角色与权限

Google Cloud 提供 Identity and Access Management (IAM),可让您授予对特定Google Cloud 资源更细化的访问权限,并防止对其他资源进行不必要的访问。本页面介绍了 Service Directory API 角色。如需详细了解 IAM,请参阅 IAM 文档

借助 IAM,您可以采用最小权限原则,因此您只需授予对您的资源的必要访问权限即可。

通过 IAM,您可以设置 IAM 政策,以控制哪些人对哪些资源具有什么访问权限。您可以使用 IAM 政策向用户授予特定角色,给予用户某些权限。

权限和角色

每种 Service Directory API 方法都要求调用者拥有必要的 IAM 权限。您可以通过为用户、群组或服务账号授予角色来分配权限。除了 Owner、Editor 和 Viewer 这些基本角色之外,您还可以向项目的用户授予 Service Directory API 角色。

权限

您可以在 Service Directory API 参考文档中了解每种方法所需的权限。

角色

Role Permissions

(roles/servicedirectory.admin)

Full control of all Service Directory resources and permissions.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.*

  • servicedirectory.endpoints.create
  • servicedirectory.endpoints.delete
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.setIamPolicy
  • servicedirectory.endpoints.update

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.*

  • servicedirectory.namespaces.associatePrivateZone
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.setIamPolicy
  • servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.*

  • servicedirectory.services.bind
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve
  • servicedirectory.services.setIamPolicy
  • servicedirectory.services.update

(roles/servicedirectory.editor)

Edit Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

(roles/servicedirectory.viewer)

View Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

(roles/servicedirectory.networkAttacher)

Gives access to attach VPC Networks to Service Directory Endpoints

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.attach

(roles/servicedirectory.pscAuthorizedService)

Gives access to VPC Networks via Service Directory

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.access

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/servicedirectory.serviceAgent)

Give the Service Directory service agent access to Cloud Platform resources.

container.clusters.get

gkehub.features.get

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.locations.*

  • gkehub.locations.get
  • gkehub.locations.list

gkehub.memberships.get

gkehub.memberships.list

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

使用 Google Cloud 控制台控制访问权限

您可以使用 Google Cloud 控制台来管理注册表的访问权限控制。

要在项目级别设置访问控制,请执行以下操作:

控制台

  1. 在 Google Cloud 控制台中,前往 IAM 页面。

    转到 IAM

  2. 从顶部的下拉菜单中选择您的项目。

  3. 点击添加

  4. 新的主账号中,输入新主账号的电子邮件地址。

  5. 从下拉菜单中选择所需的角色:servicedirectory.adminservicedirectory.editorservicedirectory.viewer

  6. 点击保存

  7. 验证该主账号是否拥有您授予的角色。

Service Directory 区域会替换 IAM 限制

将命名空间分配给 Service Directory 区域后,服务名称将对有权查询专用区域的任何网络上的所有客户端可见。DNS 没有 IAM 访问权限控制,因为 DNS 协议不提供身份验证功能。

后续步骤

  • 如需详细了解 Identity and Access Management,请参阅 IAM 文档
  • 如需了解 Service Directory,请参阅概览