Roles and permissions

Google Cloud offers Identity and Access Management (IAM), which lets you grant more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Service Directory API roles. For a detailed description of IAM, read the IAM documentation.

IAM lets you apply the security principle of least privilege, so that you grant only the access your resources actually need.

IAM lets you control who has what permissions to which resources by setting IAM policies. An IAM policy grants specific roles to a principal, and each role carries a defined set of permissions.
Permissions and roles

Every Service Directory API method requires the caller to hold the necessary IAM permissions. You assign permissions by granting roles to a user, group, or service account. In addition to the basic Owner, Editor, and Viewer roles, you can grant the Service Directory API roles listed below to the principals of your project. Note that the basic roles are much broader than the Service Directory roles: a principal with basic Editor or Owner on the project can already act on Service Directory resources, so audit those bindings as well when you review access.
Permissions

You can find out which permissions are required for each method in the Service Directory API reference documentation.
Roles

The following predefined roles exist for Service Directory. Each entry gives the role title, its role ID, its description, and the permissions it contains. A wildcard such as servicedirectory.endpoints.* stands for the individual permissions listed under it.

Service Directory Admin (roles/servicedirectory.admin)
Full control of all Service Directory resources and permissions.
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.endpoints.*
        servicedirectory.endpoints.create
        servicedirectory.endpoints.delete
        servicedirectory.endpoints.get
        servicedirectory.endpoints.getIamPolicy
        servicedirectory.endpoints.list
        servicedirectory.endpoints.setIamPolicy
        servicedirectory.endpoints.update
    servicedirectory.locations.*
        servicedirectory.locations.get
        servicedirectory.locations.list
    servicedirectory.namespaces.*
        servicedirectory.namespaces.associatePrivateZone
        servicedirectory.namespaces.create
        servicedirectory.namespaces.delete
        servicedirectory.namespaces.get
        servicedirectory.namespaces.getIamPolicy
        servicedirectory.namespaces.list
        servicedirectory.namespaces.setIamPolicy
        servicedirectory.namespaces.update
    servicedirectory.networks.attach
    servicedirectory.services.*
        servicedirectory.services.bind
        servicedirectory.services.create
        servicedirectory.services.delete
        servicedirectory.services.get
        servicedirectory.services.getIamPolicy
        servicedirectory.services.list
        servicedirectory.services.resolve
        servicedirectory.services.setIamPolicy
        servicedirectory.services.update

Service Directory Editor (roles/servicedirectory.editor)
Edit Service Directory resources.
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.endpoints.create
    servicedirectory.endpoints.delete
    servicedirectory.endpoints.get
    servicedirectory.endpoints.getIamPolicy
    servicedirectory.endpoints.list
    servicedirectory.endpoints.update
    servicedirectory.locations.*
        servicedirectory.locations.get
        servicedirectory.locations.list
    servicedirectory.namespaces.associatePrivateZone
    servicedirectory.namespaces.create
    servicedirectory.namespaces.delete
    servicedirectory.namespaces.get
    servicedirectory.namespaces.getIamPolicy
    servicedirectory.namespaces.list
    servicedirectory.namespaces.update
    servicedirectory.networks.attach
    servicedirectory.services.bind
    servicedirectory.services.create
    servicedirectory.services.delete
    servicedirectory.services.get
    servicedirectory.services.getIamPolicy
    servicedirectory.services.list
    servicedirectory.services.resolve
    servicedirectory.services.update

Service Directory Network Attacher (roles/servicedirectory.networkAttacher)
Gives access to attach VPC networks to Service Directory endpoints.
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.networks.attach

Private Service Connect Authorized Service (roles/servicedirectory.pscAuthorizedService)
Gives access to VPC networks via Service Directory.
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.networks.access

Service Directory Service Agent (roles/servicedirectory.serviceAgent)
Gives the Service Directory service agent access to Cloud Platform resources.
    container.clusters.get
    gkehub.features.get
    gkehub.gateway.delete
    gkehub.gateway.generateCredentials
    gkehub.gateway.get
    gkehub.gateway.patch
    gkehub.gateway.post
    gkehub.gateway.put
    gkehub.locations.*
        gkehub.locations.get
        gkehub.locations.list
    gkehub.memberships.get
    gkehub.memberships.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.endpoints.create
    servicedirectory.endpoints.delete
    servicedirectory.endpoints.get
    servicedirectory.endpoints.getIamPolicy
    servicedirectory.endpoints.list
    servicedirectory.endpoints.update
    servicedirectory.locations.*
        servicedirectory.locations.get
        servicedirectory.locations.list
    servicedirectory.namespaces.associatePrivateZone
    servicedirectory.namespaces.create
    servicedirectory.namespaces.delete
    servicedirectory.namespaces.get
    servicedirectory.namespaces.getIamPolicy
    servicedirectory.namespaces.list
    servicedirectory.namespaces.update
    servicedirectory.networks.attach
    servicedirectory.services.bind
    servicedirectory.services.create
    servicedirectory.services.delete
    servicedirectory.services.get
    servicedirectory.services.getIamPolicy
    servicedirectory.services.list
    servicedirectory.services.resolve
    servicedirectory.services.update

Service Directory Viewer (roles/servicedirectory.viewer)
View Service Directory resources.
    resourcemanager.projects.get
    resourcemanager.projects.list
    servicedirectory.endpoints.get
    servicedirectory.endpoints.getIamPolicy
    servicedirectory.endpoints.list
    servicedirectory.locations.*
        servicedirectory.locations.get
        servicedirectory.locations.list
    servicedirectory.namespaces.get
    servicedirectory.namespaces.getIamPolicy
    servicedirectory.namespaces.list
    servicedirectory.services.get
    servicedirectory.services.getIamPolicy
    servicedirectory.services.list
    servicedirectory.services.resolve

A few points to keep in mind when choosing between these roles. Only Service Directory Admin carries the setIamPolicy permissions on endpoints, namespaces, and services: an Editor can create, change, and delete those resources but cannot change who may access them. A client that only looks up services needs servicedirectory.services.resolve together with the get and list permissions, all of which are in Service Directory Viewer, so lookup clients do not need Editor. Network Attacher and Private Service Connect Authorized Service are narrow roles built around a single network permission; grant one of them rather than Editor when that is all the principal does. Service Directory Service Agent is held by the Google-managed service agent and is not normally granted to your own principals.
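The table above is what you need to pick the smallest role that covers a principal's real needs, and to spot principals that hold more than that. The following script is an added example (not code from the Service Directory documentation or the product): it transcribes the role table into Python, picks the least-privileged predefined role for a given set of required permissions, and audits an IAM policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The project, members, and requirements in the sample policy are constructed for the example; the Service Agent role is left out because it belongs to the Google-managed service agent, and the basic roles are not modeled, so a separate check is still needed for those.

```python
"""Pick the least-privileged Service Directory role for a principal and
audit an IAM policy against what each principal actually needs.

ROLE_PERMISSIONS is transcribed from the role table on this page.
SAMPLE_POLICY and REQUIREMENTS are constructed sample input (hypothetical
project, members and needs), not real project data.
"""
import json

_PROJECT = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
_LOCATIONS = {"servicedirectory.locations.get", "servicedirectory.locations.list"}


def _sd(resource, *verbs):
    """Build servicedirectory.<resource>.<verb> permission names."""
    return {f"servicedirectory.{resource}.{verb}" for verb in verbs}


VIEWER = (_PROJECT | _LOCATIONS
          | _sd("endpoints", "get", "getIamPolicy", "list")
          | _sd("namespaces", "get", "getIamPolicy", "list")
          | _sd("services", "get", "getIamPolicy", "list", "resolve"))
EDITOR = (VIEWER
          | _sd("endpoints", "create", "delete", "update")
          | _sd("namespaces", "associatePrivateZone", "create", "delete", "update")
          | _sd("networks", "attach")
          | _sd("services", "bind", "create", "delete", "update"))
# Admin is Editor plus the three setIamPolicy permissions: it is the only
# role here that can change who may access Service Directory resources.
ADMIN = (EDITOR | _sd("endpoints", "setIamPolicy")
         | _sd("namespaces", "setIamPolicy") | _sd("services", "setIamPolicy"))

# Service Directory Service Agent is omitted: it is held by the
# Google-managed service agent, not granted to your own principals.
ROLE_PERMISSIONS = {
    "roles/servicedirectory.viewer": VIEWER,
    "roles/servicedirectory.editor": EDITOR,
    "roles/servicedirectory.admin": ADMIN,
    "roles/servicedirectory.networkAttacher": _PROJECT | _sd("networks", "attach"),
    "roles/servicedirectory.pscAuthorizedService": _PROJECT | _sd("networks", "access"),
}


def minimal_role(required):
    """Return the predefined role with the fewest permissions that still
    covers every permission in `required`, or None if no single role does."""
    candidates = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items()
                  if set(required) <= perms]
    return min(candidates)[1] if candidates else None


def audit_policy(policy, required_by_member):
    """Compare the Service Directory bindings in an IAM policy with what each
    member needs. Returns (member, kind, detail) findings, where kind is
    'over_privileged', 'missing' or 'unreviewed'."""
    roles_held = {}
    for binding in policy.get("bindings", []):
        if binding["role"] not in ROLE_PERMISSIONS:
            continue  # basic roles and unrelated roles are out of scope here
        for member in binding.get("members", []):
            roles_held.setdefault(member, set()).add(binding["role"])

    findings = []
    for member, roles in sorted(roles_held.items()):
        held = ",".join(sorted(roles))
        if member not in required_by_member:
            findings.append((member, "unreviewed", f"holds {held} with no documented need"))
            continue
        needed = set(required_by_member[member])
        effective = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
        missing = needed - effective
        if missing:
            findings.append((member, "missing", ",".join(sorted(missing))))
        best = minimal_role(needed)
        # Flag any held role that is a strict superset of the smallest adequate one.
        if best and any(ROLE_PERMISSIONS[r] > ROLE_PERMISSIONS[best] for r in roles):
            findings.append((member, "over_privileged",
                             f"holds {held}, least-privileged role is {best}"))
    for member in required_by_member:
        if member not in roles_held:
            findings.append((member, "missing", "no Service Directory role bound"))
    return findings


# Constructed sample policy (hypothetical project and members).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/servicedirectory.editor",
         "members": ["serviceAccount:lookup-client@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/servicedirectory.admin",
         "members": ["group:platform-admins@example.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwExampleEtag",
    "version": 1,
}
# Constructed statement of what each member actually does.
REQUIREMENTS = {
    "serviceAccount:lookup-client@example-project.iam.gserviceaccount.com":
        {"servicedirectory.services.resolve", "servicedirectory.endpoints.list"},
    "group:platform-admins@example.com":
        {"servicedirectory.namespaces.setIamPolicy", "servicedirectory.services.create"},
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY, REQUIREMENTS), indent=2))
```

Run against the sample policy, the lookup client is reported as over-privileged (it holds Editor but Viewer already contains resolve and list), while the admin group is not flagged because no smaller role carries namespaces.setIamPolicy. To use it on a real project, replace SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy` and REQUIREMENTS with the permissions each principal's calls need according to the API reference.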
Access control using the Google Cloud console

You can use the Google Cloud console to manage access control for Service Directory in your project.

To set access controls at the project level:

1. In the Google Cloud console, go to the IAM page.
2. Select your project from the pull-down menu at the top.
3. Click Add.
4. In New principals, enter the email address of the new principal.
5. Select the role from the drop-down menu: servicedirectory.admin, servicedirectory.editor, or servicedirectory.viewer.
6. Click Save.
7. Verify that the principal is listed with the role that you granted.

A binding made this way applies to every namespace, service, and endpoint in the project. The getIamPolicy and setIamPolicy permissions on namespaces, services, and endpoints in the role table exist because roles can also be granted on those individual resources, which is the tighter choice when a principal only needs to work with one namespace or service.
Service Directory zones override IAM restrictions

When you assign a namespace to a Service Directory zone, the service names become visible to all clients on any network that is authorized to query the private zone. There is no IAM access control for DNS, because the DNS protocol provides no authentication capability. In practice this means that IAM bindings on a namespace restrict only API lookups: for names published through a zone, the set of VPC networks authorized to query that private zone is the effective access control list, so keep that set tight and do not place names you consider sensitive in a namespace that is associated with a zone.
What's next

See the IAM documentation for details on Identity and Access Management.
See the Service Directory overview for an understanding of Service Directory.
Last updated 2025-08-29 UTC.