Permissions and Roles

Policies and Attestors are resources in Google Cloud Platform, and can have IAM policies set on them like any other resource.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
getPolicy binaryauthorization.policy.get on the requested policy.
updatePolicy binaryauthorization.policy.update on the policy to update.
policy.getIamPolicy binaryauthorization.policy.getIamPolicy on the requested policy.
policy.setIamPolicy binaryauthorization.policy.setIamPolicy on the requested policy.
policy.testIamPermissions None.
attestors.list binaryauthorization.attestors.list on the containing Cloud project.
attestors.get binaryauthorization.attestors.get on the requested attestor.
attestors.create binaryauthorization.attestors.create on the containing Cloud project.
attestors.delete binaryauthorization.attestors.delete on the attestor to delete.
attestors.update binaryauthorization.attestors.update on the attestor to update.
attestors.getIamPolicy binaryauthorization.attestors.getIamPolicy on the requested attestor.
attestors.setIamPolicy binaryauthorization.attestors.setIamPolicy on the requested attestor.
attestors.testIamPermissions None.

Predefined Roles

The following table lists the predefined Binary Authorization IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

The primitive roles Owner, Editor and Viewer can be granted on Binary Authorization resources, in addition to the predefined resource-type-specific roles listed below for policies and attestors. The primitive roles are far broader than anything Binary Authorization needs, so prefer the predefined roles or a custom role when granting access.

Roles for the Policy Resource

Role Includes permission(s):
roles/binaryauthorization.policyViewer
binaryauthorization.policy.get
roles/binaryauthorization.policyEditor
All of the roles/binaryauthorization.policyViewer permissions, as well as:
binaryauthorization.policy.update
roles/binaryauthorization.policyAdmin
All of the roles/binaryauthorization.policyEditor permissions, as well as:
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy

Roles for the Attestor Resource

Role Includes permission(s):
roles/binaryauthorization.attestorsViewer
binaryauthorization.attestors.get
binaryauthorization.attestors.list
roles/binaryauthorization.attestorsVerifier
All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
binaryauthorization.attestors.verifyImageAttested
roles/binaryauthorization.attestorsAdmin
All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.setIamPolicy

Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well.

Custom Roles

Cloud IAM also provides the ability to create custom roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and Managing Custom Roles.

To help you define custom roles, the following lists common user flows and the permissions required to perform Binary Authorization operations, both through the API and through the GCP Console (the Console reads additional resources to render its pages, so it needs more than the bare API call). This list is not exhaustive.

User flow: Update a policy
  Required permission(s) when using the API: binaryauthorization.policy.update on the containing project.
  Required permission(s) when using the GCP Console (see footnote 1): the API permissions above, as well as binaryauthorization.attestors.verifyImageAttested on every attestor to be added to the policy.

User flow: Create an attestor
  Required permission(s) when using the API: binaryauthorization.attestors.create on the containing project.
  Required permission(s) when using the GCP Console (see footnote 1): the API permissions above, as well as binaryauthorization.attestors.list on the containing project.

User flow: Update an attestor
  Required permission(s) when using the API: binaryauthorization.attestors.update on the attestor to update.
  Required permission(s) when using the GCP Console (see footnote 1): the API permissions above, as well as binaryauthorization.attestors.list on the containing project.

Checking permissions

The policy.testIamPermissions and attestors.testIamPermissions methods require no permission and can be called by any identity. Each takes a list of permissions and returns the subset that the caller actually holds on that policy or attestor, so they are the safe way to confirm that a custom role (or an identity's combined bindings) grants exactly what a flow needs before relying on it.
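The following script is an added example, not code from this page or from Google; it models the predefined roles and user flows listed above and turns them into a least-privilege check. The role and permission names are copied from the tables on this page; the flow identifiers (`update-policy` and so on), the `binauthz...` custom role ID and the testIamPermissions response are constructed for illustration. The shape of the custom role body (`roleId` plus a `role` object with `title`, `includedPermissions` and `stage`) follows the IAM `roles.create` request, which is assumed here rather than documented on this page. For each flow it computes the minimal custom-role permission set (API or Console), reports which predefined roles from this page would cover the flow and what surplus they hand out (flagging any `*.setIamPolicy`, since that lets the grantee rewrite the resource's own bindings), and diffs a flow's needs against a testIamPermissions response to list what an identity is still missing.

```python
"""Least-privilege helper for Binary Authorization IAM roles (added example).

Everything here runs offline: role tables and flows are taken from the page,
and the testIamPermissions response at the bottom is a constructed sample.
"""
from __future__ import annotations

# Predefined roles exactly as listed on this page (role -> permissions granted).
POLICY_VIEWER = {"binaryauthorization.policy.get"}
POLICY_EDITOR = POLICY_VIEWER | {"binaryauthorization.policy.update"}
POLICY_ADMIN = POLICY_EDITOR | {
    "binaryauthorization.policy.getIamPolicy",
    "binaryauthorization.policy.setIamPolicy",
}
ATTESTORS_VIEWER = {
    "binaryauthorization.attestors.get",
    "binaryauthorization.attestors.list",
}
ATTESTORS_VERIFIER = ATTESTORS_VIEWER | {"binaryauthorization.attestors.verifyImageAttested"}
ATTESTORS_ADMIN = ATTESTORS_VIEWER | {
    "binaryauthorization.attestors.getIamPolicy",
    "binaryauthorization.attestors.setIamPolicy",
}
PREDEFINED_ROLES: dict[str, set[str]] = {
    "roles/binaryauthorization.policyViewer": POLICY_VIEWER,
    "roles/binaryauthorization.policyEditor": POLICY_EDITOR,
    "roles/binaryauthorization.policyAdmin": POLICY_ADMIN,
    "roles/binaryauthorization.attestorsViewer": ATTESTORS_VIEWER,
    "roles/binaryauthorization.attestorsVerifier": ATTESTORS_VERIFIER,
    "roles/binaryauthorization.attestorsAdmin": ATTESTORS_ADMIN,
}

# User flows from the Custom Roles table (flow names are ours): permissions the
# API call needs, and the extra ones the GCP Console needs on top of those.
USER_FLOWS: dict[str, dict[str, set[str]]] = {
    "update-policy": {
        "api": {"binaryauthorization.policy.update"},
        "console_extra": {"binaryauthorization.attestors.verifyImageAttested"},
    },
    "create-attestor": {
        "api": {"binaryauthorization.attestors.create"},
        "console_extra": {"binaryauthorization.attestors.list"},
    },
    "update-attestor": {
        "api": {"binaryauthorization.attestors.update"},
        "console_extra": {"binaryauthorization.attestors.list"},
    },
}


def required_permissions(flow: str, surface: str = "api") -> set[str]:
    """Minimal permission set for a flow; 'console' adds the Console-only ones."""
    spec = USER_FLOWS[flow]
    if surface == "api":
        return set(spec["api"])
    if surface == "console":
        return set(spec["api"]) | spec["console_extra"]
    raise ValueError(f"unknown surface {surface!r}")


def custom_role_definition(role_id: str, flow: str, surface: str = "api") -> dict:
    """Request body for a custom role that carries only what the flow needs.

    Field names follow the IAM roles.create request (assumed, not on this page);
    the title text is our own.
    """
    return {
        "roleId": role_id,
        "role": {
            "title": f"Binary Authorization: {flow} via {surface}",
            "includedPermissions": sorted(required_permissions(flow, surface)),
            "stage": "GA",
        },
    }


def covering_predefined_roles(required: set[str]) -> list[dict]:
    """Predefined roles that grant all of `required`, plus the surplus each adds.

    A surplus containing *.setIamPolicy means the grantee could rewrite the
    resource's own IAM bindings, so it is flagged separately.
    """
    hits = []
    for role, granted in PREDEFINED_ROLES.items():
        if required <= granted:
            surplus = granted - required
            hits.append({
                "role": role,
                "surplus": sorted(surplus),
                "grants_iam_control": any(p.endswith(".setIamPolicy") for p in surplus),
            })
    return hits


def missing_permissions(required: set[str], *test_iam_responses: dict) -> list[str]:
    """Permissions a flow needs that no testIamPermissions response reports as held.

    Each response has the form {"permissions": [...]} and covers one resource
    (the policy or one attestor), so pass one response per resource checked.
    """
    held: set[str] = set()
    for resp in test_iam_responses:
        held |= set(resp.get("permissions", []))
    return sorted(required - held)


# Constructed sample: what policy.testIamPermissions might return for a caller
# holding policyEditor, alongside an empty result from attestors.testIamPermissions.
SAMPLE_POLICY_RESPONSE = {
    "permissions": ["binaryauthorization.policy.get", "binaryauthorization.policy.update"]
}
SAMPLE_ATTESTOR_RESPONSE: dict = {"permissions": []}

if __name__ == "__main__":
    import json
    for flow in USER_FLOWS:
        for surface in ("api", "console"):
            need = required_permissions(flow, surface)
            print(f"{flow} ({surface}): {sorted(need)}")
            for hit in covering_predefined_roles(need) or [{"role": "no listed predefined role covers this flow"}]:
                print("   ", hit)
    print(json.dumps(custom_role_definition("binauthzPolicyUpdaterConsole", "update-policy", "console"), indent=2))
    print("missing:", missing_permissions(required_permissions("update-policy", "console"),
                                          SAMPLE_POLICY_RESPONSE, SAMPLE_ATTESTOR_RESPONSE))
```

Run as a script it walks every flow. Two results are worth noticing: among the roles listed on this page, nothing covers `create-attestor`, so that flow needs a custom role (or a broader role than this page lists), and granting `policyAdmin` to someone who only needs to update the policy hands them `setIamPolicy` on it, which is the one surplus a least-privilege review should never wave through.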
