Configuring Access Control

Access control in Google Cloud Platform is managed with Google Cloud Identity and Access Management (IAM). IAM lets you set permissions specifying who has what kind of access to which resources in your project. IAM provides primitive and predefined roles that you can grant to users on specific resources, and it also lets you create custom roles.

Container Builder uses IAM for access control. You can use IAM to add team members to your project and to grant them permissions to create, view, and cancel builds. Users require the necessary Cloud IAM permissions to call Container Builder API methods.

This page describes the IAM permissions and roles necessary to call Container Builder methods, and explains how to use IAM to configure permissions for your project's team members and service accounts.

Permissions

The following table lists the permissions that the caller must have to call each method:

API Method   Required Permission        Role Title
create       cloudbuild.builds.create   Cloud Container Builder Editor
cancel       cloudbuild.builds.update   Cloud Container Builder Editor
get          cloudbuild.builds.get      Cloud Container Builder Editor, Cloud Container Builder Viewer
list         cloudbuild.builds.list     Cloud Container Builder Editor, Cloud Container Builder Viewer

Roles

With IAM, every API method in Container Builder requires that the account making the request holds the appropriate permission on the resource. Permissions are not granted directly: you grant a role, and the role includes the permission. In addition to the primitive roles Owner, Editor, and Viewer, you can grant the Container Builder roles to the users of your project. Note that the primitive roles grant permissions across all services in the project, not only Container Builder, so prefer the predefined Container Builder roles (or a custom role) when an account needs only build access.

The table below lists the Container Builder IAM roles and the permissions that they include:

Role                             Role Title                       Includes permissions
roles/cloudbuild.builds.viewer   Cloud Container Builder Viewer   cloudbuild.builds.get
                                                                  cloudbuild.builds.list
roles/cloudbuild.builds.editor   Cloud Container Builder Editor   All of the above, and:
                                                                  cloudbuild.builds.create
                                                                  cloudbuild.builds.update

The table below lists the primitive roles that existed prior to Cloud IAM, and the Container Builder IAM role whose permissions each of them includes:

Role                          Role Title        Includes role
roles/viewer                  Viewer            roles/cloudbuild.builds.viewer
roles/editor or roles/owner   Editor or Owner   roles/cloudbuild.builds.editor

Managing IAM roles via the GCP Console

To grant IAM roles for a new team member or service account:

  1. Open the Identity and Access Management page in the Google Cloud Platform Console.
  2. Select your project, and click Continue.
  3. Click Add.
  4. Enter the team member's or service account's email address.
  5. Select the desired Role Title from the drop-down menu. Container Builder roles are found under Container Builder.
  6. Click Add.

Creating IAM custom roles

To create a Cloud IAM custom role with Container Builder permissions:

  1. Go to the Roles page in the GCP Console.
  2. Select your project and organization.
  3. Click Create Role.
  4. Enter a Name, and Description for the role.
  5. Click Add Permissions.
  6. In the All services drop-down, select cloudbuild.
  7. Select one or more permissions and click Add Permissions.
  8. Click Create.

For more instructions on using Cloud IAM custom roles, see Creating and Managing Custom Roles.
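The two tables above, together with the role bindings you grant, determine which API methods a given account can actually call. The Python script below is an added example, not code from this page or from Google: it encodes the method-to-permission and role-to-permission tables, resolves the effective Container Builder permissions of a member from an IAM policy, and flags members whose bindings exceed what they need (for example a service account that only cancels builds but holds Owner). The policy is a constructed sample in the shape of the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the project name, member names and the `buildCanceller` custom role are hypothetical. Group membership is not expanded; a member listed as `group:` is treated as a literal member string.

```python
"""Resolve which Container Builder API methods an IAM member can call.

Added example (not Google's code). Models the Permissions and Roles tables
on this page and checks a constructed policy against them.
"""
from typing import Dict, List, Optional, Set

# API method -> required permission (Permissions table on this page).
METHOD_PERMISSION: Dict[str, str] = {
    "create": "cloudbuild.builds.create",
    "cancel": "cloudbuild.builds.update",
    "get": "cloudbuild.builds.get",
    "list": "cloudbuild.builds.list",
}

# Role -> Container Builder permissions it includes (Roles tables on this
# page). Primitive roles also grant many permissions in other services;
# only the cloudbuild permissions are modelled here.
VIEWER_PERMS: Set[str] = {"cloudbuild.builds.get", "cloudbuild.builds.list"}
EDITOR_PERMS: Set[str] = VIEWER_PERMS | {
    "cloudbuild.builds.create", "cloudbuild.builds.update",
}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/cloudbuild.builds.viewer": VIEWER_PERMS,
    "roles/cloudbuild.builds.editor": EDITOR_PERMS,
    "roles/viewer": VIEWER_PERMS,
    "roles/editor": EDITOR_PERMS,
    "roles/owner": EDITOR_PERMS,
}
PRIMITIVE_ROLES: Set[str] = {"roles/viewer", "roles/editor", "roles/owner"}

# Hypothetical custom role (the kind created on the Roles page): a
# cancel-only automation role that needs to list builds and cancel them.
CUSTOM_ROLES: Dict[str, Set[str]] = {
    "projects/example-project/roles/buildCanceller": {
        "cloudbuild.builds.list", "cloudbuild.builds.update",
    },
}

# Constructed sample policy bindings (shape of `gcloud projects get-iam-policy`).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.viewer",
         "members": ["user:bob@example.com", "group:auditors@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "projects/example-project/roles/buildCanceller",
         "members": ["serviceAccount:janitor@example-project.iam.gserviceaccount.com"]},
    ]
}


def permissions_for(member: str, policy: dict,
                    custom_roles: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """Union of Container Builder permissions `policy` grants to `member`."""
    roles = {**ROLE_PERMISSIONS, **(custom_roles or {})}
    perms: Set[str] = set()
    for binding in policy["bindings"]:
        if member in binding["members"]:
            # A role we have no definition for grants nothing we can model.
            perms |= roles.get(binding["role"], set())
    return perms


def callable_methods(member: str, policy: dict,
                     custom_roles: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Sorted list of Container Builder API methods `member` may call."""
    perms = permissions_for(member, policy, custom_roles)
    return sorted(m for m, p in METHOD_PERMISSION.items() if p in perms)


def least_privilege_findings(policy: dict, needed: Dict[str, Set[str]]) -> List[str]:
    """Flag members whose grants exceed the API methods they need.

    `needed` maps member -> set of API methods that member must be able to call.
    """
    findings: List[str] = []
    for member, methods in needed.items():
        granted = set(callable_methods(member, policy, CUSTOM_ROLES))
        extra = granted - methods
        if extra:
            findings.append(f"{member}: can also call {sorted(extra)}")
        bound = {b["role"] for b in policy["bindings"] if member in b["members"]}
        if bound & PRIMITIVE_ROLES:
            findings.append(
                f"{member}: holds primitive role(s) {sorted(bound & PRIMITIVE_ROLES)}"
                " which grant access far beyond Container Builder")
    return findings


if __name__ == "__main__":
    for binding in SAMPLE_POLICY["bindings"]:
        for m in binding["members"]:
            print(m, "->", callable_methods(m, SAMPLE_POLICY, CUSTOM_ROLES))
    for line in least_privilege_findings(SAMPLE_POLICY, {
        "user:alice@example.com": {"get", "list"},
        "serviceAccount:ci@example-project.iam.gserviceaccount.com":
            {"create", "cancel", "get", "list"},
    }):
        print("FINDING:", line)
```

To apply the console steps above from the command line instead, the equivalents are `gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com --role=roles/cloudbuild.builds.editor` for granting a role, and `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` (with `includedPermissions` listing the cloudbuild.builds.* permissions) for a custom role; neither command is shown on this page, and the script above does not call them.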
