Access control with IAM

Artifact Analysis uses Identity and Access Management (IAM) to grant fine-grained access to specific resources according to the task you want to perform.

This page describes the permissions used to control access to Artifact Analysis.

Before you begin

  1. Learn about the metadata storage concepts
  2. Read how to grant, revoke, and change access to resources

IAM roles for metadata providers and customers

Metadata management in Artifact Analysis involves two entities that need different levels of access:

  • Providers, who create the metadata stored in notes
  • Customers, who identify occurrences of notes

Metadata providers

A metadata provider in Artifact Analysis is an editor of resource metadata. It creates notes, which describe what a resource may be affected by.

We recommend that you create a Google Cloud project dedicated to storing notes. In that project, restrict the access of users or service accounts to the following roles:

  • Container Analysis Notes Editor - Creates the notes that your customers can attach occurrences to.

  • Container Analysis Occurrences for Notes Viewer - Lists all occurrences attached to a note.

Metadata customers

A metadata customer in Artifact Analysis attaches information to metadata resources. It creates occurrences, which are instances of a note for a specific image in the customer's project.

As a customer, to be able to attach occurrences to notes and to list them, grant your users or service accounts the following roles:

  • Container Analysis Occurrences Editor - Grant this role in the customer project to create occurrences.

  • Container Analysis Notes Attacher - Grant this role in the provider project to attach occurrences to the provider's notes.

  • Container Analysis Occurrences Viewer - Grant this role in the customer project to list the occurrences in that project.

Note that the Occurrences Editor role does not carry containeranalysis.notes.attachOccurrence (see the roles table below), so a customer-project binding alone never lets a principal attach an occurrence to a provider's note; the Notes Attacher binding must be made in the provider project, on the project that owns the note.
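Which role goes in which project is the part of this procedure that is easiest to get wrong. The following added example (not from the Artifact Analysis documentation) encodes the five bindings above as a plan and turns each one into a `gcloud projects add-iam-policy-binding` command. The project IDs and service-account addresses are placeholders; with `dry_run=True` it only prints the commands, and nothing is applied unless gcloud is installed and authenticated.

```python
"""Plan the IAM bindings for the provider/customer split.

Added example, not from the Artifact Analysis docs. It builds the gcloud
commands and runs them only if apply_plan(dry_run=False) is called.
Project IDs and service-account e-mail addresses are placeholders.
"""
import shlex
import subprocess
from dataclasses import dataclass

# Role IDs as listed in the IAM roles table on this page.
NOTES_EDITOR = "roles/containeranalysis.notes.editor"
NOTES_OCCURRENCES_VIEWER = "roles/containeranalysis.notes.occurrences.viewer"
NOTES_ATTACHER = "roles/containeranalysis.notes.attacher"
OCCURRENCES_EDITOR = "roles/containeranalysis.occurrences.editor"
OCCURRENCES_VIEWER = "roles/containeranalysis.occurrences.viewer"


@dataclass(frozen=True)
class Binding:
    project: str  # project whose IAM policy receives the binding
    member: str   # e.g. "serviceAccount:scanner@provider-proj.iam.gserviceaccount.com"
    role: str


def grant_plan(provider_project: str, customer_project: str,
               provider_member: str, customer_member: str) -> list[Binding]:
    """Return the bindings the page prescribes.

    Provider-side roles go in the provider project. The customer principal
    gets two bindings in its own project (create and list occurrences) and
    one in the *provider* project (attach occurrences to the provider's
    notes); without that cross-project binding it cannot attach anything.
    """
    return [
        Binding(provider_project, provider_member, NOTES_EDITOR),
        Binding(provider_project, provider_member, NOTES_OCCURRENCES_VIEWER),
        Binding(customer_project, customer_member, OCCURRENCES_EDITOR),
        Binding(customer_project, customer_member, OCCURRENCES_VIEWER),
        Binding(provider_project, customer_member, NOTES_ATTACHER),
    ]


def to_gcloud(b: Binding) -> list[str]:
    """argv for `gcloud projects add-iam-policy-binding` (unconditional binding)."""
    return ["gcloud", "projects", "add-iam-policy-binding", b.project,
            f"--member={b.member}", f"--role={b.role}",
            "--condition=None", "--quiet"]


def verify_cmd(b: Binding) -> list[str]:
    """argv that lists the members bound to b.role in b.project, for an audit."""
    return ["gcloud", "projects", "get-iam-policy", b.project,
            "--flatten=bindings[].members",
            f"--filter=bindings.role:{b.role}",
            "--format=value(bindings.members)"]


def apply_plan(plan: list[Binding], dry_run: bool = True) -> list[str]:
    """Print each grant and, unless dry_run, execute it. Returns the command lines."""
    lines = []
    for b in plan:
        argv = to_gcloud(b)
        line = shlex.join(argv)
        lines.append(line)
        print(line)
        if not dry_run:
            subprocess.run(argv, check=True)
    return lines


if __name__ == "__main__":
    # Placeholder identities; replace with your own.
    plan = grant_plan(
        provider_project="provider-proj",
        customer_project="customer-proj",
        provider_member="serviceAccount:scanner@provider-proj.iam.gserviceaccount.com",
        customer_member="serviceAccount:ci@customer-proj.iam.gserviceaccount.com",
    )
    apply_plan(plan, dry_run=True)
    for b in plan:
        print("# verify:", shlex.join(verify_cmd(b)))
```

Run it once in dry-run mode, check that the Notes Attacher binding is the only one that puts a customer identity into the provider project, and then apply it with `dry_run=False`. The `verify_cmd` output is what you would paste into an audit script to confirm no extra members have accumulated on those roles.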

Vulnerability metadata

As an additional safeguard for vulnerability metadata, Artifact Analysis lets providers create and manage vulnerability occurrences on behalf of many customers. Metadata customers do not have write access to vulnerability occurrences created by third-party providers, even in their own projects.

For example, this means that Artifact Analysis can create vulnerability occurrences for the images in your project, but you cannot add or remove any of the vulnerability information that Artifact Analysis has detected.

This prevents vulnerability metadata from being manipulated on the customer side and so helps enforce security policies. A policy that consumes these occurrences (for example, a deployment gate) can therefore rely on the scanner's findings not having been edited by the image owner; occurrences that a customer creates itself with the Occurrences Editor role carry no such guarantee.

IAM roles

The following table lists the Artifact Analysis IAM roles and the permissions each one contains. The role IDs and permission names still use the service's former name, Container Analysis.

roles/containeranalysis.ServiceAgent
Gives the Container Analysis API the access it needs to function.
Permissions:
  • artifactregistry.attachments.get
  • artifactregistry.attachments.list
  • artifactregistry.dockerimages.* (artifactregistry.dockerimages.get, artifactregistry.dockerimages.list)
  • artifactregistry.files.download
  • artifactregistry.files.get
  • artifactregistry.files.list
  • artifactregistry.locations.* (artifactregistry.locations.get, artifactregistry.locations.list)
  • artifactregistry.mavenartifacts.* (artifactregistry.mavenartifacts.get, artifactregistry.mavenartifacts.list)
  • artifactregistry.npmpackages.* (artifactregistry.npmpackages.get, artifactregistry.npmpackages.list)
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.projectsettings.get
  • artifactregistry.pythonpackages.* (artifactregistry.pythonpackages.get, artifactregistry.pythonpackages.list)
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.readViaVirtualRepository
  • artifactregistry.rules.get
  • artifactregistry.rules.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • containeranalysis.notes.list
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • pubsub.messageTransforms.validate
  • pubsub.schemas.attach
  • pubsub.schemas.commit
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.listRevisions
  • pubsub.schemas.rollback
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

roles/containeranalysis.admin
Access to all Container Analysis resources.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.* (containeranalysis.occurrences.create, containeranalysis.occurrences.delete, containeranalysis.occurrences.get, containeranalysis.occurrences.getIamPolicy, containeranalysis.occurrences.list, containeranalysis.occurrences.setIamPolicy, containeranalysis.occurrences.update)
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/containeranalysis.notes.attacher (Container Analysis Notes Attacher)
Can attach Container Analysis Occurrences to Notes.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get

roles/containeranalysis.notes.editor (Container Analysis Notes Editor)
Can edit Container Analysis Notes.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/containeranalysis.notes.occurrences.viewer (Container Analysis Occurrences for Notes Viewer)
Can view all Container Analysis Occurrences attached to a Note.
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences

roles/containeranalysis.notes.viewer
Can view Container Analysis Notes.
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/containeranalysis.occurrences.editor (Container Analysis Occurrences Editor)
Can edit Container Analysis Occurrences.
Permissions:
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/containeranalysis.occurrences.viewer (Container Analysis Occurrences Viewer)
Can view Container Analysis Occurrences.
Permissions:
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
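To show how this table translates into least-privilege decisions, the following added example (not Google's code) loads the customer-facing roles from the table into a lookup and answers two questions a reviewer asks: which role is the narrowest one that carries a given permission, and whether a principal's bindings in the customer and provider projects together allow it to create an occurrence of a provider's note. The service agent role is omitted. The rule that occurrence creation needs `containeranalysis.occurrences.create` in the customer project plus `containeranalysis.notes.attachOccurrence` in the provider project is taken from the role descriptions earlier on this page; the evaluator itself is a simplification of IAM (project-level bindings only, no conditions, no resource-level policies).

```python
"""Least-privilege lookups over the Artifact Analysis role table.

Added example, not Google's code. ROLE_PERMISSIONS reproduces the
customer-facing roles from the table on this page (the service agent
role is omitted). The two-project rule in can_create_occurrence() comes
from the role descriptions earlier on the page; the evaluator models
project-level bindings only.
"""

NOTES = "containeranalysis.notes"
OCCS = "containeranalysis.occurrences"
PROJECT_READ = frozenset({"resourcemanager.projects.get",
                          "resourcemanager.projects.list"})


def _perms(prefix: str, names: str) -> frozenset[str]:
    """Expand a space-separated list of verbs under prefix into full permission names."""
    return frozenset(f"{prefix}.{n}" for n in names.split())


ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/containeranalysis.admin":
        _perms(NOTES, "attachOccurrence create delete get getIamPolicy list setIamPolicy update")
        | _perms(OCCS, "create delete get getIamPolicy list setIamPolicy update")
        | PROJECT_READ,
    "roles/containeranalysis.notes.attacher":
        _perms(NOTES, "attachOccurrence get"),
    "roles/containeranalysis.notes.editor":
        _perms(NOTES, "attachOccurrence create delete get list update") | PROJECT_READ,
    "roles/containeranalysis.notes.occurrences.viewer":
        _perms(NOTES, "get listOccurrences"),
    "roles/containeranalysis.notes.viewer":
        _perms(NOTES, "get list") | PROJECT_READ,
    "roles/containeranalysis.occurrences.editor":
        _perms(OCCS, "create delete get list update") | PROJECT_READ,
    "roles/containeranalysis.occurrences.viewer":
        _perms(OCCS, "get list") | PROJECT_READ,
}


def effective_permissions(roles) -> frozenset[str]:
    """Union of the permissions carried by a set of roles; unknown roles contribute nothing."""
    return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in roles))


def least_privilege_roles(permission: str) -> list[str]:
    """Roles that grant `permission`, narrowest first (fewest total permissions)."""
    return sorted((r for r, p in ROLE_PERMISSIONS.items() if permission in p),
                  key=lambda r: (len(ROLE_PERMISSIONS[r]), r))


def excess_permissions(role: str, needed) -> frozenset[str]:
    """Permissions `role` grants beyond `needed`; a non-empty result means over-privileged."""
    return ROLE_PERMISSIONS[role] - frozenset(needed)


def can_create_occurrence(customer_roles, provider_roles) -> tuple[bool, list[str]]:
    """Check a principal that wants to create an occurrence of a provider's note.

    customer_roles: roles bound to the principal in the customer project.
    provider_roles: roles bound to the same principal in the provider project.
    Both checks must pass: creating the occurrence (customer project) and
    attaching it to the note (provider project).
    """
    missing = []
    if f"{OCCS}.create" not in effective_permissions(customer_roles):
        missing.append(f"customer project: {OCCS}.create")
    if f"{NOTES}.attachOccurrence" not in effective_permissions(provider_roles):
        missing.append(f"provider project: {NOTES}.attachOccurrence")
    return (not missing, missing)


if __name__ == "__main__":
    print("narrowest role for attachOccurrence:",
          least_privilege_roles(f"{NOTES}.attachOccurrence")[0])
    editor_only = {"roles/containeranalysis.occurrences.editor"}
    print("editor in customer project only:", can_create_occurrence(editor_only, set()))
    print("plus attacher in provider project:",
          can_create_occurrence(editor_only, {"roles/containeranalysis.notes.attacher"}))
    print("what admin adds over notes.editor:",
          sorted(excess_permissions("roles/containeranalysis.admin",
                                    ROLE_PERMISSIONS["roles/containeranalysis.notes.editor"])))
```

Two things the output makes concrete: the Occurrences Editor role in the customer project is not enough on its own, because `containeranalysis.notes.attachOccurrence` only appears in the Notes Attacher, Notes Editor and admin roles, and the admin role adds `setIamPolicy` on notes and occurrences over the editor roles, which is why a provider that only needs to publish notes should not be given it.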