By default, every Google Cloud console project contains only one user: the original project creator. Other users can access the project and its Google Cloud resources only after they have been added as project team members. This page describes the different ways to add new users to a project.
It also describes how Deployment Manager authenticates to other Google Cloud APIs on your behalf in order to create resources.
Before you begin
Access control for users
To give your users access to your project so that they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles.
To learn how to add team members, read Adding team members.
Deployment Manager roles
Role: Deployment Manager Editor (roles/deploymentmanager.editor)
Description: Provides the permissions necessary to create and manage deployments.
Lowest-level resources where you can grant this role:
Permissions:
  deploymentmanager.compositeTypes.*
    deploymentmanager.compositeTypes.create
    deploymentmanager.compositeTypes.delete
    deploymentmanager.compositeTypes.get
    deploymentmanager.compositeTypes.list
    deploymentmanager.compositeTypes.update
  deploymentmanager.deployments.cancelPreview
  deploymentmanager.deployments.create
  deploymentmanager.deployments.delete
  deploymentmanager.deployments.get
  deploymentmanager.deployments.list
  deploymentmanager.deployments.stop
  deploymentmanager.deployments.update
  deploymentmanager.manifests.*
    deploymentmanager.manifests.get
    deploymentmanager.manifests.list
  deploymentmanager.operations.*
    deploymentmanager.operations.get
    deploymentmanager.operations.list
  deploymentmanager.resources.*
    deploymentmanager.resources.get
    deploymentmanager.resources.list
  deploymentmanager.typeProviders.*
    deploymentmanager.typeProviders.create
    deploymentmanager.typeProviders.delete
    deploymentmanager.typeProviders.get
    deploymentmanager.typeProviders.getType
    deploymentmanager.typeProviders.list
    deploymentmanager.typeProviders.listTypes
    deploymentmanager.typeProviders.update
  deploymentmanager.types.*
    deploymentmanager.types.create
    deploymentmanager.types.delete
    deploymentmanager.types.get
    deploymentmanager.types.list
    deploymentmanager.types.update
  resourcemanager.projects.get
  resourcemanager.projects.list
  serviceusage.quotas.get
  serviceusage.services.get
  serviceusage.services.list

Role: Deployment Manager Type Editor (roles/deploymentmanager.typeEditor)
Description: Provides read and write access to all Type Registry resources.
Lowest-level resources where you can grant this role:
Permissions:
  deploymentmanager.compositeTypes.*
    deploymentmanager.compositeTypes.create
    deploymentmanager.compositeTypes.delete
    deploymentmanager.compositeTypes.get
    deploymentmanager.compositeTypes.list
    deploymentmanager.compositeTypes.update
  deploymentmanager.operations.get
  deploymentmanager.typeProviders.*
    deploymentmanager.typeProviders.create
    deploymentmanager.typeProviders.delete
    deploymentmanager.typeProviders.get
    deploymentmanager.typeProviders.getType
    deploymentmanager.typeProviders.list
    deploymentmanager.typeProviders.listTypes
    deploymentmanager.typeProviders.update
  deploymentmanager.types.*
    deploymentmanager.types.create
    deploymentmanager.types.delete
    deploymentmanager.types.get
    deploymentmanager.types.list
    deploymentmanager.types.update
  resourcemanager.projects.get
  resourcemanager.projects.list
  serviceusage.quotas.get
  serviceusage.services.get

Role: Deployment Manager Type Viewer (roles/deploymentmanager.typeViewer)
Description: Provides read-only access to all Type Registry resources.
Lowest-level resources where you can grant this role:
Permissions:
  deploymentmanager.compositeTypes.get
  deploymentmanager.compositeTypes.list
  deploymentmanager.typeProviders.get
  deploymentmanager.typeProviders.getType
  deploymentmanager.typeProviders.list
  deploymentmanager.typeProviders.listTypes
  deploymentmanager.types.get
  deploymentmanager.types.list
  resourcemanager.projects.get
  resourcemanager.projects.list
  serviceusage.quotas.get
  serviceusage.services.get

Role: Deployment Manager Viewer (roles/deploymentmanager.viewer)
Description: Provides read-only access to all Deployment Manager-related resources.
Lowest-level resources where you can grant this role:
Permissions:
  deploymentmanager.compositeTypes.get
  deploymentmanager.compositeTypes.list
  deploymentmanager.deployments.get
  deploymentmanager.deployments.list
  deploymentmanager.manifests.*
    deploymentmanager.manifests.get
    deploymentmanager.manifests.list
  deploymentmanager.operations.*
    deploymentmanager.operations.get
    deploymentmanager.operations.list
  deploymentmanager.resources.*
    deploymentmanager.resources.get
    deploymentmanager.resources.list
  deploymentmanager.typeProviders.get
  deploymentmanager.typeProviders.getType
  deploymentmanager.typeProviders.list
  deploymentmanager.typeProviders.listTypes
  deploymentmanager.types.get
  deploymentmanager.types.list
  resourcemanager.projects.get
  resourcemanager.projects.list
  serviceusage.quotas.get
  serviceusage.services.get
  serviceusage.services.list
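Which of the four roles to grant a team member follows from the permissions that member actually needs, and the table above is enough to decide that mechanically. The following is an added example, not code from the Google Cloud documentation: it transcribes the permission sets above, expands each "<resource>.*" entry into the permissions the table lists under it, and returns the covering role with the fewest total permissions. It also returns None for a permission on another service (the compute permission in the usage section is a constructed input), since no Deployment Manager role grants anything outside the deploymentmanager, resourcemanager and serviceusage permissions listed.

```python
"""Choose the least-privileged predefined Deployment Manager role for a set of
needed permissions.

Added example; not code from the Google Cloud documentation. The permission
sets and the wildcard expansions are transcribed from the role table above;
the selection logic is ours.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# What each "<resource>.*" entry in the table expands to (from the table).
WILDCARDS: Dict[str, FrozenSet[str]] = {
    "deploymentmanager.compositeTypes.*": frozenset({"create", "delete", "get", "list", "update"}),
    "deploymentmanager.manifests.*": frozenset({"get", "list"}),
    "deploymentmanager.operations.*": frozenset({"get", "list"}),
    "deploymentmanager.resources.*": frozenset({"get", "list"}),
    "deploymentmanager.typeProviders.*": frozenset(
        {"create", "delete", "get", "getType", "list", "listTypes", "update"}),
    "deploymentmanager.types.*": frozenset({"create", "delete", "get", "list", "update"}),
}

# Permissions every one of the four roles carries.
COMMON = {"resourcemanager.projects.get", "resourcemanager.projects.list",
          "serviceusage.quotas.get", "serviceusage.services.get"}

# Permissions per role, as listed in the table (wildcards kept as wildcards).
DM_ROLES: Dict[str, FrozenSet[str]] = {
    "roles/deploymentmanager.editor": frozenset(COMMON | {
        "deploymentmanager.compositeTypes.*",
        "deploymentmanager.deployments.cancelPreview", "deploymentmanager.deployments.create",
        "deploymentmanager.deployments.delete", "deploymentmanager.deployments.get",
        "deploymentmanager.deployments.list", "deploymentmanager.deployments.stop",
        "deploymentmanager.deployments.update",
        "deploymentmanager.manifests.*", "deploymentmanager.operations.*",
        "deploymentmanager.resources.*", "deploymentmanager.typeProviders.*",
        "deploymentmanager.types.*", "serviceusage.services.list"}),
    "roles/deploymentmanager.typeEditor": frozenset(COMMON | {
        "deploymentmanager.compositeTypes.*", "deploymentmanager.operations.get",
        "deploymentmanager.typeProviders.*", "deploymentmanager.types.*"}),
    "roles/deploymentmanager.typeViewer": frozenset(COMMON | {
        "deploymentmanager.compositeTypes.get", "deploymentmanager.compositeTypes.list",
        "deploymentmanager.typeProviders.get", "deploymentmanager.typeProviders.getType",
        "deploymentmanager.typeProviders.list", "deploymentmanager.typeProviders.listTypes",
        "deploymentmanager.types.get", "deploymentmanager.types.list"}),
    "roles/deploymentmanager.viewer": frozenset(COMMON | {
        "deploymentmanager.compositeTypes.get", "deploymentmanager.compositeTypes.list",
        "deploymentmanager.deployments.get", "deploymentmanager.deployments.list",
        "deploymentmanager.manifests.*", "deploymentmanager.operations.*",
        "deploymentmanager.resources.*",
        "deploymentmanager.typeProviders.get", "deploymentmanager.typeProviders.getType",
        "deploymentmanager.typeProviders.list", "deploymentmanager.typeProviders.listTypes",
        "deploymentmanager.types.get", "deploymentmanager.types.list",
        "serviceusage.services.list"}),
}


def expand(perms: Iterable[str]) -> Set[str]:
    """Replace every '<resource>.*' entry by the concrete permissions it covers."""
    out: Set[str] = set()
    for p in perms:
        if p.endswith(".*"):
            prefix = p[:-1]  # drop the '*', keep the trailing dot
            out.update(prefix + verb for verb in WILDCARDS[p])
        else:
            out.add(p)
    return out


def roles_covering(needed: Iterable[str]) -> List[str]:
    """Roles whose expanded permission set contains every needed permission,
    ordered from fewest to most total permissions (ties broken by name)."""
    need = set(needed)
    hits = [(len(expand(ps)), name) for name, ps in DM_ROLES.items()
            if need <= expand(ps)]
    return [name for _, name in sorted(hits)]


def least_privileged_role(needed: Iterable[str]) -> Optional[str]:
    """The smallest predefined role that covers the needed permissions, or None
    when no Deployment Manager role does (e.g. a permission on another service)."""
    hits = roles_covering(needed)
    return hits[0] if hits else None


if __name__ == "__main__":
    # Constructed inputs: a reviewer of deployments, a type-registry author,
    # and a permission outside Deployment Manager's scope.
    for needed in (["deploymentmanager.deployments.get", "deploymentmanager.manifests.get"],
                   ["deploymentmanager.types.create"],
                   ["compute.instances.create"]):
        print(needed, "->", least_privileged_role(needed))
```

The ordering by expanded permission count is what makes Type Viewer (12 permissions) win over Viewer (21) for read-only Type Registry access, and Type Editor (22) win over Editor (35) for writing types; anything touching deployments themselves needs Viewer or Editor.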
Access control for Deployment Manager
To create other Google Cloud resources, Deployment Manager authenticates to the other APIs with the credentials of the Google APIs Service Agent. The Google APIs Service Agent exists specifically to run internal Google processes on your behalf. This service account has an email address of the following form:
[PROJECT_NUMBER]@cloudservices.gserviceaccount.com
The Google APIs Service Agent is automatically granted the Editor role at the project level and is listed in the IAM section of the Google Cloud console. This service account exists for the lifetime of the project; it is deleted only when the project is deleted. Because Deployment Manager and other services (such as managed instance groups) rely on this service account to create, delete, and manage resources, we recommend that you do not modify its permissions.
Note: If you use Deployment Manager to manage critical resources such as projects or custom IAM roles, you must assign additional IAM roles to the default Google APIs Service Agent. For example, to use Deployment Manager to create and manage custom IAM roles, you must assign the Role Administrator role to the Google APIs Service Agent.
What's next
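Because the service agent's bindings are so easy to remove by accident, a useful control is to check a project's IAM policy for the two grants this section and the note that follows describe: the automatic project-level Editor role, and the Role Administrator role whenever deployments manage custom IAM roles. The following is an added example, not code from the Google Cloud documentation. It operates on the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the policy embedded in it is constructed, the project ID and project number are placeholders, and roles/iam.roleAdmin is the role ID of the Role Administrator role named in the note.

```python
"""Check that a project's IAM policy still carries the Google APIs Service Agent
bindings that Deployment Manager depends on.

Added example; not code from the Google Cloud documentation. It reads the JSON
printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY_JSON is a constructed policy, the project ID and number are
placeholders, and roles/iam.roleAdmin is the ID of the Role Administrator role.
"""
import json
from typing import Dict, List, Set

EDITOR_ROLE = "roles/editor"             # granted to the service agent automatically
ROLE_ADMIN_ROLE = "roles/iam.roleAdmin"  # needed only if deployments manage custom roles

# Constructed sample policy (placeholder project number 123456789012).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/deploymentmanager.viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "EXAMPLE-ETAG",
  "version": 1
}
"""


def load_policy(text: str) -> Dict:
    """Parse the JSON form of an IAM policy."""
    return json.loads(text)


SAMPLE_POLICY = load_policy(SAMPLE_POLICY_JSON)


def service_agent_member(project_number: str) -> str:
    """IAM member string for a project's Google APIs Service Agent."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def roles_of(policy: Dict, member: str) -> Set[str]:
    """All roles the policy binds to `member`. Conditional bindings are not
    counted: a role that only applies under a condition is not the unconditional
    grant the service agent needs."""
    return {b["role"] for b in policy.get("bindings", [])
            if "condition" not in b and member in b.get("members", [])}


def add_binding_command(project_id: str, member: str, role: str) -> str:
    """The gcloud command that restores or adds one project-level binding."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}")


def audit_service_agent(policy: Dict, project_id: str, project_number: str,
                        manages_custom_roles: bool = False) -> List[str]:
    """Return one finding per missing binding; an empty list means the agent
    is set up the way this section describes."""
    member = service_agent_member(project_number)
    held = roles_of(policy, member)
    findings: List[str] = []
    if EDITOR_ROLE not in held:
        # The automatic project-level Editor grant is gone, so Deployment
        # Manager and managed instance groups can no longer create, delete or
        # manage resources on your behalf.
        findings.append(f"{member} lacks {EDITOR_ROLE}; restore it with: "
                        + add_binding_command(project_id, member, EDITOR_ROLE))
    if manages_custom_roles and ROLE_ADMIN_ROLE not in held:
        findings.append(f"{member} manages custom IAM roles but lacks "
                        f"{ROLE_ADMIN_ROLE}; grant it with: "
                        + add_binding_command(project_id, member, ROLE_ADMIN_ROLE))
    return findings


if __name__ == "__main__":
    for line in audit_service_agent(SAMPLE_POLICY, "my-project-id", "123456789012",
                                    manages_custom_roles=True):
        print(line)
```

Run against a real project, replace SAMPLE_POLICY with the parsed output of the gcloud command above; the findings carry the exact add-iam-policy-binding command that puts the missing grant back.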