Permissions and Roles

This page describes permissions and roles in Binary Authorization. Policies and attestors are defined as resources in Google Cloud Platform, and IAM policies can be assigned to them like any other platform resource.

Required Permissions

The following table lists the permissions that the caller must have to call each API method:

Method                        Required permission(s)
getPolicy                     binaryauthorization.policy.get on the requested policy.
updatePolicy                  binaryauthorization.policy.update on the policy to update.
policy.getIamPolicy           binaryauthorization.policy.getIamPolicy on the requested policy.
policy.setIamPolicy           binaryauthorization.policy.setIamPolicy on the requested policy.
policy.testIamPermissions     None.
attestors.list                binaryauthorization.attestors.list on the containing Cloud project.
attestors.get                 binaryauthorization.attestors.get on the requested attestor.
attestors.create              binaryauthorization.attestors.create on the containing Cloud project.
attestors.delete              binaryauthorization.attestors.delete on the attestor to delete.
attestors.update              binaryauthorization.attestors.update on the attestor to update.
attestors.getIamPolicy        binaryauthorization.attestors.getIamPolicy on the requested attestor.
attestors.setIamPolicy        binaryauthorization.attestors.setIamPolicy on the requested attestor.
attestors.testIamPermissions  None.

Project types

Roles and permissions can be applied to the following types of projects:

Project type  Description
Deployer      A project that manages the Google Kubernetes Engine (GKE) clusters where your images are deployed, as well as the Binary Authorization policy that governs deployment.
Image         A project that contains the image(s) to be verified.
Attestor      A project that stores attestor definitions. You can also use the note project for this purpose.
Note          A project that stores attestor notes for a particular attestor definition. You can also use the attestor project for this purpose.
Attestation   A project that stores attestations for a particular attestor. You can also use the attestor project or the image project for this purpose.

Predefined roles

The following table lists the predefined Binary Authorization IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

The primitive roles Owner, Editor and Viewer can be used on Binary Authorization resources, in addition to the predefined, type-specific Admin, Editor and Viewer roles for Binary Authorization attestors and policies.

Roles for the policy resource

Role                                     Includes permission(s)
roles/binaryauthorization.policyViewer
    binaryauthorization.policy.get
roles/binaryauthorization.policyEditor
    All of the roles/binaryauthorization.policyViewer permissions, as well as:
    binaryauthorization.policy.update
roles/binaryauthorization.policyAdmin
    All of the roles/binaryauthorization.policyEditor permissions, as well as:
    binaryauthorization.policy.getIamPolicy
    binaryauthorization.policy.setIamPolicy

Roles for the attestor resource

Role                                          Includes permission(s)
roles/binaryauthorization.attestorsViewer
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
roles/binaryauthorization.attestorsVerifier
    All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
    binaryauthorization.attestors.verifyImageAttested
roles/binaryauthorization.attestorsAdmin
    All of the roles/binaryauthorization.attestorsViewer permissions, as well as:
    binaryauthorization.attestors.getIamPolicy
    binaryauthorization.attestors.setIamPolicy

Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well.

Custom roles

Cloud IAM also provides the ability to create custom roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and Managing Custom Roles.

To help you define custom roles, the following table lists common user flows and the permissions required to perform each Binary Authorization operation. The list is not exhaustive.

User flow              Required permissions
Enable the API         On the attestor and deployer project:
                           serviceusage.services.get
                           serviceusage.services.list
                           serviceusage.services.enable
                           serviceusage.services.disable
                           serviceusage.services.use
                           serviceusage.services.generateServiceIdentity
                           serviceusage.services.getServiceIdentity
                           serviceusage.quotas.get
                           serviceusage.quotas.update
                           serviceusage.operations.cancel
                           serviceusage.operations.delete
                           serviceusage.operations.get
                           serviceusage.operations.list
Configure a Policy     On the deployer project:
                           resourcemanager.projects.get
                           resourcemanager.projects.list
                           binaryauthorization.policy.get
                           binaryauthorization.policy.update
                       On the attestor project:
                           resourcemanager.projects.get
                           resourcemanager.projects.list
                           binaryauthorization.attestors.get
                           binaryauthorization.attestors.list
Update a Policy        On the deployer project:
                           binaryauthorization.policy.update
Create an Attestor     On the attestor project:
                           containeranalysis.notes.list
                           resourcemanager.projects.get
                           resourcemanager.projects.list
                           binaryauthorization.attestors.get
                           binaryauthorization.attestors.list
                           binaryauthorization.attestors.create
Update an Attestor     On the attestor to update:
                           binaryauthorization.attestors.update
Create an Attestation  On the note resource (or project):
                           containeranalysis.notes.get
                           containeranalysis.notes.attachOccurrence
                       On the attestation project:
                           containeranalysis.occurrences.create
                           containeranalysis.occurrences.update
                           containeranalysis.occurrences.get
                           containeranalysis.occurrences.list

Checking permissions

The policy.testIamPermissions and attestors.testIamPermissions methods require no permission and can be called by any identity; each returns the subset of the requested permissions that the caller actually holds on the resource.
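As an added example (not code from the Binary Authorization documentation), the following Python script transcribes this page's role and user-flow tables and, for a given flow, works out which predefined roles cover it and how much excess they grant, builds the gcloud command for a custom role holding exactly the required permissions, and reads a testIamPermissions response to list what a caller still lacks. The role id, project id and API response it uses are constructed placeholders.

```python
# Added example, not from the Binary Authorization docs.
# Predefined roles, expanded from the "Roles for the policy/attestor resource" tables.
POLICY_VIEWER = {"binaryauthorization.policy.get"}
POLICY_EDITOR = POLICY_VIEWER | {"binaryauthorization.policy.update"}
POLICY_ADMIN = POLICY_EDITOR | {"binaryauthorization.policy.getIamPolicy",
                                "binaryauthorization.policy.setIamPolicy"}
ATTESTORS_VIEWER = {"binaryauthorization.attestors.get",
                    "binaryauthorization.attestors.list"}
ATTESTORS_VERIFIER = ATTESTORS_VIEWER | {"binaryauthorization.attestors.verifyImageAttested"}
ATTESTORS_ADMIN = ATTESTORS_VIEWER | {"binaryauthorization.attestors.getIamPolicy",
                                      "binaryauthorization.attestors.setIamPolicy"}
PREDEFINED = {
    "roles/binaryauthorization.policyViewer": POLICY_VIEWER,
    "roles/binaryauthorization.policyEditor": POLICY_EDITOR,
    "roles/binaryauthorization.policyAdmin": POLICY_ADMIN,
    "roles/binaryauthorization.attestorsViewer": ATTESTORS_VIEWER,
    "roles/binaryauthorization.attestorsVerifier": ATTESTORS_VERIFIER,
    "roles/binaryauthorization.attestorsAdmin": ATTESTORS_ADMIN,
}
# Required permissions on the deployer project, from the "User flow" table.
# (The primitive roles/owner, editor and viewer are deliberately not modelled.)
UPDATE_POLICY = {"binaryauthorization.policy.update"}
CONFIGURE_POLICY = UPDATE_POLICY | {"binaryauthorization.policy.get",
                                    "resourcemanager.projects.get",
                                    "resourcemanager.projects.list"}

def covering_roles(required):
    """Map each predefined role that grants every required permission to the
    permissions it grants beyond what the flow needs (its over-privilege),
    ordered with the least over-privileged role first."""
    cover = {r: p - required for r, p in PREDEFINED.items() if required <= p}
    return dict(sorted(cover.items(), key=lambda kv: len(kv[1])))

def custom_role_command(role_id, project_id, required):
    """Build the gcloud command that creates a custom role holding exactly the
    required permissions; role_id and project_id are caller-supplied placeholders."""
    return "gcloud iam roles create %s --project=%s --permissions=%s" % (
        role_id, project_id, ",".join(sorted(required)))

def missing_permissions(required, test_iam_response):
    """testIamPermissions echoes back only the subset of the requested
    permissions the caller actually holds, so anything required but absent
    from the response is what the caller still lacks."""
    held = set(test_iam_response.get("permissions", []))
    return sorted(required - held)

# Constructed sample response, not captured from the API.
SAMPLE_RESPONSE = {"permissions": ["binaryauthorization.policy.get"]}
```

For the Configure a Policy flow no predefined Binary Authorization role suffices (none carries the resourcemanager permissions), which is exactly the case where a custom role is the least-privilege option.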
