Compute Engine tiene un conjunto específico de funciones de administración de identidades y accesos (IAM).
Cada función predefinida contiene un conjunto de permisos.
Cuando agregas un miembro nuevo a tu proyecto, puedes usar una política de IAM para dar a ese miembro una o más funciones de IAM. Cada función de IAM contiene permisos que otorgan al miembro acceso a recursos específicos.
Para obtener más información sobre cómo establecer políticas a nivel de proyecto, consulta la sección sobre cómo otorgar, cambiar y revocar el acceso a los recursos en la documentación de IAM. Para saber cómo establecer políticas en los recursos de Compute Engine, consulta la sección sobre cómo otorgar acceso a los recursos de Compute Engine.
Si deseas obtener información sobre cómo asignar funciones a una cuenta de servicio de Compute Engine, consulta la documentación sobre cómo crear y habilitar cuentas de servicio para instancias. Para aprender a crear funciones personalizadas que contengan cualquier subconjunto de permisos, consulta la sección sobre cómo crear y administrar funciones personalizadas.
Antes de comenzar
¿Qué es IAM?
Google Cloud Platform ofrece la administración de identidades y accesos (IAM), que te permite brindar un acceso más detallado a recursos específicos de Google Cloud Platform y evita el acceso no deseado a otros recursos.
IAM te permite adoptar el principio de seguridad de menor privilegio, de manera que solo otorgues el acceso necesario a tus recursos.
IAM te permite controlar quién (identidad) tiene qué (funciones) permisos sobre cuáles recursos mediante la configuración de políticas de IAM. Las políticas de IAM otorgan funciones específicas a un miembro del proyecto, ya que otorga a la identidad ciertos permisos. Por ejemplo, para un recurso determinado, como un proyecto, puedes asignar la función roles/compute.networkAdmin a una Cuenta de Google a fin de que pueda controlar los recursos relacionados con la red en el proyecto, pero no administrar otros recursos, como instancias y discos. También puedes usar IAM para administrar las funciones heredadas de GCP Console otorgadas a los miembros del equipo del proyecto.
Funciones predefinidas de IAM en Compute Engine
Con IAM, cada método de API en Compute Engine requiere que la identidad que realiza la solicitud a la API tenga los permisos adecuados para usar el recurso.
Los permisos se otorgan cuando mediante la configuración de políticas que otorgan funciones a un miembro (usuario, grupo o cuenta de servicio) de tu proyecto.
Además de las funciones heredadas (visualizador, editor y propietario) y funciones personalizadas, puedes asignar las siguientes funciones predefinidas de Compute Engine a los miembros de tu proyecto.
Puedes otorgar varias funciones a un miembro del proyecto para un mismo recurso. Por ejemplo, si tu equipo de redes también administra las reglas de firewall, puedes otorgar roles/compute.networkAdmin y roles/compute.securityAdmin al grupo de Google del equipo de redes.
En las siguientes tablas, se describen las funciones predefinidas de IAM en Compute Engine, además de los permisos que contiene cada función. Cada función contiene un conjunto de permisos que es adecuado para una tarea específica. Por ejemplo, las primeras dos funciones otorgan permisos de administración de instancias, las funciones relacionadas con la red incluyen permisos de administración de los recursos relacionados con la red y la función de seguridad incluye permisos de administración de recursos relacionados con la seguridad, como firewalls y certificados SSL.
Compute Admin role
| Name |
Description |
Permissions |
roles/
compute.admin
|
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
|
compute.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Image User role
| Name |
Description |
Permissions |
roles/
compute.imageUser
|
Permission to list and read images without having other permissions on the
image. Granting the compute.imageUser role at the project level
gives users the ability to list all images in the project and create
resources, such as instances and persistent disks, based on images in the
project.
|
compute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlyresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (beta) role
| Name |
Description |
Permissions |
roles/
compute.instanceAdmin
|
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VMBETA
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
|
compute.acceleratorTypes.*compute.addresses.getcompute.addresses.listcompute.addresses.usecompute.autoscalers.*compute.diskTypes.*compute.disks.createcompute.disks.createSnapshotcompute.disks.deletecompute.disks.getcompute.disks.listcompute.disks.resizecompute.disks.setLabelscompute.disks.updatecompute.disks.usecompute.disks.useReadOnlycompute.globalAddresses.getcompute.globalAddresses.listcompute.globalAddresses.usecompute.globalOperations.getcompute.globalOperations.listcompute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlycompute.instanceGroupManagers.*compute.instanceGroups.*compute.instanceTemplates.*compute.instances.*compute.licenses.getcompute.licenses.listcompute.machineTypes.*compute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.reservations.getcompute.reservations.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetPools.getcompute.targetPools.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (v1) role
| Name |
Description |
Permissions |
roles/
compute.instanceAdmin.v1
|
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
|
compute.acceleratorTypes.*compute.addresses.getcompute.addresses.listcompute.addresses.usecompute.autoscalers.*compute.backendBuckets.getcompute.backendBuckets.listcompute.backendServices.getcompute.backendServices.listcompute.diskTypes.*compute.disks.*compute.externalVpnGateways.getcompute.externalVpnGateways.listcompute.firewalls.getcompute.firewalls.listcompute.forwardingRules.getcompute.forwardingRules.listcompute.globalAddresses.getcompute.globalAddresses.listcompute.globalAddresses.usecompute.globalForwardingRules.getcompute.globalForwardingRules.listcompute.globalOperations.getcompute.globalOperations.listcompute.healthChecks.getcompute.healthChecks.listcompute.httpHealthChecks.getcompute.httpHealthChecks.listcompute.httpsHealthChecks.getcompute.httpsHealthChecks.listcompute.images.*compute.instanceGroupManagers.*compute.instanceGroups.*compute.instanceTemplates.*compute.instances.*compute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.licenseCodes.*compute.licenses.*compute.machineTypes.*compute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.projects.setCommonInstanceMetadatacompute.regionBackendServices.getcompute.regionBackendServices.listcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.reservations.getcompute.reservations.listcompute.resourcePolicies.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.snapshots.*compute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.getcompute.sslPolicies.listcompute.sslPolicies.listAvailableFeaturescompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetHttpProxies.getcompute.targetHttpProxies.listcompute.targetHttpsProxies.getcompute.targetHttpsProxies.listcompute.targetInstances.getcompute.targetInstances.listcompute.targetPools.getcompute.targetPools.listcompute.targetSslProxies.getcompute.targetSslProxies.listcompute.targetTcpProxies.getcompute.targetTcpProxies.listcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.urlMaps.getcompute.urlMaps.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Load Balancer Admin role
| Name |
Description |
Permissions |
roles/
compute.loadBalancerAdmin
Beta
|
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant the load balancing
team's group the loadBalancerAdmin role.
|
compute.addresses.*compute.backendBuckets.*compute.backendServices.*compute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.instanceGroups.*compute.instances.getcompute.instances.listcompute.instances.usecompute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.projects.getcompute.regionBackendServices.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.urlMaps.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Admin role
| Name |
Description |
Permissions |
roles/
compute.networkAdmin
|
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking team's group the
networkAdmin role.
|
compute.addresses.*compute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.*compute.backendServices.*compute.externalVpnGateways.*compute.firewalls.getcompute.firewalls.listcompute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.globalOperations.getcompute.globalOperations.listcompute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.instanceGroupManagers.getcompute.instanceGroupManagers.listcompute.instanceGroupManagers.updatecompute.instanceGroupManagers.usecompute.instanceGroups.getcompute.instanceGroups.listcompute.instanceGroups.updatecompute.instanceGroups.usecompute.instances.getcompute.instances.getGuestAttributescompute.instances.getSerialPortOutputcompute.instances.listcompute.instances.listReferrerscompute.instances.usecompute.interconnectAttachments.*compute.interconnectLocations.*compute.interconnects.*compute.networkEndpointGroups.getcompute.networkEndpointGroups.listcompute.networkEndpointGroups.usecompute.networks.*compute.projects.getcompute.regionBackendServices.*compute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.routers.*compute.routes.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.*compute.subnetworks.*compute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.targetVpnGateways.*compute.urlMaps.*compute.vpnGateways.*compute.vpnTunnels.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.operations.getservicenetworking.services.addPeeringservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network User role
| Name |
Description |
Permissions |
roles/
compute.networkUser
|
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
|
compute.addresses.createInternalcompute.addresses.deleteInternalcompute.addresses.getcompute.addresses.listcompute.addresses.useInternalcompute.externalVpnGateways.getcompute.externalVpnGateways.listcompute.externalVpnGateways.usecompute.firewalls.getcompute.firewalls.listcompute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.interconnects.usecompute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regions.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnGateways.usecompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Viewer role
| Name |
Description |
Permissions |
roles/
compute.networkViewer
|
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant that software's service account the
networkViewer role.
|
compute.addresses.getcompute.addresses.listcompute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.getcompute.backendBuckets.listcompute.backendServices.getcompute.backendServices.listcompute.firewalls.getcompute.firewalls.listcompute.forwardingRules.getcompute.forwardingRules.listcompute.globalAddresses.getcompute.globalAddresses.listcompute.globalForwardingRules.getcompute.globalForwardingRules.listcompute.healthChecks.getcompute.healthChecks.listcompute.httpHealthChecks.getcompute.httpHealthChecks.listcompute.httpsHealthChecks.getcompute.httpsHealthChecks.listcompute.instanceGroupManagers.getcompute.instanceGroupManagers.listcompute.instanceGroups.getcompute.instanceGroups.listcompute.instances.getcompute.instances.getGuestAttributescompute.instances.getSerialPortOutputcompute.instances.listcompute.instances.listReferrerscompute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.networks.getcompute.networks.listcompute.projects.getcompute.regionBackendServices.getcompute.regionBackendServices.listcompute.regions.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.getcompute.sslPolicies.listcompute.sslPolicies.listAvailableFeaturescompute.subnetworks.getcompute.subnetworks.listcompute.targetHttpProxies.getcompute.targetHttpProxies.listcompute.targetHttpsProxies.getcompute.targetHttpsProxies.listcompute.targetInstances.getcompute.targetInstances.listcompute.targetPools.getcompute.targetPools.listcompute.targetSslProxies.getcompute.targetSslProxies.listcompute.targetTcpProxies.getcompute.targetTcpProxies.listcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.urlMaps.getcompute.urlMaps.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy Admin role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityPolicyAdmin
Beta
|
Full control of Compute Engine Organization Security Policies.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy User role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityPolicyUser
Beta
|
View or use Compute Engine Security Policies to associate with the organization or folders.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.useresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Resource Admin role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityResourceAdmin
Beta
|
Full control of Compute Engine Security Policy associations to the organization or folders.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Admin Login role
| Name |
Description |
Permissions |
roles/
compute.osAdminLogin
|
Access to log in to a Compute Engine instance as an administrator
user.
|
compute.instances.getcompute.instances.listcompute.instances.osAdminLogincompute.instances.osLogincompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login role
| Name |
Description |
Permissions |
roles/
compute.osLogin
|
Access to log in to a Compute Engine instance as a standard user.
|
compute.instances.getcompute.instances.listcompute.instances.osLogincompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login External User role
| Name |
Description |
Permissions |
roles/
compute.osLoginExternalUser
|
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required
OS Login roles
in order to allow access to instances using SSH.
|
|
Compute Security Admin role
| Name |
Description |
Permissions |
roles/
compute.securityAdmin
|
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VMBETA
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the security team's group the
securityAdmin role.
|
compute.firewalls.*compute.globalOperations.getcompute.globalOperations.listcompute.instances.setShieldedInstanceIntegrityPolicycompute.instances.setShieldedVmIntegrityPolicycompute.instances.updateShieldedInstanceConfigcompute.instances.updateShieldedVmConfigcompute.networks.getcompute.networks.listcompute.networks.updatePolicycompute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.routes.getcompute.routes.listcompute.securityPolicies.*compute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Storage Admin role
| Name |
Description |
Permissions |
roles/
compute.storageAdmin
|
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
their account the storageAdmin role on the project.
|
compute.diskTypes.*compute.disks.*compute.globalOperations.getcompute.globalOperations.listcompute.images.*compute.licenseCodes.*compute.licenses.*compute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.resourcePolicies.*compute.snapshots.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Viewer role
Compute Shared VPC Admin role
| Name |
Description |
Permissions |
roles/
compute.xpnAdmin
|
Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
This role can only be granted on the organization by an organization
admin.
Google Cloud Platform recommends that the Shared VPC Admin be the owner of the shared VPC host
project. The Shared VPC Admin is responsible for granting the compute.networkUser role
to service owners, and the shared VPC host project owner controls the project itself. Managing the
project is easier if a single principal (individual or group) can fulfill both roles.
|
compute.globalOperations.getcompute.globalOperations.listcompute.organizations.*compute.projects.getcompute.subnetworks.getIamPolicycompute.subnetworks.setIamPolicyresourcemanager.organizations.getresourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.list
|
DNS Administrator role
| Name |
Description |
Permissions |
roles/
dns.admin
|
Provides read-write access to all Cloud DNS resources.
|
compute.networks.getcompute.networks.listdns.changes.*dns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.*dns.networks.*dns.policies.createdns.policies.deletedns.policies.getdns.policies.listdns.policies.updatedns.projects.*dns.resourceRecordSets.*resourcemanager.projects.getresourcemanager.projects.list
|
DNS Peer role
| Name |
Description |
Permissions |
roles/
dns.peer
Beta
|
Access to target networks with DNS peering zones
|
dns.networks.targetWithPeeringZone
|
DNS Reader role
| Name |
Description |
Permissions |
roles/
dns.reader
|
Provides read-only access to all Cloud DNS resources.
|
compute.networks.getdns.changes.getdns.changes.listdns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.getdns.managedZones.listdns.policies.getdns.policies.listdns.projects.*dns.resourceRecordSets.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Admin role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountAdmin
|
Create and manage service accounts.
|
iam.serviceAccounts.createiam.serviceAccounts.deleteiam.serviceAccounts.getiam.serviceAccounts.getIamPolicyiam.serviceAccounts.listiam.serviceAccounts.setIamPolicyiam.serviceAccounts.updateresourcemanager.projects.getresourcemanager.projects.list
|
Create Service Accounts role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountCreator
|
Access to create service accounts.
|
iam.serviceAccounts.createiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Delete Service Accounts role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountDeleter
|
Access to delete service accounts.
|
iam.serviceAccounts.deleteiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Key Admin role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountKeyAdmin
|
Create and manage (and rotate) service account keys.
|
iam.serviceAccountKeys.*iam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Token Creator role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountTokenCreator
|
Impersonate service accounts (create OAuth2 access tokens, sign blobs or
JWTs, etc).
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.implicitDelegationiam.serviceAccounts.listiam.serviceAccounts.signBlobiam.serviceAccounts.signJwtresourcemanager.projects.getresourcemanager.projects.list
|
Service Account User role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountUser
|
Run operations as the service account.
|
iam.serviceAccounts.actAsiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Workload Identity User role
| Name |
Description |
Permissions |
roles/
iam.workloadIdentityUser
|
Impersonate service accounts from GKE Workloads
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.list
|
La función serviceAccountUser
roles/iam.serviceAccountUser, cuando se otorga junto con roles/compute.instanceAdmin.v1, permite a los miembros crear y administrar instancias que usan una cuenta de servicio. En particular, otorgar las funciones roles/iam.serviceAccountUser y roles/compute.instanceAdmin.v1 juntas da a los miembros permiso para hacer lo siguiente:
- Crear una instancia que se ejecute como una cuenta de servicio
- Adjuntar un disco persistente a una instancia que se ejecuta como cuenta de servicio
- Establecer metadatos de instancia en una instancia que se ejecuta como cuenta de servicio
- Usar SSH para conectarse a una instancia que se ejecuta como cuenta de servicio
- Volver a configurar una instancia para ejecutarla como una cuenta de servicio
Puedes otorgar roles/iam.serviceAccountUser de las siguientes maneras:
[Recomendada] Otorga la función a un miembro en una cuenta de servicio específica.
Esto le da a un miembro acceso a la cuenta de servicio en la que tiene la función iam.serviceAccountUser, pero le impide el acceso a otras cuentas de servicio en las que no tiene la función iam.serviceAccountUser.
Otorga la función a un miembro en el nivel de proyecto. El miembro tiene acceso a todas las cuentas de servicio en el proyecto, incluidas las cuentas de servicio que se creen en el futuro.
Si no estás familiarizado con las cuentas de servicio, obtén más información sobre las cuentas de servicio.
Conéctate a una instancia como instanceAdmin
Después de que un miembro del proyecto recibe la función roles/compute.instanceAdmin.v1, puede conectarse a instancias de máquinas virtuales mediante las herramientas estándar de Google Cloud Platform, como la herramienta de gcloud o SSH desde el navegador.
Cuando un miembro use la herramienta de línea de comandos de gcloud o SSH desde el navegador, las herramientas generarán de forma automática un par de clave pública y clave privada, y agregarán la clave pública a los metadatos del proyecto. Si el miembro no tiene permisos para editar metadatos del proyecto, la herramienta agregará la clave pública del miembro a los metadatos de la instancia.
Si el miembro tiene un par de claves existente que quiere usar, puede agregar su clave pública a los metadatos de la instancia de forma manual.
Obtén más información sobre cómo agregar y quitar Llaves SSH de una instancia.
IAM con cuentas de servicio
Crea nuevas cuentas de servicio personalizadas y otorga funciones de IAM a las cuentas de servicio para limitar el acceso de tus instancias. Usa las funciones de IAM con cuentas de servicio personalizadas para hacer lo siguiente:
- Limitar el acceso que tienen tus instancias a las API de Cloud Platform mediante funciones de IAM detalladas
- Dar una identidad exclusiva a cada instancia o conjunto de instancias
- Limitar el acceso de tu cuenta de servicio predeterminada
Obtén más información sobre cuentas de servicio.
IAM y los grupos de instancias administrados
Los grupos de instancias administrados son recursos que realizan acciones en tu nombre sin interacción directa del usuario, en especial cuando se configuran para el ajuste de escala automático. Los grupos de instancias administrados usan una identidad de cuenta de servicio para crear, borrar y administrar instancias en el grupo de instancias. Para obtener más información, consulta la documentación de IAM y los grupos de instancias administrados.
Operaciones no admitidas
No puedes otorgar acceso para realizar actualizaciones progresivas en grupos de instancias que usan funciones de IAM.
Si deseas otorgar permiso para realizar estas operaciones, usa las funciones más amplias de propietario, editor o visualizador.
Pasos siguientes
