Overview
IAM provides the ability to create custom roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and managing custom roles.
Common user flows and permissions
The following table lists common user flows and the required permissions for performing Binary Authorization operations.
The user flows and required permissions listed in the table are not exhaustive. To learn more about Binary Authorization-related permissions, see Permissions. To learn more about all Google Cloud permissions, see IAM Permissions.
| User flow | Required permissions |
|---|---|
| Enable the API | On the attestor and deployer projects:<br>serviceusage.services.get<br>serviceusage.services.list<br>serviceusage.services.enable<br>serviceusage.services.disable<br>serviceusage.services.use<br>serviceusage.services.generateServiceIdentity<br>serviceusage.services.getServiceIdentity<br>serviceusage.quotas.get<br>serviceusage.quotas.update<br>serviceusage.operations.cancel<br>serviceusage.operations.delete<br>serviceusage.operations.get<br>serviceusage.operations.list |
| Configure a policy | On the deployer project:<br>resourcemanager.projects.get<br>resourcemanager.projects.list<br>binaryauthorization.policy.get<br>binaryauthorization.policy.update<br><br>On the attestor project:<br>resourcemanager.projects.get<br>resourcemanager.projects.list<br>binaryauthorization.attestors.get<br>binaryauthorization.attestors.list |
| Update a policy | On the deployer project:<br>binaryauthorization.policy.update |
| Create an attestor | On the attestor project:<br>containeranalysis.notes.list<br>resourcemanager.projects.get<br>resourcemanager.projects.list<br>binaryauthorization.attestors.get<br>binaryauthorization.attestors.list<br>binaryauthorization.attestors.create |
| Update an attestor | On the attestor resource:<br>binaryauthorization.attestors.update |
| Create an attestation | On the note resource (or its project):<br>containeranalysis.notes.get<br>containeranalysis.notes.attachOccurrence<br><br>On the attestation project:<br>containeranalysis.occurrences.create<br>containeranalysis.occurrences.update<br>containeranalysis.occurrences.get<br>containeranalysis.occurrences.list |
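The following script is an added example, not part of the original page or of Google's own tooling. It applies the "Configure a policy" row of the table: one custom role per project, each holding only the permissions that row lists for that project, both granted to a single service account. Because the deployer-project role cannot read attestors and the attestor-project role cannot touch the policy, neither project ends up with a broader grant than the flow needs. The project IDs, role IDs and service account e-mail are placeholders (assumptions); the gcloud commands and flags are real.

```shell
#!/bin/sh
# Added example: least-privilege custom roles for the "Configure a policy" flow.
# Project IDs, role IDs and MEMBER below are assumed placeholders; override via env.
set -eu

DEPLOYER_PROJECT="${DEPLOYER_PROJECT:-my-deployer-project}"   # assumption
ATTESTOR_PROJECT="${ATTESTOR_PROJECT:-my-attestor-project}"   # assumption
MEMBER="${MEMBER:-serviceAccount:binauthz-policy@my-deployer-project.iam.gserviceaccount.com}"

# Permissions from the "Configure a policy" row, grouped by the project they are checked on.
DEPLOYER_PERMS="resourcemanager.projects.get resourcemanager.projects.list
binaryauthorization.policy.get binaryauthorization.policy.update"
ATTESTOR_PERMS="resourcemanager.projects.get resourcemanager.projects.list
binaryauthorization.attestors.get binaryauthorization.attestors.list"

# Convert a whitespace-separated permission list into the comma-separated form that
# gcloud's --permissions flag expects. Rejects anything that is not
# <service>.<resource>.<verb>, and rejects duplicates, so a typo cannot silently
# produce a role that is missing a permission.
join_permissions() {
  out=""
  for p in $1; do
    case "$p" in
      *.*.*) ;;
      *) echo "malformed permission: $p" >&2; return 1 ;;
    esac
    case ",$out," in
      *",$p,"*) echo "duplicate permission: $p" >&2; return 1 ;;
    esac
    out="${out:+$out,}$p"
  done
  printf '%s' "$out"
}

# Full resource name of a project-level custom role, as used in IAM bindings.
role_name() {
  printf 'projects/%s/roles/%s' "$1" "$2"
}

# Create a project-level custom role (or replace its permission list if it already
# exists, so re-runs converge) and bind MEMBER to it on that project only.
grant_custom_role() {
  project="$1"; role_id="$2"; title="$3"
  perms="$(join_permissions "$4")"
  if gcloud iam roles describe "$role_id" --project="$project" >/dev/null 2>&1; then
    gcloud iam roles update "$role_id" --project="$project" --permissions="$perms"
  else
    gcloud iam roles create "$role_id" --project="$project" \
      --title="$title" --stage=GA --permissions="$perms"
  fi
  gcloud projects add-iam-policy-binding "$project" \
    --member="$MEMBER" --role="$(role_name "$project" "$role_id")" --condition=None
}

main() {
  grant_custom_role "$DEPLOYER_PROJECT" binauthzPolicyConfigurer \
    "Binary Authorization policy configurer" "$DEPLOYER_PERMS"
  grant_custom_role "$ATTESTOR_PROJECT" binauthzAttestorViewer \
    "Binary Authorization attestor viewer" "$ATTESTOR_PERMS"
}

# gcloud is only invoked when run as "sh script.sh apply"; otherwise the helpers
# are defined and can be exercised without credentials.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run with `apply` from an identity that can administer roles and IAM policy on both projects. Before creating a role, `gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID` lists which permissions the project supports in custom roles; a permission listed there with a `TESTING` or `NOT_SUPPORTED` custom-role support level will be rejected or may change, so check the Binary Authorization permissions appear with `SUPPORTED` before depending on the role in automation.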