此页面由 Cloud Translation API 翻译。

使用 IAM 进行访问权限控制

默认情况下，所有 Google Cloud 控制台项目都只包含一位用户：原始项目创建者。其他用户只有在被添加为项目团队成员之后，才能访问相关项目和 Google Cloud 资源。本页面介绍了将新用户添加到项目的不同方法。

此外，还介绍了 Deployment Manager 如何代表您对其他Google Cloud API 进行身份验证以创建资源。

准备工作

如果要使用本指南中的命令行示例，请安装 “gcloud” 命令行工具。
如果希望使用本指南中的 API 示例，请设置 API 访问权限。
了解 Google Cloud 控制台项目。
了解 Google Identity and Access Management。

针对用户的访问权限控制

为了让您的用户可以访问您的项目，以便他们可以创建配置和部署，您需要将用户添加为项目团队成员，并授予他们适当的 Identity and Access Management (IAM) 角色。

如需了解如何添加团队成员，请阅读文档添加团队成员。

Deployment Manager 角色

Role Permissions

Role	Permissions
Deployment Manager Editor (`roles/deploymentmanager.editor`) Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.deployments.cancelPreview` `deploymentmanager.deployments.create` `deploymentmanager.deployments.delete` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.deployments.stop` `deploymentmanager.deployments.update` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Deployment Manager Type Editor (`roles/deploymentmanager.typeEditor`) Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.` `deploymentmanager.compositeTypes.create` `deploymentmanager.compositeTypes.delete` `deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.compositeTypes.update` `deploymentmanager.operations.get` `deploymentmanager.typeProviders.` `deploymentmanager.typeProviders.create` `deploymentmanager.typeProviders.delete` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.typeProviders.update` `deploymentmanager.types.*` `deploymentmanager.types.create` `deploymentmanager.types.delete` `deploymentmanager.types.get` `deploymentmanager.types.list` `deploymentmanager.types.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Type Viewer (`roles/deploymentmanager.typeViewer`) Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get`
Deployment Manager Viewer (`roles/deploymentmanager.viewer`) Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: Project	`deploymentmanager.compositeTypes.get` `deploymentmanager.compositeTypes.list` `deploymentmanager.deployments.get` `deploymentmanager.deployments.list` `deploymentmanager.manifests.` `deploymentmanager.manifests.get` `deploymentmanager.manifests.list` `deploymentmanager.operations.` `deploymentmanager.operations.get` `deploymentmanager.operations.list` `deploymentmanager.resources.*` `deploymentmanager.resources.get` `deploymentmanager.resources.list` `deploymentmanager.typeProviders.get` `deploymentmanager.typeProviders.getType` `deploymentmanager.typeProviders.list` `deploymentmanager.typeProviders.listTypes` `deploymentmanager.types.get` `deploymentmanager.types.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Deployment Manager Editor

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Deployment Manager Type Editor

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Type Viewer

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Viewer

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

针对 Deployment Manager 的访问权限控制

为了创建其他 Google Cloud 资源，Deployment Manager 会使用 Google API 服务代理的凭据对其他 API 进行身份验证。Google API 服务代理专门用于代表您运行内部 Google 流程。此服务账号采用如下电子邮件地址形式：

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

Google API 服务代理会自动在项目级层授予 Editor 角色，并列在Google Cloud 控制台的 IAM 部分中。此服务账号随项目无限期存在；只有在项目被删除时，它才会被删除。由于 Deployment Manager 和其他服务（如托管实例组）依赖此服务账号来创建、删除和管理资源，建议您不要修改此账号的权限。

后续步骤

了解服务账号。
了解如何添加团队成员。
了解 IAM。