

eventarc.kafkaSources.delete

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.*

  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list

eventarc.pipelines.create

eventarc.pipelines.delete

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.pipelines.update

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

  • Project

eventarc.events.*

  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent

(roles/eventarc.messageBusAdmin)

Full control over Message Buses resources.

eventarc.messageBuses.create

eventarc.messageBuses.delete

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.update

eventarc.messageBuses.use

(roles/eventarc.messageBusUser)

Access to publish to or bind to a Message Bus.

eventarc.messageBuses.get

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.use

(roles/eventarc.multiProjectEventCollector)

Can collect events from multiple projects in an org for a source resource.

eventarc.multiProjectSources.collectGoogleApiEvents

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.serviceAgent)

Gives Eventarc service account access to managed resources.

cloudfunctions.functions.get

compute.instanceGroupManagers.get

compute.networkAttachments.get

compute.networkAttachments.update

compute.networkAttachments.use

compute.regionOperations.get

container.clusters.connect

container.clusters.get

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.list

container.deployments.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.list

dns.networks.targetWithPeeringZone

eventarc.channels.publish

eventarc.messageBuses.publish

eventarc.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.get

run.services.get

serviceusage.services.use

storage.buckets.get

storage.buckets.update

workflows.workflows.get

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleChannelConfigs.get

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.use

eventarc.multiProjectSources.collectGoogleApiEvents

eventarc.operations.get

eventarc.operations.list

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list
如要進一步瞭解 Eventarc Standard 角色和權限,請參閱「所有角色和權限」。

專案層級的 IAM 管理

在專案層級中,您可以透過 Google Cloud 控制台、IAM API 或是 Google Cloud CLI 來授予、變更及撤銷 IAM 角色。如需操作說明,請參閱「管理專案、資料夾和機構的存取權」。