Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions that you need when you use Network Connectivity Center (NCC).

At a high level, you need the following:

Note that to use NCC with a Shared VPC network, you must hold all of the required permissions in the host project. The hub, the spokes, and all related resources must be located in the host project.

To learn how to grant permissions, see the IAM overview.

Predefined roles

The following table describes the predefined roles for NCC.

Role | Permissions

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.queryStatus
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

  • networkconnectivity.multicloudDataTransferConfigs.create
  • networkconnectivity.multicloudDataTransferConfigs.delete
  • networkconnectivity.multicloudDataTransferConfigs.get
  • networkconnectivity.multicloudDataTransferConfigs.list
  • networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

  • networkconnectivity.multicloudDataTransferDestinations.create
  • networkconnectivity.multicloudDataTransferDestinations.delete
  • networkconnectivity.multicloudDataTransferDestinations.get
  • networkconnectivity.multicloudDataTransferDestinations.list
  • networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

  • networkconnectivity.multicloudDataTransferDestinations.create
  • networkconnectivity.multicloudDataTransferDestinations.delete
  • networkconnectivity.multicloudDataTransferDestinations.get
  • networkconnectivity.multicloudDataTransferDestinations.list
  • networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

  • networkconnectivity.multicloudDataTransferSupportedServices.get
  • networkconnectivity.multicloudDataTransferSupportedServices.list

networkconnectivity.operations.get

networkconnectivity.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.changes.create

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSZone

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.transportAdmin)

Enables full access to Transport resources

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

  • networkconnectivity.remoteTransportProfiles.get
  • networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.*

  • networkconnectivity.transports.create
  • networkconnectivity.transports.delete
  • networkconnectivity.transports.get
  • networkconnectivity.transports.list
  • networkconnectivity.transports.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.transportViewer)

Enables view access to Transport resources

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.remoteTransportProfiles.*

  • networkconnectivity.remoteTransportProfiles.get
  • networkconnectivity.remoteTransportProfiles.list

networkconnectivity.transports.get

networkconnectivity.transports.list

resourcemanager.projects.get

resourcemanager.projects.list

Additional required permissions

Depending on the actions that you need to perform in NCC, you might also need the permissions described in the following sections.

Permissions to create spokes

To create a spoke, you must have permission to read the spoke's underlying resource type. For example:

  • For VPN tunnel spokes, VLAN attachment spokes, and Router appliance spokes, you need compute.routers.get
  • To create a Router appliance spoke, you need compute.instances.get. In addition, before you can use a Router appliance spoke, you must configure peering between the Cloud Router and the router appliance instance. To create the peering, you need the following permissions:
    • compute.instances.use
    • compute.routers.update
  • To create a VLAN attachment spoke, you need compute.interconnectAttachments.get
  • To create a VPN tunnel spoke, you need compute.vpnTunnels.get
  • To create a VPC spoke, you need the following permissions:
    • compute.networks.use
    • compute.networks.get
  • To create a VPC spoke in a project other than the project associated with the hub, you need networkconnectivity.groups.use

Permissions to use NCC in the Google Cloud console

To use NCC in the Google Cloud console, you need a role (for example, Compute Network Viewer, roles/compute.networkViewer) that includes the permissions described in the following table. To grant only these permissions, first create a custom role that contains them.

Task | Required permissions

Go to the NCC page
  • compute.projects.get
  • compute.networks.get

Access and use the Add spokes page
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
  • compute.networks.get

Add a VLAN attachment spoke
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.get
  • compute.networks.get
  • compute.routers.list
  • compute.routers.get

Add a VPN tunnel spoke
  • compute.forwardingRules.list
  • compute.networks.get
  • compute.routers.get
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list

Add a Router appliance spoke
  • compute.instances.list
  • compute.instances.get
  • compute.networks.get

Add a VPC spoke
  • compute.networks.use
  • compute.networks.get
  • compute.subnetworks.list
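The following helper is an added example, not code from this page or from Google. It encodes the two permission tables above (the per-spoke-type permissions from "Permissions to create spokes" and the console task table) so that you can compute the least-privilege permission set for the tasks a principal actually performs, check that set against the permissions a principal already holds, and render the custom-role definition that `gcloud iam roles create ROLE_ID --project PROJECT_ID --file role.yaml` accepts. The function names, the task keys, and the sample "already granted" set in `main()` are assumptions constructed for the example; the permission strings themselves are the ones listed on this page.

```python
"""Least-privilege custom-role builder for the NCC console permission tables.

Added example (not Google's code). The permission strings below are copied
from the tables on this page; task keys and function names are constructed.
"""
from typing import Dict, FrozenSet, Iterable, List

# Console task -> required permissions (from the console permissions table).
CONSOLE_TASKS: Dict[str, FrozenSet[str]] = {
    "open_ncc_page": frozenset({"compute.projects.get", "compute.networks.get"}),
    "add_spokes_page": frozenset({
        "compute.networks.list", "compute.regions.list", "compute.routers.list",
        "compute.zones.list", "compute.networks.get",
    }),
    "add_vlan_attachment_spoke": frozenset({
        "compute.interconnectAttachments.list", "compute.interconnectAttachments.get",
        "compute.networks.get", "compute.routers.list", "compute.routers.get",
    }),
    "add_vpn_tunnel_spoke": frozenset({
        "compute.forwardingRules.list", "compute.networks.get", "compute.routers.get",
        "compute.routers.list", "compute.targetVpnGateways.list",
        "compute.vpnGateways.list", "compute.vpnTunnels.get", "compute.vpnTunnels.list",
    }),
    "add_router_appliance_spoke": frozenset({
        "compute.instances.list", "compute.instances.get", "compute.networks.get",
    }),
    "add_vpc_spoke": frozenset({
        "compute.networks.use", "compute.networks.get", "compute.subnetworks.list",
    }),
}

# Spoke type -> permissions needed at creation time ("Permissions to create spokes").
SPOKE_CREATE_PERMS: Dict[str, FrozenSet[str]] = {
    "vpn_tunnel": frozenset({"compute.routers.get", "compute.vpnTunnels.get"}),
    "vlan_attachment": frozenset({"compute.routers.get", "compute.interconnectAttachments.get"}),
    # Router appliance spokes also need the peering permissions listed on the page.
    "router_appliance": frozenset({"compute.routers.get", "compute.instances.get",
                                   "compute.instances.use", "compute.routers.update"}),
    "vpc": frozenset({"compute.networks.use", "compute.networks.get"}),
    # VPC spoke in a project other than the hub's project.
    "vpc_other_project": frozenset({"compute.networks.use", "compute.networks.get",
                                    "networkconnectivity.groups.use"}),
}


def required_permissions(tasks: Iterable[str], spoke_types: Iterable[str] = ()) -> FrozenSet[str]:
    """Union of every permission the given console tasks and spoke types need.

    Unknown keys raise KeyError rather than silently widening or narrowing the set.
    """
    perms = set()
    for task in tasks:
        perms |= CONSOLE_TASKS[task]
    for spoke_type in spoke_types:
        perms |= SPOKE_CREATE_PERMS[spoke_type]
    return frozenset(perms)


def missing_permissions(required: Iterable[str], granted: Iterable[str]) -> List[str]:
    """Permissions in `required` that the principal does not yet hold, sorted."""
    return sorted(set(required) - set(granted))


def render_custom_role(title: str, permissions: Iterable[str], description: str = "") -> str:
    """Render a role definition in the YAML shape `gcloud iam roles create --file` reads."""
    lines = [
        f"title: {title}",
        f"description: {description}",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


def main() -> None:
    # Constructed scenario: an operator who opens the NCC page and adds VPC spokes,
    # and who currently holds only two compute permissions (sample set, not from the page).
    needed = required_permissions(["open_ncc_page", "add_vpc_spoke"], ["vpc"])
    already = {"compute.networks.get", "compute.projects.get"}
    print("missing:", missing_permissions(needed, already))
    print(render_custom_role("NCC console VPC spoke operator", needed,
                             "Least-privilege role built from the NCC console permission table"))


if __name__ == "__main__":
    main()
```

Write the rendered YAML to a file and pass it to `gcloud iam roles create` in the project where the NCC resources live; for a Shared VPC network that is the host project, as the note at the top of this page states. The custom role only covers the compute-side permissions from these tables; the principal still needs one of the networkconnectivity.* predefined roles above for the NCC resources themselves.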

Protect resources with VPC Service Controls

To further protect your NCC resources, use VPC Service Controls.

VPC Service Controls provides additional security for your resources and helps mitigate the risk of data exfiltration. You can use VPC Service Controls to place NCC resources inside a service perimeter. VPC Service Controls then protects those resources from requests that originate outside the perimeter.

For more information about service perimeters, see the Service perimeter configuration page in the VPC Service Controls documentation.

What's next

To learn more about project roles and Google Cloud resources, see the following documentation: