Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Por predefinição, apenas o criador de um Google Cloud projeto tem acesso
ao projeto e aos respetivos recursos. Para conceder acesso a outros utilizadores, pode conceder funções de gestão de identidade e acesso (IAM) no projeto ou num recurso específico do Cloud Build.
Esta página descreve as formas como pode definir o controlo de acesso para os seus recursos do Cloud Build.
Introduza o endereço de email do utilizador ou da conta de serviço.
Selecione a função pretendida no menu pendente. As funções do Cloud Build
estão em Cloud Build.
Clique em Guardar.
gcloud
Para conceder uma função a um principal, execute o comando add-iam-policy-binding:
gcloud group add-iam-policy-binding resource \
--member=principal --role=role-id
Onde:
group: O grupo da CLI gcloud para o recurso que quer atualizar. Por exemplo, pode usar projetos ou organizações.
resource: o nome do recurso.
principal: um identificador para o principal, que normalmente tem o seguinte formato: principal-type:id. Por exemplo, user:my-user@example.com.
Para uma lista completa dos tipos de principais ou membros, consulte a
referência de associação de políticas.
role-id: o nome da função.
Por exemplo, para conceder a função Leitor do Cloud Build ao utilizador
my-user@example.com para o projeto my-project:
Conceder autorizações para executar comandos gcloud
Para executar comandos gcloud builds, os utilizadores com apenas as funções cloudbuild.builds.viewer ou cloudbuild.builds.editor também precisam da autorização serviceusage.services.use. Para conceder esta autorização ao utilizador, atribua-lhe a função serviceusage.serviceUsageConsumer.
O utilizador com as funções roles/editor e roles/owner pode executar comandos
gcloud builds sem a autorização
serviceusage.services.use adicional.
Autorizações para ver registos de compilação
Para ver os registos de compilação, precisa de autorizações adicionais, consoante esteja a armazenar os registos de compilação no contentor do Cloud Storage predefinido ou num contentor do Cloud Storage especificado pelo utilizador. Para mais informações sobre as autorizações necessárias para ver os registos de compilação, consulte o artigo Ver registos de compilação.
Na tabela de autorizações, localize o ID de email do principal e clique no ícone de lápis.
Elimine a função que quer revogar.
Clique em Guardar.
gcloud
Para revogar uma função de um utilizador, execute o comando remove-iam-policy-binding:
gcloud group remove-iam-policy-binding resource \
--member=principal --role=role-id
Onde:
group: O grupo da CLI gcloud para o recurso que quer atualizar. Por exemplo, pode usar projetos ou organizações.
resource: o nome do recurso.
principal: um identificador para o principal, que normalmente tem o seguinte formato: principal-type:id. Por exemplo, user:my-user@example.com.
Para uma lista completa dos tipos de principais ou membros, consulte a
referência de associação de políticas.
role-id: o nome da função.
Por exemplo, para revogar a função Leitor do Cloud Build do utilizador
my-user@example.com para o projeto my-project:
role-id é o nome da função para a qual quer ver os responsáveis.
Por exemplo, para ver todos os principais num projeto aos quais foi concedido o papel de Google Cloud visualizador do projeto, execute o seguinte comando:
Para os utilizadores que querem definir as suas próprias funções com conjuntos de autorizações que especificam, o IAM oferece funções personalizadas. Para obter instruções
sobre como criar e usar funções personalizadas da IAM, consulte o artigo Criar e gerir funções
personalizadas.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-21 UTC."],[[["\u003cp\u003eBy default, only the project creator has access, and you can grant access to other users by assigning Identity and Access Management (IAM) roles either at the project level or for specific Cloud Build resources.\u003c/p\u003e\n"],["\u003cp\u003eAccess can be granted to users or service accounts through the Google Cloud console's IAM page or by using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool's \u003ccode\u003eadd-iam-policy-binding\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eUsers with \u003ccode\u003ecloudbuild.builds.viewer\u003c/code\u003e or \u003ccode\u003ecloudbuild.builds.editor\u003c/code\u003e roles need the \u003ccode\u003eserviceusage.services.use\u003c/code\u003e permission to run \u003ccode\u003egcloud builds\u003c/code\u003e commands, which can be granted by assigning them the \u003ccode\u003eserviceusage.serviceUsageConsumer\u003c/code\u003e role.\u003c/p\u003e\n"],["\u003cp\u003eRoles can be revoked using the Google Cloud console by editing permissions on the IAM page, or via the \u003ccode\u003egcloud\u003c/code\u003e tool with the \u003ccode\u003eremove-iam-policy-binding\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eIAM custom roles can be created to bundle specific permissions, but must include the \u003ccode\u003eserviceusage.services.use\u003c/code\u003e permission for Cloud Build custom roles.\u003c/p\u003e\n"]]],[],null,["# Configuring access to Cloud Build resources\n\nBy default, only the creator of a Google Cloud project has access\nto the project and its resources. To grant other users access, you can grant\nIdentity and Access Management (IAM) roles on the project, or on a specific\nCloud Build resource.\n\nThis page describes the ways you can set access control for your\nCloud Build resources.\n\nBefore you begin\n----------------\n\n- Understand the [basic concepts of IAM](/iam/docs/overview).\n- Learn about the [Cloud Build roles and permissions](/build/docs/iam-roles-permissions).\n\nGranting roles on the project\n-----------------------------\n\n### Console\n\n1. Open the IAM page in the Google Cloud console:\n\n [Open the IAM page](https://console.cloud.google.com/iam-admin/roles)\n2. Select your project, and click **Continue**.\n\n3. Click **Grant access**.\n\n4. Enter the user's or service account's email address.\n\n5. Select the desired role from the drop-down menu. Cloud Build\n roles are under **Cloud Build**.\n\n6. Click **Save**.\n\n| **Note:** If you do not see the Cloud Build roles in the drop-down menu, you may need to [enable the Cloud Build\n| API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com&_ga=1.128224844.1904271179.1489680703).\n\n### gcloud\n\nTo grant a role to a principal, run the `add-iam-policy-binding` command: \n\n gcloud \u003cvar translate=\"no\"\u003egroup\u003c/var\u003e add-iam-policy-binding \u003cvar translate=\"no\"\u003eresource\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003eprincipal\u003c/var\u003e --role=\u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003egroup\u003c/var\u003e: The gcloud CLI group for the resource you\n want to update. For example, you can use projects or organizations.\n\n- \u003cvar translate=\"no\"\u003eresource\u003c/var\u003e: The name of the resource.\n\n- \u003cvar translate=\"no\"\u003eprincipal\u003c/var\u003e: An identifier for the principal, which usually\n has the following form: principal-type:id. For example, user:my-user@example.com.\n For a full list of principal, or member, types, see the\n [Policy Binding reference](/iam/docs/reference/rest/v1/Policy#Binding).\n\n- \u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e: The name of the role.\n\nFor example, to grant the Cloud Build Viewer role to the user\n`my-user@example.com` for the project `my-project`: \n\n gcloud projects add-iam-policy-binding my-project \\\n --member=user:my-user@example.com --role=roles/cloudbuild.builds.viewer\n\nGranting permissions to run gcloud commands\n-------------------------------------------\n\nTo run [`gcloud builds`](/sdk/gcloud/reference/builds) commands, users with only\n`cloudbuild.builds.viewer` or `cloudbuild.builds.editor` roles also require the\n`serviceusage.services.use` permission. To give this permission to the user, grant\nthem the `serviceusage.serviceUsageConsumer` role.\n\nUser with roles/editor and roles/owner roles can run\n[`gcloud builds`](/sdk/gcloud/reference/builds) commands without the additional\n`serviceusage.services.use` permission.\n\nPermissions to view build logs\n------------------------------\n\nTo view build logs, you require additional permissions depending on whether\nyou're storing your build logs in the default Cloud Storage bucket or in\na user-specified Cloud Storage bucket. For more information on permissions\nrequired to view build logs, see [Viewing build logs](/build/docs/securing-builds/store-manage-build-logs#viewing_build_logs).\n\nRevoking roles on the project\n-----------------------------\n\n### Console\n\n1. Open the IAM page in the Google Cloud console:\n\n [Open the IAM page](https://console.cloud.google.com/iam-admin/roles)\n2. Select your project, and click **Continue**.\n\n3. In the permissions table, locate the email ID of the principal and click on the\n pencil icon.\n\n4. Delete the role that you want to revoke.\n\n5. Click **Save**.\n\n### gcloud\n\nTo revoke a role from a user, run the `remove-iam-policy-binding` command: \n\n gcloud \u003cvar translate=\"no\"\u003egroup\u003c/var\u003e remove-iam-policy-binding \u003cvar translate=\"no\"\u003eresource\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003eprincipal\u003c/var\u003e --role=\u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003egroup\u003c/var\u003e: The gcloud CLI group for the resource you\n want to update. For example, you can use projects or organizations.\n\n- \u003cvar translate=\"no\"\u003eresource\u003c/var\u003e: The name of the resource.\n\n- \u003cvar translate=\"no\"\u003eprincipal\u003c/var\u003e: An identifier for the principal, which usually\n has the following form: principal-type:id. For example, user:my-user@example.com.\n For a full list of principal, or member, types, see the\n [Policy Binding reference](/iam/docs/reference/rest/v1/Policy#Binding).\n\n- \u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e: The name of the role.\n\nFor example, to revoke the Cloud Build Viewer role from the user\n`my-user@example.com` for the project `my-project`: \n\n gcloud projects remove-iam-policy-binding my-project \\\n --member=user:my-user@example.com --role=roles/cloudbuild.builds.viewer\n\nViewing roles on the project\n----------------------------\n\n### Console\n\n1. Open the IAM page in the Google Cloud console:\n\n [Open the IAM page](https://console.cloud.google.com/iam-admin/roles)\n2. Select your project, and click **Continue**.\n\n3. Under **View by** , click **Roles**.\n\n4. To view the principals with a particular role, expand the role name.\n\n### gcloud\n\nTo view all users that are granted a particular role in a Google Cloud project,\nrun the following command: \n\n gcloud projects get-iam-policy \u003cvar translate=\"no\"\u003eproject-id\u003c/var\u003e \\\n --flatten=\"bindings[].members\" \\\n --format=\"table(bindings.members)\" \\\n --filter=\"bindings.role:\u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e\"\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003eproject-id\u003c/var\u003e is your project ID.\n\n- \u003cvar translate=\"no\"\u003erole-id\u003c/var\u003e is the name of the role for which you want\n to view the principals.\n\nFor example, to view all principals in a project that are granted the Google Cloud project\nViewer role, run the following command: \n\n gcloud projects get-iam-policy my-project \\\n --flatten=\"bindings[].members\" \\\n --format=\"table(bindings.members)\" \\\n --filter=\"bindings.role:roles/cloudbuild.builds.viewer\"\n\nCreating IAM custom roles\n-------------------------\n\nFor users that want to define their own roles containing bundles of\npermissions that they specify, IAM offers custom roles. For instructions\non creating and using IAM custom roles, see [Creating and Managing Custom\nRoles](/iam/docs/creating-custom-roles).\n| **Note:** You must include the `serviceusage.services.use` permission in each Cloud Build custom role you create.\n\nWhat's next\n-----------\n\n- Learn about [Default Cloud Build service account](/build/docs/cloud-build-service-account).\n- Learn how to [configure access to Cloud Build service account](/build/docs/securing-builds/configure-access-for-cloud-build-service-account).\n- Learn about [the permissions required to view build logs](/build/docs/securing-builds/store-view-build-logs)."]]
