Configure IAM for Bare Metal Solution

When you want a principal to gain access to the resources in your Bare Metal Solution environment, you need to grant the proper roles and permissions to user accounts and service accounts. Similar to other components of Google Cloud, you can create an Identity and Access Management (IAM) policy and grant predefined roles specific to Bare Metal Solution.

You grant the roles to principals associated with your Google Cloud project. Grant roles with enough permissions for your principals to be able to do their job, but no more, so that you follow the Google Cloud security principle of least privilege.

Predefined roles for Bare Metal Solution

Each IAM role for Bare Metal Solution contains permissions that give the principal access to specific resources as shown in the following table.

| Role name | Path | Description |
| --- | --- | --- |
| Bare Metal Solution Admin | roles/baremetalsolution.admin (The Owner basic role also has these permissions) | Full control of all current and future Bare Metal Solution resources. This role receives read and write permissions at the project level. |
| Bare Metal Solution Editor | roles/baremetalsolution.editor (The Editor basic role also has these permissions) | Editor of all current and future Bare Metal Solution resources. This role receives read and write permissions at the project level. |
| Bare Metal Solution Viewer | roles/baremetalsolution.viewer (The Viewer basic role also has these permissions) | Viewer of all current and future Bare Metal Solution resources. This role receives read-only permissions at the project level. |
| Bare Metal Solution Instances Admin | roles/baremetalsolution.instancesadmin | Administrator of Bare Metal Solution servers. |
| Bare Metal Solution Instances Editor | roles/baremetalsolution.instanceseditor | Editor of Bare Metal Solution servers. This role receives permissions to monitor and manage servers. |
| Bare Metal Solution Instances Viewer | roles/baremetalsolution.instancesviewer | Viewer of Bare Metal Solution servers. This role receives read-only permissions to view servers. |
| Bare Metal Solution Storage Admin | roles/baremetalsolution.storageadmin | Administrator of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies. |
| Bare Metal Solution Storage Editor | roles/baremetalsolution.storageeditor | Editor of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies. This role receives permissions to monitor and manage storage. |
| Bare Metal Solution Storage Viewer | roles/baremetalsolution.storageviewer | Viewer of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies. This role receives read-only permissions to view storage. |
| Bare Metal Solution Networks Admin | roles/baremetalsolution.networksadmin | Administrator of Bare Metal Solution networking resources. |
| Bare Metal Solution Networks Editor | roles/baremetalsolution.networkseditor | Editor of Bare Metal Solution networking resources. This role receives permissions to monitor and manage networks. |
| Bare Metal Solution Networks Viewer | roles/baremetalsolution.networksviewer | Viewer of Bare Metal Solution networking resources. This role receives read-only permissions to view networks. |
| Bare Metal Solution NFS Shares Admin | roles/baremetalsolution.nfssharesadmin | Administrator of Bare Metal Solution NFS resources. |
| Bare Metal Solution NFS Shares Editor | roles/baremetalsolution.nfsshareseditor | Editor of Bare Metal Solution NFS resources. This role receives permissions to monitor and manage NFS file storage. |
| Bare Metal Solution NFS Shares Viewer | roles/baremetalsolution.nfssharesviewer | Viewer of Bare Metal Solution NFS resources. This role receives read-only permissions to view NFS file storage. |

For the roles shown above, we recommend granting them according to the task the principal needs to perform:

  • Filling out an intake form

    • Bare Metal Solution roles: Admin, Editor, or Instances Admin AND Compute Network Viewer
    • Basic roles: Admin or Editor
  • Restarting a Bare Metal Solution server

    • Bare Metal Solution roles: Admin or Editor
    • Basic roles: Admin or Editor
  • Listing servers or requesting status

    • Bare Metal Solution roles: Viewer or Instances Viewer
    • Basic role: Viewer
  • Managing storage components

    • Bare Metal Solution roles: Admin, Editor, or Storage Admin
    • Basic roles: Admin or Editor
  • Managing networking components

    • Bare Metal Solution roles: Admin, Editor, or Networks Admin
    • Basic roles: Admin or Editor

Grant an IAM role

Add an Identity and Access Management (IAM) policy binding to grant a Bare Metal Solution role to a principal (a Cloud project user or service account). The role contains the permissions that enable the principal to perform certain actions. To grant a role:

  1. Make sure that you have a role that contains the proper IAM permissions to grant roles to others, such as Owner, Project IAM Admin, or Security Admin. For more information about this requirement, see Required Permissions.
  2. Open a Cloud Shell window in your Cloud project.
  3. Add your Cloud project ID, the email address of your principal's Google Cloud account, and the desired Bare Metal Solution role path into the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
     --member=user:username@example.com \
     --role=roles/baremetalsolution.admin
     

  4. Copy the command and paste it into your Cloud Shell window.

  5. Press the Enter or Return key.

  6. In some cases, an Authorize Cloud Shell window opens, requesting you to allow an API call. If you see this, click Authorize.

  7. When you've entered the commands successfully, the output looks like this:

    Updated IAM policy for project [PROJECT_ID].
      bindings:
      - members:
       - user:username@example.com
       role: roles/baremetalsolution.admin
      - members:
       - serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
       role: roles/compute.serviceAgent
      - members:
       - serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com
       - serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com
       role: roles/editor
      - members:
       - user:username@example.com
       role: roles/owner
      etag: ETAG_NUMBER
      version: 1
     
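The policy output above is also the input for a least-privilege review. The following is an added example, not part of this page or the gcloud tooling: it takes a policy in the JSON form returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, lists every member that can write Bare Metal Solution resources project-wide, and flags Bare Metal Solution bindings that a basic role on the same member already covers (the page's table states that Owner, Editor and Viewer include the Admin, Editor and Viewer roles respectively). The sample policy, the `auditor@example.com` member and the `ETAG_PLACEHOLDER` value are constructed.

```python
import json

# Constructed sample policy, shaped like the page's example output but in the
# JSON form that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/baremetalsolution.admin",
         "members": ["user:username@example.com"]},
        {"role": "roles/baremetalsolution.storageviewer",
         "members": ["user:auditor@example.com", "user:username@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:username@example.com"]},
    ],
    "etag": "ETAG_PLACEHOLDER",  # constructed placeholder, not a real etag
    "version": 1,
})

BMS_PREFIX = "roles/baremetalsolution."
# Per the role table on this page: each basic role already carries the
# permissions of these Bare Metal Solution roles (suffix after BMS_PREFIX).
BASIC_COVERS = {
    "roles/owner": {"admin", "editor", "viewer"},
    "roles/editor": {"editor", "viewer"},
    "roles/viewer": {"viewer"},
}

def roles_by_member(policy_json):
    """Invert the bindings list into {member: set(role)}."""
    out = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def audit_bms_bindings(policy_json):
    """Return (writers, redundant): members with project-wide BMS write access,
    and (member, bms_role, basic_role) triples where the basic role already
    grants the BMS role, so the extra binding widens nothing but adds clutter."""
    writers, redundant = set(), []
    for member, roles in roles_by_member(policy_json).items():
        basics = {r for r in roles if r in BASIC_COVERS}
        bms = {r[len(BMS_PREFIX):] for r in roles if r.startswith(BMS_PREFIX)}
        if bms & {"admin", "editor"} or basics & {"roles/owner", "roles/editor"}:
            writers.add(member)
        for basic in basics:
            for suffix in bms & BASIC_COVERS[basic]:
                redundant.append((member, BMS_PREFIX + suffix, basic))
    return writers, sorted(redundant)
```

Run it against a real export to see which members should be narrowed to an Instances, Storage, Networks or NFS Shares role instead of a project-level Admin or basic role.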

To learn more about IAM, see Identity and Access Management.