Configuring access control

Container Analysis uses Identity and Access Management (IAM) to grant granular access to specific resources depending on the task you are going to perform.

This page describes permissions to control access to Container Analysis.

Metadata management in Container Analysis involves two entities that require different levels of access:

  • A provider that creates metadata stored in notes.
  • A customer that identifies occurrences of notes.

Before you begin

  1. Read about metadata storage concepts.
  2. Read how to grant, revoke, and change access to resources.

IAM roles for metadata providers and customers

Metadata providers

A metadata provider in Container Analysis is a writer of resource metadata. It creates notes, which describe something that can happen to a resource.

We recommend that you create a Google Cloud project dedicated exclusively to storing notes. In that project, restrict access to a user or service account with the following roles:

  • Container Analysis Notes Editor - To create notes your customers can attach occurrences to.

  • Container Analysis Occurrences for Notes Viewer - To list all the occurrences attached to a note.

Metadata customers

A metadata customer in Container Analysis attaches information to metadata resources. It creates occurrences, which are instances of notes and target a specific image within a project.

As a customer, to be able to attach occurrences to notes and to list them, grant the following roles to your user or service account:

  • Container Analysis Occurrences Editor - Grant this role in the customer project to create occurrences.

  • Container Analysis Notes Attacher - Grant this role in the provider project to attach occurrences to notes.

  • Container Analysis Occurrences Viewer - Grant this role in the customer project to list occurrences within that project.

Vulnerability metadata

An additional security measure for vulnerability metadata is that Container Analysis allows providers to create and manage vulnerability occurrences on behalf of many customers. The metadata customers don't have write permission to third-party provider vulnerability occurrences in their own projects.

This means, for example, that Container Analysis can create vulnerability occurrences for images in your project, but you cannot add or remove any vulnerability information that Container Analysis detects.

This helps to enforce security policies by preventing manipulation of vulnerability metadata on the customer side.

IAM roles

The following table lists the Container Analysis IAM roles and the permissions that they include:

Role | Name | Description | Permissions | Lowest resource
roles/containeranalysis.admin | Container Analysis Admin | Access to all Container Analysis resources.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.attacher | Container Analysis Notes Attacher | Can attach Container Analysis occurrences to notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get
roles/containeranalysis.notes.editor | Container Analysis Notes Editor | Can edit Container Analysis notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.occurrences.viewer | Container Analysis Occurrences for Notes Viewer
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences
roles/containeranalysis.notes.viewer | Container Analysis Notes Viewer | Can view Container Analysis notes.
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.editor | Container Analysis Occurrences Editor | Can edit Container Analysis occurrences.
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.viewer | Container Analysis Occurrences Viewer | Can view Container Analysis occurrences.
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
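The provider/customer role split described above and the permissions table are easy to get wrong in practice: the customer's Notes Attacher grant has to land in the provider project, not the customer's own, and handing out the admin role "to make it work" silently adds the ability to rewrite IAM policy on notes. The following added example (not Google's code; the project IDs and role bindings are constructed placeholders) encodes the roles table from this page and checks a principal's bindings against exactly the permissions each workflow on this page needs, expanding the `containeranalysis.occurrences.*` wildcard the admin role carries.

```python
"""Least-privilege check for the Container Analysis provider/customer split.
Added example, not Google's code: the roles table is transcribed from this
page; project IDs and bindings are constructed placeholders."""
from fnmatch import fnmatch

# Role -> permission patterns, transcribed from the IAM roles table on this page.
ROLE_PERMISSIONS = {
    "roles/containeranalysis.admin": {
        "containeranalysis.notes.attachOccurrence", "containeranalysis.notes.create",
        "containeranalysis.notes.delete", "containeranalysis.notes.get",
        "containeranalysis.notes.getIamPolicy", "containeranalysis.notes.list",
        "containeranalysis.notes.setIamPolicy", "containeranalysis.notes.update",
        "containeranalysis.occurrences.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/containeranalysis.notes.attacher": {
        "containeranalysis.notes.attachOccurrence", "containeranalysis.notes.get",
    },
    "roles/containeranalysis.notes.editor": {
        "containeranalysis.notes.attachOccurrence", "containeranalysis.notes.create",
        "containeranalysis.notes.delete", "containeranalysis.notes.get",
        "containeranalysis.notes.list", "containeranalysis.notes.update",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/containeranalysis.notes.occurrences.viewer": {
        "containeranalysis.notes.get", "containeranalysis.notes.listOccurrences",
    },
    "roles/containeranalysis.notes.viewer": {
        "containeranalysis.notes.get", "containeranalysis.notes.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/containeranalysis.occurrences.editor": {
        "containeranalysis.occurrences.create", "containeranalysis.occurrences.delete",
        "containeranalysis.occurrences.get", "containeranalysis.occurrences.list",
        "containeranalysis.occurrences.update",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/containeranalysis.occurrences.viewer": {
        "containeranalysis.occurrences.get", "containeranalysis.occurrences.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
}


def has_permission(roles, permission):
    """True if any role grants `permission`; wildcard entries such as
    containeranalysis.occurrences.* are expanded with fnmatch."""
    return any(fnmatch(permission, pattern)
               for role in roles for pattern in ROLE_PERMISSIONS[role])


def provider_needs(provider_project):
    """Provider workflow: create notes and list the occurrences attached to them."""
    return {provider_project: {"containeranalysis.notes.create",
                               "containeranalysis.notes.listOccurrences"}}


def customer_needs(provider_project, customer_project):
    """Customer workflow: create and list occurrences in its own project, and
    attach them to notes that live in the provider project."""
    return {customer_project: {"containeranalysis.occurrences.create",
                               "containeranalysis.occurrences.list"},
            provider_project: {"containeranalysis.notes.attachOccurrence"}}


def missing_permissions(bindings, needs):
    """bindings: {project: {role, ...}}; needs: {project: {permission, ...}}.
    Returns {project: {permission, ...}} for every need the bindings do not cover."""
    missing = {}
    for project, perms in needs.items():
        roles = bindings.get(project, set())
        gap = {p for p in perms if not has_permission(roles, p)}
        if gap:
            missing[project] = gap
    return missing


def policy_admin_grants(bindings):
    """Roles that let the principal rewrite IAM policy on notes (setIamPolicy).
    Neither workflow on this page needs that, so such a binding usually means
    the admin role was granted where an editor or viewer role would do."""
    flagged = {}
    for project, roles in bindings.items():
        for role in roles:
            if has_permission({role}, "containeranalysis.notes.setIamPolicy"):
                flagged.setdefault(project, set()).add(role)
    return flagged


# Constructed sample bindings; project IDs are placeholders.
PROVIDER_SA = {"notes-provider-proj": {"roles/containeranalysis.notes.editor",
                                       "roles/containeranalysis.notes.occurrences.viewer"}}
CUSTOMER_SA = {"customer-proj": {"roles/containeranalysis.occurrences.editor",
                                 "roles/containeranalysis.occurrences.viewer"},
               "notes-provider-proj": {"roles/containeranalysis.notes.attacher"}}
# Same customer, but the Notes Attacher grant in the provider project was forgotten.
CUSTOMER_NO_ATTACHER = {"customer-proj": CUSTOMER_SA["customer-proj"]}
# Over-privileged customer: admin in its own project instead of editor + viewer.
CUSTOMER_ADMIN = {"customer-proj": {"roles/containeranalysis.admin"},
                  "notes-provider-proj": {"roles/containeranalysis.notes.attacher"}}

if __name__ == "__main__":
    c_needs = customer_needs("notes-provider-proj", "customer-proj")
    print("provider missing:", missing_permissions(PROVIDER_SA, provider_needs("notes-provider-proj")))
    print("customer missing:", missing_permissions(CUSTOMER_SA, c_needs))
    print("no attacher, missing:", missing_permissions(CUSTOMER_NO_ATTACHER, c_needs))
    print("admin customer, policy-admin roles:", policy_admin_grants(CUSTOMER_ADMIN))
```

Run it as a script to see the four findings. The forgotten Attacher case reports the gap in `notes-provider-proj`, which is the usual mistake: the role was granted, but in the wrong project. The admin case passes the coverage check (the `occurrences.*` wildcard covers both needs) yet is flagged by `policy_admin_grants`, which is the signal that the narrower Occurrences Editor and Occurrences Viewer roles should be used instead.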