Questa pagina è stata tradotta dall'API Cloud Translation.

Controllo dell'accesso con IAM

Per impostazione predefinita, tutti i progetti della console Google Cloud includono un singolo utente: chi ha creato il progetto originale. Nessun altro utente ha accesso al progetto e quindi alle risorse Google Cloud finché non viene aggiunto un utente come membro del team di progetto. In questa pagina vengono descritti i vari modi per aggiungere nuovi utenti al tuo progetto.

Descrive inoltre come Deployment Manager esegue l'autenticazione ad altri le API Google Cloud al posto tuo per creare risorse.

Prima di iniziare

Se vuoi utilizzare gli esempi a riga di comando presenti in questa guida, installa lo strumento a riga di comando "gcloud".
Se vuoi utilizzare gli esempi di API in questa guida, configura l'accesso API.
Scopri i progetti della console Google Cloud.
Informazioni su Google Identity and Access Management.

Controllo dell'accesso per gli utenti

Per consentire agli utenti di accedere al progetto in modo che possano creare configurazioni e implementazioni, aggiungili come membri del team di progetto e concedi loro i ruoli IAM (Identity and Access Management) appropriati.

Per informazioni su come aggiungere membri al team, consulta la documentazione sull'aggiunta di membri al team.

Ruoli di Deployment Manager

Role Permissions

Role	Permissions
Deployment Manager Editor (`roles/deploymentmanager.editor`) Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.deployments.cancelPreview` `deploymentmanager.deployments.create` `deploymentmanager.deployments.delete` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.deployments.stop` `deploymentmanager.deployments.update` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Deployment Manager Type Editor (`roles/deploymentmanager.typeEditor`) Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.operations.get` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.*` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Type Viewer (`roles/deploymentmanager.typeViewer`) Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Viewer (`roles/deploymentmanager.viewer`) Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.*` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Deployment Manager Editor

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Deployment Manager Type Editor

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Type Viewer

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Viewer

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Controllo dell'accesso per Deployment Manager

Per creare altre risorse Google Cloud, Deployment Manager utilizza le credenziali dell'agente di servizio API di Google per eseguire l'autenticazione con su quelle di livello inferiore. L'agente di servizio delle API Google è progettato specificamente per eseguire processi interni di Google per tuo conto. Questo account di servizio è identificabile mediante Indirizzo email:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

All'agente di servizio delle API di Google viene concesso automaticamente il ruolo Editor a livello di progetto ed è elencato nella sezione IAM della console Google Cloud. Questo account di servizio esiste a tempo indeterminato con progetto, e viene eliminato solo quando il progetto viene eliminato. Poiché Deployment Manager e altri servizi, come i gruppi di istanze gestite, si basano su questo account di servizio per creare, eliminare e gestire le risorse, non è consigliabile modificare le autorizzazioni di questo account.

Passaggi successivi

Scopri di più sugli account di servizio.
Scopri come aggiungere membri del team.
Scopri di più su IAM.