Saat menambahkan anggota baru ke project, Anda dapat menggunakan kebijakan Identity and Access Management (IAM) untuk memberi anggota tersebut satu atau beberapa peran IAM. Setiap peran IAM berisi izin yang memberikan akses anggota ke resource tertentu.
Compute Engine memiliki sekumpulan peran IAM yang telah ditetapkan yang dijelaskan di halaman ini. Anda juga dapat membuat peran khusus yang berisi subset izin yang dipetakan langsung ke kebutuhan Anda.
Untuk mempelajari izin yang diperlukan bagi setiap metode, baca dokumentasi referensi Compute Engine API:
Untuk informasi tentang cara memberikan akses, baca halaman berikut.
- Untuk menetapkan kebijakan IAM di level project, baca Memberikan, mengubah, dan mencabut akses ke resource dalam dokumentasi IAM.
- Untuk menetapkan kebijakan resource Compute Engine tertentu, baca Memberikan akses ke resource Compute Engine.
- Untuk menetapkan peran ke akun layanan Compute Engine, baca Membuat dan mengaktifkan akun layanan untuk instance.
Apa itu IAM?
Google Cloud menawarkan IAM, yang memungkinkan Anda memberikan akses lebih terperinci ke resource Google Cloud tertentu dan mencegah akses yang tidak diinginkan ke resource lain. IAM memungkinkan Anda menerapkan prinsip hak istimewa terendah untuk keamanan, jadi Anda hanya memberikan akses yang diperlukan ke resource Anda.
Dengan IAM, Anda dapat mengontrol siapa (identitas) yang memiliki
izin apa (peran) ke resource mana dengan menetapkan
kebijakan IAM. Kebijakan IAM memberikan peran tertentu
kepada anggota project, sehingga identitas tersebut memiliki izin tertentu. Misalnya, untuk
resource tertentu, seperti project, Anda dapat menetapkan peran
roles/compute.networkAdmin
ke Akun Google
dan akun tersebut dapat mengontrol resource terkait jaringan dalam project, tetapi
tidak dapat mengelola resource lain, seperti instance dan disk. Anda juga dapat menggunakan
IAM untuk mengelola
peran lama konsol Google Cloud
yang diberikan kepada anggota tim project.
Peran serviceAccountUser
Jika diberikan bersama dengan
roles/compute.instanceAdmin.v1
,
roles/iam.serviceAccountUser
memberi anggota kemampuan
untuk membuat dan mengelola instance yang menggunakan akun layanan. Secara khusus,
memberikan roles/iam.serviceAccountUser
dan roles/compute.instanceAdmin.v1
secara bersamaan akan memberi anggota izin untuk:
- Buat instance yang berjalan sebagai akun layanan.
- Pasang persistent disk ke instance yang berjalan sebagai akun layanan.
- Tetapkan metadata instance pada instance yang berjalan sebagai akun layanan.
- Gunakan SSH untuk terhubung ke instance yang berjalan sebagai akun layanan.
- Konfigurasi ulang instance untuk dijalankan sebagai akun layanan.
Anda dapat memberi izin roles/iam.serviceAccountUser
dengan salah satu dari dua cara berikut:
Direkomendasikan. Berikan peran kepada anggota di akun layanan tertentu. Tindakan ini memberi anggota akses ke akun layanan yang anggotanya adalah
iam.serviceAccountUser
, tetapi mencegah akses ke akun layanan lain yang anggotanya bukaniam.serviceAccountUser
.Berikan peran kepada anggota di level project. Anggota memiliki akses ke semua akun layanan dalam project, termasuk akun layanan yang dibuat di masa mendatang.
Jika Anda belum memahami akun layanan, pelajari akun layanan lebih lanjut.
Izin konsol Google Cloud
Agar dapat menggunakan konsol Google Cloud untuk mengakses resource Compute Engine, Anda harus memiliki peran yang berisi izin berikut pada project:
compute.projects.get
Menghubungkan ke instance sebagai instanceAdmin
Setelah Anda memberi
anggota project peran roles/compute.instanceAdmin.v1
, mereka dapat terhubung ke instance virtual machine (VM) dengan menggunakan alat
Google Cloud standar, sepertigcloud CLI atau
SSH dalam browser.
Saat anggota menggunakan gcloud CLI atau SSH dalam browser, alat tersebut akan otomatis membuat pasangan kunci umum/pribadi dan menambahkan kunci publik ke metadata project. Jika anggota tidak memiliki izin untuk mengedit metadata project, alat ini akan menambahkan kunci publik anggota tersebut ke metadata instance.
Jika anggota sudah memiliki pasangan kunci yang ingin digunakan, mereka dapat menambahkan kunci publiknya secara manual ke metadata instance. Pelajari lebih lanjut cara menambahkan kunci SSH ke instance.
IAM dengan akun layanan
Buat akun layanan kustom baru dan berikan peran IAM ke akun layanan untuk membatasi akses instance Anda. Gunakan peran IAM dengan akun layanan kustom untuk:
- Batasi akses yang dimiliki instance Anda ke Google Cloud API menggunakan peran IAM terperinci.
- Berikan identitas unik pada setiap instance, atau sekumpulan instance.
- Batasi akses akun layanan default Anda.
Pelajari akun layanan lebih lanjut.
Grup instance terkelola dan IAM
Grup instance terkelola (MIG) adalah resource yang menjalankan tindakan atas nama Anda tanpa interaksi pengguna langsung. Misalnya, MIG dapat menambahkan dan menghapus VM dari grup.
Semua operasi yang dilakukan oleh Compute Engine sebagai bagian dari MIG
dilakukan oleh
Agen Layanan Google API
untuk project Anda, yang memiliki alamat email seperti berikut:
PROJECT_ID@cloudservices.gserviceaccount.com
Secara default, Agen Layanan Google API diberi
peran Editor (roles/editor
) di level project, yang memberikan hak istimewa yang cukup
untuk membuat resource berdasarkan konfigurasi MIG. Jika Anda menyesuaikan
akses untuk Agen Layanan Google API, berikan peran kepada Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1
) dan, secara opsional, peran Service Account User
(roles/iam.serviceAccountUser
). Peran Pengguna Akun Layanan hanya
diperlukan jika MIG membuat VM yang dapat dijalankan sebagai akun layanan.
Perlu diperhatikan bahwa Agen Layanan Google API juga digunakan oleh proses lain, termasuk Deployment Manager.
Saat Anda membuat MIG atau mengupdate template instance-nya, Compute Engine memvalidasi bahwa Agen Layanan Google API memiliki peran dan izin berikut:
- Peran Pengguna Akun Layanan, yang penting jika Anda berencana membuat instance yang dapat berjalan sebagai akun layanan
- Izin untuk semua resource yang dirujuk dari template instance, seperti image, disk, jaringan VPC, dan subnet
Peran IAM Compute Engine yang telah ditetapkan
Dengan IAM, setiap metode API di Compute Engine API mengharuskan identitas yang membuat permintaan API memiliki izin yang sesuai untuk menggunakan resource. Izin diberikan dengan menetapkan kebijakan yang memberikan peran ke anggota (pengguna, grup, atau akun layanan) project Anda.
Selain peran dasar (penampil, editor, pemilik) dan peran khusus, Anda dapat menetapkan peran Compute Engine yang telah ditetapkan berikut ke anggota project Anda.
Anda dapat memberikan beberapa peran kepada anggota project di resource yang sama. Misalnya,
jika tim jaringan Anda juga mengelola aturan firewall, Anda dapat memberikan
roles/compute.networkAdmin
dan roles/compute.securityAdmin
ke
grup Google tim jaringan.
Tabel berikut menjelaskan peran IAM Compute Engine yang telah ditetapkan, serta izin yang terdapat dalam setiap peran. Setiap peran berisi kumpulan izin yang cocok untuk tugas tertentu. Misalnya, peran Instance Admin memberikan izin untuk mengelola instance, peran terkait jaringan mencakup izin untuk mengelola resource terkait jaringan, dan peran keamanan mencakup izin untuk mengelola resource terkait keamanan, seperti firewall dan sertifikat SSL.
Compute Admin role
Details | Permissions |
---|---|
Compute Admin( Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
Lowest-level resources where you can grant this role:
|
|
Compute Future Reservation Admin role
Details | Permissions |
---|---|
Compute Future Reservation Admin Beta(
|
|
Compute Future Reservation User role
Details | Permissions |
---|---|
Compute Future Reservation User Beta(
|
|
Compute Future Reservation Viewer role
Details | Permissions |
---|---|
Compute Future Reservation Viewer Beta(
|
|
Compute Image User role
Details | Permissions |
---|---|
Compute Image User( Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Lowest-level resources where you can grant this role:
|
|
Compute Instance Admin (beta) role
Details | Permissions |
---|---|
Compute Instance Admin (beta)( Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. Lowest-level resources where you can grant this role:
|
|
Compute Instance Admin (v1) role
Details | Permissions |
---|---|
Compute Instance Admin (v1)( Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances. |
|
Compute Load Balancer Admin role
Details | Permissions |
---|---|
Compute Load Balancer Admin( Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. Lowest-level resources where you can grant this role:
|
|
Compute Load Balancer Services User role
Details | Permissions |
---|---|
Compute Load Balancer Services User( Permissions to use services from a load balancer in other projects. |
|
Compute Network Admin role
Details | Permissions |
---|---|
Compute Network Admin( Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
Lowest-level resources where you can grant this role:
|
|
Compute Network User role
Details | Permissions |
---|---|
Compute Network User( Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. Lowest-level resources where you can grant this role:
|
|
Compute Network Viewer role
Details | Permissions |
---|---|
Compute Network Viewer( Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. Lowest-level resources where you can grant this role:
|
|
Compute Organization Firewall Policy Admin role
Details | Permissions |
---|---|
Compute Organization Firewall Policy Admin( Full control of Compute Engine Organization Firewall Policies. |
|
Compute Organization Firewall Policy User role
Details | Permissions |
---|---|
Compute Organization Firewall Policy User( View or use Compute Engine Firewall Policies to associate with the organization or folders. |
|
Compute Organization Security Policy Admin role
Details | Permissions |
---|---|
Compute Organization Security Policy Admin( Full control of Compute Engine Organization Security Policies. |
|
Compute Organization Security Policy User role
Details | Permissions |
---|---|
Compute Organization Security Policy User( View or use Compute Engine Security Policies to associate with the organization or folders. |
|
Compute Organization Resource Admin role
Details | Permissions |
---|---|
Compute Organization Resource Admin( Full control of Compute Engine Firewall Policy associations to the organization or folders. |
|
Compute OS Admin Login role
Details | Permissions |
---|---|
Compute OS Admin Login( Access to log in to a Compute Engine instance as an administrator user. Lowest-level resources where you can grant this role:
|
|
Compute OS Login role
Details | Permissions |
---|---|
Compute OS Login( Access to log in to a Compute Engine instance as a standard user. Lowest-level resources where you can grant this role:
|
|
Compute OS Login External User role
Details | Permissions |
---|---|
Compute OS Login External User( Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. Lowest-level resources where you can grant this role:
|
|
Compute packet mirroring admin role
Details | Permissions |
---|---|
Compute packet mirroring admin( Specify resources to be mirrored. |
|
Compute packet mirroring user role
Details | Permissions |
---|---|
Compute packet mirroring user( Use Compute Engine packet mirrorings. |
|
Compute Public IP Admin role
Details | Permissions |
---|---|
Compute Public IP Admin( Full control of public IP address management for Compute Engine. |
|
Compute Security Admin role
Details | Permissions |
---|---|
Compute Security Admin( Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. Lowest-level resources where you can grant this role:
|
|
Compute Sole Tenant Viewer role
Details | Permissions |
---|---|
Compute Sole Tenant Viewer( Permissions to view sole tenancy node groups |
|
Compute Storage Admin role
Details | Permissions |
---|---|
Compute Storage Admin( Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. Lowest-level resources where you can grant this role:
|
|
Compute Viewer role
Details | Permissions |
---|---|
Compute Viewer( Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. Lowest-level resources where you can grant this role:
|
|
Compute Shared VPC Admin role
Details | Permissions |
---|---|
Compute Shared VPC Admin( Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
( Lowest-level resources where you can grant this role:
|
|
OS Config Admin role
Details | Permissions |
---|---|
OS Config Admin Beta( Full access to OS Config resources |
|
GuestPolicy Admin role
Details | Permissions |
---|---|
GuestPolicy Admin Beta( Full admin access to GuestPolicies |
|
GuestPolicy Editor role
Details | Permissions |
---|---|
GuestPolicy Editor Beta( Editor of GuestPolicy resources |
|
GuestPolicy Viewer role
Details | Permissions |
---|---|
GuestPolicy Viewer Beta( Viewer of GuestPolicy resources |
|
InstanceOSPoliciesCompliance Viewer role
Details | Permissions |
---|---|
InstanceOSPoliciesCompliance Viewer Beta( Viewer of OS Policies Compliance of VM instances |
|
OS Inventory Viewer role
Details | Permissions |
---|---|
OS Inventory Viewer( Viewer of OS Inventories |
|
OSPolicyAssignment Admin role
Details | Permissions |
---|---|
OSPolicyAssignment Admin( Full admin access to OS Policy Assignments |
|
OSPolicyAssignment Editor role
Details | Permissions |
---|---|
OSPolicyAssignment Editor( Editor of OS Policy Assignments |
|
OSPolicyAssignmentReport Viewer role
Details | Permissions |
---|---|
OSPolicyAssignmentReport Viewer( Viewer of OS policy assignment reports for VM instances |
|
OSPolicyAssignment Viewer role
Details | Permissions |
---|---|
OSPolicyAssignment Viewer( Viewer of OS Policy Assignments |
|
PatchDeployment Admin role
Details | Permissions |
---|---|
PatchDeployment Admin( Full admin access to PatchDeployments |
|
PatchDeployment Viewer role
Details | Permissions |
---|---|
PatchDeployment Viewer( Viewer of PatchDeployment resources |
|
Patch Job Executor role
Details | Permissions |
---|---|
Patch Job Executor( Access to execute Patch Jobs. |
|
Patch Job Viewer role
Details | Permissions |
---|---|
Patch Job Viewer( Get and list Patch Jobs. |
|
PolicyOrchestrator Admin role
Details | Permissions |
---|---|
PolicyOrchestrator Admin Beta( Admin of PolicyOrchestrator resources |
|
PolicyOrchestrator Viewer role
Details | Permissions |
---|---|
PolicyOrchestrator Viewer Beta( Viewer of PolicyOrchestrator resources |
|
Project Feature Settings Editor role
Details | Permissions |
---|---|
Project Feature Settings Editor( Read/write access to project feature settings |
|
Project Feature Settings Viewer role
Details | Permissions |
---|---|
Project Feature Settings Viewer( Read access to project feature settings |
|
Upgrade Report Viewer role
Details | Permissions |
---|---|
Upgrade Report Viewer Beta( Provides read-only access to VM Manager Upgrade Reports |
|
OS Config Viewer role
Details | Permissions |
---|---|
OS Config Viewer Beta( Readonly access to OS Config resources |
|
OS VulnerabilityReport Viewer role
Details | Permissions |
---|---|
OS VulnerabilityReport Viewer( Viewer of OS VulnerabilityReports |
|
DNS Administrator role
Details | Permissions |
---|---|
DNS Administrator( Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
|
DNS Peer role
Details | Permissions |
---|---|
DNS Peer( Access to target networks with DNS peering zones |
|
DNS Reader role
Details | Permissions |
---|---|
DNS Reader( Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
|
Service Account Admin role
Details | Permissions |
---|---|
Service Account Admin( Create and manage service accounts. Lowest-level resources where you can grant this role:
|
|
Create Service Accounts role
Details | Permissions |
---|---|
Create Service Accounts( Access to create service accounts. |
|
Delete Service Accounts role
Details | Permissions |
---|---|
Delete Service Accounts( Access to delete service accounts. |
|
Service Account Key Admin role
Details | Permissions |
---|---|
Service Account Key Admin( Create and manage (and rotate) service account keys. Lowest-level resources where you can grant this role:
|
|
Service Account OpenID Connect Identity Token Creator role
Details | Permissions |
---|---|
Service Account OpenID Connect Identity Token Creator( Create OpenID Connect (OIDC) identity tokens |
|
Service Account Token Creator role
Details | Permissions |
---|---|
Service Account Token Creator( Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). Lowest-level resources where you can grant this role:
|
|
Service Account User role
Details | Permissions |
---|---|
Service Account User( Run operations as the service account. Lowest-level resources where you can grant this role:
|
|
View Service Accounts role
Details | Permissions |
---|---|
View Service Accounts( Read access to service accounts, metadata, and keys. |
|
Workload Identity User role
Details | Permissions |
---|---|
Workload Identity User( Impersonate service accounts from federated workloads. |
|
Langkah berikutnya
- Pelajari IAM lebih lanjut
- Pelajari cara membuat dan mengelola peran IAM kustom.
- Memberi peran IAM kepada pengguna project.
- Memberikan peran IAM untuk resource Compute Engine tertentu.
- Memberikan peran IAM ke akun layanan.