IAM roles and permissions

Access control in Cloud Build is managed with Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Cloud Build provides a specific set of predefined IAM roles, where each role contains a set of permissions. You can use these roles to grant more granular access to specific Google Cloud resources and prevent unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so that you grant only the access your resources actually need.

This page describes the Cloud Build roles and permissions.
Predefined Cloud Build roles

With IAM, every API method in the Cloud Build API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a principal (a user, group, or service account). You can grant multiple roles to a principal on the same resource.

The table below lists the Cloud Build IAM roles and the permissions they include:
Name: roles/cloudbuild.builds.viewer
Title: Cloud Build Viewer

Name: roles/cloudbuild.builds.approver
Title: Cloud Build Approver
Description: Grants access to approve or reject pending builds
Permissions:
  cloudbuild.builds.approve
  cloudbuild.builds.get
  cloudbuild.builds.list
  remotebuildexecution.blobs.get
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.builds.builder
Title: Cloud Build Legacy Service Account
Description: When you enable the Cloud Build API for a project, the Cloud Build legacy service account is created automatically in the project and is granted this role on the resources in the project. The Cloud Build legacy service account uses this role only as needed to perform actions while running the build.

Name: roles/cloudbuild.integrationsViewer
Title: Cloud Build Integrations Viewer
Description: Can view Cloud Build host connections
Permissions:
  cloudbuild.integrations.get
  cloudbuild.integrations.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.integrationsEditor
Title: Cloud Build Integrations Editor
Description: Can edit Cloud Build host connections
Permissions:
  cloudbuild.integrations.get
  cloudbuild.integrations.list
  cloudbuild.integrations.update
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.integrationsOwner
Title: Cloud Build Integrations Owner
Description: Full control of Cloud Build host connections
Permissions:
  cloudbuild.integrations.create
  cloudbuild.integrations.delete
  cloudbuild.integrations.get
  cloudbuild.integrations.list
  cloudbuild.integrations.update
  compute.firewalls.create
  compute.firewalls.get
  compute.firewalls.list
  compute.networks.get
  compute.networks.updatePolicy
  compute.regions.get
  compute.subnetworks.get
  compute.subnetworks.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.connectionViewer
Title: Cloud Build Connection Viewer
Description: Can view and list connections and repositories
Permissions:
  resourcemanager.projects.get
  resourcemanager.projects.list
  cloudbuild.connections.get
  cloudbuild.connections.fetchLinkableRepositories
  cloudbuild.connections.list
  cloudbuild.connections.getIamPolicy
  cloudbuild.repositories.get
  cloudbuild.repositories.list

Name: roles/cloudbuild.connectionAdmin
Title: Cloud Build Connection Admin
Description: Can manage connections and repositories
Permissions:
  resourcemanager.projects.get
  resourcemanager.projects.list
  cloudbuild.connections.get
  cloudbuild.connections.fetchLinkableRepositories
  cloudbuild.connections.list
  cloudbuild.connections.create
  cloudbuild.connections.update
  cloudbuild.connections.delete
  cloudbuild.connections.getIamPolicy
  cloudbuild.connections.setIamPolicy
  cloudbuild.repositories.get
  cloudbuild.repositories.list
  cloudbuild.repositories.create
  cloudbuild.repositories.delete

Name: roles/cloudbuild.readTokenAccessor
Title: Cloud Build Read-Only Token Accessor
Description: Can access the connection and its repositories, and access the read-only token
Permissions:
  cloudbuild.connections.get
  cloudbuild.repositories.get
  cloudbuild.repositories.accessReadToken

Name: roles/cloudbuild.tokenAccessor
Title: Cloud Build Token Accessor
Description: Can access the connection and its repositories, and access both the read/write and the read-only tokens
Permissions:
  cloudbuild.connections.get
  cloudbuild.repositories.get
  cloudbuild.repositories.accessReadToken
  cloudbuild.repositories.accessReadWriteToken

Name: roles/cloudbuild.workerPoolOwner
Title: Cloud Build WorkerPool Owner
Description: Full control of private pools
Permissions:
  cloudbuild.workerpools.create
  cloudbuild.workerpools.delete
  cloudbuild.workerpools.get
  cloudbuild.workerpools.list
  cloudbuild.workerpools.update
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.workerPoolEditor
Title: Cloud Build WorkerPool Editor
Description: Can update private pools
Permissions:
  cloudbuild.workerpools.get
  cloudbuild.workerpools.list
  cloudbuild.workerpools.update
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.workerPoolViewer
Title: Cloud Build WorkerPool Viewer
Description: Can view private pools
Permissions:
  cloudbuild.workerpools.get
  cloudbuild.workerpools.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Name: roles/cloudbuild.workerPoolUser
Title: Cloud Build WorkerPool User
Description: Can run builds in private pools
Permissions:
  cloudbuild.workerpools.use
In addition to the Cloud Build predefined roles above, the basic Viewer, Editor, and Owner roles also include permissions related to Cloud Build. However, we recommend that you grant predefined roles wherever possible, to comply with the security principle of least privilege.

The table below lists the basic roles and the Cloud Build IAM roles that they include.

Note: Owner, Editor, and Viewer include permissions for many other Google Cloud services. The Owner role is automatically granted to the original project creator.
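The following script is an added example, not Google's code and not part of this page. It transcribes the role-to-permission table above into a Python map and uses it two ways a practitioner actually needs: picking the narrowest predefined role set that covers a required permission list (greedy set cover), and auditing an IAM policy document for bindings that grant sensitive permissions. Assumptions: only roles whose permissions this page enumerates are modelled in full; `roles/owner`, `roles/editor` and `roles/cloudbuild.builds.editor` are modelled with just the one permission this page says they carry (`cloudbuild.builds.create`), so they are deliberately incomplete; the set of "sensitive" permissions is this example's choice; and `SAMPLE_POLICY` is a constructed document shaped like `gcloud projects get-iam-policy` output, not a real project's policy.

```python
"""Least-privilege helpers over the Cloud Build predefined roles listed on this page.

Added example, not Google's code. PREDEFINED is transcribed from the table above
(only roles whose permissions the page lists). SAMPLE_POLICY is constructed.
"""
from __future__ import annotations

PROJ = "resourcemanager.projects.get resourcemanager.projects.list"
CONN = ("cloudbuild.connections.get cloudbuild.connections.fetchLinkableRepositories "
        "cloudbuild.connections.list cloudbuild.connections.getIamPolicy "
        "cloudbuild.repositories.get cloudbuild.repositories.list")
INTEG = "cloudbuild.integrations.get cloudbuild.integrations.list"
WP = "cloudbuild.workerpools.get cloudbuild.workerpools.list"

PREDEFINED: dict[str, frozenset[str]] = {
    role: frozenset(perms.split()) for role, perms in {
        "roles/cloudbuild.builds.approver":
            "cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list "
            "remotebuildexecution.blobs.get " + PROJ,
        "roles/cloudbuild.integrationsViewer": INTEG + " " + PROJ,
        "roles/cloudbuild.integrationsEditor": INTEG + " cloudbuild.integrations.update " + PROJ,
        "roles/cloudbuild.integrationsOwner":
            INTEG + " cloudbuild.integrations.create cloudbuild.integrations.delete "
            "cloudbuild.integrations.update compute.firewalls.create compute.firewalls.get "
            "compute.firewalls.list compute.networks.get compute.networks.updatePolicy "
            "compute.regions.get compute.subnetworks.get compute.subnetworks.list " + PROJ,
        "roles/cloudbuild.connectionViewer": CONN + " " + PROJ,
        "roles/cloudbuild.connectionAdmin":
            CONN + " cloudbuild.connections.create cloudbuild.connections.update "
            "cloudbuild.connections.delete cloudbuild.connections.setIamPolicy "
            "cloudbuild.repositories.create cloudbuild.repositories.delete " + PROJ,
        "roles/cloudbuild.readTokenAccessor":
            "cloudbuild.connections.get cloudbuild.repositories.get "
            "cloudbuild.repositories.accessReadToken",
        "roles/cloudbuild.tokenAccessor":
            "cloudbuild.connections.get cloudbuild.repositories.get "
            "cloudbuild.repositories.accessReadToken cloudbuild.repositories.accessReadWriteToken",
        "roles/cloudbuild.workerPoolOwner":
            WP + " cloudbuild.workerpools.create cloudbuild.workerpools.delete "
            "cloudbuild.workerpools.update " + PROJ,
        "roles/cloudbuild.workerPoolEditor": WP + " cloudbuild.workerpools.update " + PROJ,
        "roles/cloudbuild.workerPoolViewer": WP + " " + PROJ,
        "roles/cloudbuild.workerPoolUser": "cloudbuild.workerpools.use",
    }.items()
}

# This page states that cloudbuild.builds.create is included in Cloud Build Editor,
# Project Owner and Project Editor, and lets the holder run builds as the legacy
# service account. Their full permission sets are not on the page, so the audit
# knows only that one permission for them (assumption: treat them as "broad").
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudbuild.builds.editor"}

# Permissions this example treats as sensitive (the choice is the example's):
# running builds as the legacy SA, writing to source repos, re-granting connection access.
SENSITIVE = frozenset({
    "cloudbuild.builds.create",
    "cloudbuild.repositories.accessReadWriteToken",
    "cloudbuild.connections.setIamPolicy",
})


def permissions_of(role: str) -> frozenset[str]:
    """Permissions a role grants, as far as this page documents them."""
    if role in BROAD_ROLES:
        return frozenset({"cloudbuild.builds.create"})
    return PREDEFINED.get(role, frozenset())


def minimal_role_set(required: set[str]) -> list[str] | None:
    """Greedy set cover: the fewest, narrowest predefined roles that grant `required`.

    Ties are broken by the smallest total permission count, then by name, so the
    least-privileged option wins. Returns None when the roles on this page cannot
    cover the request (e.g. cloudbuild.builds.create is only in roles not enumerated here).
    """
    remaining, chosen = set(required), []
    while remaining:
        best = min(PREDEFINED, key=lambda r: (-len(PREDEFINED[r] & remaining), len(PREDEFINED[r]), r))
        if not PREDEFINED[best] & remaining:
            return None
        chosen.append(best)
        remaining -= PREDEFINED[best]
    return chosen


def audit_policy(policy: dict) -> list[tuple[str, str, list[str]]]:
    """Return (member, role, sensitive permissions) for each binding granting any of SENSITIVE.

    `policy` has the shape of `gcloud projects get-iam-policy --format=json` output.
    """
    findings = []
    for binding in policy.get("bindings", []):
        hits = sorted(permissions_of(binding["role"]) & SENSITIVE)
        for member in binding["members"] if hits else []:
            findings.append((member, binding["role"], hits))
    return findings


# Constructed sample policy, not a real project's.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudbuild.tokenAccessor", "members": ["group:ci-admins@example.com"]},
    {"role": "roles/cloudbuild.builds.approver",
     "members": ["serviceAccount:release-gate@example.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    print(minimal_role_set({"cloudbuild.workerpools.use", "cloudbuild.workerpools.get"}))
    for member, role, hits in audit_policy(SAMPLE_POLICY):
        print(f"{member} via {role}: {', '.join(hits)}")
```

Two things the table alone does not make obvious fall out of running this: a principal who must both see and use a private pool needs two roles (`workerPoolUser` plus `workerPoolViewer`), because `workerPoolUser` carries only `cloudbuild.workerpools.use`; and a request for `cloudbuild.builds.create` cannot be satisfied by any role enumerated on this page, which is exactly why the Caution below warns that granting Project Editor or Cloud Build Editor for it hands out far more than build creation.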
Permissions

The following table lists the permissions that the caller must have to call each method:

Caution: The cloudbuild.builds.create permission enables a user to run builds as the Cloud Build legacy service account. This permission is included in the Cloud Build Editor, Project Owner, and Project Editor roles, so granting a user any of these roles enables them to run builds as the Cloud Build legacy service account. Depending on the IAM permissions granted to the user and the permissions of the Cloud Build legacy service account, this could give the user escalated build-time privileges.

Permissions to view build logs

To view build logs, you need additional permissions depending on whether your build logs are stored in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on the permissions required to view build logs, see Storing and viewing build logs.

What's next

- Learn about the default Cloud Build service account.
- Learn how to configure access to Cloud Build resources.
- Learn how to configure access for the Cloud Build service account.
- Learn about IAM.

Last updated 2025-08-18 UTC.