This topic describes how to limit the types of Google Cloud resources Config Connector can create and manage by limiting the Identity and Access Management (IAM) permissions assigned to your Google service account.
IAM permissions for Config Connector
IAM authorizes your Config Connector installation to take action on specific resources. By limiting the permissions assigned to your Config Connector service account, you have greater control over what kinds of resources Config Connector can create.
Selecting permissions for your Config Connector installation
Before you install Config Connector, you select the roles that Config Connector can use to create and manage Google Cloud resources. You then grant those roles to the service account that you configure Config Connector with during installation.
Project Owner permissions
If you want to use Config Connector to create and manage most kinds of Google Cloud resources, you can assign IAM Project Owner permissions.
Limited permissions
If you prefer to grant more limited permissions to Config Connector, you can assign one or more IAM roles to your Config Connector installation instead of Project Owner. The following roles are commonly assigned to the Config Connector service account.
Editor
Granting the Editor role allows most Config Connector functionality except project- or organization-wide configuration such as IAM modifications.
IAM service account admin
Granting the roles/iam.serviceAccountAdmin role allows Config Connector to configure IAM service accounts.
Resource Manager
Granting a Resource Manager role, such as roles/resourcemanager.folderCreator, allows Config Connector to manage folders and organizations.
Custom roles
IAM also provides the ability to create customized roles. You can create a custom role with one or more permissions and then grant that custom role to Config Connector. For more information, see Understanding IAM custom roles.
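As an added example that is not part of the Config Connector documentation, the following POSIX shell script grants the limited roles listed above to the Config Connector service account instead of Project Owner, rejects unknown role names so a typo cannot widen the grant, and then lists the roles the account actually holds for review. The project ID, the service account name and the GCLOUD override variable are assumptions, not values from the page.

```shell
#!/usr/bin/env sh
# Added example: bind a least-privilege set of roles to the Config Connector
# service account and then show what it holds. PROJECT_ID and CNRM_SA are
# placeholders; GCLOUD can be overridden (e.g. GCLOUD=echo) for a dry run.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"                     # placeholder
CNRM_SA="${CNRM_SA:-cnrm-system@${PROJECT_ID}.iam.gserviceaccount.com}"  # assumed name
GCLOUD="${GCLOUD:-gcloud}"

# Map a capability from the docs to the role the page lists for it.
# Anything else is an error, so a mistyped capability never becomes a grant.
role_for() {
  case "$1" in
    editor)           echo "roles/editor" ;;
    service-accounts) echo "roles/iam.serviceAccountAdmin" ;;
    folders)          echo "roles/resourcemanager.folderCreator" ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# Bind each requested role to the service account at the project level.
# --condition=None avoids an interactive prompt when conditional bindings exist.
grant_roles() {
  for cap in "$@"; do
    role="$(role_for "$cap")"
    "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${CNRM_SA}" \
      --role="$role" \
      --condition=None
  done
}

# Print the roles currently bound to the service account so the result can be
# compared with the intended set (roles/owner should not appear).
list_granted_roles() {
  "$GCLOUD" projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${CNRM_SA}" \
    --format="value(bindings.role)"
}

# Apply only when CNRM_APPLY is set: Editor plus service-account admin, no Owner.
if [ -n "${CNRM_APPLY:-}" ]; then
  grant_roles editor service-accounts
  list_granted_roles
fi
```

Run with `CNRM_APPLY=1 PROJECT_ID=<your-project> sh grant-cnrm-roles.sh`; with `GCLOUD=echo` the script prints the gcloud commands it would run instead of executing them.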