Configuring Access Control

Access control in Google Cloud Platform is controlled using Google Cloud Identity and Access Management (IAM). IAM allows you to set permissions specifying who has what kind of access to which resources in your project. IAM provides primitive and predefined roles that you can grant to users on certain resources. It also allows you to create custom roles.

Cloud Build uses IAM for access control. You can use IAM to add team members to your project and to grant them permissions to create, view, and cancel builds. Users require the necessary Cloud IAM permissions to call Cloud Build API methods.

This page describes the IAM permissions and roles required to call Cloud Build methods and explains how to use IAM to configure permissions for your project's team members and service accounts.

Permissions

The following table lists the permissions that the caller must have to call each method:

API Method   Required Permission        Role Title
create       cloudbuild.builds.create   Cloud Build Editor
cancel       cloudbuild.builds.update   Cloud Build Editor
get          cloudbuild.builds.get      Cloud Build Editor, Cloud Build Viewer
list         cloudbuild.builds.list     Cloud Build Editor, Cloud Build Viewer

Roles

With IAM, every API method in Cloud Build requires that the account making the API request has the appropriate permissions on the resource. Permissions are granted by assigning roles that include those permissions. In addition to the primitive roles owner, editor, and viewer, you can grant Cloud Build roles to the users of your project.

The table below lists the Cloud Build IAM roles and the permissions that they include:

Role                            Role Title           Includes permissions
role/cloudbuild.builds.viewer   Cloud Build Viewer   cloudbuild.builds.get
                                                     cloudbuild.builds.list
role/cloudbuild.builds.editor   Cloud Build Editor   All of the above, and:
                                                     cloudbuild.builds.create
                                                     cloudbuild.builds.update

The table below lists the primitive roles that existed prior to Cloud IAM, and the Cloud Build IAM roles that they include.

Role                        Role Title        Includes role
role/viewer                 Viewer            role/cloudbuild.builds.viewer
role/editor or role/owner   Editor or Owner   role/cloudbuild.builds.editor
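As an added example (not from the Cloud Build documentation), the following Python resolves a project's IAM policy against the tables above to answer who can call each build method and who holds more Cloud Build permissions than they need. The policy, members, project name and custom role are constructed, and role IDs use the roles/ prefix that IAM policy bindings carry.

```python
import json

# Permission each Cloud Build API method requires (from the page's table).
METHOD_PERMISSION = {
    "create": "cloudbuild.builds.create",
    "cancel": "cloudbuild.builds.update",
    "get": "cloudbuild.builds.get",
    "list": "cloudbuild.builds.list",
}
# Permissions each role carries; primitive roles include the Cloud Build roles.
VIEWER = {"cloudbuild.builds.get", "cloudbuild.builds.list"}
EDITOR = VIEWER | {"cloudbuild.builds.create", "cloudbuild.builds.update"}
ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.viewer": VIEWER,
    "roles/cloudbuild.builds.editor": EDITOR,
    "roles/viewer": VIEWER,
    "roles/editor": EDITOR,
    "roles/owner": EDITOR,
}

# Constructed policy in the JSON shape `gcloud projects get-iam-policy` returns.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudbuild.builds.viewer", "members": ["group:auditors@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci-bot@my-project.iam.gserviceaccount.com"]},
    {"role": "projects/my-project/roles/buildStarter", "members": ["user:bob@example.com"]},
]})

def member_permissions(policy_json):
    """Map each member to the Cloud Build permissions its bindings grant."""
    perms = {}
    for binding in json.loads(policy_json).get("bindings", []):
        granted = ROLE_PERMISSIONS.get(binding["role"], set())
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(granted)
    return perms

def unresolved_roles(policy_json):
    """Roles not in the table (custom roles); read their permissions from IAM."""
    bindings = json.loads(policy_json).get("bindings", [])
    return sorted({b["role"] for b in bindings if b["role"] not in ROLE_PERMISSIONS})

def who_can(policy_json, method):
    """Members allowed to call a Cloud Build API method, ignoring unresolved roles."""
    need = METHOD_PERMISSION[method]
    return sorted(m for m, p in member_permissions(policy_json).items() if need in p)

def over_privileged(policy_json, needed):
    """Members holding Cloud Build permissions beyond the set `needed` assigns them."""
    perms = member_permissions(policy_json)
    return sorted(m for m, want in needed.items() if perms.get(m, set()) - want)
```

Custom roles are listed by unresolved_roles rather than silently treated as granting nothing, so a review is not misled by bindings the table cannot expand.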

Managing IAM roles via the GCP Console

To grant IAM roles for a new team member or service account:

  1. Open the Identity and Access Management page in the Google Cloud Platform Console.
  2. Select your project, and click Continue.
  3. Click Add.
  4. Enter the team member's or service account's email address.
  5. Select the desired Role Title from the drop-down menu. Cloud Build roles are found under Cloud Build.
  6. Click Add.

Creating IAM custom roles

To create a Cloud IAM custom role with Cloud Build permissions:

  1. Go to the Roles page in the GCP Console.

  2. Select your project and organization.
  3. Click Create Role.
  4. Enter a Name, and Description for the role.
  5. Click Add Permissions.
  6. In the All services drop-down, select cloudbuild.
  7. Select one or more permissions and click Add Permissions.
  8. Click Create.

For more instructions on using Cloud IAM custom roles, see Creating and Managing Custom Roles.

Cloud Build service account

Cloud Build uses a special service account to execute builds on your behalf.

When you enable the Cloud Build API, the service account is automatically created and granted the Cloud Build role for your project. This role is sufficient for several tasks; however, it does not allow the account to perform certain actions, such as deploying to App Engine or Cloud Functions, managing Compute Engine or Kubernetes Engine resources, or accessing a Cloud Storage bucket. You can enable your service account to perform these actions by granting it additional IAM roles. Use the IAM & Admin section in the GCP Console to add the appropriate roles to the service account's list of roles.

For instructions on granting access to Cloud Build service accounts see Granting additional access.

What's next
