Access control with IAM

Artifact Analysis uses Identity and Access Management (IAM) to grant granular access to specific resources depending on the task you are going to perform.

This page describes permissions to control access to Artifact Analysis.

Before you begin

  1. Read about metadata storage concepts.
  2. Read how to grant, revoke, and change access to resources.

IAM roles for metadata providers and customers

Metadata management in Artifact Analysis involves two entities that require different levels of access:

  • A provider that creates metadata stored in notes.
  • A customer that identifies occurrences of notes.

Metadata providers

A metadata provider in Artifact Analysis is a writer of resource metadata. It creates notes, which describe something that can happen to a resource.

We recommend that you create a Google Cloud project dedicated exclusively to storing notes. In that project, restrict access to a user or service account with the following roles:

  • Container Analysis Notes Editor - To create notes your customers can attach occurrences to.

  • Container Analysis Occurrences for Notes Viewer - To list all the occurrences attached to a note.

Metadata customers

A metadata customer in Artifact Analysis attaches information to metadata resources. It creates occurrences, which are instances of notes and target a specific image within a project.

As a customer, to be able to attach occurrences to notes and to list them, grant the following roles to your user or service account:

  • Container Analysis Occurrences Editor - Grant this role in the customer project to create occurrences.

  • Container Analysis Notes Attacher - Grant this role in the provider project to attach occurrences to notes.

  • Container Analysis Occurrences Viewer - Grant this role in the customer project to list occurrences within that project.

Vulnerability metadata

An additional security measure for vulnerability metadata is that Artifact Analysis allows providers to create and manage vulnerability occurrences on behalf of many customers. Metadata customers do not have write permission on third-party provider vulnerability occurrences, even in their own projects.

This means, for example, that Artifact Analysis can create vulnerability occurrences for images in your project, but you cannot add or remove any vulnerability information that Artifact Analysis detects.

This helps to enforce security policies by preventing manipulation of vulnerability metadata on the customer side.

IAM roles

The following table lists the Artifact Analysis IAM roles and the permissions that they include:

Role: Container Analysis Admin (roles/containeranalysis.admin)
Description: Access to all Container Analysis resources.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.* (all of the following):
      • containeranalysis.occurrences.create
      • containeranalysis.occurrences.delete
      • containeranalysis.occurrences.get
      • containeranalysis.occurrences.getIamPolicy
      • containeranalysis.occurrences.list
      • containeranalysis.occurrences.setIamPolicy
      • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Container Analysis Notes Attacher (roles/containeranalysis.notes.attacher)
Description: Can attach Container Analysis Occurrences to Notes.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get

Role: Container Analysis Notes Editor (roles/containeranalysis.notes.editor)
Description: Can edit Container Analysis Notes.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Container Analysis Occurrences for Notes Viewer (roles/containeranalysis.notes.occurrences.viewer)
Description: Can view all Container Analysis Occurrences attached to a Note.
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences

Role: Container Analysis Notes Viewer (roles/containeranalysis.notes.viewer)
Description: Can view Container Analysis Notes.
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Container Analysis Occurrences Editor (roles/containeranalysis.occurrences.editor)
Description: Can edit Container Analysis Occurrences.
Permissions:
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: Container Analysis Occurrences Viewer (roles/containeranalysis.occurrences.viewer)
Description: Can view Container Analysis Occurrences.
Permissions:
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
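The following script is an added example (not Google's code or part of this page) that ties the provider/customer role guidance above to the role table: it encodes each predefined role's permissions from the table, applies them to a pair of constructed IAM policies laid out the way the page recommends (a dedicated provider project holding the notes, a customer project holding the occurrences), resolves the effective permissions of each principal, and audits that the customer identity can attach occurrences to provider notes without being able to create, update, or delete those notes. The project ids, service-account e-mails, and policy bindings are constructed placeholders; the policy shape mirrors what `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Effective Artifact Analysis permissions per principal, using the role table on this page.

Added example, not Google's code. Project ids, service accounts and the policy
bindings are constructed to mirror the recommended two-project layout.
"""

# Permissions bundled in each predefined role (copied from the role table).
NOTES_ALL = {
    "containeranalysis.notes.attachOccurrence", "containeranalysis.notes.create",
    "containeranalysis.notes.delete", "containeranalysis.notes.get",
    "containeranalysis.notes.list", "containeranalysis.notes.update",
}
OCCURRENCES_ALL = {
    "containeranalysis.occurrences.create", "containeranalysis.occurrences.delete",
    "containeranalysis.occurrences.get", "containeranalysis.occurrences.getIamPolicy",
    "containeranalysis.occurrences.list", "containeranalysis.occurrences.setIamPolicy",
    "containeranalysis.occurrences.update",
}
PROJECT_READ = {"resourcemanager.projects.get", "resourcemanager.projects.list"}

ROLE_PERMISSIONS = {
    "roles/containeranalysis.admin": NOTES_ALL
    | {"containeranalysis.notes.getIamPolicy", "containeranalysis.notes.setIamPolicy"}
    | OCCURRENCES_ALL | PROJECT_READ,
    "roles/containeranalysis.notes.attacher": {
        "containeranalysis.notes.attachOccurrence", "containeranalysis.notes.get"},
    "roles/containeranalysis.notes.editor": NOTES_ALL | PROJECT_READ,
    "roles/containeranalysis.notes.occurrences.viewer": {
        "containeranalysis.notes.get", "containeranalysis.notes.listOccurrences"},
    "roles/containeranalysis.notes.viewer": {
        "containeranalysis.notes.get", "containeranalysis.notes.list"} | PROJECT_READ,
    "roles/containeranalysis.occurrences.editor": {
        "containeranalysis.occurrences.create", "containeranalysis.occurrences.delete",
        "containeranalysis.occurrences.get", "containeranalysis.occurrences.list",
        "containeranalysis.occurrences.update"} | PROJECT_READ,
    "roles/containeranalysis.occurrences.viewer": {
        "containeranalysis.occurrences.get", "containeranalysis.occurrences.list"} | PROJECT_READ,
}

# Constructed principals (placeholders, not real accounts).
PROVIDER_SA = "serviceAccount:notes-writer@provider-project.iam.gserviceaccount.com"
CUSTOMER_SA = "serviceAccount:scanner@customer-project.iam.gserviceaccount.com"

# Constructed IAM policies in the shape of `gcloud projects get-iam-policy --format=json`,
# following the bindings recommended in the "Metadata providers/customers" sections.
POLICIES = {
    "provider-project": {"bindings": [
        {"role": "roles/containeranalysis.notes.editor", "members": [PROVIDER_SA]},
        {"role": "roles/containeranalysis.notes.occurrences.viewer", "members": [PROVIDER_SA]},
        {"role": "roles/containeranalysis.notes.attacher", "members": [CUSTOMER_SA]},
    ]},
    "customer-project": {"bindings": [
        {"role": "roles/containeranalysis.occurrences.editor", "members": [CUSTOMER_SA]},
        {"role": "roles/containeranalysis.occurrences.viewer", "members": [CUSTOMER_SA]},
    ]},
}


def effective_permissions(policy: dict, member: str) -> set:
    """Union of permissions granted to `member` by every binding in `policy`.

    Roles not in the table (custom roles, other services) are surfaced as
    'unknown:<role>' so an auditor sees them instead of silently ignoring them.
    """
    granted = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted |= ROLE_PERMISSIONS.get(binding["role"], {"unknown:" + binding["role"]})
    return granted


def can(project: str, member: str, permission: str) -> bool:
    return permission in effective_permissions(POLICIES[project], member)


def audit_separation() -> list:
    """Findings that violate the provider/customer split described on this page."""
    findings = []
    # A customer may attach occurrences to provider notes, but must not alter the notes.
    for perm in ("containeranalysis.notes.create", "containeranalysis.notes.update",
                 "containeranalysis.notes.delete"):
        if can("provider-project", CUSTOMER_SA, perm):
            findings.append(f"{CUSTOMER_SA} holds {perm} in provider-project")
    # The provider's note-writing identity needs no bindings in the customer project.
    if effective_permissions(POLICIES["customer-project"], PROVIDER_SA):
        findings.append(f"{PROVIDER_SA} has bindings in customer-project")
    # Any role outside the documented set deserves a manual look.
    for project, policy in POLICIES.items():
        for binding in policy["bindings"]:
            if binding["role"] not in ROLE_PERMISSIONS:
                findings.append(f"{project}: unexpected role {binding['role']}")
    return findings


if __name__ == "__main__":
    for project, sa in (("provider-project", PROVIDER_SA), ("provider-project", CUSTOMER_SA),
                        ("customer-project", CUSTOMER_SA)):
        print(project, sa, sorted(effective_permissions(POLICIES[project], sa)))
    print("findings:", audit_separation() or "none")
```

To run this against a real project, replace `POLICIES` with the parsed output of `gcloud projects get-iam-policy PROJECT --format=json` for each project; the audit only reasons about project-level bindings and the predefined roles in the table, so conditional bindings, group membership, and note-level IAM policies (`containeranalysis.notes.setIamPolicy`) still need to be reviewed separately.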