本頁面由 Cloud Translation API 翻譯而成。

使用 IAM 控管存取權

標準

本頁說明 Eventarc 提供的存取權控管選項。

總覽

Eventarc 使用 Identity and Access Management (IAM) 控管存取權。

如要瞭解 IAM 及其功能，請參閱 IAM 總覽。如要瞭解如何授予及撤銷存取權，請參閱「管理專案、資料夾和機構的存取權」一文。

如需 Eventarc 支援的權限與角色清單，請參閱下列各節。

啟用 Eventarc API

如要查看及指派 Eventarc 的 IAM 角色，您必須為專案啟用 Eventarc API。您必須先啟用 API，才能在 Google Cloud 控制台中查看 Eventarc 角色。

主控台

Enable the APIs

gcloud

gcloud services enable eventarc.googleapis.com eventarcpublishing.googleapis.com

預先定義的角色

下表列出 Eventarc 預先定義的 IAM 角色，以及各角色具備的所有權限對應清單。

預先定義的角色可因應大多數一般用途。如果預先定義的角色無法滿足您的用途，可以建立 IAM 自訂角色。

Eventarc 角色

Role Permissions

Role	Permissions
Eventarc Admin (`roles/eventarc.admin`) Full control over all Eventarc resources. Lowest-level resources where you can grant this role: Project	`eventarc.*` `eventarc.channelConnections.create` `eventarc.channelConnections.delete` `eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `eventarc.channelConnections.setIamPolicy` `eventarc.channels.attach` `eventarc.channels.create` `eventarc.channels.delete` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.channels.publish` `eventarc.channels.setIamPolicy` `eventarc.channels.undelete` `eventarc.channels.update` `eventarc.enrollments.create` `eventarc.enrollments.delete` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.enrollments.setIamPolicy` `eventarc.enrollments.update` `eventarc.events.receiveAuditLogWritten` `eventarc.events.receiveEvent` `eventarc.googleApiSources.create` `eventarc.googleApiSources.delete` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleApiSources.setIamPolicy` `eventarc.googleApiSources.update` `eventarc.googleChannelConfigs.get` `eventarc.googleChannelConfigs.update` `eventarc.kafkaSources.create` `eventarc.kafkaSources.delete` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.kafkaSources.setIamPolicy` `eventarc.locations.get` `eventarc.locations.list` `eventarc.messageBuses.create` `eventarc.messageBuses.delete` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.setIamPolicy` `eventarc.messageBuses.update` `eventarc.messageBuses.use` `eventarc.operations.cancel` `eventarc.operations.delete` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.create` `eventarc.pipelines.delete` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.pipelines.setIamPolicy` `eventarc.pipelines.update` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.create` `eventarc.triggers.delete` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `eventarc.triggers.setIamPolicy` `eventarc.triggers.undelete` `eventarc.triggers.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Connection Publisher ^Beta (`roles/eventarc.connectionPublisher`) Can publish events to Eventarc channel connections. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.get` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Developer (`roles/eventarc.developer`) Access to read and write Eventarc resources. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.create` `eventarc.channelConnections.delete` `eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channelConnections.publish` `eventarc.channels.attach` `eventarc.channels.create` `eventarc.channels.delete` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.channels.publish` `eventarc.channels.undelete` `eventarc.channels.update` `eventarc.enrollments.create` `eventarc.enrollments.delete` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.enrollments.update` `eventarc.googleApiSources.create` `eventarc.googleApiSources.delete` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleApiSources.update` `eventarc.googleChannelConfigs.` `eventarc.googleChannelConfigs.get` `eventarc.googleChannelConfigs.update` `eventarc.kafkaSources.create` `eventarc.kafkaSources.delete` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.locations.` `eventarc.locations.get` `eventarc.locations.list` `eventarc.operations.` `eventarc.operations.cancel` `eventarc.operations.delete` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.create` `eventarc.pipelines.delete` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.pipelines.update` `eventarc.providers.` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.create` `eventarc.triggers.delete` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `eventarc.triggers.undelete` `eventarc.triggers.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Event Receiver (`roles/eventarc.eventReceiver`) Can receive events from all event providers. Lowest-level resources where you can grant this role: Project	`eventarc.events.*` `eventarc.events.receiveAuditLogWritten` `eventarc.events.receiveEvent`
Eventarc Message Bus Admin ^Beta (`roles/eventarc.messageBusAdmin`) Full control over Message Buses resources.	`eventarc.messageBuses.create` `eventarc.messageBuses.delete` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.update` `eventarc.messageBuses.use`
Eventarc Message Bus User ^Beta (`roles/eventarc.messageBusUser`) Access to publish to or bind to a Message Bus.	`eventarc.messageBuses.get` `eventarc.messageBuses.list` `eventarc.messageBuses.publish` `eventarc.messageBuses.use`
Eventarc Publisher ^Beta (`roles/eventarc.publisher`) Can publish events to Eventarc channels. Lowest-level resources where you can grant this role: Project	`eventarc.channels.get` `eventarc.channels.list` `eventarc.channels.publish` `resourcemanager.projects.get` `resourcemanager.projects.list`
Eventarc Service Agent (`roles/eventarc.serviceAgent`) Gives Eventarc service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudfunctions.functions.get` `compute.instanceGroupManagers.get` `compute.networkAttachments.get` `compute.networkAttachments.update` `compute.networkAttachments.use` `compute.regionOperations.get` `container.clusters.connect` `container.clusters.get` `container.deployments.create` `container.deployments.delete` `container.deployments.get` `container.deployments.list` `container.deployments.update` `container.namespaces.create` `container.namespaces.delete` `container.namespaces.get` `container.namespaces.list` `container.serviceAccounts.create` `container.serviceAccounts.delete` `container.serviceAccounts.get` `container.serviceAccounts.list` `container.services.get` `container.services.list` `dns.networks.targetWithPeeringZone` `eventarc.channels.publish` `eventarc.messageBuses.publish` `eventarc.operations.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `monitoring.timeSeries.create` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.publish` `pubsub.topics.update` `run.jobs.get` `run.services.get` `serviceusage.services.use` `storage.buckets.get` `storage.buckets.update` `workflows.workflows.get`
Eventarc Viewer (`roles/eventarc.viewer`) Can view the state of all Eventarc resources, including IAM policies. Lowest-level resources where you can grant this role: Project	`eventarc.channelConnections.get` `eventarc.channelConnections.getIamPolicy` `eventarc.channelConnections.list` `eventarc.channels.get` `eventarc.channels.getIamPolicy` `eventarc.channels.list` `eventarc.enrollments.get` `eventarc.enrollments.getIamPolicy` `eventarc.enrollments.list` `eventarc.googleApiSources.get` `eventarc.googleApiSources.getIamPolicy` `eventarc.googleApiSources.list` `eventarc.googleChannelConfigs.get` `eventarc.kafkaSources.get` `eventarc.kafkaSources.getIamPolicy` `eventarc.kafkaSources.list` `eventarc.locations.` `eventarc.locations.get` `eventarc.locations.list` `eventarc.messageBuses.get` `eventarc.messageBuses.getIamPolicy` `eventarc.messageBuses.list` `eventarc.messageBuses.use` `eventarc.operations.get` `eventarc.operations.list` `eventarc.pipelines.get` `eventarc.pipelines.getIamPolicy` `eventarc.pipelines.list` `eventarc.providers.` `eventarc.providers.get` `eventarc.providers.list` `eventarc.triggers.get` `eventarc.triggers.getIamPolicy` `eventarc.triggers.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Eventarc Admin

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

Project

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.enrollments.getIamPolicy
eventarc.enrollments.list
eventarc.enrollments.setIamPolicy
eventarc.enrollments.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleApiSources.create
eventarc.googleApiSources.delete
eventarc.googleApiSources.get
eventarc.googleApiSources.getIamPolicy
eventarc.googleApiSources.list
eventarc.googleApiSources.setIamPolicy
eventarc.googleApiSources.update
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.kafkaSources.create
eventarc.kafkaSources.delete
eventarc.kafkaSources.get
eventarc.kafkaSources.getIamPolicy
eventarc.kafkaSources.list
eventarc.kafkaSources.setIamPolicy
eventarc.locations.get
eventarc.locations.list
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.messageBuses.getIamPolicy
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.setIamPolicy
eventarc.messageBuses.update
eventarc.messageBuses.use
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.pipelines.getIamPolicy
eventarc.pipelines.list
eventarc.pipelines.setIamPolicy
eventarc.pipelines.update
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Connection Publisher ^Beta

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Developer

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.enrollments.create

eventarc.enrollments.delete

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.enrollments.update

eventarc.googleApiSources.create

eventarc.googleApiSources.delete

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleApiSources.update

eventarc.googleChannelConfigs.*

eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update

eventarc.kafkaSources.create

eventarc.kafkaSources.delete

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.*

eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list

eventarc.pipelines.create

eventarc.pipelines.delete

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.pipelines.update

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Event Receiver

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

Project

eventarc.events.*

eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent

Eventarc Message Bus Admin ^Beta

(roles/eventarc.messageBusAdmin)

Full control over Message Buses resources.

eventarc.messageBuses.create

eventarc.messageBuses.delete

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.update

eventarc.messageBuses.use

Eventarc Message Bus User ^Beta

(roles/eventarc.messageBusUser)

Access to publish to or bind to a Message Bus.

eventarc.messageBuses.get

eventarc.messageBuses.list

eventarc.messageBuses.publish

eventarc.messageBuses.use

Eventarc Publisher ^Beta

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Service Agent

(roles/eventarc.serviceAgent)

Gives Eventarc service account access to managed resources.

cloudfunctions.functions.get

compute.instanceGroupManagers.get

compute.networkAttachments.get

compute.networkAttachments.update

compute.networkAttachments.use

compute.regionOperations.get

container.clusters.connect

container.clusters.get

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.list

container.deployments.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.list

dns.networks.targetWithPeeringZone

eventarc.channels.publish

eventarc.messageBuses.publish

eventarc.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.get

run.services.get

serviceusage.services.use

storage.buckets.get

storage.buckets.update

workflows.workflows.get

Eventarc Viewer

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.enrollments.get

eventarc.enrollments.getIamPolicy

eventarc.enrollments.list

eventarc.googleApiSources.get

eventarc.googleApiSources.getIamPolicy

eventarc.googleApiSources.list

eventarc.googleChannelConfigs.get

eventarc.kafkaSources.get

eventarc.kafkaSources.getIamPolicy

eventarc.kafkaSources.list

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.messageBuses.get

eventarc.messageBuses.getIamPolicy

eventarc.messageBuses.list

eventarc.messageBuses.use

eventarc.operations.get

eventarc.operations.list

eventarc.pipelines.get

eventarc.pipelines.getIamPolicy

eventarc.pipelines.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

如要進一步瞭解 Eventarc Standard 角色和權限，請參閱「所有角色和權限」。

專案層級的 IAM 管理

在專案層級中，您可以透過 Google Cloud 控制台、IAM API 或是 Google Cloud CLI 來授予、變更及撤銷 IAM 角色。如需相關操作說明，請參閱「管理專案、資料夾和機構的存取權」。

使用 IAM 控管存取權 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

總覽

啟用 Eventarc API

主控台

gcloud

預先定義的角色

Eventarc 角色

Eventarc Admin

Eventarc Connection Publisher Beta

Eventarc Developer

Eventarc Event Receiver

Eventarc Message Bus Admin Beta

Eventarc Message Bus User Beta

Eventarc Publisher Beta

Eventarc Service Agent

Eventarc Viewer

專案層級的 IAM 管理

使用 IAM 控管存取權

Eventarc Connection Publisher ^Beta

Eventarc Message Bus Admin ^Beta

Eventarc Message Bus User ^Beta

Eventarc Publisher ^Beta