使用 IAM 进行访问权限控制

本页面介绍您在 Cloud Marketplace 上购买和管理商业产品所需的 Identity and Access Management (IAM) 角色和权限。

借助 IAM,您可以通过定义谁(身份)对哪些资源具有哪种访问权限(角色)来管理访问权限控制。对于 Cloud Marketplace 上的商业应用,您的 Google Cloud 组织中的用户需要 IAM 角色,才能注册 Cloud Marketplace 方案和更改结算方案。

准备工作

  • 如需使用 gcloud 授予 Cloud Marketplace 角色和权限,请安装 gcloud CLI。否则,您可以使用 Google Cloud 控制台授予角色。

用于购买和管理产品的 IAM 角色

我们建议您为从 Cloud Marketplace 购买服务的用户分配 Billing Account Administrator IAM 角色。

用户如需访问这些服务,必须至少具有 Viewer 角色。

如需更精细地控制用户权限,您可以使用要授予的权限创建自定义角色

产品专属要求

如需在 Google Cloud 项目中使用以下服务,您必须拥有项目编辑者角色:

  • Google Cloud Dataprep by Trifacta
  • Neo4j Aura Professional

IAM 角色和权限列表

您可以为用户授予以下一个或多个 IAM 角色。根据您向用户授予的角色,您还必须将角色分配给 Google Cloud 结算账号、组织或项目。如需了解详情,请参阅向用户授予 IAM 角色部分。

角色 权限

(roles/commercebusinessenablement.admin)

可以管理各种提供方配置资源

commercebusinessenablement.leadgenConfig.*

  • commercebusinessenablement.leadgenConfig.get
  • commercebusinessenablement.leadgenConfig.update

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigAdmin)

管理付款配置资源

commercebusinessenablement.paymentConfig.*

  • commercebusinessenablement.paymentConfig.get
  • commercebusinessenablement.paymentConfig.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigViewer)

付款配置资源的查看者

commercebusinessenablement.paymentConfig.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.resellerDiscountAdmin)

提供对转销商折扣优惠的管理员访问权限

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountOffers.*

  • commercebusinessenablement.resellerDiscountOffers.cancel
  • commercebusinessenablement.resellerDiscountOffers.create
  • commercebusinessenablement.resellerDiscountOffers.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.resellerDiscountViewer)

提供对转销商折扣优惠的只读权限

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountOffers.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.viewer)

可以查看各种提供商配置资源

commercebusinessenablement.leadgenConfig.get

commercebusinessenablement.partnerAccounts.*

  • commercebusinessenablement.partnerAccounts.get
  • commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

roles/commerceoffercatalog.offersViewer

允许查看优惠

commerceoffercatalog.*

  • commerceoffercatalog.documents.get
  • commerceoffercatalog.offers.get

(roles/commerceorggovernance.admin)

拥有对组织治理 API 的完整访问权限

commerceorggovernance.*

  • commerceorggovernance.collections.create
  • commerceorggovernance.collections.delete
  • commerceorggovernance.collections.get
  • commerceorggovernance.collections.list
  • commerceorggovernance.collections.update
  • commerceorggovernance.consumerSharingPolicies.get
  • commerceorggovernance.consumerSharingPolicies.update
  • commerceorggovernance.organizationSettings.get
  • commerceorggovernance.organizationSettings.update
  • commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceorggovernance.viewer)

拥有对组织治理只读 API 的完整访问权限。

commerceorggovernance.collections.get

commerceorggovernance.collections.list

commerceorggovernance.consumerSharingPolicies.get

commerceorggovernance.organizationSettings.get

commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercepricemanagement.eventsViewer)

允许查看产品的关键事件

commerceprice.events.*

  • commerceprice.events.get
  • commerceprice.events.list

resourcemanager.projects.get

resourcemanager.projects.list

roles/commercepricemanagement.privateOffersAdmin

允许管理非公开优惠

commerceprice.*

  • commerceprice.events.get
  • commerceprice.events.list
  • commerceprice.privateoffers.cancel
  • commerceprice.privateoffers.create
  • commerceprice.privateoffers.delete
  • commerceprice.privateoffers.get
  • commerceprice.privateoffers.list
  • commerceprice.privateoffers.publish
  • commerceprice.privateoffers.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

roles/commercepricemanagement.viewer

允许查看优惠、免费试用、SKU

commerceprice.privateoffers.get

commerceprice.privateoffers.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/commerceproducer.admin)

授予对 Cloud Commerce Producer API 中所有资源的完整访问权限。

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceproducer.viewer)

授予对 Cloud Commerce Producer API 中所有资源的读取权限。

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

roles/consumerprocurement.entitlementManager

允许管理使用方项目的授权,启用、停用使用方项目以及检查其服务状态。

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.*

  • consumerprocurement.freeTrials.create
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

roles/consumerprocurement.entitlementViewer

允许检查使用方项目的授权和服务状态。

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.eventsViewer)

允许查看产品的关键事件

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

roles/consumerprocurement.orderAdmin

允许管理购买交易。

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

  • commerceoffercatalog.documents.get
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

roles/consumerprocurement.orderViewer

允许检查购买交易。

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

  • commerceoffercatalog.documents.get
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

(roles/consumerprocurement.procurementAdmin)

允许在结算帐号级和项目级管理购买交易及同意声明。

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

  • commerceoffercatalog.documents.get
  • commerceoffercatalog.offers.get

consumerprocurement.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.consents.allowProjectGrant
  • consumerprocurement.consents.check
  • consumerprocurement.consents.grant
  • consumerprocurement.consents.list
  • consumerprocurement.consents.revoke
  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list
  • consumerprocurement.events.get
  • consumerprocurement.events.list
  • consumerprocurement.freeTrials.create
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list
  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update
  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.procurementViewer)

允许检查使用方项目的购买交易、同意声明以及授权和服务状态。

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

  • commerceoffercatalog.documents.get
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

向用户授予 IAM 角色

对于上中的角色,您必须在结算账号或组织级层分配 consumerprocurement.orderAdminconsumerprocurement.orderViewer 角色,必须在项目或组织级层分配 consumerprocurement.entitlementManagerconsumerprocurement.entitlementViewer 角色。

如需使用 gcloud 为用户授予角色,请运行以下命令之一:

组织

您必须具有 resourcemanager.organizationAdmin 角色才能在组织级层分配角色。

gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id

占位值如下:

  • organization-id:您要向其授予角色的组织的数字 ID。
  • member:要向其授予访问权限的用户。
  • role-id:上表中的角色 ID。

结算账号

您必须具有 billing.admin 角色才能在结算账号级层分配角色。

gcloud beta billing accounts set-iam-policy account-id \
policy-file

占位值如下:

  • account-id:您的结算账号 ID,您可以从“管理结算账号”页面获得。
  • policy-fileIAM 政策文件,采用 JSON 或 YAML 格式。政策文件必须包含上表中的角色 ID,以及要为其分配这些角色的用户。

项目

您必须具有 resourcemanager.folderAdmin 角色才能在项目级层分配角色。

gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id

占位值如下:

  • project-id:要为其授予角色的项目。
  • member:要向其授予访问权限的用户。
  • role-id:上表中的角色 ID。

如需使用 Google Cloud 控制台向用户授予角色,请参阅关于授予、更改和撤消用户的访问权限的 IAM 文档。

将自定义角色与 Cloud Marketplace 搭配使用

如果您想精细控制您授予用户的权限,您可以使用授予的权限创建自定义角色

如果您要为从 Cloud Marketplace 购买服务的用户创建自定义角色,该角色必须包含他们用于购买服务的结算账号的以下权限:

通过单点登录 (SSO) 访问合作伙伴网站

某些 Marketplace 产品支持通过单点登录 (SSO) 访问合作伙伴的外部网站。组织内的授权用户可以使用产品详情页面上的“在提供商网站上管理”按钮。点击此按钮后,系统会将用户转到合作伙伴的网站。在某些情况下,系统会提示用户“使用 Google 账号登录”。在其他情况下,用户会通过共享账号上下文登录。

如需使用 SSO 功能,用户需要导航到产品详情页面,然后选择适当的项目。该项目必须与购买该方案的结算账号关联。如需详细了解 Marketplace 方案管理,请参阅管理结算方案

此外,用户必须在所选项目中拥有足够的 IAM 权限。对于大多数产品,目前需要 roles/consumerprocurement.entitlementManager(或 roles/editor 基本角色)。

特定产品的最小权限

以下产品可以基于一组不同的权限运行,以便使用单点登录功能:

  • Apache Kafka on Confluent Cloud
  • DataStax Astra for Apache Cassandra
  • Elastic Cloud
  • Neo4j Aura Professional
  • Redis Enterprise Cloud

对于这些产品,您可以使用以下最小权限:

  • consumerprocurement.entitlements.get
  • consumerprocurement.entitlements.list
  • serviceusage.services.get
  • serviceusage.services.list
  • resourcemanager.projects.get

这些权限通常通过 roles/consumerprocurement.entitlementManagerroles/consumerprocurement.entitlementViewer 角色授予。