Container Analysis uses Identity and Access Management (IAM) to grant granular access to specific resources depending on the task you are going to perform.
This page describes permissions to control access to Container Analysis.
Metadata management in Container Analysis involves two entities that require different level of access:
Before you begin
IAM roles for metadata providers and customers
A metadata provider in Container Analysis is a writer of resource metadata. It creates notes, which describe something that can happen to a resource.
We recommend that you create a Google Cloud project dedicated exclusively to storing notes. In that project, restrict access to a user or service account with the following roles:
Container Analysis Notes Editor - To create notes your customers can attach occurrences to.
Container Analysis Occurrences for Notes Viewer - To list all the occurrences attached to a note.
A metadata customer in Container Analysis attaches information to metadata resources. It creates occurrences, which are instances of notes and target a specific image within a project.
As a customer, to be able to attach occurrences to notes and to list them, grant the following roles to your user or service account:
Container Analysis Ocurrences Editor - Grant this role in the customer project to create occurrences.
Container Analysis Notes Attacher - Grant this role in the provider project to attach occurrences to notes.
Container Analysis Occurrences Viewer - Grant this role in the customer project to list occurrences within that project.
An additional security measure for vulnerability metadata is that Container Analysis allows providers to create and manage vulnerability occurrences on behalf of many customers. The metadata customers don't have write permission to third-party provider vulnerability occurrences in their own projects.
This means, for example, that Container Analysis can create vulnerability occurrences for images in your project, but you cannot add or remove any vulnerability information that Container Analysis detects.
This helps to enforce security policies by preventing manipulation of vulnerability metadata on the customer side.
The following table lists the Container Analysis IAM roles and the permissions that they include:
||Container Analysis Admin||Access to all Container Analysis resources.||
||Container Analysis Notes Attacher||Can attach Container Analysis Occurrences to Notes.||
||Container Analysis Notes Editor||Can edit Container Analysis Notes.||
||Container Analysis Occurrences for Notes Viewer||
||Container Analysis Notes Viewer||Can view Container Analysis Notes.||
||Container Analysis Occurrences Editor||Can edit Container Analysis Occurrences.||
||Container Analysis Occurrences Viewer||Can view Container Analysis Occurrences.||