This page describes how to use Identity and Access Management (IAM) to manage access to Fault Injection Testing features.
Admins or Owners for your Google Cloud resources can grant Fault Injection Testing roles and permissions.
Admins are responsible for ensuring that users have the access they need and nothing more (principle of least privilege). Because Fault Injection Testing requires accounts to both configure and run experiments, least privilege is especially important – fault experimentation can cause unexpected outages if run on incorrect resources, or operated by unauthorized or untrained users.
Enable the APIs for Fault Injection Testing
To activate the Fault Injection Testing API for your project:
- Go to the API Library page for the Google Cloud console.
- Search for faulttesting and select the Fault Testing API.
- Select the Enable button.
A dialog showing the progress of the API activation appears.
Set required permissions
Fault Injection Testing provides the following roles:
| Role name | Description | Permissions |
| --- | --- | --- |
| Fault Testing Admin/Operator | Full access to fault testing resources. Operators must also have editor permissions to the affected Google Cloud resources. | |
| Fault Testing Viewer | Read-only access to fault testing resources. | |
Use the Google Cloud CLI to grant roles and permissions. To grant the
faulttesting.operator role, run the following command:
```
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member {USER|GROUP|SERVICE_ACCOUNT} \
  --role roles/faulttesting.operator
```
An example of the syntax for adding faulttesting.operator to user
anon@example.com in project `example-project` would look like this:
```
gcloud projects add-iam-policy-binding example-project --member=user:anon@example.com --role=roles/faulttesting.operator
```
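To check granted roles against the least-privilege goal described above, the following added example (not part of the original page or of Google's tooling) audits the JSON printed by `gcloud projects get-iam-policy` for Fault Injection Testing grants. The sample policy, the approved-operator list, the `roles/faulttesting.` prefix match, and the function names are assumptions made for illustration.

```python
import json

OPERATOR_ROLE = "roles/faulttesting.operator"  # role named on this page
FAULT_ROLE_PREFIX = "roles/faulttesting."      # assumed prefix for all Fault Injection Testing roles
BROAD_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like the output of:
#   gcloud projects get-iam-policy example-project --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/faulttesting.operator",
     "members": ["user:anon@example.com", "group:chaos-team@example.com",
                 "domain:example.com"]},
    {"role": "roles/editor", "members": ["user:anon@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]}
  ],
  "version": 1
}
""")

def fault_testing_grants(policy):
    """Return sorted (member, role) pairs for every Fault Injection Testing role."""
    pairs = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role.startswith(FAULT_ROLE_PREFIX):
            pairs.update((m, role) for m in binding.get("members", []))
    return sorted(pairs)

def audit(policy, approved_operators):
    """Flag grants that break least privilege: broad principals, unapproved operators."""
    findings = []
    for member, role in fault_testing_grants(policy):
        if member in BROAD_PRINCIPALS or member.startswith("domain:"):
            findings.append((member, role, "broad principal"))
        elif role == OPERATOR_ROLE and member not in approved_operators:
            findings.append((member, role, "operator not on approved list"))
    return findings

if __name__ == "__main__":
    approved = {"group:chaos-team@example.com"}  # hypothetical allowlist
    for member, role, reason in audit(SAMPLE_POLICY, approved):
        print(f"{member}\t{role}\t{reason}")
```

Granting the operator role to a reviewed group rather than to individual users keeps the approved list short and makes drift visible in this kind of check.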