IAM 角色和权限

Cloud Build 中的访问控制使用 Identity and Access Management (IAM) 进行控制。通过 IAM,您可以创建和管理对 Google Cloud 资源的权限。Cloud Build 提供一组特定预定义的 IAM 角色,其中每个角色都包含一组权限。您可以使用这些角色以更精细的方式授予对特定 Google Cloud 资源的访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,因此您只需授予对您的资源的必要访问权限即可。

本页面介绍了 Cloud Build 角色和权限。

预定义的 Cloud Build 角色

使用 IAM 时,Cloud Build API 中的每个 API 方法都会要求发出 API 请求的身份拥有适当的资源使用权限。您可以通过设置向主账号(用户、群组或服务账号)授予角色的政策来授予权限。您可以就同一资源授予某个主账号多个角色。

下表列出了 Cloud Build IAM 角色及其具备的权限:

角色 说明 权限
名称roles/cloudbuild.builds.viewer
称谓:Cloud Build Viewer 		可以查看 Cloud Build

资源

 cloudbuild.builds.get

cloudbuild.builds.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.builds.editor
称谓:Cloud Build Editor 		拥有 Cloud Build 的完全控制权

资源

 cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.builds.approver
称谓:Cloud Build Approver 		提供批准或

拒绝待处理的构建的权限

 cloudbuild.builds.approve

cloudbuild.builds.get

cloudbuild.builds.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.builds.builder
称谓:Cloud Build 旧版 Service Account 		当您为项目启用
Cloud Build API 时,
Cloud Build 旧版服务账号
会自动在项目中创建
并获得适用于项目中
资源的此角色。Cloud Build
旧版服务账号仅在
执行构建时将此角色用作执行操作所需的
如需查看
该角色包含的权限列表,
请参阅默认 Cloud Build 服务账号
名称roles/cloudbuild.integrationsViewer
称谓:Cloud Build Integrations Viewer 		可以查看 Cloud Build

主机连接

 cloudbuild.integrations.get

cloudbuild.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.integrationsEditor
称谓:Cloud Build Integrations Editor 		有权修改 Cloud Build 的控制权

主机连接

 cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.integrationsOwner
称谓:Cloud Build Integrations Owner 		拥有 Cloud Build 的完全控制权

主机连接

 cloudbuild.integrations.create

cloudbuild.integrations.delete

cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

compute.firewalls.create

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.networks.updatePolicy

compute.regions.get

compute.subnetworks.get

compute.subnetworks.list

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.connectionViewer
称谓:Cloud Build Connection Viewer 		可以查看和列出连接

和代码库

 resourcemanager.projects.get

resourcemanager.projects.list

cloudbuild.connections.get

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.list

cloudbuild.connections.getIamPolicy

cloudbuild.repositories.get

cloudbuild.repositories.list
名称roles/cloudbuild.connectionAdmin
称谓:Cloud Build 关联管理员 		可以管理连接

和代码库

 resourcemanager.projects.get

resourcemanager.projects.list

cloudbuild.connections.get

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.list

cloudbuild.connections.create

cloudbuild.connections.update

cloudbuild.connections.delete

cloudbuild.connections.getIamPolicy

cloudbuild.connections.setIamPolicy

cloudbuild.repositories.get

cloudbuild.repositories.list

cloudbuild.repositories.create

cloudbuild.repositories.delete
名称roles/cloudbuild.readTokenAccessor
称谓:Cloud Build 只读令牌访问器 		可以查看连接及其代码库

并访问其只读令牌

 cloudbuild.connections.get

cloudbuild.repositories.get

cloudbuild.repositories.accessReadToken
名称roles/cloudbuild.tokenAccessor
称谓:Cloud Build Token Accessor 		可以查看连接及其代码库

并访问其只读令牌和读取/写入令牌

 cloudbuild.connections.get

cloudbuild.repositories.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken
名称roles/cloudbuild.workerPoolOwner
称谓:Cloud Build WorkerPool Owner 		拥有专用池的完全控制权 cloudbuild.workerpools.create

cloudbuild.workerpools.delete

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.workerPoolEditor
称谓:Cloud Build WorkerPool Editor 		可以更新专用池 cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.workerPoolViewer
称谓:Cloud Build WorkerPool Viewer		 可以查看专用池 cloudbuild.workerpools.get

cloudbuild.workerpools.list

resourcemanager.projects.get

resourcemanager.projects.list
名称roles/cloudbuild.workerPoolUser
称谓:Cloud Build WorkerPool User		 可以在专用池中运行构建 cloudbuild.workerpools.use

除了上述 Cloud Build 预定义角色之外,基本 Viewer、Editor 和 Owner 角色也包含与 Cloud Build 相关的权限。但是,我们建议您尽可能授予预定义角色,以便符合最小权限安全原则

下表列出了基本角色以及它们包含的 Cloud Build IAM 角色。

角色 包含的角色
roles/viewer roles/cloudbuild.integrations.viewerroles/cloudbuild.builds.viewer
roles/editor roles/cloudbuild.builds.editorroles/cloudbuild.integrations.editor
roles/owner roles/cloudbuild.integrations.owner

权限

下表列出了调用者调用每个方法必须具备的权限:

API 方法 所需权限 角色名称
builds.create()
triggers.create()
triggers.patch()
triggers.delete()
triggers.run()		 cloudbuild.builds.create Cloud Build 编辑者
builds.cancel() cloudbuild.builds.update Cloud Build 编辑者
builds.get()
triggers.get()		 cloudbuild.builds.get Cloud Build 编辑者、Cloud Build 查看者
builds.list()
triggers.list()		 cloudbuild.builds.list Cloud Build Editor、Cloud Build Viewer

构建日志的查看权限

要查看构建日志,您需要其他权限,具体取决于您是将构建日志存储在默认 Cloud Storage 存储分区还是用户指定的 Cloud Storage 存储分区。如需详细了解查看构建日志所需的权限,请参阅存储和查看构建日志

后续步骤