Mit Sammlungen den Überblick behalten
Sie können Inhalte basierend auf Ihren Einstellungen speichern und kategorisieren.
IAM für Bare-Metal-Lösung konfigurieren
Wenn Sie möchten, dass ein Hauptkonto, z. B. ein Google Cloud -Nutzer oder ein Dienstkonto, Zugriff auf die Ressourcen in Ihrer Bare-Metal-Lösungsumgebung erhält, müssen Sie ihm die entsprechenden Rollen und Berechtigungen erteilen. Wenn Sie Zugriff gewähren möchten, können Sie eine IAM-Richtlinie (Identity and Access Management) erstellen und vordefinierte Rollen speziell für die Bare-Metal-Lösung zuweisen.
Gewähren Sie Rollen mit ausreichenden Berechtigungen, damit Ihre Hauptkonten ihre Aufgabe erfüllen können, aber nicht mehr, damit Sie das Google CloudSicherheitsprinzip der geringsten Berechtigung befolgen können.
Vordefinierte Rollen für die Bare-Metal-Lösung
Jede IAM-Rolle für die Bare-Metal-Lösung enthält Berechtigungen, die dem Hauptkonto Zugriff auf bestimmte Ressourcen gewähren, wie in der folgenden Tabelle dargestellt.
Administrator of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
Luns Viewer
(roles/baremetalsolution.lunsviewer)
Viewer of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
Maintenance Events Admin
(roles/baremetalsolution.maintenanceeventsadmin)
Administrator of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Maintenance Events Editor
(roles/baremetalsolution.maintenanceeventseditor)
Editor of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Maintenance Events Viewer
(roles/baremetalsolution.maintenanceeventsviewer)
Viewer of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Networks Admin
(roles/baremetalsolution.networksadmin)
Admin of Bare Metal Solution networks resources
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.networks.create
baremetalsolution.networks.delete
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.networks.rename
baremetalsolution.networks.update
baremetalsolution.operations.get
baremetalsolution.pods.list
NFS Shares Admin
(roles/baremetalsolution.nfssharesadmin)
Administrator of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update
baremetalsolution.operations.get
baremetalsolution.pods.list
NFS Shares Editor
(roles/baremetalsolution.nfsshareseditor)
Editor of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update
baremetalsolution.operations.get
baremetalsolution.pods.list
NFS Shares Viewer
(roles/baremetalsolution.nfssharesviewer)
Viewer of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
OS Images Viewer
(roles/baremetalsolution.osimagesviewer)
Viewer of Bare Metal Solution OS images resources
baremetalsolution.osimages.list
Bare Metal Solution Procurements Admin
(roles/baremetalsolution.procurementsadmin)
Administrator of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.procurements.*
baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Procurements Editor
(roles/baremetalsolution.procurementseditor)
Editor of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.procurements.*
baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Procurements Viewer
(roles/baremetalsolution.procurementsviewer)
Viewer of Bare Metal Solution Procurements
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Service Agent
(roles/baremetalsolution.serviceAgent)
Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
resourcemanager.projects.get
Bare Metal Solution Storage Admin
(roles/baremetalsolution.storageadmin)
Administrator of Bare Metal Solution storage resources
baremetalsolution.luns.*
baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.evict
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.luns.update
baremetalsolution.nfsshares.*
baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.snapshotschedulepolicies.create
baremetalsolution.snapshotschedulepolicies.delete
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.snapshotschedulepolicies.update
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update
baremetalsolution.volumesnapshots.*
baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Viewer
(roles/baremetalsolution.viewer)
Viewer of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
baremetalsolution.networkquotas.list
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.pods.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.sshKeys.list
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
Volume Admin
(roles/baremetalsolution.volumesadmin)
Administrator of Bare Metal Solution volume resources
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.volumes.*
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update
Volumes Editor
(roles/baremetalsolution.volumeseditor)
Editor of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.pods.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update
Snapshots Admin
(roles/baremetalsolution.volumesnapshotsadmin)
Administrator of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.*
baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore
Snapshots Editor
(roles/baremetalsolution.volumesnapshotseditor)
Editor of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
Snapshots Viewer
(roles/baremetalsolution.volumesnapshotsviewer)
Viewer of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
Volumes Viewer
(roles/baremetalsolution.volumessviewer)
Viewer of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.volumes.get
baremetalsolution.volumes.list
Wir empfehlen, die Rollen so anzuwenden:
Aufnahmeformular ausfüllen
Bare Metal Solution-Rollen: Administrator, Bearbeiter oder Instanzadministrator UND Compute-Netzwerkbetrachter
Einfache Rollen: Inhaber oder Bearbeiter
Server der Bare-Metal-Lösung neu starten
Bare-Metal-Lösungsrollen: Administrator oder Bearbeiter
Einfache Rollen: Inhaber oder Bearbeiter
Server auflisten oder Status anfragen
Bare-Metal-Lösungsrollen: Betrachter oder Instanzbetrachter
Einfache Rolle: Betrachter
Speicherkomponenten verwalten
Bare-Metal-Lösung-Rollen: Administrator, Bearbeiter oder Speicheradministrator
Einfache Rollen: Inhaber oder Bearbeiter
Netzwerkkomponenten verwalten
Bare-Metal-Lösung-Rollen: Administrator, Bearbeiter oder Netzwerkadministrator
Einfache Rollen: Inhaber oder Bearbeiter
Eine vollständige Liste der Rollen für Bare-Metal-Lösungen finden Sie unter Vordefinierte Rollen. Geben Sie dazu baremetalsolution. in das Suchfeld ein.
Eine vollständige Liste der Berechtigungen für Bare Metal Solution finden Sie unter Nach einer Berechtigung suchen. Geben Sie dazu baremetalsolution. in das Suchfeld ein.
IAM-Rolle erteilen
Fügen Sie eine IAM-Richtlinie hinzu, um einem Hauptkonto eine Rolle für Bare-Metal-Lösungen zuzuweisen. Die Rolle enthält Berechtigungen, die es dem Hauptkonto ermöglichen, bestimmte Aktionen auszuführen. So weisen Sie eine Rolle zu:
Console
Prüfen Sie, ob Sie eine Rolle mit den richtigen IAM-Berechtigungen haben, um anderen Rollen zuzuweisen, z. B. Inhaber, Projekt-IAM-Administrator oder Sicherheitsadministrator: Weitere Informationen zu dieser Anforderung finden Sie unter Erforderliche Rollen.
Rufen Sie in der Google Cloud Console die Seite „IAM-Berechtigungen“ auf.
Geben Sie unter Hauptkonten hinzufügen Ihre Nutzer ein. Sie können einzelne Nutzer, Google-Gruppen, Dienstkonten oder Google Workspace-Domains hinzufügen.
Wählen Sie unter Rollen zuweisen im Menü Rolle auswählen eine Rolle aus, die Sie den Hauptkonten zuweisen möchten.
Klicken Sie auf addWeitere Rolle hinzufügen, wenn Sie den Hauptkonten mehrere Rollen zuweisen möchten.
Klicken Sie auf Speichern.
Ihre Hauptkonten und die zugewiesenen Rollen werden auf der Statusseite IAM-Berechtigungen angezeigt.
gcloud
Prüfen Sie, ob Sie eine Rolle mit den richtigen IAM-Berechtigungen haben, um anderen Rollen zuzuweisen, z. B. Inhaber, Projekt-IAM-Administrator oder Sicherheitsadministrator: Weitere Informationen zu dieser Anforderung finden Sie unter Erforderliche Rollen.
Öffnen Sie ein Cloud Shell-Fenster in Ihrem Google Cloud -Projekt.
Fügen Sie im folgenden Befehl Ihre Google Cloud Projekt-ID, die E-Mail-Adresse des Google Cloud Kontos Ihres Hauptkontos und den gewünschten Bare-Metal-Lösung-Rollen-Pfad hinzu:
Kopieren Sie den Befehl und fügen Sie ihn in Ihr Cloud Shell-Fenster ein.
Drücken Sie die Eingabe- bzw. Returntaste.
In einigen Fällen wird das Fenster Cloud Shell autorisieren geöffnet, in dem Sie den API-Aufruf zulassen. Wenn Sie diese Option sehen, klicken Sie auf Autorisieren.
Wenn Sie die Befehle eingegeben haben, sieht die Ausgabe so aus:
[[["Leicht verständlich","easyToUnderstand","thumb-up"],["Mein Problem wurde gelöst","solvedMyProblem","thumb-up"],["Sonstiges","otherUp","thumb-up"]],[["Schwer verständlich","hardToUnderstand","thumb-down"],["Informationen oder Beispielcode falsch","incorrectInformationOrSampleCode","thumb-down"],["Benötigte Informationen/Beispiele nicht gefunden","missingTheInformationSamplesINeed","thumb-down"],["Problem mit der Übersetzung","translationIssue","thumb-down"],["Sonstiges","otherDown","thumb-down"]],["Zuletzt aktualisiert: 2025-08-29 (UTC)."],[[["\u003cp\u003eTo manage access to Bare Metal Solution resources, assign specific IAM roles and permissions to users or service accounts, following the principle of least privilege for security.\u003c/p\u003e\n"],["\u003cp\u003eSeveral predefined roles are available, such as Bare Metal Solution Admin, Editor, Instances Admin, and Viewer, each providing different levels of access to manage instances, networks, LUNs, and other resources.\u003c/p\u003e\n"],["\u003cp\u003eThe content recommends certain roles for various tasks, including using Bare Metal Solution Admin, Editor, or Instances Admin roles for intake forms, and Bare Metal Solution Viewer or Instances Viewer roles for listing and checking status.\u003c/p\u003e\n"],["\u003cp\u003eIAM roles can be granted through the Google Cloud console by navigating to the IAM permissions page and adding users with the desired roles, or by using the gcloud command-line tool with the \u003ccode\u003eadd-iam-policy-binding\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eThere are additional resources available online to check the predefine roles, search for a specific permission and check the required permissions when granting, changing or revoking access to resources.\u003c/p\u003e\n"]]],[],null,["# Configure IAM for Bare Metal Solution\n=====================================\n\nWhen you want a [principal](/iam/docs/overview#concepts_related_identity),\nsuch as a Google Cloud project user or service account, to gain access to\nthe resources in your Bare Metal Solution environment, you need to grant them\nappropriate roles and permissions. To grant access, you can create an\nIdentity and Access Management (IAM) policy and grant predefined roles specific to\nBare Metal Solution.\n\nGrant roles with enough permissions for your principals to be\nable do their job but no more, so that you can follow the Google Cloud\nsecurity principle of least privilege.\n\nPredefined roles for Bare Metal Solution\n----------------------------------------\n\nEach IAM role for Bare Metal Solution contains permissions that\ngive the principal access to specific resources as shown in the following table. \n\nWe recommend applying the roles as follows:\n\n- **Filling out an intake form**\n\n - Bare Metal Solution roles: Admin, Editor, or Instances Admin AND Compute Network Viewer\n - Basic roles: Owner or Editor\n- **Restarting a Bare Metal Solution server**\n\n - Bare Metal Solution roles: Admin or Editor\n - Basic roles: Owner or Editor\n- **Listing servers or requesting status**\n\n - Bare Metal Solution roles: Viewer or Instances Viewer\n - Basic role: Viewer\n- **Managing storage components**\n\n - Bare Metal Solution roles: Admin, Editor, or Storage Admin\n - Basic roles: Owner or Editor\n- **Managing networking components**\n\n - Bare Metal Solution roles: Admin, Editor, or Networks Admin\n - Basic roles: Owner or Editor\n\nFor a full list of Bare Metal Solution roles, see [Predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined) and enter\n`baremetalsolution.` in the search box.\n\nFor a full list of Bare Metal Solution permissions, see [Search for a permission](https://cloud.google.com/iam/docs/permissions-reference#search) and enter\n`baremetalsolution.` in the search box.\n\nGrant an IAM role\n-----------------\n\nAdd an IAM policy to grant a Bare Metal Solution role to\na principal. The role contains permissions which enable the principal to perform\ncertain actions. To grant a role: \n\n### Console\n\n1. Make sure that you have a role that contains the proper\n IAM permissions to grant roles to others, such as\n **Owner** , **Project IAM Admin** , or\n **Security Admin** . For more information about this requirement, see\n [Required Roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access#required-permissions).\n\n2. In the Google Cloud console, go to the IAM\n permissions page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n3. Click **Grant access**.\n\n4. Enter the following information:\n\n - For **Add principals**, enter your users. You can add individual\n users, Google groups, service accounts, or Google Workspace\n domains.\n\n - For **Assign roles** , choose a role from the **Select a role** menu\n to grant this role to the principals.\n\n - Click **addAdd another role** if\n you need to assign multiple roles to your principals.\n\n - Click **Save**.\n\n Your principals and their assigned roles appear in the [IAM\n permissions](https://console.cloud.google.com/iam-admin/iam) status page.\n\n### gcloud\n\n1. Make sure that you have a role that contains the proper IAM permissions\n to grant roles to others, such as **Owner** , **Project IAM Admin** , or\n **Security Admin** . For more information about this requirement, see\n [Required Roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access#required-permissions).\n\n2. Open a Cloud Shell window in your Google Cloud project.\n\n3. Add your Google Cloud project ID, email address for your\n principal's Google Cloud account, and the desired Bare Metal Solution\n role path into the following command:\n\n \u003cbr /\u003e\n\n ```\n gcloud projects add-iam-policy-binding PROJECT_ID \\\n --member=user:username@example.com \\\n --role=roles/baremetalsolution.admin\n \n ```\n\n \u003cbr /\u003e\n\n4. Copy the command and paste it into your Cloud Shell window.\n\n5. Press the **Enter** or **Return** key.\n\n6. In some cases, an **Authorize Cloud Shell** window opens, requesting\n you to allow an API call. If you see this, click **Authorize**.\n\n7. When you've entered the commands successfully, the output looks like\n this:\n\n \u003cbr /\u003e\n\n ```\n Updated IAM policy for project [PROJECT_ID].\n bindings:\n - members:\n - user:username@example.com\n role: roles/baremetalsolution.admin\n - members:\n - serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com\n role: roles/compute.serviceAgent\n - members:\n - serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com\n - serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com\n role: roles/editor\n - members:\n - user:username@example.com\n role: roles/owner\n etag: ETAG_NUMBER\n version: 1\n \n ```\n\n \u003cbr /\u003e\n\nTo learn more about IAM, see [Identity and Access Management](/iam)."]]
