为裸金属解决方案配置 IAM

如果您希望主账号(例如 Google Cloud 项目用户或服务账号)获得裸金属解决方案环境中的资源的访问权限,则需要向它们授予适当的角色和权限。如需授予访问权限,您可以创建 Identity and Access Management (IAM) 政策并授予裸金属解决方案专用的预定义角色。

请遵循 Google Cloud安全最小权限原则,向主账号授予具有足够权限的角色,让主账号能够执行其工作,但无权执行其他操作。

裸金属解决方案的预定义角色

裸金属解决方案的每个 IAM 角色都包含一些权限,这些权限可授予主账号对特定资源的访问权限,如下表所示。

Role Permissions

(roles/baremetalsolution.admin)

Administrator of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

  • baremetalsolution.instances.attachNetwork
  • baremetalsolution.instances.attachVolume
  • baremetalsolution.instances.create
  • baremetalsolution.instances.detachLun
  • baremetalsolution.instances.detachNetwork
  • baremetalsolution.instances.detachVolume
  • baremetalsolution.instances.disableInteractiveSerialConsole
  • baremetalsolution.instances.enableInteractiveSerialConsole
  • baremetalsolution.instances.get
  • baremetalsolution.instances.list
  • baremetalsolution.instances.rename
  • baremetalsolution.instances.reset
  • baremetalsolution.instances.start
  • baremetalsolution.instances.stop
  • baremetalsolution.instances.update

baremetalsolution.luns.*

  • baremetalsolution.luns.create
  • baremetalsolution.luns.delete
  • baremetalsolution.luns.evict
  • baremetalsolution.luns.get
  • baremetalsolution.luns.list
  • baremetalsolution.luns.update

baremetalsolution.maintenanceevents.*

  • baremetalsolution.maintenanceevents.addProposal
  • baremetalsolution.maintenanceevents.approve
  • baremetalsolution.maintenanceevents.get
  • baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

  • baremetalsolution.networks.create
  • baremetalsolution.networks.delete
  • baremetalsolution.networks.get
  • baremetalsolution.networks.list
  • baremetalsolution.networks.rename
  • baremetalsolution.networks.update

baremetalsolution.nfsshares.*

  • baremetalsolution.nfsshares.create
  • baremetalsolution.nfsshares.delete
  • baremetalsolution.nfsshares.get
  • baremetalsolution.nfsshares.list
  • baremetalsolution.nfsshares.rename
  • baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

  • baremetalsolution.snapshotschedulepolicies.create
  • baremetalsolution.snapshotschedulepolicies.delete
  • baremetalsolution.snapshotschedulepolicies.get
  • baremetalsolution.snapshotschedulepolicies.list
  • baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.sshKeys.*

  • baremetalsolution.sshKeys.create
  • baremetalsolution.sshKeys.delete
  • baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

  • baremetalsolution.volumes.create
  • baremetalsolution.volumes.delete
  • baremetalsolution.volumes.evict
  • baremetalsolution.volumes.get
  • baremetalsolution.volumes.list
  • baremetalsolution.volumes.rename
  • baremetalsolution.volumes.resize
  • baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

  • baremetalsolution.volumesnapshots.create
  • baremetalsolution.volumesnapshots.delete
  • baremetalsolution.volumesnapshots.get
  • baremetalsolution.volumesnapshots.list
  • baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.editor)

Editor of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

  • baremetalsolution.instances.attachNetwork
  • baremetalsolution.instances.attachVolume
  • baremetalsolution.instances.create
  • baremetalsolution.instances.detachLun
  • baremetalsolution.instances.detachNetwork
  • baremetalsolution.instances.detachVolume
  • baremetalsolution.instances.disableInteractiveSerialConsole
  • baremetalsolution.instances.enableInteractiveSerialConsole
  • baremetalsolution.instances.get
  • baremetalsolution.instances.list
  • baremetalsolution.instances.rename
  • baremetalsolution.instances.reset
  • baremetalsolution.instances.start
  • baremetalsolution.instances.stop
  • baremetalsolution.instances.update

baremetalsolution.luns.*

  • baremetalsolution.luns.create
  • baremetalsolution.luns.delete
  • baremetalsolution.luns.evict
  • baremetalsolution.luns.get
  • baremetalsolution.luns.list
  • baremetalsolution.luns.update

baremetalsolution.maintenanceevents.*

  • baremetalsolution.maintenanceevents.addProposal
  • baremetalsolution.maintenanceevents.approve
  • baremetalsolution.maintenanceevents.get
  • baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

  • baremetalsolution.networks.create
  • baremetalsolution.networks.delete
  • baremetalsolution.networks.get
  • baremetalsolution.networks.list
  • baremetalsolution.networks.rename
  • baremetalsolution.networks.update

baremetalsolution.nfsshares.*

  • baremetalsolution.nfsshares.create
  • baremetalsolution.nfsshares.delete
  • baremetalsolution.nfsshares.get
  • baremetalsolution.nfsshares.list
  • baremetalsolution.nfsshares.rename
  • baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

  • baremetalsolution.snapshotschedulepolicies.create
  • baremetalsolution.snapshotschedulepolicies.delete
  • baremetalsolution.snapshotschedulepolicies.get
  • baremetalsolution.snapshotschedulepolicies.list
  • baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.sshKeys.*

  • baremetalsolution.sshKeys.create
  • baremetalsolution.sshKeys.delete
  • baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

  • baremetalsolution.volumes.create
  • baremetalsolution.volumes.delete
  • baremetalsolution.volumes.evict
  • baremetalsolution.volumes.get
  • baremetalsolution.volumes.list
  • baremetalsolution.volumes.rename
  • baremetalsolution.volumes.resize
  • baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

  • baremetalsolution.volumesnapshots.create
  • baremetalsolution.volumesnapshots.delete
  • baremetalsolution.volumesnapshots.get
  • baremetalsolution.volumesnapshots.list
  • baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesadmin)

Admin of Bare Metal Solution Instance resources

baremetalsolution.instances.*

  • baremetalsolution.instances.attachNetwork
  • baremetalsolution.instances.attachVolume
  • baremetalsolution.instances.create
  • baremetalsolution.instances.detachLun
  • baremetalsolution.instances.detachNetwork
  • baremetalsolution.instances.detachVolume
  • baremetalsolution.instances.disableInteractiveSerialConsole
  • baremetalsolution.instances.enableInteractiveSerialConsole
  • baremetalsolution.instances.get
  • baremetalsolution.instances.list
  • baremetalsolution.instances.rename
  • baremetalsolution.instances.reset
  • baremetalsolution.instances.start
  • baremetalsolution.instances.stop
  • baremetalsolution.instances.update

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesviewer)

Viewer of Bare Metal Solution Instance resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.lunsadmin)

Administrator of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.lunsviewer)

Viewer of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.maintenanceeventsadmin)

Administrator of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

  • baremetalsolution.maintenanceevents.addProposal
  • baremetalsolution.maintenanceevents.approve
  • baremetalsolution.maintenanceevents.get
  • baremetalsolution.maintenanceevents.list

(roles/baremetalsolution.maintenanceeventseditor)

Editor of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

  • baremetalsolution.maintenanceevents.addProposal
  • baremetalsolution.maintenanceevents.approve
  • baremetalsolution.maintenanceevents.get
  • baremetalsolution.maintenanceevents.list

(roles/baremetalsolution.maintenanceeventsviewer)

Viewer of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

(roles/baremetalsolution.networksadmin)

Admin of Bare Metal Solution networks resources

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

  • baremetalsolution.networks.create
  • baremetalsolution.networks.delete
  • baremetalsolution.networks.get
  • baremetalsolution.networks.list
  • baremetalsolution.networks.rename
  • baremetalsolution.networks.update

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfssharesadmin)

Administrator of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

  • baremetalsolution.nfsshares.create
  • baremetalsolution.nfsshares.delete
  • baremetalsolution.nfsshares.get
  • baremetalsolution.nfsshares.list
  • baremetalsolution.nfsshares.rename
  • baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfsshareseditor)

Editor of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

  • baremetalsolution.nfsshares.create
  • baremetalsolution.nfsshares.delete
  • baremetalsolution.nfsshares.get
  • baremetalsolution.nfsshares.list
  • baremetalsolution.nfsshares.rename
  • baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfssharesviewer)

Viewer of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

(roles/baremetalsolution.osimagesviewer)

Viewer of Bare Metal Solution OS images resources

baremetalsolution.osimages.list

(roles/baremetalsolution.procurementsadmin)

Administrator of Bare Metal Solution Procurements

baremetalsolution.pods.list

baremetalsolution.procurements.*

  • baremetalsolution.procurements.create
  • baremetalsolution.procurements.get
  • baremetalsolution.procurements.list

baremetalsolution.skus.list

(roles/baremetalsolution.procurementseditor)

Editor of Bare Metal Solution Procurements

baremetalsolution.pods.list

baremetalsolution.procurements.*

  • baremetalsolution.procurements.create
  • baremetalsolution.procurements.get
  • baremetalsolution.procurements.list

baremetalsolution.skus.list

(roles/baremetalsolution.procurementsviewer)

Viewer of Bare Metal Solution Procurements

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

(roles/baremetalsolution.serviceAgent)

Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnects.get

compute.interconnects.list

compute.networks.get

compute.networks.list

compute.projects.get

resourcemanager.projects.get

(roles/baremetalsolution.storageadmin)

Administrator of Bare Metal Solution storage resources

baremetalsolution.luns.*

  • baremetalsolution.luns.create
  • baremetalsolution.luns.delete
  • baremetalsolution.luns.evict
  • baremetalsolution.luns.get
  • baremetalsolution.luns.list
  • baremetalsolution.luns.update

baremetalsolution.nfsshares.*

  • baremetalsolution.nfsshares.create
  • baremetalsolution.nfsshares.delete
  • baremetalsolution.nfsshares.get
  • baremetalsolution.nfsshares.list
  • baremetalsolution.nfsshares.rename
  • baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.snapshotschedulepolicies.*

  • baremetalsolution.snapshotschedulepolicies.create
  • baremetalsolution.snapshotschedulepolicies.delete
  • baremetalsolution.snapshotschedulepolicies.get
  • baremetalsolution.snapshotschedulepolicies.list
  • baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

  • baremetalsolution.volumes.create
  • baremetalsolution.volumes.delete
  • baremetalsolution.volumes.evict
  • baremetalsolution.volumes.get
  • baremetalsolution.volumes.list
  • baremetalsolution.volumes.rename
  • baremetalsolution.volumes.resize
  • baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

  • baremetalsolution.volumesnapshots.create
  • baremetalsolution.volumesnapshots.delete
  • baremetalsolution.volumesnapshots.get
  • baremetalsolution.volumesnapshots.list
  • baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.viewer)

Viewer of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.get

baremetalsolution.networks.list

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.get

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.volumesadmin)

Administrator of Bare Metal Solution volume resources

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.volumes.*

  • baremetalsolution.volumes.create
  • baremetalsolution.volumes.delete
  • baremetalsolution.volumes.evict
  • baremetalsolution.volumes.get
  • baremetalsolution.volumes.list
  • baremetalsolution.volumes.rename
  • baremetalsolution.volumes.resize
  • baremetalsolution.volumes.update

(roles/baremetalsolution.volumeseditor)

Editor of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.create

baremetalsolution.volumes.delete

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumes.rename

baremetalsolution.volumes.resize

baremetalsolution.volumes.update

(roles/baremetalsolution.volumesnapshotsadmin)

Administrator of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.*

  • baremetalsolution.volumesnapshots.create
  • baremetalsolution.volumesnapshots.delete
  • baremetalsolution.volumesnapshots.get
  • baremetalsolution.volumesnapshots.list
  • baremetalsolution.volumesnapshots.restore

(roles/baremetalsolution.volumesnapshotseditor)

Editor of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.create

baremetalsolution.volumesnapshots.delete

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumesnapshotsviewer)

Viewer of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumessviewer)

Viewer of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumes.get

baremetalsolution.volumes.list

我们建议按如下所示应用角色:

  • 填写登记表

    • 裸金属解决方案角色:Admin、Editor 或 Instances Admin AND Compute Network Viewer
    • 基本角色:Owner 或 Editor

  • 重启 Bare Metal 解决方案服务器

    • 裸金属解决方案角色:Admin 或 Editor
    • 基本角色:Owner 或 Editor

  • 列出服务器或请求状态

    • 裸金属解决方案角色:Viewer 或 Instances Viewer
    • 基本角色:Viewer

  • 管理存储组件

    • 裸金属解决方案角色:Admin、Editor 或 Storage Admin
    • 基本角色:Owner 或 Editor

  • 管理网络组件

    • 裸金属解决方案角色:Admin、Editor 或 Networks Admin
    • 基本角色:Owner 或 Editor

如需查看裸金属解决方案角色的完整列表,请参阅预定义角色并在搜索框中输入 baremetalsolution.

如需查看裸金属解决方案权限的完整列表,请参阅搜索权限并在搜索框中输入 baremetalsolution.

授予 IAM 角色

添加 IAM 政策以向主账号授予裸金属解决方案角色。该角色包含使主账号能够执行特定操作的权限。授予角色:

控制台

  1. 确保您拥有的角色包含适当的 IAM 权限,可向其他角色授予角色,例如 OwnerProject IAM AdminSecurity Admin。如需详细了解此要求,请参阅所需角色

  2. 在 Google Cloud 控制台中,进入 IAM 权限页面。

    转到 IAM

  3. 点击授予使用权限

  4. 请输入以下信息:

    • 添加主账号部分,输入您的用户。您可以添加单个用户、Google 群组、服务账号或 Google Workspace 网域。

    • 对于分配角色,从选择角色菜单中选择一个角色,以将此角色授予主账号。

    • 如果您需要为主账号分配多个角色,点击 添加其他角色

    • 点击保存

    您的主账号及其分配的角色会显示在 IAM 权限状态页面中。

gcloud

  1. 确保您拥有的角色包含适当的 IAM 权限,可向其他角色授予角色,例如 OwnerProject IAM AdminSecurity Admin。如需详细了解此要求,请参阅所需角色

  2. 在 Google Cloud 项目中打开 Cloud Shell 窗口。

  3. 将您的 Google Cloud 项目 ID、主账号的 Google Cloud 电子邮件地址和所需的 Bare Metal 解决方案角色路径添加到以下命令中:

    gcloud projects add-iam-policy-binding PROJECT_ID \
 --member=user:username@example.com \
 --role=roles/baremetalsolution.admin

  4. 复制该命令并将其粘贴到 Cloud Shell 窗口中。

  5. Enter 键或 Return 键。

  6. 在某些情况下,系统会打开为 Cloud Shell 提供授权窗口,要求您允许 API 调用。如果您看到此窗口,请点击授权

  7. 成功输入命令后,输出将如下所示:

    Updated IAM policy for project [PROJECT_ID].
  bindings:
  - members:
   - user:username@example.com
   role: roles/baremetalsolution.admin
  - members:
   - serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
   role: roles/compute.serviceAgent
  - members:
   - serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com
   - serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com
   role: roles/editor
  - members:
   - user:username@example.com
   role: roles/owner
  etag: ETAG_NUMBER
  version: 1

如需详细了解 IAM,请参阅 Identity and Access Management