Controllo dell'accesso con IAM

Questa pagina descrive le opzioni di controllo dell'accesso disponibili in Cloud Scheduler.

Panoramica

Cloud Scheduler utilizza Identity and Access Management (IAM) per controllo dell'accesso.

Per un'introduzione a IAM e alle sue funzionalità, consulta la panoramica di IAM. Per scoprire come concedere e revocare l'accesso, consulta Gestire l'accesso a progetti, cartelle e organizzazioni.

Per gli elenchi delle autorizzazioni e dei ruoli supportati da Cloud Scheduler, consulta le sezioni seguenti.

Abilita l'API Cloud Scheduler

Per visualizzare e assegnare i ruoli IAM per Cloud Scheduler, devi abilitare l'API Cloud Scheduler per il tuo progetto. Non potrai visualizzare i ruoli Cloud Scheduler nella console Google Cloud finché non avrai abilitato l'API.

Ruoli richiesti per abilitare le API

Per abilitare le API, devi disporre del ruolo IAM Amministratore utilizzo dei servizi (roles/serviceusage.serviceUsageAdmin), che include l'autorizzazione serviceusage.services.enable. Scopri come concedere i ruoli.

Abilitare l'API

Ruoli predefiniti

La tabella seguente elenca i ruoli IAM predefiniti di Cloud Scheduler con un elenco corrispondente di tutte le autorizzazioni incluse in ogni ruolo.

I ruoli predefiniti coprono la maggior parte dei casi d'uso tipici. Se il tuo caso d'uso non è coperto dai ruoli predefiniti, puoi creare un ruolo personalizzato IAM.

Ruoli Cloud Scheduler

Role Permissions

Role	Permissions
Cloud Scheduler Admin (`roles/cloudscheduler.admin`) Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.	`appengine.applications.get` `cloudscheduler.` `cloudscheduler.jobs.create` `cloudscheduler.jobs.delete` `cloudscheduler.jobs.enable` `cloudscheduler.jobs.fullView` `cloudscheduler.jobs.get` `cloudscheduler.jobs.list` `cloudscheduler.jobs.pause` `cloudscheduler.jobs.run` `cloudscheduler.jobs.update` `cloudscheduler.locations.get` `cloudscheduler.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Cloud Scheduler Job Runner (`roles/cloudscheduler.jobRunner`) Access to run jobs.	`appengine.applications.get` `cloudscheduler.jobs.fullView` `cloudscheduler.jobs.run` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.*` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`
Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Grants Cloud Scheduler Service Account access to manage resources. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `logging.logEntries.create` `logging.logEntries.route` `pubsub.topics.publish`
Cloud Scheduler Viewer (`roles/cloudscheduler.viewer`) Get and list access to jobs, executions, and locations.	`appengine.applications.get` `cloudscheduler.jobs.fullView` `cloudscheduler.jobs.get` `cloudscheduler.jobs.list` `cloudscheduler.locations.` `cloudscheduler.locations.get` `cloudscheduler.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.values.test`

Cloud Scheduler Admin

(roles/cloudscheduler.admin)

Full access to jobs and executions.

Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.

appengine.applications.get

cloudscheduler.*

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud Scheduler Job Runner

(roles/cloudscheduler.jobRunner)

Access to run jobs.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.run

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Cloud Scheduler Service Agent

(roles/cloudscheduler.serviceAgent)

Grants Cloud Scheduler Service Account access to manage resources.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.logEntries.create

logging.logEntries.route

pubsub.topics.publish

Cloud Scheduler Viewer

(roles/cloudscheduler.viewer)

Get and list access to jobs, executions, and locations.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.get

cloudscheduler.jobs.list

cloudscheduler.locations.*

cloudscheduler.locations.get
cloudscheduler.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.analyze

serviceusage.consumerpolicy.get

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.get

serviceusage.services.list

serviceusage.values.test

Gestione IAM a livello di progetto

A livello di progetto, puoi concedere, modificare e revocare i ruoli IAM utilizzando la console Google Cloud , l'API IAM o Google Cloud CLI. Per istruzioni, vedi Gestisci l'accesso a progetti, cartelle e organizzazioni.

Controllo dell'accesso con IAM Mantieni tutto organizzato con le raccolte Salva e classifica i contenuti in base alle tue preferenze.

Panoramica

Abilita l'API Cloud Scheduler

Ruoli predefiniti

Ruoli Cloud Scheduler

Cloud Scheduler Admin

Cloud Scheduler Job Runner

Cloud Scheduler Service Agent

Cloud Scheduler Viewer

Gestione IAM a livello di progetto

Controllo dell'accesso con IAM