Questa pagina è stata tradotta dall'API Cloud Translation.

Controllo dell'accesso con IAM

Per impostazione predefinita, tutti i progetti della console Google Cloud sono dotati di un unico utente: il creatore del progetto originale. Nessun altro utente ha accesso al progetto e quindi alle risorse Google Cloud finché non viene aggiunto un utente come membro del team di progetto. Questa pagina descrive i diversi modi in cui puoi aggiungere nuovi utenti al tuo progetto.

Descrive inoltre in che modo Deployment Manager si autentica per tuo conto in altre API Google Cloud per creare risorse.

Prima di iniziare

Se vuoi utilizzare gli esempi di riga di comando in questa guida, installa lo strumento a riga di comando`gcloud`.
Se vuoi utilizzare gli esempi di API in questa guida, configura l'accesso API.
Scopri i progetti della console Google Cloud.
Scopri di più su Google Identity and Access Management.

Controllo dell'accesso per gli utenti

Per consentire agli utenti di accedere al progetto in modo che possano creare configurazioni e implementazioni, aggiungili come membri del team di progetto e concedi loro i ruoli IAM (Identity and Access Management) appropriati.

Per informazioni su come aggiungere membri al team, consulta la documentazione sull'aggiunta di membri al team.

Ruoli di Deployment Manager

Role Permissions

Role	Permissions
Deployment Manager Editor (`roles/deploymentmanager.editor`) Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.deployments.cancelPreview` `deploymentmanager.deployments.create` `deploymentmanager.deployments.delete` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.deployments.stop` `deploymentmanager.deployments.update` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Deployment Manager Type Editor (`roles/deploymentmanager.typeEditor`) Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.operations.get` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.*` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Type Viewer (`roles/deploymentmanager.typeViewer`) Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Viewer (`roles/deploymentmanager.viewer`) Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.*` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Deployment Manager Editor

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Deployment Manager Type Editor

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Type Viewer

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Viewer

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Controllo dell'accesso per Deployment Manager

Per creare altre risorse Google Cloud, Deployment Manager utilizza le credenziali dell'agente di servizio per le API di Google per autenticarsi in altre API. L'agente di servizio delle API Google è progettato specificamente per eseguire processi interni di Google per tuo conto. Questo account di servizio è identificabile tramite l'email:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

All'agente di servizio delle API di Google viene concesso automaticamente il ruolo Editor a livello di progetto ed è elencato nella sezione IAM della console Google Cloud. Questo account di servizio esiste a tempo indeterminato con il progetto e viene eliminato solo quando viene eliminato il progetto. Poiché Deployment Manager e altri servizi, come i gruppi di istanze gestite, si basano su questo account di servizio per creare, eliminare e gestire le risorse, non è consigliabile modificare le autorizzazioni di questo account.

Passaggi successivi

Scopri di più sugli account di servizio.
Scopri come aggiungere membri al team.
Scopri di più su IAM.