Custom roles

Overview

IAM provides the ability to create custom roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and managing custom roles.

Common user flows and permissions

The following table lists common user flows and the required permissions for performing Binary Authorization operations.

The user flows and required permissions listed in the table are not exhaustive. To learn more about Binary Authorization-related permissions, see Permissions. To learn more about all Google Cloud permissions, see IAM Permissions.

User flow                 Required permissions
------------------------  ---------------------------------------------------
Enable the API            On the attestor and deployer project:
                            serviceusage.services.get
                            serviceusage.services.list
                            serviceusage.services.enable
                            serviceusage.services.disable
                            serviceusage.services.use
                            serviceusage.services.generateServiceIdentity
                            serviceusage.services.getServiceIdentity
                            serviceusage.quotas.get
                            serviceusage.quotas.update
                            serviceusage.operations.cancel
                            serviceusage.operations.delete
                            serviceusage.operations.get
                            serviceusage.operations.list

Configure a policy        On the deployer project:
                            resourcemanager.projects.get
                            resourcemanager.projects.list
                            binaryauthorization.policy.get
                            binaryauthorization.policy.update

                          On the attestor project:
                            resourcemanager.projects.get
                            resourcemanager.projects.list
                            binaryauthorization.attestors.get
                            binaryauthorization.attestors.list

Update a policy           On the deployer project:
                            binaryauthorization.policy.update

Create an attestor        On the attestor project:
                            containeranalysis.notes.list
                            resourcemanager.projects.get
                            resourcemanager.projects.list
                            binaryauthorization.attestors.get
                            binaryauthorization.attestors.list
                            binaryauthorization.attestors.create

Update an attestor        On the containing attestor:
                            binaryauthorization.attestors.update

Create an attestation     On the note resource (or project):
                            containeranalysis.notes.get
                            containeranalysis.notes.attachOccurrence

                          On the attestation project:
                            containeranalysis.occurrences.create
                            containeranalysis.occurrences.update
                            containeranalysis.occurrences.get
                            containeranalysis.occurrences.list
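The overview says custom roles are how you give a user only the permissions their flows need; the table gives the per-flow, per-project permission lists. The following script is an added example, not code from the page or from Google's documentation: it turns selected rows of the table into a role definition in the YAML shape that `gcloud iam roles create --file` accepts, taking the union of the flows one person performs on one project. The flow names (`configure-policy:deployer` and so on), the role ID and title, and the `DEPLOYER_PROJECT_ID` variable are assumptions; the permission strings are copied from the table.

```shell
#!/bin/sh
# Added example (not from the page or Google's docs): build a custom-role
# definition from the per-flow permission lists in the table above, in the
# YAML shape that `gcloud iam roles create --file` accepts, so one user gets
# exactly the permissions of the flows they perform on a given project.
# Flow names, the role ID/title and the PROJECT_ID variable are assumptions.

# Permissions for one flow on one project, copied from the table. Flows whose
# permissions span two projects are split into one entry per project, because
# a custom role is created and granted per project. Only some rows are listed;
# the remaining rows follow the same pattern.
flow_permissions() {
  case "$1" in
    configure-policy:deployer)
      printf '%s\n' \
        resourcemanager.projects.get \
        resourcemanager.projects.list \
        binaryauthorization.policy.get \
        binaryauthorization.policy.update ;;
    configure-policy:attestor)
      printf '%s\n' \
        resourcemanager.projects.get \
        resourcemanager.projects.list \
        binaryauthorization.attestors.get \
        binaryauthorization.attestors.list ;;
    update-policy:deployer)
      printf '%s\n' binaryauthorization.policy.update ;;
    create-attestor:attestor)
      printf '%s\n' \
        containeranalysis.notes.list \
        resourcemanager.projects.get \
        resourcemanager.projects.list \
        binaryauthorization.attestors.get \
        binaryauthorization.attestors.list \
        binaryauthorization.attestors.create ;;
    *)
      echo "unknown flow: $1" >&2
      return 1 ;;
  esac
}

# Union of the permissions for several flows, deduplicated, one per line.
union_permissions() {
  for flow in "$@"; do
    flow_permissions "$flow"
  done | sort -u
}

# Emit the role definition. Usage: role_yaml TITLE FLOW [FLOW...]
role_yaml() {
  title="$1"
  shift
  printf 'title: "%s"\n' "$title"
  printf 'description: "Least-privilege role covering: %s"\n' "$*"
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  union_permissions "$@" | while IFS= read -r perm; do
    printf '  - %s\n' "$perm"
  done
}

# Number of permissions the role would grant. Compare it against the table
# when reviewing a role, so the role has not grown beyond what the flow needs.
permission_count() {
  union_permissions "$@" | wc -l | tr -d ' '
}

# Example: a role on the deployer project for someone who configures and later
# updates the policy. "Update a policy" adds nothing new, so the role still has
# four permissions. gcloud is only invoked if it is installed.
# role_yaml "Binary Authorization policy editor" \
#   configure-policy:deployer update-policy:deployer > binauthz-policy-editor.yaml
# command -v gcloud >/dev/null && gcloud iam roles create binauthzPolicyEditor \
#   --project "$DEPLOYER_PROJECT_ID" --file binauthz-policy-editor.yaml
```

Keeping one role per project mirrors the table's "On the deployer project" and "On the attestor project" split: a person who both configures the policy and creates attestors needs two roles, granted in two projects, rather than one role carrying both lists.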