By default, all Google Cloud Platform Console projects come with a single user: the original project creator. No other users have access to the project, and therefore to its Google Cloud Platform resources, until a user is added as a project team member. This page describes the different ways you can add new users to your project.
It also describes how Deployment Manager authenticates to other Cloud Platform APIs on your behalf to create resources.
Before you begin
- If you want to use the command-line examples in this guide, install the gcloud command-line tool.
- If you want to use the API examples in this guide, set up API access.
- Understand Google Cloud Console projects.
- Understand Google Identity and Access Management.
Access control for users
To give your users access to your project so they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles. IAM supports two types of roles: predefined and primitive roles.
For information on how to add team members, read the documentation for adding team members.
Deployment Manager roles
| Role | Description |
| --- | --- |
| Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. |
| Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. |
| Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. |
| Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. |
Access control for Deployment Manager
To create other Google Cloud Platform resources, Deployment Manager uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identifiable using the email:
The Google APIs service account is automatically granted editor permissions on the project and is listed in the IAM section of the Google Cloud Platform console. The service account exists indefinitely with the project and is only deleted when the project is deleted. Since Deployment Manager and other services such as managed instance groups rely on this service account to create, delete, and manage resources, it is not recommended that you modify this account's permissions.
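One way to review a project against both sections above, as an added example that is not part of the original documentation: it reads a policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, lists who holds the Deployment Manager roles, flags users and groups on primitive owner/editor roles, and checks that the Google APIs service account still has editor. The function name, the sample policy and the service account member string are assumptions; pass in the service account exactly as your project's IAM page lists it.

```python
import json

# Role IDs of the four Deployment Manager roles listed in the table above.
DM_ROLES = {
    "roles/deploymentmanager.editor",
    "roles/deploymentmanager.typeEditor",
    "roles/deploymentmanager.typeViewer",
    "roles/deploymentmanager.viewer",
}
# Primitive roles with write access across every service in the project.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_policy(policy, google_apis_sa):
    """Audit a policy dict shaped like `gcloud projects get-iam-policy` JSON.

    google_apis_sa: member string of the Google APIs service account, passed
    in by the caller exactly as the project's IAM page lists it (assumption).
    Returns (findings, dm_grants).
    """
    findings, dm_grants, sa_roles = [], {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == google_apis_sa:
                sa_roles.add(role)
            elif role in DM_ROLES:
                dm_grants.setdefault(member, set()).add(role)
            elif role in BROAD_ROLES and member.startswith(("user:", "group:")):
                findings.append(f"{member}: primitive {role}, review against the Deployment Manager roles")
    if "roles/editor" not in sa_roles:
        findings.append(f"{google_apis_sa}: roles/editor missing, Deployment Manager relies on it")
    return findings, dm_grants


# Constructed sample policy; the members and the service account are placeholders.
SAMPLE_SA = "serviceAccount:google-apis-sa@example.invalid"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:creator@example.com"]},
  {"role": "roles/editor", "members": ["user:dev@example.com", "serviceAccount:google-apis-sa@example.invalid"]},
  {"role": "roles/deploymentmanager.editor", "members": ["user:deployer@example.com"]},
  {"role": "roles/deploymentmanager.viewer", "members": ["group:auditors@example.com", "user:deployer@example.com"]}
]}
""")

if __name__ == "__main__":
    findings, dm_grants = audit_policy(SAMPLE_POLICY, SAMPLE_SA)
    print("\n".join(findings))
    for member, roles in sorted(dm_grants.items()):
        print(member, sorted(roles))
```
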