By default, every Google Cloud console project starts with a single user: the project creator. No other user has access to the project, and so to its Google Cloud resources, until that user is added as a project team member. This page describes the ways you can add new users to your project.
It also describes how Deployment Manager authenticates to other Google Cloud APIs on your behalf to create resources.
Before you begin
- If you want to use the command-line examples in this guide, install the `gcloud` command-line tool.
- If you want to use the API examples in this guide, set up API access.
- Understand Google Cloud console projects.
- Understand Google Identity and Access Management.
Access control for users
To give your users access to your project so they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles.
For information on how to add team members, read the documentation for adding team members.
Deployment Manager roles
Role | Description | Permissions
---|---|---
Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. | `deploymentmanager.manifests.*`, `deploymentmanager.operations.*`, `deploymentmanager.resources.*`, `deploymentmanager.types.*`, `resourcemanager.projects.get`, `resourcemanager.projects.list`, `serviceusage.quotas.get`, `serviceusage.services.get`, `serviceusage.services.list`, plus ten further `deploymentmanager.` permissions whose names are truncated in the source
Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. | `deploymentmanager.types.*`, `resourcemanager.projects.get`, `resourcemanager.projects.list`, `serviceusage.quotas.get`, `serviceusage.services.get`, plus three further `deploymentmanager.` permissions whose names are truncated in the source
Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. | `deploymentmanager.types.get`, `deploymentmanager.types.list`, `resourcemanager.projects.get`, `resourcemanager.projects.list`, `serviceusage.quotas.get`, `serviceusage.services.get`, plus six further `deploymentmanager.` permissions whose names are truncated in the source
Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. | `deploymentmanager.manifests.*`, `deploymentmanager.operations.*`, `deploymentmanager.resources.*`, `deploymentmanager.types.get`, `deploymentmanager.types.list`, `resourcemanager.projects.get`, `resourcemanager.projects.list`, `serviceusage.quotas.get`, `serviceusage.services.get`, `serviceusage.services.list`, plus eight further `deploymentmanager.` permissions whose names are truncated in the source
Access control for Deployment Manager
To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs Service Agent to authenticate to other APIs. The Google APIs Service Agent is designed specifically to run internal Google processes on your behalf. This service account is identifiable using the email:
[PROJECT_NUMBER]@cloudservices.gserviceaccount.com
The Google APIs Service Agent is automatically granted the Editor role at the project level and is listed in the IAM section of the Google Cloud console. This service account exists for the lifetime of the project and is deleted only when the project is deleted. Because Deployment Manager and other services, such as managed instance groups, rely on this service account to create, delete, and manage resources, modifying its permissions is not recommended.
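The two access-control points above (who holds Deployment Manager roles, and whether the Google APIs Service Agent still has its default Editor grant) are both visible in the project's IAM policy. The following script is an added example, not Google's code or part of this documentation: it parses a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, lists every principal bound to a `roles/deploymentmanager.*` role, and reports if the service agent is missing `roles/editor` or has picked up extra roles. The two embedded policies are constructed samples, and the project number `123456789012` is a placeholder.

```python
import json
import re

# Constructed sample of a project IAM policy, in the JSON shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
# The project number 123456789012 is a placeholder, not a real project.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
        {"role": "roles/deploymentmanager.editor",
         "members": ["user:bob@example.com", "group:ops@example.com"]},
        {"role": "roles/deploymentmanager.viewer",
         "members": ["user:carol@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

# Constructed sample of a drifted policy: someone removed the service agent's
# Editor grant and gave it Owner instead.
MODIFIED_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
        {"role": "roles/deploymentmanager.editor",
         "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyz124",
    "version": 1,
})

DM_ROLE_PREFIX = "roles/deploymentmanager."
SERVICE_AGENT_SUFFIX = "@cloudservices.gserviceaccount.com"


def parse_policy(policy_json):
    """Return {role: set(members)} from a get-iam-policy JSON document.

    Bindings for the same role are merged so later logic sees one member set.
    """
    policy = json.loads(policy_json)
    role_to_members = {}
    for binding in policy.get("bindings", []):
        role_to_members.setdefault(binding["role"], set()).update(binding.get("members", []))
    return role_to_members


def deployment_manager_principals(role_to_members):
    """Return {role: sorted members} for every Deployment Manager role in the policy."""
    return {role: sorted(members)
            for role, members in role_to_members.items()
            if role.startswith(DM_ROLE_PREFIX)}


def check_service_agent(role_to_members, project_number):
    """Report deviations from the default state of the Google APIs Service Agent.

    Default state: the agent [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
    holds roles/editor at the project level and nothing else.
    """
    if not re.fullmatch(r"\d+", project_number):
        raise ValueError("project_number must be numeric")
    agent = f"serviceAccount:{project_number}{SERVICE_AGENT_SUFFIX}"
    findings = []
    if agent not in role_to_members.get("roles/editor", set()):
        findings.append(f"{agent} is missing roles/editor; "
                        "Deployment Manager and managed instance groups may fail")
    # Any other role bound to the agent is a change from the default worth reviewing.
    for role in sorted(r for r, m in role_to_members.items() if agent in m and r != "roles/editor"):
        findings.append(f"{agent} additionally holds {role}; review whether this grant is intended")
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_POLICY), ("modified", MODIFIED_POLICY)):
        policy = parse_policy(doc)
        print(f"[{label}] Deployment Manager principals:")
        for role, members in deployment_manager_principals(policy).items():
            print(f"  {role}: {', '.join(members)}")
        for finding in check_service_agent(policy, "123456789012") or ["service agent OK"]:
            print(f"  {finding}")
```

Run it against a real project by replacing the embedded samples with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and the placeholder with your project number. Merging bindings per role matters because IAM policies can carry more than one binding for the same role (for example, with different conditions), and a check that inspects only the first one can miss a grant.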
What's next
- Learn about service accounts.
- Learn how to add team members.
- Learn about IAM.