Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions required to use Network Connectivity Center.

In general, you need:

Note that if you need to use Network Connectivity Center in a Shared VPC network, you must hold all of the required permissions in the host project. The hub, its spokes, and all related resources must reside in the host project.

To learn more about granting permissions, see the IAM overview.

Predefined roles

The following list describes the predefined roles for Network Connectivity Center. Each entry gives the role ID, a description of the role, and the permissions it includes; a permission ending in ".*" is a wildcard that expands to the permissions listed under it.

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.acceptSpokeUpdate
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.rejectSpokeUpdate
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.queryStatus
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.managedZones.create

dns.networks.bindPrivateDNSZone

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.gatewayAdvertisedRoutes.*

  • networkconnectivity.gatewayAdvertisedRoutes.create
  • networkconnectivity.gatewayAdvertisedRoutes.delete
  • networkconnectivity.gatewayAdvertisedRoutes.get
  • networkconnectivity.gatewayAdvertisedRoutes.list
  • networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Additional required permissions

Depending on the actions you need to take in Network Connectivity Center, you might also need the permissions described in the following sections.

Permissions to create spokes

To create a spoke, you must have permission to read the spoke's underlying resource type. For example:

  • To create VPN tunnel spokes, VLAN attachment spokes, and Router appliance spokes, you need compute.routers.get.
  • To create Router appliance spokes, you need compute.instances.get. In addition, before you can use a Router appliance spoke, you must establish peering between the Cloud Router and the router appliance instance. To establish that peering, you need the following permissions:
    • compute.instances.use
    • compute.routers.update
  • To create VLAN attachment spokes, you need compute.interconnectAttachments.get.
  • To create VPN tunnel spokes, you need compute.vpnTunnels.get.
  • To create VPC spokes, you need the following permissions:
    • compute.networks.use
    • compute.networks.get
  • To create VPC spokes in a project other than the one associated with the hub, you need networkconnectivity.groups.use.

Permissions to use Network Connectivity Center in the Google Cloud console

To use Network Connectivity Center in the Google Cloud console, you must have a role, such as Compute Network Viewer (roles/compute.networkViewer), that includes the permissions described in the following table. To use these permissions, you must first create a custom role.

Each task below is followed by the permissions it requires.

Task: Go to the Network Connectivity Center page
Required permissions:
  • compute.projects.get
  • compute.networks.get

Task: Access and use the Add spoke page
Required permissions:
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
  • compute.networks.get

Task: Add a VLAN attachment spoke
Required permissions:
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.get
  • compute.networks.get
  • compute.routers.list
  • compute.routers.get

Task: Add a VPN tunnel spoke
Required permissions:
  • compute.forwardingRules.list
  • compute.networks.get
  • compute.routers.get
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list

Task: Add a Router appliance spoke
Required permissions:
  • compute.instances.list
  • compute.instances.get
  • compute.networks.get

Task: Add a VPC spoke
Required permissions:
  • compute.networks.use
  • compute.networks.get
  • compute.subnetworks.list
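The spoke-creation section and the console table above both come down to one least-privilege question: which predefined role is the narrowest one that grants what a principal needs, and which permissions are left over and therefore belong in a custom role rather than in a broad grant such as a Compute role. The following Python helper, an added example that is not code from the Google Cloud documentation, answers that question for the roles and tasks on this page. The permission sets are transcribed from the role listings above (hubViewer, spokeAdmin and hubAdmin, with the ".*" wildcards expanded from the sub-lists the page gives); the task definitions are the console table. The function names, the custom role title `nccConsoleVpcSpoke`, and the assumption that adding a spoke exercises `networkconnectivity.spokes.create` on the API side are this example's own.

```python
"""Least-privilege helper for Network Connectivity Center IAM grants.

Added example, not part of the Google Cloud documentation. Permission sets
are transcribed from the predefined-role listings on this page; console
tasks are transcribed from the console permissions table.
"""
from typing import Dict, Iterable, Optional, Set

# Wildcard groups, expanded exactly as the page lists them.
WILDCARDS: Dict[str, Set[str]] = {
    "networkconnectivity.gatewayAdvertisedRoutes.*": {
        f"networkconnectivity.gatewayAdvertisedRoutes.{a}"
        for a in ("create", "delete", "get", "list", "update")},
    "networkconnectivity.groups.*": {
        f"networkconnectivity.groups.{a}"
        for a in ("acceptSpoke", "acceptSpokeUpdate", "get", "getIamPolicy", "list",
                  "rejectSpoke", "rejectSpokeUpdate", "setIamPolicy", "use")},
    "networkconnectivity.hubRouteTables.*": {
        f"networkconnectivity.hubRouteTables.{a}"
        for a in ("get", "getIamPolicy", "list", "setIamPolicy")},
    "networkconnectivity.hubRoutes.*": {
        f"networkconnectivity.hubRoutes.{a}"
        for a in ("get", "getIamPolicy", "list", "setIamPolicy")},
    "networkconnectivity.hubs.*": {
        f"networkconnectivity.hubs.{a}"
        for a in ("create", "delete", "get", "getIamPolicy", "list",
                  "listSpokes", "queryStatus", "setIamPolicy", "update")},
    "networkconnectivity.locations.*": {
        "networkconnectivity.locations.get", "networkconnectivity.locations.list"},
    "networkconnectivity.operations.*": {
        f"networkconnectivity.operations.{a}" for a in ("cancel", "delete", "get", "list")},
    "networkconnectivity.spokes.*": {
        f"networkconnectivity.spokes.{a}"
        for a in ("create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "update")},
}


def _perms(prefix: str, actions: Iterable[str] = ("get", "getIamPolicy", "list")) -> Set[str]:
    """Build '<prefix>.<action>' permission names for a read-only style group."""
    return {f"{prefix}.{a}" for a in actions}


PROJECT_RO = {"resourcemanager.projects.get", "resourcemanager.projects.list"}

# Predefined roles as listed on this page (wildcards left unexpanded here).
ROLES: Dict[str, Set[str]] = {
    "roles/networkconnectivity.hubViewer": (
        _perms("networkconnectivity.gatewayAdvertisedRoutes", ("get", "list"))
        | _perms("networkconnectivity.groups")
        | _perms("networkconnectivity.hubRouteTables")
        | _perms("networkconnectivity.hubRoutes")
        | _perms("networkconnectivity.hubs", ("get", "getIamPolicy", "list", "listSpokes", "queryStatus"))
        | {"networkconnectivity.locations.*"}
        | _perms("networkconnectivity.spokes")
        | PROJECT_RO),
    "roles/networkconnectivity.spokeAdmin": (
        {"networkconnectivity.gatewayAdvertisedRoutes.*", "networkconnectivity.locations.*",
         "networkconnectivity.spokes.*",
         "networkconnectivity.operations.get", "networkconnectivity.operations.list"}
        | _perms("networkconnectivity.hubRouteTables")
        | _perms("networkconnectivity.hubRoutes")
        | _perms("networkconnectivity.hubs")
        | PROJECT_RO),
    "roles/networkconnectivity.hubAdmin": (
        {"networkconnectivity.gatewayAdvertisedRoutes.*", "networkconnectivity.groups.*",
         "networkconnectivity.hubRouteTables.*", "networkconnectivity.hubRoutes.*",
         "networkconnectivity.hubs.*", "networkconnectivity.locations.*",
         "networkconnectivity.operations.*", "networkconnectivity.spokes.*"}
        | PROJECT_RO),
}

# Console tasks from the table above (only the VPC-spoke rows are needed for the demo).
TASKS: Dict[str, Set[str]] = {
    "Go to the Network Connectivity Center page": {"compute.projects.get", "compute.networks.get"},
    "Add a VPC spoke": {"compute.networks.use", "compute.networks.get", "compute.subnetworks.list"},
}


def expand(role: str) -> Set[str]:
    """Return a role's permissions with every '<prefix>.*' entry expanded."""
    out: Set[str] = set()
    for perm in ROLES[role]:
        out |= WILDCARDS[perm] if perm.endswith(".*") else {perm}
    return out


def missing(role: str, required: Iterable[str]) -> Set[str]:
    """Permissions in `required` that `role` does not grant."""
    return set(required) - expand(role)


def narrowest_role(required: Iterable[str]) -> Optional[str]:
    """Predefined role with the fewest permissions that still grants all of `required`,
    or None when no predefined role on this page covers the set."""
    candidates = [r for r in ROLES if not missing(r, required)]
    return min(candidates, key=lambda r: len(expand(r))) if candidates else None


def custom_role_spec(title: str, base_role: str, required: Iterable[str]) -> dict:
    """Custom-role definition (shape of a gcloud role YAML: title, stage,
    includedPermissions) carrying only what `base_role` lacks, so the
    predefined role stays narrow and the remainder is explicit."""
    return {"title": title, "stage": "GA",
            "includedPermissions": sorted(missing(base_role, required))}


if __name__ == "__main__":
    # Assumption: the console's "Add a VPC spoke" flow calls the API with spokes.create.
    need = TASKS["Add a VPC spoke"] | {"networkconnectivity.spokes.create"}
    base = narrowest_role({"networkconnectivity.spokes.create"})
    print("narrowest predefined role:", base)
    print("custom role for the rest:", custom_role_spec("nccConsoleVpcSpoke", base, need))
```

Running the block shows that `roles/networkconnectivity.spokeAdmin` is the narrowest predefined role for creating spokes, that no Network Connectivity Center role covers the console's Compute permissions, and that a custom role needs only the three `compute.*` permissions from the "Add a VPC spoke" row. The same `missing` check is a quick audit of an existing grant: run it against the permissions a principal actually uses and anything the role grants beyond that is a candidate for removal.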

Protect resources with VPC Service Controls

To further secure your Network Connectivity Center resources, use VPC Service Controls.

VPC Service Controls provides an additional layer of protection for your resources and helps reduce the risk of data exfiltration. With VPC Service Controls, you place Network Connectivity Center resources inside a service perimeter; VPC Service Controls then protects those resources from requests that originate outside the perimeter.

To learn more about service perimeters, see the "Service perimeter configuration" page in the VPC Service Controls documentation.

What's next

To learn more about project roles and Google Cloud resources, see the following documentation: