IAM roles and permissions

This page describes Cloud Deploy service accounts, roles, and permissions.

Access in Cloud Deploy is controlled using Identity and Access Management (IAM). IAM enables you to create and manage permissions for Google Cloud resources. Cloud Deploy provides a specific set of predefined IAM roles where each role contains a set of permissions. You can use these roles to give more fine-grained access to specific Google Cloud resources and prevent unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

See Using IAM to restrict Cloud Deploy access to learn about advanced access-control security features.

Service accounts in Cloud Deploy

By default, Cloud Deploy runs using the default Compute Engine service account. That service account has sufficient permissions to render manifests and deploy to your targets.

Find out more about how Cloud Deploy uses service accounts.

Predefined Cloud Deploy roles

With IAM, every method in the Cloud Deploy API requires that the identity making the request has the appropriate permissions on the resource. Permissions are granted by setting policies that grant roles to a principal (user, group, or service account) in your project. You can grant multiple roles to a principal on the same resource.

The IAM documentation includes a searchable reference of all predefined roles.

The following table lists the Cloud Deploy IAM roles and the permissions that they include:

| Role | Description | Permissions |
| --- | --- | --- |
| roles/clouddeploy.viewer | Can view Cloud Deploy resources. | clouddeploy.*.get, clouddeploy.*.list |
| roles/clouddeploy.admin | Full control of Cloud Deploy resources. | clouddeploy.* |
| roles/clouddeploy.customTargetTypeAdmin | Full control of Cloud Deploy custom target types. | clouddeploy.customTargetType.* |
| roles/clouddeploy.developer | Can create, retrieve, update, and delete Cloud Deploy delivery pipeline resources. | clouddeploy.deliveryPipelines.get, clouddeploy.deliveryPipelines.list, clouddeploy.deliveryPipelines.create, clouddeploy.deliveryPipelines.delete, clouddeploy.deliveryPipelines.update, clouddeploy.deliveryPipelines.getIamPolicy, clouddeploy.releases.*, clouddeploy.rollouts.get, clouddeploy.rollouts.list, clouddeploy.operations.*, clouddeploy.jobRuns.get, clouddeploy.jobRuns.list, clouddeploy.automations.get, clouddeploy.automations.list, clouddeploy.automationRuns.get, clouddeploy.automationRuns.list |
| roles/clouddeploy.operator | Can create, retrieve, update, and delete Cloud Deploy delivery pipeline and target resources. Can create and retrieve release, rollout, and job run resources. Can retrieve custom target type resources. | clouddeploy.customTargetType.get, clouddeploy.customTargetType.list, clouddeploy.customTargetType.getIamPolicy, clouddeploy.deliveryPipelines.get, clouddeploy.deliveryPipelines.list, clouddeploy.deliveryPipelines.create, clouddeploy.deliveryPipelines.delete, clouddeploy.deliveryPipelines.update, clouddeploy.deliveryPipelines.getIamPolicy, clouddeploy.releases.*, clouddeploy.targets.get, clouddeploy.targets.list, clouddeploy.targets.create, clouddeploy.targets.delete, clouddeploy.targets.update, clouddeploy.targets.getIamPolicy, clouddeploy.rollouts.advance, clouddeploy.rollouts.cancel, clouddeploy.rollouts.create, clouddeploy.rollouts.get, clouddeploy.rollouts.ignoreJob, clouddeploy.rollouts.list, clouddeploy.rollouts.retryJob, clouddeploy.rollouts.rollback, clouddeploy.operations.*, clouddeploy.jobRuns.get, clouddeploy.jobRuns.list, clouddeploy.jobRuns.terminate, clouddeploy.automations.*, clouddeploy.automationRuns.* |
| roles/clouddeploy.approver | Can view and approve Cloud Deploy rollout resources only. | clouddeploy.rollouts.get, clouddeploy.rollouts.list, clouddeploy.rollouts.approve, clouddeploy.operations.*, clouddeploy.jobRuns.get, clouddeploy.jobRuns.list |
| roles/clouddeploy.jobRunner | Can execute Cloud Deploy work without permission to deploy to a target. | logging.logEntries.create, storage.objects.create, storage.objects.list, storage.objects.get |
| roles/clouddeploy.releaser | Can create and retrieve releases and rollouts. | clouddeploy.customTargetType.get, clouddeploy.deliveryPipelines.get, clouddeploy.targets.get, clouddeploy.releases.create, clouddeploy.releases.get, clouddeploy.releases.list, clouddeploy.rollouts.advance, clouddeploy.rollouts.cancel, clouddeploy.rollouts.create, clouddeploy.rollouts.get, clouddeploy.rollouts.list, clouddeploy.rollouts.rollback, clouddeploy.jobRuns.get, clouddeploy.jobRuns.list |

In addition to the Cloud Deploy predefined roles, the basic Viewer, Editor, and Owner roles also include permissions related to Cloud Deploy. However, we recommend that you grant predefined roles where possible to comply with the security principle of least privilege.

Permissions

The following table lists the permissions that the caller must have to call each method:

| API method | Required permission | Description |
| --- | --- | --- |
| automations.create() | clouddeploy.automations.create | Create a new automation resource. |
| automations.delete() | clouddeploy.automations.delete | Delete an existing automation resource. |
| automations.get() | clouddeploy.automations.get | Retrieve details for an individual automation resource. |
| automations.list() | clouddeploy.automations.list | List automation resources and their metadata. |
| automations.update() | clouddeploy.automations.update | Update an existing automation resource. |
| automationRuns.cancel() | clouddeploy.automationRuns.cancel | Cancel a running automation. |
| automationRuns.get() | clouddeploy.automationRuns.get | Retrieve details for an individual automation run. |
| automationRuns.list() | clouddeploy.automationRuns.list | List automation runs and their metadata. |
| customTargetTypes.create() | clouddeploy.customTargetType.create | Create a custom target type resource. |
| customTargetTypes.delete() | clouddeploy.customTargetType.delete | Delete a custom target type resource. |
| customTargetTypes.get() | clouddeploy.customTargetType.get | Retrieve details for a custom target type. |
| customTargetTypes.getIamPolicy() | clouddeploy.customTargetType.getIamPolicy | Get the IAM policy for a custom target type resource. |
| customTargetTypes.list() | clouddeploy.customTargetType.list | List available custom target types and their metadata. |
| customTargetTypes.patch() | clouddeploy.customTargetType.patch | Update an existing custom target type. |
| customTargetTypes.setIamPolicy() | clouddeploy.customTargetType.setIamPolicy | Set the IAM policy for a custom target type resource. |
| deliveryPipelines.create() | clouddeploy.deliveryPipelines.create | Create a new delivery pipeline resource. |
| deliveryPipelines.delete() | clouddeploy.deliveryPipelines.delete | Delete an existing delivery pipeline resource. |
| deliveryPipelines.get() | clouddeploy.deliveryPipelines.get | Retrieve details for an individual delivery pipeline. |
| deliveryPipelines.getIamPolicy() | clouddeploy.deliveryPipelines.getIamPolicy | Get the IAM policy for a delivery pipeline resource. |
| deliveryPipelines.list() | clouddeploy.deliveryPipelines.list | List delivery pipelines and their metadata. |
| deliveryPipelines.rollbackTarget() | clouddeploy.rollouts.rollback | Roll back a target. |
| deliveryPipelines.setIamPolicy() | clouddeploy.deliveryPipelines.setIamPolicy | Set the IAM policy for a delivery pipeline resource. |
| deliveryPipelines.update() | clouddeploy.deliveryPipelines.update | Update an existing delivery pipeline resource. |
| jobRuns.get() | clouddeploy.jobRuns.get | Retrieve a job run resource. |
| jobRuns.list() | clouddeploy.jobRuns.list | List job run resources and their metadata. |
| jobRuns.terminate() | clouddeploy.jobRuns.terminate | Terminate an in-progress job run. |
| operations.cancel() | clouddeploy.operations.cancel | Cancel a long-running operation. |
| operations.delete() | clouddeploy.operations.delete | Delete a long-running operation. |
| operations.get() | clouddeploy.operations.get | Get a specific long-running operation (for example, to return the status of a release's creation). |
| operations.list() | clouddeploy.operations.list | List long-running operations. |
| releases.abandon() | clouddeploy.releases.abandon | Abandon a release and prevent further rollouts against it. |
| releases.create() | clouddeploy.releases.create | Create a new release resource. The caller also requires the iam.serviceAccounts.actAs permission on the service account used to render the manifest. |
| releases.get() | clouddeploy.releases.get | Retrieve details for an individual release. |
| releases.list() | clouddeploy.releases.list | List releases and their metadata. |
| releases.promote() | clouddeploy.rollouts.create | Promote the release to the next target. |
| rollouts.advance() | clouddeploy.rollouts.advance | Advance a rollout to the next phase. |
| rollouts.approve() | clouddeploy.rollouts.approve | Approve or reject a rollout whose approval state is "required". |
| rollouts.cancel() | clouddeploy.rollouts.cancel | Cancel a rollout. |
| rollouts.create() | clouddeploy.rollouts.create | Create a new rollout resource. The caller also requires the iam.serviceAccounts.actAs permission on the project or service account used to deploy. |
| rollouts.get() | clouddeploy.rollouts.get | Retrieve details for an individual rollout. |
| rollouts.ignoreJob() | clouddeploy.rollouts.ignoreJob | Ignore a failed job. |
| rollouts.list() | clouddeploy.rollouts.list | List rollouts and their metadata. |
| rollouts.retryJob() | clouddeploy.rollouts.retryJob | Retry a failed job. |
| targets.create() | clouddeploy.targets.create | Create a new target resource. |
| targets.delete() | clouddeploy.targets.delete | Delete an existing target resource. |
| targets.get() | clouddeploy.targets.get | Retrieve details for an individual target. |
| targets.getIamPolicy() | clouddeploy.targets.getIamPolicy | Get the IAM policy for a target resource. |
| targets.list() | clouddeploy.targets.list | List targets and their metadata. |
| targets.setIamPolicy() | clouddeploy.targets.setIamPolicy | Set the IAM policy for a target resource. |
| targets.update() | clouddeploy.targets.update | Update an existing target resource. |
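A least-privilege check that ties the two tables together: given the permissions a method needs, which predefined role is the narrowest one that grants them all? This is an added example, not code from this page or from Google; it transcribes four of the roles above (operator, developer, customTargetTypeAdmin and jobRunner are omitted for space) and treats the table's wildcards the way the role reference lists them. Note that no Cloud Deploy role grants iam.serviceAccounts.actAs, so a releases.create caller always needs a separate grant.

```python
from typing import Optional

# Permission sets transcribed from this page's predefined-role table,
# abbreviated to four roles (operator and developer omitted for space).
CLOUD_DEPLOY_ROLES = {
    "roles/clouddeploy.viewer": ["clouddeploy.*.get", "clouddeploy.*.list"],
    "roles/clouddeploy.approver": [
        "clouddeploy.rollouts.get", "clouddeploy.rollouts.list",
        "clouddeploy.rollouts.approve", "clouddeploy.operations.*",
        "clouddeploy.jobRuns.get", "clouddeploy.jobRuns.list",
    ],
    "roles/clouddeploy.releaser": [
        "clouddeploy.customTargetType.get", "clouddeploy.deliveryPipelines.get",
        "clouddeploy.targets.get", "clouddeploy.releases.create",
        "clouddeploy.releases.get", "clouddeploy.releases.list",
        "clouddeploy.rollouts.advance", "clouddeploy.rollouts.cancel",
        "clouddeploy.rollouts.create", "clouddeploy.rollouts.get",
        "clouddeploy.rollouts.list", "clouddeploy.rollouts.rollback",
        "clouddeploy.jobRuns.get", "clouddeploy.jobRuns.list",
    ],
    "roles/clouddeploy.admin": ["clouddeploy.*"],
}
# Candidate order from narrowest to broadest, used by least_privileged_role().
ROLE_ORDER = list(CLOUD_DEPLOY_ROLES)


def pattern_matches(pattern: str, permission: str) -> bool:
    """Segment-wise wildcard match: a '*' in the middle stands for exactly one
    dotted segment (clouddeploy.*.get); a trailing '*' covers everything
    after it (clouddeploy.releases.*)."""
    pat, perm = pattern.split("."), permission.split(".")
    for i, seg in enumerate(pat):
        if seg == "*" and i == len(pat) - 1:
            return len(perm) >= len(pat)
        if i >= len(perm) or (seg != "*" and seg != perm[i]):
            return False
    return len(pat) == len(perm)


def missing_permissions(role: str, required: set) -> set:
    """Required permissions the role does not grant (empty set = fully covered)."""
    return {p for p in required
            if not any(pattern_matches(pat, p) for pat in CLOUD_DEPLOY_ROLES[role])}


def least_privileged_role(required: set) -> Optional[str]:
    """First role in ROLE_ORDER covering every required permission, or None.
    None also flags permissions outside the clouddeploy.* family, such as the
    iam.serviceAccounts.actAs that releases.create() additionally needs."""
    for role in ROLE_ORDER:
        if not missing_permissions(role, required):
            return role
    return None
```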

Using IAM to restrict actions on Cloud Deploy resources

You can secure your Cloud Deploy resources using IAM in the following ways:

  • IAM meta APIs

    Use setIamPolicy on Cloud Deploy resources to restrict actions on those resources.

  • Conditional IAM

    Programmatically apply access policies, including the conditions under which to grant or deny access.

You can use these policies and conditions to restrict the following actions on your Cloud Deploy resources:

  • Create a delivery pipeline or target

    You can grant this access to specific users or groups.

  • Update or delete a specific delivery pipeline

    You can grant this access to specific users or groups.

  • Create a release for a specific delivery pipeline

    You can grant this access to specific users or groups.

  • Update or delete a specific target

    You can grant this access to specific users or groups.

  • Create or approve a rollout or promote a release

    You can grant this access to specific users or groups for a specific target or delivery pipeline.

    You can also set a condition that limits this access to within a specified time window.
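The last item above, a conditional grant of approval rights on one target for a limited time window, as an added example that is not part of this page. It edits the policy document in the read-modify-write shape that `gcloud deploy targets get-iam-policy` / `set-iam-policy` exchange (those command names and the sample policy are assumptions, not taken from the page); the two details that matter are that a policy carrying conditions must be version 3, and that the etag from the read must be preserved so a concurrent change makes the write fail rather than be silently overwritten.

```python
import copy
from datetime import datetime

# Constructed sample of what a get-iam-policy call might return for a target
# that already has an unconditional viewer binding (etag value is made up).
EXISTING_POLICY = {
    "etag": "BwX-constructed-etag",
    "version": 1,
    "bindings": [
        {"role": "roles/clouddeploy.viewer", "members": ["group:dev@example.com"]},
    ],
}

RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"


def time_window_condition(start: str, end: str, title: str) -> dict:
    """IAM condition (CEL expression) granting access only between start and end
    (both RFC 3339 UTC timestamps). Rejects an empty or inverted window, which
    would otherwise produce a binding that never grants anything."""
    if datetime.strptime(end, RFC3339_UTC) <= datetime.strptime(start, RFC3339_UTC):
        raise ValueError("end of window must be after its start")
    return {
        "title": title,
        "description": "constructed example: time-boxed approval window",
        "expression": (
            f'request.time >= timestamp("{start}") && '
            f'request.time < timestamp("{end}")'
        ),
    }


def add_conditional_binding(policy: dict, role: str, member: str, condition: dict) -> dict:
    """Return a copy of policy with member bound to role under condition.

    Policy version is raised to 3 (conditions are dropped otherwise), the etag
    is kept for the subsequent set-iam-policy, and a binding with the same role
    and an identical condition is reused instead of duplicated.
    """
    new = copy.deepcopy(policy)
    new["version"] = 3
    for binding in new["bindings"]:
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member], "condition": condition})
    return new
```

The unconditional viewer binding is left untouched: conditions attach to a binding, not to the policy, so the time window only constrains the approver grant.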

What's next