Configuring access control

Container Analysis uses Identity and Access Management (IAM) to grant granular access to specific resources depending on the task you are going to perform.

This page describes permissions to control access to Container Analysis.

Metadata management in Container Analysis involves two entities that require different levels of access:

  • A provider that creates metadata stored in notes.
  • A customer that identifies occurrences of notes.

Before you begin

  1. Read about metadata storage concepts.
  2. Read how to grant, revoke, and change access to resources.

IAM roles for metadata providers and customers

Metadata providers

A metadata provider in Container Analysis is a writer of resource metadata. It creates notes, which describe something that can happen to a resource.

We recommend that you create a Google Cloud project dedicated exclusively to storing notes. In that project, restrict access to a user or service account with the following roles:

  • Container Analysis Notes Editor - To create notes your customers can attach occurrences to.

  • Container Analysis Occurrences for Notes Viewer - To list all the occurrences attached to a note.

Metadata customers

A metadata customer in Container Analysis attaches information to metadata resources. It creates occurrences, which are instances of notes and target a specific image within a project.

As a customer, to be able to attach occurrences to notes and to list them, grant the following roles to your user or service account:

  • Container Analysis Occurrences Editor - Grant this role in the customer project to create occurrences.

  • Container Analysis Notes Attacher - Grant this role in the provider project to attach occurrences to notes.

  • Container Analysis Occurrences Viewer - Grant this role in the customer project to list occurrences within that project.
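As an added example that is not part of this page or of Container Analysis itself, the following Python check reads two project IAM policies in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and reports where the bindings of a provider and a customer service account deviate from the provider/customer split described in the two sections above. The project ids, service-account names and the two sample policies are constructed placeholders.

```python
# Expected Container Analysis role bundles per principal and project, as this
# page recommends; anything else bound to that principal is reported.
PROVIDER_SA_IN_PROVIDER_PROJECT = {
    "roles/containeranalysis.notes.editor",
    "roles/containeranalysis.notes.occurrences.viewer",
}
CUSTOMER_SA_IN_PROVIDER_PROJECT = {"roles/containeranalysis.notes.attacher"}
CUSTOMER_SA_IN_CUSTOMER_PROJECT = {
    "roles/containeranalysis.occurrences.editor",
    "roles/containeranalysis.occurrences.viewer",
}

def roles_for(policy, member):
    """Container Analysis roles bound to `member` in a policy dict shaped like
    the JSON output of `gcloud projects get-iam-policy PROJECT --format=json`."""
    return {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
        and b["role"].startswith("roles/containeranalysis.")
    }

def audit(provider_policy, customer_policy, provider_sa, customer_sa):
    """Return findings where the actual bindings differ from the expected split."""
    checks = [
        ("provider project", provider_sa, provider_policy, PROVIDER_SA_IN_PROVIDER_PROJECT),
        ("provider project", customer_sa, provider_policy, CUSTOMER_SA_IN_PROVIDER_PROJECT),
        ("customer project", customer_sa, customer_policy, CUSTOMER_SA_IN_CUSTOMER_PROJECT),
    ]
    findings = []
    for where, who, policy, expected in checks:
        actual = roles_for(policy, who)
        findings += [f"EXCESS: {who} has {r} in {where}" for r in sorted(actual - expected)]
        findings += [f"MISSING: {who} lacks {r} in {where}" for r in sorted(expected - actual)]
    return findings

# Constructed sample policies (placeholder project ids and service accounts):
# the customer account is over-granted notes.editor in the provider project
# and lacks occurrences.viewer in its own project.
PROVIDER_SA = "serviceAccount:notes-writer@provider-project.iam.gserviceaccount.com"
CUSTOMER_SA = "serviceAccount:scanner@customer-project.iam.gserviceaccount.com"
PROVIDER_POLICY = {"bindings": [
    {"role": "roles/containeranalysis.notes.editor", "members": [PROVIDER_SA, CUSTOMER_SA]},
    {"role": "roles/containeranalysis.notes.occurrences.viewer", "members": [PROVIDER_SA]},
    {"role": "roles/containeranalysis.notes.attacher", "members": [CUSTOMER_SA]},
]}
CUSTOMER_POLICY = {"bindings": [
    {"role": "roles/containeranalysis.occurrences.editor", "members": [CUSTOMER_SA]},
    {"role": "roles/logging.viewer", "members": [CUSTOMER_SA]},  # unrelated role, ignored
]}

def run_sample():
    return audit(PROVIDER_POLICY, CUSTOMER_POLICY, PROVIDER_SA, CUSTOMER_SA)
```

Feed it the real policies by loading the JSON of `gcloud projects get-iam-policy` for each project and passing the resulting dicts to `audit`.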

Vulnerability metadata

An additional security measure for vulnerability metadata is that Container Analysis allows providers to create and manage vulnerability occurrences on behalf of many customers. Metadata customers do not have write permission on vulnerability occurrences created by third-party providers, even in their own projects.

This means, for example, that Container Analysis can create vulnerability occurrences for images in your project, but you cannot add or remove any vulnerability information that Container Analysis detects.

This helps to enforce security policies by preventing manipulation of vulnerability metadata on the customer side.

IAM roles

The following table lists the Container Analysis IAM roles and the permissions that they include:

Role: roles/containeranalysis.admin
Title: Container Analysis Admin
Description: Access to all Container Analysis resources.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/containeranalysis.notes.attacher
Title: Container Analysis Notes Attacher
Description: Can attach Container Analysis notes to occurrences.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get

Role: roles/containeranalysis.notes.editor
Title: Container Analysis Notes Editor
Description: Can edit Container Analysis notes.
Permissions:
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/containeranalysis.notes.occurrences.viewer
Title: Container Analysis Occurrences for Notes Viewer
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences

Role: roles/containeranalysis.notes.viewer
Title: Container Analysis Notes Viewer
Description: Can view Container Analysis notes.
Permissions:
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/containeranalysis.occurrences.editor
Title: Container Analysis Occurrences Editor
Description: Can edit Container Analysis occurrences.
Permissions:
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/containeranalysis.occurrences.viewer
Title: Container Analysis Occurrences Viewer
Description: Can view Container Analysis occurrences.
Permissions:
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list