IAM 角色和权限

本页面介绍了 Cloud Deploy 服务账号、角色和权限。

Cloud Deploy 中的访问权限使用 Identity and Access Management (IAM) 进行控制。通过 IAM,您可以为 Google Cloud 资源创建和管理权限。Cloud Deploy 提供了一组特定的预定义 IAM 角色,其中每个角色都包含一组权限。您可以使用这些角色以更精细的方式授予对特定 Google Cloud 资源的访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,因此您只需授予对您的资源的必要访问权限即可。

请参阅使用 IAM 限制 Cloud Deploy 访问权限,了解高级访问权限控制安全功能。

Cloud Deploy 中的服务账号

默认情况下,Cloud Deploy 使用默认 Compute Engine 服务账号运行。如需详细了解如何配置此服务账号以用于 Cloud Deploy,或选择其他账号,请参阅 Cloud Deploy 执行服务账号文档。

详细了解 Cloud Deploy 如何使用服务账号。

预定义的 Cloud Deploy 角色

使用 IAM 时,Cloud Deploy API 中的每个 API 方法都会要求发出 API 请求的身份拥有适当的资源使用权限。您可以通过设置政策为项目主账号(用户、群组或服务账号)授予角色,进而授予相应权限。您可以就同一资源授予某个主账号多个角色。

IAM 文档包含所有预定义角色的可搜索参考

下表列出了 Cloud Deploy IAM 角色及其具备的权限:

Role Permissions

(roles/clouddeploy.admin)

Full control of Cloud Deploy resources.

clouddeploy.*

  • clouddeploy.automationRuns.cancel
  • clouddeploy.automationRuns.get
  • clouddeploy.automationRuns.list
  • clouddeploy.automations.create
  • clouddeploy.automations.delete
  • clouddeploy.automations.get
  • clouddeploy.automations.list
  • clouddeploy.automations.update
  • clouddeploy.config.get
  • clouddeploy.customTargetTypes.create
  • clouddeploy.customTargetTypes.delete
  • clouddeploy.customTargetTypes.get
  • clouddeploy.customTargetTypes.getIamPolicy
  • clouddeploy.customTargetTypes.list
  • clouddeploy.customTargetTypes.setIamPolicy
  • clouddeploy.customTargetTypes.update
  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.createTagBinding
  • clouddeploy.deliveryPipelines.delete
  • clouddeploy.deliveryPipelines.deleteTagBinding
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.listEffectiveTags
  • clouddeploy.deliveryPipelines.listTagBindings
  • clouddeploy.deliveryPipelines.setIamPolicy
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.deployPolicies.create
  • clouddeploy.deployPolicies.delete
  • clouddeploy.deployPolicies.get
  • clouddeploy.deployPolicies.getIamPolicy
  • clouddeploy.deployPolicies.list
  • clouddeploy.deployPolicies.override
  • clouddeploy.deployPolicies.setIamPolicy
  • clouddeploy.deployPolicies.update
  • clouddeploy.jobRuns.get
  • clouddeploy.jobRuns.list
  • clouddeploy.jobRuns.terminate
  • clouddeploy.locations.get
  • clouddeploy.locations.list
  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.abandon
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.advance
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.cancel
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.ignoreJob
  • clouddeploy.rollouts.list
  • clouddeploy.rollouts.retryJob
  • clouddeploy.rollouts.rollback
  • clouddeploy.targets.create
  • clouddeploy.targets.createTagBinding
  • clouddeploy.targets.delete
  • clouddeploy.targets.deleteTagBinding
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.listEffectiveTags
  • clouddeploy.targets.listTagBindings
  • clouddeploy.targets.setIamPolicy
  • clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.approver)

Permission to approve or reject rollouts.

clouddeploy.config.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

clouddeploy.rollouts.approve

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.customTargetTypeAdmin)

Permission to manage CustomTargetType resources

clouddeploy.config.get

clouddeploy.customTargetTypes.*

  • clouddeploy.customTargetTypes.create
  • clouddeploy.customTargetTypes.delete
  • clouddeploy.customTargetTypes.get
  • clouddeploy.customTargetTypes.getIamPolicy
  • clouddeploy.customTargetTypes.list
  • clouddeploy.customTargetTypes.setIamPolicy
  • clouddeploy.customTargetTypes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.developer)

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

clouddeploy.releases.*

  • clouddeploy.releases.abandon
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.jobRunner)

Permission to execute Cloud Deploy work without permission to deliver to a target.

clouddeploy.config.get

logging.logEntries.create

storage.objects.create

storage.objects.get

storage.objects.list

(roles/clouddeploy.operator)

Permission to manage deployment configuration.

clouddeploy.automationRuns.*

  • clouddeploy.automationRuns.cancel
  • clouddeploy.automationRuns.get
  • clouddeploy.automationRuns.list

clouddeploy.automations.*

  • clouddeploy.automations.create
  • clouddeploy.automations.delete
  • clouddeploy.automations.get
  • clouddeploy.automations.list
  • clouddeploy.automations.update

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.createTagBinding

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.deleteTagBinding

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deliveryPipelines.update

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.*

  • clouddeploy.jobRuns.get
  • clouddeploy.jobRuns.list
  • clouddeploy.jobRuns.terminate

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

clouddeploy.releases.*

  • clouddeploy.releases.abandon
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.ignoreJob

clouddeploy.rollouts.list

clouddeploy.rollouts.retryJob

clouddeploy.rollouts.rollback

clouddeploy.targets.create

clouddeploy.targets.createTagBinding

clouddeploy.targets.delete

clouddeploy.targets.deleteTagBinding

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.policyAdmin)

Permission to manage Deploy Policies.

clouddeploy.deployPolicies.*

  • clouddeploy.deployPolicies.create
  • clouddeploy.deployPolicies.delete
  • clouddeploy.deployPolicies.get
  • clouddeploy.deployPolicies.getIamPolicy
  • clouddeploy.deployPolicies.list
  • clouddeploy.deployPolicies.override
  • clouddeploy.deployPolicies.setIamPolicy
  • clouddeploy.deployPolicies.update

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.policyOverrider)

Permission to override Deploy Policies.

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.list

clouddeploy.deployPolicies.override

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.releaser)

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.deliveryPipelines.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.*

  • clouddeploy.operations.cancel
  • clouddeploy.operations.delete
  • clouddeploy.operations.get
  • clouddeploy.operations.list

clouddeploy.releases.create

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.rollouts.rollback

clouddeploy.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.serviceAgent)

Gives Cloud Deploy Service Account access to managed resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

pubsub.topics.get

pubsub.topics.publish

servicemanagement.services.report

serviceusage.services.use

storage.buckets.create

storage.buckets.get

storage.objects.get

(roles/clouddeploy.viewer)

Can view Cloud Deploy resources.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.listEffectiveTags

clouddeploy.deliveryPipelines.listTagBindings

clouddeploy.deployPolicies.get

clouddeploy.deployPolicies.getIamPolicy

clouddeploy.deployPolicies.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

  • clouddeploy.locations.get
  • clouddeploy.locations.list

clouddeploy.operations.get

clouddeploy.operations.list

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.listEffectiveTags

clouddeploy.targets.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

除了 Cloud Deploy 预定义角色之外,基本 Viewer、Editor 和 Owner 角色也包含与 Cloud Deploy 相关的权限。但是,我们建议您尽可能授予预定义角色,以便符合最小权限安全原则

权限

下表列出了调用者调用每个方法必须具备的权限:

API 方法 所需权限 说明
automations.create() clouddeploy.automations.create 创建新的自动化资源。
automations.delete() clouddeploy.automations.delete 删除现有自动化资源。
automations.get() clouddeploy.automations.get 检索单个自动化资源的详细信息。
automations.list() clouddeploy.automations.list 列出自动化资源及其元数据。
automations.update() clouddeploy.automations.update 更新现有自动化资源。
automationRuns.cancel() clouddeploy.automationRuns.cancel 取消正在运行的自动化操作。
automationRuns.get() clouddeploy.automationRuns.get 检索单个自动化运行的详细信息。
automationRuns.list() clouddeploy.automationRuns.list 列出自动化运行及其元数据。
customTargetTypes.create() clouddeploy.customTargetTypes.create 创建自定义目标类型资源。
customTargetTypes.delete() clouddeploy.customTargetTypes.delete 删除自定义目标类型资源。
customTargetTypes.get() clouddeploy.customTargetTypes.get 检索自定义目标类型的详细信息。
customTargetTypes.getIamPolicy() clouddeploy.customTargetTypes.getIamPolicy 获取自定义目标类型资源的 IAM 政策。
customTargetTypes.list() clouddeploy.customTargetTypes.list 列出可用的自定义目标类型及其元数据。
customTargetTypes.patch() clouddeploy.customTargetTypes.patch 更新现有的自定义目标类型。
customTargetTypes.setIamPolicy() clouddeploy.customTargetTypes.setIamPolicy 为自定义目标类型资源设置 IAM 政策。
deliveryPipelines.create() clouddeploy.deliveryPipelines.create 创建新的交付流水线资源。
deliveryPipelines.delete() clouddeploy.deliveryPipelines.delete 删除现有的交付流水线资源。
deliveryPipelines.get() clouddeploy.deliveryPipelines.get 检索个别交付流水线的详细信息。
deliveryPipelines.getIamPolicy() clouddeploy.deliveryPipelines.getIamPolicy 获取交付流水线资源的 IAM 政策。
deliveryPipelines.list() clouddeploy.deliveryPipelines.list 列出交付流水线及其元数据。
deliveryPipelines.rollbackTarget() clouddeploy.rollouts.rollback 回滚目标。
deliveryPipelines.setIamPolicy() clouddeploy.deliveryPipelines.setIamPolicy 为交付流水线资源设置 IAM 政策。
deliveryPipelines.update() clouddeploy.deliveryPipelines.update 更新现有的交付流水线资源。
deployPolicies.create() clouddeploy.deployPolicies.create 创建部署政策资源。
deployPolicies.delete() clouddeploy.deployPolicies.delete 删除部署政策资源。
deployPolicies.get() clouddeploy.deployPolicies.get 检索部署政策资源的详细信息。
deployPolicies.list() clouddeploy.deployPolicies.list 列出可用的部署政策及其元数据。
jobRuns.get() clouddeploy.jobRuns.get 检索 JobRuns 资源。
jobRuns.list() clouddeploy.jobRuns.list 列出 JobRuns 资源及其元数据。
jobRuns.terminate() clouddeploy.jobRuns.terminate 终止正在进行的作业运行。
operations.cancel() clouddeploy.operations.cancel 取消长时间运行的操作。
operation.delete() clouddeploy.operations.delete 删除长时间运行的操作。
operations.get() clouddeploy.operations.get 获取特定的长时间运行的操作(例如,恢复到版本创建的状态)。
operations.list() clouddeploy.operations.list 列出长时间运行的操作。
releases.abandon() clouddeploy.releases.abandon 放弃发布版本并阻止针对该版本的进一步发布。
releases.create() clouddeploy.releases.create 创建新的版本资源。调用方还需要对用于渲染清单的服务账号拥有 iam.serviceAccounts.actAs 权限。
releases.get() clouddeploy.releases.get 检索各个版本的详细信息。
releases.list() clouddeploy.releases.list 列出版本和元数据。
rollouts.advance() clouddeploy.rollouts.advance 将发布作业推进到下一阶段。
rollouts.approve() clouddeploy.rollouts.approve 批准或拒绝状态为 required 的发布。
rollouts.cancel() clouddeploy.rollouts.cancel 取消发布。
rollouts.create() clouddeploy.rollouts.create 创建新的发布资源或提升版本。调用方还需要对用于部署的项目或服务账号拥有 iam.serviceAccounts.actAs 权限。
rollouts.get() clouddeploy.rollouts.get 检索个别发布的详细信息。
rollouts.ignoreJob() clouddeploy.rollouts.ignoreJob 忽略失败的作业。
rollouts.list() clouddeploy.rollouts.list 列出发布和元数据。
rollouts.retryJob() clouddeploy.rollouts.retryJob 重试失败的作业。
rollouts.advance()rollouts.approve()rollouts.cancel()rollouts.create()rollouts.ignoreJob()rollouts.retryJob()deliveryPipelines.rollbackTarget()jobRuns.terminate() clouddeploy.deployPolicies.override 替换部署政策资源。
deployPolicies.update() clouddeploy.deployPolicies.update 更新现有的部署政策资源。
targets.create() clouddeploy.targets.create 创建新的目标资源。
targets.delete() clouddeploy.targets.delete 删除现有的目标资源。
targets.get() clouddeploy.targets.get 检索个别目标的详细信息。
targets.getIamPolicy() clouddeploy.targets.getIamPolicy 获取目标资源的 IAM 政策。
targets.list() clouddeploy.targets.list 列出目标及其元数据。
targets.setIamPolicy() clouddeploy.targets.setIamPolicy 设置目标资源的 IAM 政策。
targets.update() clouddeploy.targets.update 更新现有的目标资源。

使用 IAM 限制对 Cloud Deploy 资源的操作

您可以通过以下方式来使用 IAM 保护 Cloud Deploy 资源:

  • IAM 元 API

    针对 Cloud Deploy 资源使用 setIamPolicy 来限制对这些资源执行的操作。

  • 条件 IAM

    以编程方式应用访问权限政策,包括授予或拒绝访问权限的条件

您可以使用这些政策和条件来限制对 Cloud Deploy 资源的以下操作:

  • 创建交付流水线或目标

    您可以向特定用户或群组授予此访问权限。

  • 更新或删除特定的交付流水线

    您可以向特定用户或群组授予此访问权限。

  • 为特定交付流水线创建版本

    您可以向特定用户或群组授予此访问权限。

  • 更新或删除特定目标

    您可以向特定用户或群组授予此访问权限。

  • 创建或批准发布或提升版本

    您可以向特定用户或组授予对特定目标或交付流水线的此访问权限。

    您还可以设置条件,将此访问权限限制在指定的时间范围内。

后续步骤