This page describes Cloud Deploy service accounts, roles, and permissions.
Access in Cloud Deploy is controlled using Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Cloud Deploy provides a specific set of predefined IAM roles where each role contains a set of permissions. You can use these roles to give more fine-grained access to specific Google Cloud resources and prevent unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
See Using IAM to restrict Cloud Deploy access to learn about advanced access-control security features.
Service accounts in Cloud Deploy
By default, Cloud Deploy runs using the default Compute Engine service account. For more information on configuring this service account for use with Cloud Deploy, or choosing a different account, see the Cloud Deploy execution service account documentation.
Find out more about how Cloud Deploy uses service accounts.
Predefined Cloud Deploy roles
With IAM, every method in the Cloud Deploy API requires that the identity making the request holds the appropriate permissions on the resource. Permissions are granted by setting policies that bind roles to a principal (a user, group, or service account) in your project. You can grant multiple roles to a principal on the same resource.
The IAM documentation includes a searchable reference of all predefined roles.
The following table lists the Cloud Deploy predefined IAM roles. The exact permissions each role includes are listed in the IAM predefined roles reference.

Role | Description |
---|---|
Cloud Deploy Admin | Full control of Cloud Deploy resources. |
Cloud Deploy Approver | Permission to approve or reject rollouts. |
Cloud Deploy Custom Target Type Admin | Permission to manage CustomTargetType resources. |
Cloud Deploy Developer | Permission to manage deployment configuration, without permission to access operational resources such as targets. |
Cloud Deploy Runner | Permission to execute Cloud Deploy work, without permission to deliver to a target. |
Cloud Deploy Operator | Permission to manage deployment configuration. |
Cloud Deploy Policy Admin (Beta) | Permission to manage deploy policies. |
Cloud Deploy Policy Overrider (Beta) | Permission to override deploy policies. |
Cloud Deploy Releaser | Permission to create Cloud Deploy releases and rollouts. |
Cloud Deploy Viewer | Can view Cloud Deploy resources. |
In addition to the Cloud Deploy predefined roles, the basic Viewer, Editor, and Owner roles also include permissions related to Cloud Deploy. However, we recommend that you grant predefined roles where possible to comply with the security principle of least privilege.
Permissions
The following table lists the permission that the caller must hold to call each method. Two methods need an additional permission on a different resource (the iam.serviceAccounts.actAs permission on the execution service account), and several methods need clouddeploy.deployPolicies.override on top of their own permission when the caller overrides a deploy policy; these cases are called out in the Description column.

API Method | Required permission | Description |
---|---|---|
automations.create() | clouddeploy.automations.create | Create a new automation resource. |
automations.delete() | clouddeploy.automations.delete | Delete an existing automation resource. |
automations.get() | clouddeploy.automations.get | Retrieve details for an individual automation resource. |
automations.list() | clouddeploy.automations.list | List automation resources and their metadata. |
automations.update() | clouddeploy.automations.update | Update an existing automation resource. |
automationRuns.cancel() | clouddeploy.automationRuns.cancel | Cancel a running automation. |
automationRuns.get() | clouddeploy.automationRuns.get | Retrieve details for an individual automation run. |
automationRuns.list() | clouddeploy.automationRuns.list | List automation runs and their metadata. |
customTargetTypes.create() | clouddeploy.customTargetTypes.create | Create a custom target type resource. |
customTargetTypes.delete() | clouddeploy.customTargetTypes.delete | Delete a custom target type resource. |
customTargetTypes.get() | clouddeploy.customTargetTypes.get | Retrieve details for a custom target type. |
customTargetTypes.getIamPolicy() | clouddeploy.customTargetTypes.getIamPolicy | Get the IAM policy for a custom target type resource. |
customTargetTypes.list() | clouddeploy.customTargetTypes.list | List available custom target types and their metadata. |
customTargetTypes.patch() | clouddeploy.customTargetTypes.patch | Update an existing custom target type. |
customTargetTypes.setIamPolicy() | clouddeploy.customTargetTypes.setIamPolicy | Set the IAM policy for a custom target type resource. |
deliveryPipelines.create() | clouddeploy.deliveryPipelines.create | Create a new delivery pipeline resource. |
deliveryPipelines.delete() | clouddeploy.deliveryPipelines.delete | Delete an existing delivery pipeline resource. |
deliveryPipelines.get() | clouddeploy.deliveryPipelines.get | Retrieve details for an individual delivery pipeline. |
deliveryPipelines.getIamPolicy() | clouddeploy.deliveryPipelines.getIamPolicy | Get the IAM policy for a delivery pipeline resource. |
deliveryPipelines.list() | clouddeploy.deliveryPipelines.list | List delivery pipelines and their metadata. |
deliveryPipelines.rollbackTarget() | clouddeploy.rollouts.rollback | Roll back a target. Note that the required permission is a rollouts permission, not a deliveryPipelines one. |
deliveryPipelines.setIamPolicy() | clouddeploy.deliveryPipelines.setIamPolicy | Set the IAM policy for a delivery pipeline resource. |
deliveryPipelines.update() | clouddeploy.deliveryPipelines.update | Update an existing delivery pipeline resource. |
deployPolicies.create() | clouddeploy.deployPolicies.create | Create a deploy policy resource. |
deployPolicies.delete() | clouddeploy.deployPolicies.delete | Delete a deploy policy resource. |
deployPolicies.get() | clouddeploy.deployPolicies.get | Retrieve details for a deploy policy resource. |
deployPolicies.list() | clouddeploy.deployPolicies.list | List available deploy policies and their metadata. |
deployPolicies.update() | clouddeploy.deployPolicies.update | Update an existing deploy policy resource. |
jobRuns.get() | clouddeploy.jobRuns.get | Retrieve a JobRun resource. |
jobRuns.list() | clouddeploy.jobRuns.list | List JobRun resources and their metadata. |
jobRuns.terminate() | clouddeploy.jobRuns.terminate | Terminate an in-progress job run. |
operations.cancel() | clouddeploy.operations.cancel | Cancel a long-running operation. |
operations.delete() | clouddeploy.operations.delete | Delete a long-running operation. |
operations.get() | clouddeploy.operations.get | Get a specific long-running operation (for example, to return the status of a release's creation). |
operations.list() | clouddeploy.operations.list | List long-running operations. |
releases.abandon() | clouddeploy.releases.abandon | Abandon a release and prevent further rollouts against it. |
releases.create() | clouddeploy.releases.create | Create a new release resource. The caller also requires the iam.serviceAccounts.actAs permission on the service account used to render the manifests. |
releases.get() | clouddeploy.releases.get | Retrieve details for an individual release. |
releases.list() | clouddeploy.releases.list | List releases and their metadata. |
rollouts.advance() | clouddeploy.rollouts.advance | Advance a rollout to the next phase. |
rollouts.approve() | clouddeploy.rollouts.approve | Approve or reject a rollout whose approval state is required. |
rollouts.cancel() | clouddeploy.rollouts.cancel | Cancel a rollout. |
rollouts.create() | clouddeploy.rollouts.create | Create a new rollout resource or promote a release. The caller also requires the iam.serviceAccounts.actAs permission on the project or service account used to deploy. |
rollouts.get() | clouddeploy.rollouts.get | Retrieve details for an individual rollout. |
rollouts.ignoreJob() | clouddeploy.rollouts.ignoreJob | Ignore a failed job. |
rollouts.list() | clouddeploy.rollouts.list | List rollouts and their metadata. |
rollouts.retryJob() | clouddeploy.rollouts.retryJob | Retry a failed job. |
rollouts.advance(), rollouts.approve(), rollouts.cancel(), rollouts.create(), rollouts.ignoreJob(), rollouts.retryJob(), deliveryPipelines.rollbackTarget(), jobRuns.terminate() | clouddeploy.deployPolicies.override | Override a deploy policy that restricts the call. Required in addition to the method's own permission when the caller overrides a deploy policy. |
targets.create() | clouddeploy.targets.create | Create a new target resource. |
targets.delete() | clouddeploy.targets.delete | Delete an existing target resource. |
targets.get() | clouddeploy.targets.get | Retrieve details for an individual target. |
targets.getIamPolicy() | clouddeploy.targets.getIamPolicy | Get the IAM policy for a target resource. |
targets.list() | clouddeploy.targets.list | List targets and their metadata. |
targets.setIamPolicy() | clouddeploy.targets.setIamPolicy | Set the IAM policy for a target resource. |
targets.update() | clouddeploy.targets.update | Update an existing target resource. |
Using IAM to restrict actions on Cloud Deploy resources
You can secure your Cloud Deploy resources using IAM in the following ways:
- IAM meta APIs: use setIamPolicy on an individual Cloud Deploy resource (a delivery pipeline, target, or custom target type) to restrict who can act on that resource, instead of granting the role project-wide.
- Conditional IAM: programmatically apply access policies, including the conditions under which access is granted or denied.
You can use these policies and conditions to restrict the following actions on your Cloud Deploy resources:
- Create a delivery pipeline or target: you can grant this access to specific users or groups.
- Update or delete a specific delivery pipeline: you can grant this access to specific users or groups.
- Create a release for a specific delivery pipeline: you can grant this access to specific users or groups.
- Update or delete a specific target: you can grant this access to specific users or groups.
- Create or approve a rollout, or promote a release: you can grant this access to specific users or groups for a specific target or delivery pipeline. You can also set a condition that limits this access to a specified time window.
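The following script shows the two techniques above applied to one target's policy: it audits the policy document that getIamPolicy returns, drops a basic-role binding, and re-grants access as a predefined Cloud Deploy role bound to a time-window condition, ready to send back through setIamPolicy. It is an added example, not code from the Cloud Deploy documentation or product. The sample policy, principals, etag, time zone and window are constructed; the role IDs roles/clouddeploy.approver and roles/clouddeploy.viewer are the IAM identifiers of the Approver and Viewer roles in the table above.

```python
"""Audit and tighten the IAM policy on a Cloud Deploy target.

Added example, not part of the Cloud Deploy docs. Operates on a policy document
in the shape that getIamPolicy on a target returns. All sample data is constructed.
"""
import copy
from datetime import datetime
from zoneinfo import ZoneInfo

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Predefined roles whose holders can change what runs in a target; these are the
# grants worth scoping to a single resource and a time window.
STATE_CHANGING_ROLES = {
    "roles/clouddeploy.admin",
    "roles/clouddeploy.operator",
    "roles/clouddeploy.releaser",
    "roles/clouddeploy.approver",
}

# Constructed sample: a production target whose policy still carries a basic role.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ1234=",  # constructed; a real etag must be sent back to setIamPolicy
    "bindings": [
        {"role": "roles/editor", "members": ["group:release-eng@example.com"]},
        {"role": "roles/clouddeploy.viewer", "members": ["group:dev@example.com"]},
    ],
}


def audit_policy(policy):
    """Return one finding per binding that is broader than least privilege requires."""
    findings = []
    for b in policy.get("bindings", []):
        role, members = b["role"], ", ".join(b.get("members", []))
        if role in BASIC_ROLES:
            findings.append(f"{role} on {members}: basic role; grant a predefined clouddeploy role instead")
        elif role in STATE_CHANGING_ROLES and "condition" not in b:
            findings.append(f"{role} on {members}: unconditional; consider a time-window condition")
    return findings


def business_hours_condition(tz, start_hour, end_hour):
    """IAM condition (CEL) that allows the binding only within [start_hour, end_hour) in tz."""
    return {
        "title": "business-hours",
        "description": f"{start_hour:02d}:00-{end_hour:02d}:00 {tz}",
        "expression": (f'request.time.getHours("{tz}") >= {start_hour} && '
                       f'request.time.getHours("{tz}") < {end_hour}'),
    }


def condition_allows(tz, start_hour, end_hour, when_iso):
    """Local mirror of the CEL window above, to sanity-check it before applying it."""
    hour = datetime.fromisoformat(when_iso).astimezone(ZoneInfo(tz)).hour
    return start_hour <= hour < end_hour


def remove_member(policy, role, member):
    """Copy of policy with member dropped from every binding of role; empty bindings are removed."""
    new = copy.deepcopy(policy)
    for b in new.get("bindings", []):
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new.get("bindings", []) if b["members"]]
    return new


def grant_with_condition(policy, role, member, condition):
    """Copy of policy granting role to member under condition.

    Conditional bindings require policy version 3. A binding is identified by
    (role, condition), so the grant joins a binding with an identical condition
    and never merges into an unconditional binding of the same role.
    """
    new = copy.deepcopy(policy)  # keeps the etag for the setIamPolicy round trip
    new["version"] = 3
    for b in new.setdefault("bindings", []):
        if b["role"] == role and b.get("condition") == condition:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member], "condition": condition})
    return new


if __name__ == "__main__":
    import json
    cond = business_hours_condition("Europe/Berlin", 9, 17)
    tightened = grant_with_condition(
        remove_member(SAMPLE_POLICY, "roles/editor", "group:release-eng@example.com"),
        "roles/clouddeploy.approver", "group:release-eng@example.com", cond)
    print("before:", audit_policy(SAMPLE_POLICY))
    print("after:", audit_policy(tightened))
    print(json.dumps(tightened, indent=2))
```

Fetch the policy with getIamPolicy requesting policy version 3 (otherwise existing conditional bindings are not returned and would be lost on write), pass the result through the functions above, and submit it with setIamPolicy carrying the original etag so a concurrent change is rejected rather than overwritten.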
What's next
- Learn about IAM.
- Learn more about using conditions in IAM.
- Find out more about Cloud Deploy service accounts.