Configure IAM for Bare Metal Solution

When you want a principal, such as a Google Cloud project user or service account, to gain access to the resources in your Bare Metal Solution environment, you need to grant them appropriate roles and permissions. To grant access, you can create an Identity and Access Management (IAM) policy and grant predefined roles specific to Bare Metal Solution.

Grant roles with enough permissions for your principals to be able to do their job but no more, so that you follow the Google Cloud security principle of least privilege.

Predefined roles for Bare Metal Solution

Each IAM role for Bare Metal Solution contains permissions that give the principal access to specific resources, as shown in the following list (role name, path, description):

  • Bare Metal Solution Admin (roles/baremetalsolution.admin; the Owner basic role also has these permissions)
    Full control of all current and future Bare Metal Solution resources. This role receives read and write permissions at the project level.
  • Bare Metal Solution Editor (roles/baremetalsolution.editor; the Editor basic role also has these permissions)
    Editor of all current and future Bare Metal Solution resources. This role receives read and write permissions at the project level.
  • Bare Metal Solution Viewer (roles/baremetalsolution.viewer; the Viewer basic role also has these permissions)
    Viewer of all current and future Bare Metal Solution resources. This role receives read-only permissions at the project level.
  • Bare Metal Solution Instances Admin (roles/baremetalsolution.instancesadmin)
    Administrator of Bare Metal Solution servers.
  • Bare Metal Solution Instances Editor (roles/baremetalsolution.instanceseditor)
    Editor of Bare Metal Solution servers. This role receives permissions to monitor and manage servers.
  • Bare Metal Solution Instances Viewer (roles/baremetalsolution.instancesviewer)
    Viewer of Bare Metal Solution servers. This role receives read-only permissions to view servers.
  • Bare Metal Solution Storage Admin (roles/baremetalsolution.storageadmin)
    Administrator of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies.
  • Bare Metal Solution Storage Editor (roles/baremetalsolution.storageeditor)
    Editor of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies. This role receives permissions to monitor and manage storage.
  • Bare Metal Solution Storage Viewer (roles/baremetalsolution.storageviewer)
    Viewer of Bare Metal Solution storage resources, including volumes, LUNs, snapshots, and snapshot schedule policies. This role receives read-only permissions to view storage.
  • Bare Metal Solution Networks Admin (roles/baremetalsolution.networksadmin)
    Administrator of Bare Metal Solution networking resources.
  • Bare Metal Solution Networks Editor (roles/baremetalsolution.networkseditor)
    Editor of Bare Metal Solution networking resources. This role receives permissions to monitor and manage networks.
  • Bare Metal Solution Networks Viewer (roles/baremetalsolution.networksviewer)
    Viewer of Bare Metal Solution networking resources. This role receives read-only permissions to view networks.
  • Bare Metal Solution NFS Shares Admin (roles/baremetalsolution.nfssharesadmin)
    Administrator of Bare Metal Solution NFS resources.
  • Bare Metal Solution NFS Shares Editor (roles/baremetalsolution.nfsshareseditor)
    Editor of Bare Metal Solution NFS resources. This role receives permissions to monitor and manage NFS file storage.
  • Bare Metal Solution NFS Shares Viewer (roles/baremetalsolution.nfssharesviewer)
    Viewer of Bare Metal Solution NFS resources. This role receives read-only permissions to view NFS file storage.

For the roles shown above, we recommend applying them as follows:

  • Filling out an intake form

    • Bare Metal Solution roles: Admin, Editor, or Instances Admin AND Compute Network Viewer
    • Basic roles: Owner or Editor
  • Restarting a Bare Metal Solution server

    • Bare Metal Solution roles: Admin or Editor
    • Basic roles: Owner or Editor
  • Listing servers or requesting status

    • Bare Metal Solution roles: Viewer or Instances Viewer
    • Basic role: Viewer
  • Managing storage components

    • Bare Metal Solution roles: Admin, Editor, or Storage Admin
    • Basic roles: Owner or Editor
  • Managing networking components

    • Bare Metal Solution roles: Admin, Editor, or Networks Admin
    • Basic roles: Owner or Editor

For a full list of Bare Metal Solution roles, see Predefined roles and enter baremetalsolution. in the search box.

For a full list of Bare Metal Solution permissions, see Search for a permission and enter baremetalsolution. in the search box.

Grant an IAM role

Add an IAM policy binding to grant a Bare Metal Solution role to a principal. The role contains the permissions that enable the principal to perform certain actions. To grant a role:

Console

  1. Make sure that you have a role that contains the proper IAM permissions to grant roles to others, such as Owner, Project IAM Admin, or Security Admin. For more information about this requirement, see Required Roles.

  2. In the Google Cloud console, go to the IAM permissions page.

  3. Click Grant access.

  4. Enter the following information:

    • For Add principals, enter your users. You can add individual users, Google groups, service accounts, or Google Workspace domains.

    • For Assign roles, choose a role from the Select a role menu to grant this role to the principals.

    • Click Add another role if you need to assign multiple roles to your principals.

    • Click Save.

    Your principals and their assigned roles appear on the IAM permissions page.

gcloud

  1. Make sure that you have a role that contains the proper IAM permissions to grant roles to others, such as Owner, Project IAM Admin, or Security Admin. For more information about this requirement, see Required Roles.

  2. Open a Cloud Shell window in your Google Cloud project.

  3. Add your Google Cloud project ID, the email address of your principal's Google Cloud account, and the path of the desired Bare Metal Solution role to the following command:

    # The member is prefixed with its principal type; for a service account
    # principal, use the serviceAccount: prefix instead of user:.
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=user:username@example.com \
      --role=roles/baremetalsolution.admin

  4. Copy the command and paste it into your Cloud Shell window.

  5. Press the Enter or Return key.

  6. In some cases, an Authorize Cloud Shell window opens, requesting you to allow an API call. If you see this, click Authorize.

  7. When the command succeeds, the output looks like this:

    Updated IAM policy for project [PROJECT_ID].
    bindings:
    - members:
      - user:username@example.com
      role: roles/baremetalsolution.admin
    - members:
      - serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
      role: roles/compute.serviceAgent
    - members:
      - serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com
      - serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com
      role: roles/editor
    - members:
      - user:username@example.com
      role: roles/owner
    etag: ETAG_NUMBER
    version: 1
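As an added example (not code from the Google Cloud documentation), the following Python audits the JSON form of a project policy, as returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, against the least-privilege guidance above: it lists each principal's Bare Metal Solution roles and flags principals that reach Bare Metal Solution resources only through a basic role, naming the predefined role from the list above that would keep their Bare Metal Solution access without the project-wide permissions. The embedded sample policy is constructed to mirror the output shown above, and the function names are this example's own.

```python
import json
from collections import defaultdict

BMS_PREFIX = "roles/baremetalsolution."
# Basic role -> the predefined BMS role whose permissions it already includes
# (per the roles list on this page). Moving a principal to the right-hand
# role keeps its BMS access but drops the basic role's project-wide scope.
BASIC_TO_BMS = {
    "roles/owner": "roles/baremetalsolution.admin",
    "roles/editor": "roles/baremetalsolution.editor",
    "roles/viewer": "roles/baremetalsolution.viewer",
}

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["user:username@example.com"],
         "role": "roles/baremetalsolution.admin"},
        {"members": ["serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com",
                     "user:ops@example.com"],
         "role": "roles/editor"},
        {"members": ["user:username@example.com"], "role": "roles/owner"},
    ],
    "etag": "ETAG_PLACEHOLDER",
    "version": 1,
})


def audit_bms_access(policy_json):
    """Map each member that can reach BMS resources to the BMS predefined
    roles and the basic roles (owner/editor/viewer) it holds."""
    policy = json.loads(policy_json)
    report = defaultdict(lambda: {"bms_roles": [], "basic_roles": []})
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role.startswith(BMS_PREFIX):
                report[member]["bms_roles"].append(role)
            elif role in BASIC_TO_BMS:
                report[member]["basic_roles"].append(role)
    return dict(report)


def basic_only_members(policy_json):
    """Members whose only route to BMS is a basic role, mapped to the narrower
    predefined roles that would preserve their BMS access."""
    return {member: [BASIC_TO_BMS[r] for r in roles["basic_roles"]]
            for member, roles in sorted(audit_bms_access(policy_json).items())
            if roles["basic_roles"] and not roles["bms_roles"]}
```

Run it against a real export with `json.load(open("policy.json"))` in place of the sample; the default Compute Engine service account shows up in the report because, as in the output above, it holds roles/editor.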

To learn more about IAM, see Identity and Access Management.