Halaman ini diterjemahkan oleh Cloud Translation API.

Peran dan izin IAM

Halaman ini menjelaskan akun layanan, peran, dan izin Cloud Deploy.

Akses di Cloud Deploy dikontrol menggunakan Identity and Access Management (IAM). Dengan IAM, Anda dapat membuat dan mengelola izin untuk Google Cloud resource. Cloud Deploy menyediakan serangkaian peran IAM bawaan tertentu di mana setiap peran berisi serangkaian izin. Anda dapat menggunakan peran ini untuk memberikan akses yang lebih terperinci ke resource tertentu dan mencegah akses yang tidak diinginkan ke resource lainnya. Google Cloud IAM memungkinkan Anda menerapkan prinsip hak istimewa terendah untuk keamanan, jadi Anda hanya memberikan akses yang diperlukan ke resource Anda.

Lihat Menggunakan IAM untuk membatasi akses Cloud Deploy untuk mempelajari fitur keamanan kontrol akses lanjutan.

Akun layanan di Cloud Deploy

Secara default, Cloud Deploy berjalan menggunakan akun layanan Compute Engine default. Untuk mengetahui informasi selengkapnya tentang cara mengonfigurasi akun layanan ini untuk digunakan dengan Cloud Deploy, atau memilih akun lain, lihat dokumentasi akun layanan eksekusi Cloud Deploy.

Cari tahu lebih lanjut cara Cloud Deploy menggunakan akun layanan.

Peran Cloud Deploy yang telah ditetapkan

Dengan IAM, setiap metode API di Cloud Deploy API mengharuskan identitas yang membuat permintaan API memiliki izin yang sesuai untuk menggunakan resource. Izin diberikan dengan menetapkan kebijakan yang memberikan peran kepada akun utama (pengguna, grup, atau akun layanan) project Anda. Anda dapat memberikan beberapa peran kepada akun utama di resource yang sama.

Dokumentasi IAM mencakup referensi yang dapat ditelusuri dari semua peran yang telah ditetapkan.

Tabel berikut mencantumkan peran IAM Cloud Deploy dan izin yang disertakan:

Role Permissions

Role	Permissions
Cloud Deploy Admin (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	`clouddeploy.*` `clouddeploy.automationRuns.cancel` `clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.create` `clouddeploy.automations.delete` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.automations.update` `clouddeploy.config.get` `clouddeploy.customTargetTypes.create` `clouddeploy.customTargetTypes.delete` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.customTargetTypes.setIamPolicy` `clouddeploy.customTargetTypes.update` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.setIamPolicy` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.create` `clouddeploy.deployPolicies.delete` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.deployPolicies.setIamPolicy` `clouddeploy.deployPolicies.update` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.jobRuns.terminate` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.approve` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.ignoreJob` `clouddeploy.rollouts.list` `clouddeploy.rollouts.retryJob` `clouddeploy.rollouts.rollback` `clouddeploy.targets.create` `clouddeploy.targets.createTagBinding` `clouddeploy.targets.delete` `clouddeploy.targets.deleteTagBinding` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `clouddeploy.targets.setIamPolicy` `clouddeploy.targets.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Approver (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	`clouddeploy.config.get` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.rollouts.approve` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Custom Target Type Admin (`roles/clouddeploy.customTargetTypeAdmin`) Permission to manage CustomTargetType resources	`clouddeploy.config.get` `clouddeploy.customTargetTypes.*` `clouddeploy.customTargetTypes.create` `clouddeploy.customTargetTypes.delete` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.customTargetTypes.setIamPolicy` `clouddeploy.customTargetTypes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Developer (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	`clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.config.get` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.*` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	`clouddeploy.config.get` `logging.logEntries.create` `storage.objects.create` `storage.objects.get` `storage.objects.list`
Cloud Deploy Operator (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	`clouddeploy.automationRuns.` `clouddeploy.automationRuns.cancel` `clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.` `clouddeploy.automations.create` `clouddeploy.automations.delete` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.automations.update` `clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.deliveryPipelines.create` `clouddeploy.deliveryPipelines.createTagBinding` `clouddeploy.deliveryPipelines.delete` `clouddeploy.deliveryPipelines.deleteTagBinding` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deliveryPipelines.update` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.jobRuns.terminate` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.` `clouddeploy.releases.abandon` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.ignoreJob` `clouddeploy.rollouts.list` `clouddeploy.rollouts.retryJob` `clouddeploy.rollouts.rollback` `clouddeploy.targets.create` `clouddeploy.targets.createTagBinding` `clouddeploy.targets.delete` `clouddeploy.targets.deleteTagBinding` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `clouddeploy.targets.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Policy Admin (`roles/clouddeploy.policyAdmin`) Permission to manage Deploy Policies.	`clouddeploy.deployPolicies.` `clouddeploy.deployPolicies.create` `clouddeploy.deployPolicies.delete` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.deployPolicies.setIamPolicy` `clouddeploy.deployPolicies.update` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.*` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Policy Overrider (`roles/clouddeploy.policyOverrider`) Permission to override Deploy Policies.	`clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.list` `clouddeploy.deployPolicies.override` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Releaser (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	`clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.deliveryPipelines.get` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.` `clouddeploy.operations.cancel` `clouddeploy.operations.delete` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.create` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.advance` `clouddeploy.rollouts.cancel` `clouddeploy.rollouts.create` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `clouddeploy.rollouts.rollback` `clouddeploy.targets.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Gives Cloud Deploy Service Account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.workerpools.use` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `logging.logEntries.create` `pubsub.topics.get` `pubsub.topics.publish` `servicemanagement.services.report` `serviceusage.services.use` `storage.buckets.create` `storage.buckets.get` `storage.objects.get`
Cloud Deploy Viewer (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	`clouddeploy.automationRuns.get` `clouddeploy.automationRuns.list` `clouddeploy.automations.get` `clouddeploy.automations.list` `clouddeploy.config.get` `clouddeploy.customTargetTypes.get` `clouddeploy.customTargetTypes.getIamPolicy` `clouddeploy.customTargetTypes.list` `clouddeploy.deliveryPipelines.get` `clouddeploy.deliveryPipelines.getIamPolicy` `clouddeploy.deliveryPipelines.list` `clouddeploy.deliveryPipelines.listEffectiveTags` `clouddeploy.deliveryPipelines.listTagBindings` `clouddeploy.deployPolicies.get` `clouddeploy.deployPolicies.getIamPolicy` `clouddeploy.deployPolicies.list` `clouddeploy.jobRuns.get` `clouddeploy.jobRuns.list` `clouddeploy.locations.*` `clouddeploy.locations.get` `clouddeploy.locations.list` `clouddeploy.operations.get` `clouddeploy.operations.list` `clouddeploy.releases.get` `clouddeploy.releases.list` `clouddeploy.rollouts.get` `clouddeploy.rollouts.list` `clouddeploy.targets.get` `clouddeploy.targets.getIamPolicy` `clouddeploy.targets.list` `clouddeploy.targets.listEffectiveTags` `clouddeploy.targets.listTagBindings` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Deploy Admin

(roles/clouddeploy.admin)

Full control of Cloud Deploy resources.

clouddeploy.*

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update
clouddeploy.config.get
clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.createTagBinding
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.deleteTagBinding
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.listEffectiveTags
clouddeploy.deliveryPipelines.listTagBindings
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.getIamPolicy
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.setIamPolicy
clouddeploy.deployPolicies.update
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.approve
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.targets.createTagBinding
clouddeploy.targets.delete
clouddeploy.targets.deleteTagBinding
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.listEffectiveTags
clouddeploy.targets.listTagBindings
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Approver

(roles/clouddeploy.approver)

Permission to approve or reject rollouts.

clouddeploy.config.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.rollouts.approve

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Custom Target Type Admin

(roles/clouddeploy.customTargetTypeAdmin)

Permission to manage CustomTargetType resources

clouddeploy.config.get

clouddeploy.customTargetTypes.*

clouddeploy.customTargetTypes.create
clouddeploy.customTargetTypes.delete
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.customTargetTypes.setIamPolicy
clouddeploy.customTargetTypes.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Developer

(roles/clouddeploy.developer)

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Runner

(roles/clouddeploy.jobRunner)

Permission to execute Cloud Deploy work without permission to deliver to a target.

clouddeploy.config.get

logging.logEntries.create

storage.objects.create

storage.objects.get

storage.objects.list

Cloud Deploy Operator

(roles/clouddeploy.operator)

Permission to manage deployment configuration.

clouddeploy.automationRuns.*

clouddeploy.automationRuns.cancel
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list

clouddeploy.automations.*

clouddeploy.automations.create
clouddeploy.automations.delete
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.automations.update

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.*

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.ignoreJob

clouddeploy.rollouts.list

clouddeploy.rollouts.retryJob

clouddeploy.rollouts.rollback

clouddeploy.targets.create

clouddeploy.targets.createTagBinding

clouddeploy.targets.delete

clouddeploy.targets.deleteTagBinding

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Policy Admin

(roles/clouddeploy.policyAdmin)

Permission to manage Deploy Policies.

clouddeploy.deployPolicies.*

clouddeploy.deployPolicies.create
clouddeploy.deployPolicies.delete
clouddeploy.deployPolicies.get
clouddeploy.deployPolicies.getIamPolicy
clouddeploy.deployPolicies.list
clouddeploy.deployPolicies.override
clouddeploy.deployPolicies.setIamPolicy
clouddeploy.deployPolicies.update

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Policy Overrider

(roles/clouddeploy.policyOverrider)

Permission to override Deploy Policies.

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.deployPolicies.override

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Releaser

(roles/clouddeploy.releaser)

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.deliveryPipelines.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.create

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.rollouts.rollback

clouddeploy.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Service Agent

(roles/clouddeploy.serviceAgent)

Gives Cloud Deploy Service Account access to managed resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

pubsub.topics.get

pubsub.topics.publish

servicemanagement.services.report

serviceusage.services.use

storage.buckets.create

storage.buckets.get

storage.objects.get

Cloud Deploy Viewer

(roles/clouddeploy.viewer)

Can view Cloud Deploy resources.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.get

clouddeploy.operations.list

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Selain peran bawaan Cloud Deploy, peran Viewer, Editor, dan Pemilik dasar juga mencakup izin yang terkait dengan Cloud Deploy. Namun, sebaiknya Anda memberikan peran bawaan jika memungkinkan untuk mematuhi prinsip keamanan hak istimewa terendah.

Izin

Tabel berikut mencantumkan izin yang harus dimiliki pemanggil untuk memanggil setiap metode:

Metode API	Izin yang diperlukan	Deskripsi
`automations.create()`	`clouddeploy.automations.create`	Buat resource otomatisasi baru.
`automations.delete()`	`clouddeploy.automations.delete`	Menghapus resource otomatisasi yang ada.
`automations.get()`	`clouddeploy.automations.get`	Mengambil detail untuk setiap resource otomatisasi.
`automations.list()`	`clouddeploy.automations.list`	Mencantumkan resource otomatisasi dan metadatanya.
`automations.update()`	`clouddeploy.automations.update`	Memperbarui resource otomatisasi yang ada.
`automationRuns.cancel()`	`clouddeploy.automationRuns.cancel`	Membatalkan otomatisasi yang sedang berjalan.
`automationRuns.get()`	`clouddeploy.automationRuns.get`	Mengambil detail untuk setiap operasi otomatisasi.
`automationRuns.list()`	`clouddeploy.automationRuns.list`	Mencantumkan eksekusi otomatisasi dan metadatanya.
`customTargetTypes.create()`	`clouddeploy.customTargetTypes.create`	Buat resource jenis target kustom.
`customTargetTypes.delete()`	`clouddeploy.customTargetTypes.delete`	Menghapus resource jenis target kustom.
`customTargetTypes.get()`	`clouddeploy.customTargetTypes.get`	Mengambil detail untuk jenis target kustom.
`customTargetTypes.getIamPolicy()`	`clouddeploy.customTargetTypes.getIamPolicy`	Mendapatkan kebijakan IAM untuk resource jenis target kustom.
`customTargetTypes.list()`	`clouddeploy.customTargetTypes.list`	Mencantumkan jenis target kustom yang tersedia dan metadatanya.
`customTargetTypes.patch()`	`clouddeploy.customTargetTypes.patch`	Memperbarui jenis target kustom yang ada.
`customTargetTypes.setIamPolicy()`	`clouddeploy.customTargetTypes.setIamPolicy`	Tetapkan kebijakan IAM untuk resource jenis target kustom.
`deliveryPipelines.create()`	`clouddeploy.deliveryPipelines.create`	Membuat resource pipeline pengiriman baru.
`deliveryPipelines.delete()`	`clouddeploy.deliveryPipelines.delete`	Menghapus resource pipeline pengiriman yang ada.
`deliveryPipelines.get()`	`clouddeploy.deliveryPipelines.get`	Mengambil detail untuk setiap pipeline pengiriman.
`deliveryPipelines.getIamPolicy()`	`clouddeploy.deliveryPipelines.getIamPolicy`	Mendapatkan kebijakan IAM untuk resource pipeline pengiriman.
`deliveryPipelines.list()`	`clouddeploy.deliveryPipelines.list`	Mencantumkan pipeline pengiriman dan metadatanya.
`deliveryPipelines.rollbackTarget()`	`clouddeploy.rollouts.rollback`	Mengembalikan target.
`deliveryPipelines.setIamPolicy()`	`clouddeploy.deliveryPipelines.setIamPolicy`	Tetapkan kebijakan IAM untuk resource pipeline pengiriman.
`deliveryPipelines.update()`	`clouddeploy.deliveryPipelines.update`	Memperbarui resource pipeline pengiriman yang ada.
`deployPolicies.create()`	`clouddeploy.deployPolicies.create`	Buat resource kebijakan deployment.
`deployPolicies.delete()`	`clouddeploy.deployPolicies.delete`	Menghapus resource kebijakan deployment.
`deployPolicies.get()`	`clouddeploy.deployPolicies.get`	Mengambil detail untuk resource kebijakan deployment.
`deployPolicies.list()`	`clouddeploy.deployPolicies.list`	Mencantumkan kebijakan deployment yang tersedia dan metadatanya.
`jobRuns.get()`	`clouddeploy.jobRuns.get`	Ambil resource `JobRuns`.
`jobRuns.list()`	`clouddeploy.jobRuns.list`	Mencantumkan resource `JobRuns` dan metadatanya.
`jobRuns.terminate()`	`clouddeploy.jobRuns.terminate`	Menghentikan eksekusi tugas yang sedang berlangsung.
`operations.cancel()`	`clouddeploy.operations.cancel`	Membatalkan operasi yang berjalan lama.
`operation.delete()`	`clouddeploy.operations.delete`	Menghapus operasi yang berjalan lama.
`operations.get()`	`clouddeploy.operations.get`	Mendapatkan operasi yang berjalan lama tertentu (misalnya, untuk menampilkan status pembuatan rilis).
`operations.list()`	`clouddeploy.operations.list`	Mencantumkan operasi yang berjalan lama.
`releases.abandon()`	`clouddeploy.releases.abandon`	Membatalkan rilis dan mencegah peluncuran lebih lanjut terhadap rilis.
`releases.create()`	`clouddeploy.releases.create`	Buat resource rilis baru. Pemanggil juga memerlukan izin `iam.serviceAccounts.actAs` pada akun layanan yang digunakan untuk merender manifes.
`releases.get()`	`clouddeploy.releases.get`	Mengambil detail untuk setiap rilis.
`releases.list()`	`clouddeploy.releases.list`	Mencantumkan rilis dan metadata.
`rollouts.advance()`	`clouddeploy.rollouts.advance`	Lanjutkan peluncuran ke fase berikutnya.
`rollouts.approve()`	`clouddeploy.rollouts.approve`	Menyetujui atau menolak peluncuran dengan status persetujuan `required`.
`rollouts.cancel()`	`clouddeploy.rollouts.cancel`	Membatalkan peluncuran.
`rollouts.create()`	`clouddeploy.rollouts.create`	Buat resource peluncuran baru atau promosikan rilis. Pemanggil juga memerlukan izin `iam.serviceAccounts.actAs` pada project atau akun layanan yang digunakan untuk men-deploy.
`rollouts.get()`	`clouddeploy.rollouts.get`	Mengambil detail untuk setiap peluncuran.
`rollouts.ignoreJob()`	`clouddeploy.rollouts.ignoreJob`	Abaikan tugas yang gagal.
`rollouts.list()`	`clouddeploy.rollouts.list`	Mencantumkan peluncuran dan metadata.
`rollouts.retryJob()`	`clouddeploy.rollouts.retryJob`	Mencoba lagi tugas yang gagal.
`rollouts.advance()`, `rollouts.approve()`, `rollouts.cancel()`, `rollouts.create()`, `rollouts.ignoreJob()`, `rollouts.retryJob()`, `deliveryPipelines.rollbackTarget()`, `jobRuns.terminate()`	`clouddeploy.deployPolicies.override`	Ganti resource kebijakan deployment.
`deployPolicies.update()`	`clouddeploy.deployPolicies.update`	Memperbarui resource kebijakan deployment yang ada.
`targets.create()`	`clouddeploy.targets.create`	Buat resource target baru.
`targets.delete()`	`clouddeploy.targets.delete`	Menghapus resource target yang ada.
`targets.get()`	`clouddeploy.targets.get`	Mengambil detail untuk setiap target.
`targets.getIamPolicy()`	`clouddeploy.targets.getIamPolicy`	Mendapatkan kebijakan IAM untuk resource target.
`targets.list()`	`clouddeploy.targets.list`	Mencantumkan target dan metadatanya.
`targets.setIamPolicy()`	`clouddeploy.targets.setIamPolicy`	Menetapkan kebijakan IAM untuk resource target.
`targets.update()`	`clouddeploy.targets.update`	Memperbarui resource target yang ada.

Menggunakan IAM untuk membatasi tindakan pada resource Cloud Deploy

Anda dapat mengamankan resource Cloud Deploy menggunakan IAM dengan cara berikut:

IAM meta API

Gunakan setIamPolicy pada resource Cloud Deploy untuk membatasi tindakan pada resource tersebut.
IAM Bersyarat

Menerapkan kebijakan akses secara terprogram, termasuk kondisi yang mendasari pemberian atau penolakan akses.

Anda dapat menggunakan kebijakan dan kondisi ini untuk membatasi tindakan berikut pada resource Cloud Deploy Anda:

Membuat target atau pipeline pengiriman

Anda dapat memberikan akses ini kepada pengguna atau grup tertentu.
Memperbarui atau menghapus pipeline pengiriman tertentu

Anda dapat memberikan akses ini kepada pengguna atau grup tertentu.
Membuat rilis untuk pipeline pengiriman tertentu

Anda dapat memberikan akses ini kepada pengguna atau grup tertentu.
Memperbarui atau menghapus target tertentu

Anda dapat memberikan akses ini kepada pengguna atau grup tertentu.
Membuat atau menyetujui peluncuran atau mempromosikan rilis

Anda dapat memberikan akses ini kepada pengguna atau grup tertentu untuk target atau pipeline pengiriman tertentu.

Anda juga dapat menetapkan kondisi yang membatasi akses ini dalam jangka waktu tertentu.

Langkah berikutnya

Pelajari IAM.
Pelajari lebih lanjut cara menggunakan kondisi di IAM
Cari tahu lebih lanjut akun layanan Cloud Deploy.

Peran dan izin IAM Tetap teratur dengan koleksi Simpan dan kategorikan konten berdasarkan preferensi Anda.

Akun layanan di Cloud Deploy

Peran Cloud Deploy yang telah ditetapkan

Cloud Deploy Admin

Cloud Deploy Approver

Cloud Deploy Custom Target Type Admin

Cloud Deploy Developer

Cloud Deploy Runner

Cloud Deploy Operator

Cloud Deploy Policy Admin

Cloud Deploy Policy Overrider

Cloud Deploy Releaser

Cloud Deploy Service Agent

Cloud Deploy Viewer

Izin

Menggunakan IAM untuk membatasi tindakan pada resource Cloud Deploy

Langkah berikutnya

Peran dan izin IAM