By default, every Google Cloud console project contains only one user: the original project creator. Other users can access the project and its Google Cloud resources only after they have been added as project team members. This page describes the different ways to add new users to a project.
It also describes how Deployment Manager authenticates to other Google Cloud APIs on your behalf in order to create resources.
Before you begin
- If you want to use the command-line examples in this guide, install the gcloud command-line tool.
- If you want to use the API examples in this guide, set up API access.
- Understand Google Cloud console projects.
- Understand Google Identity and Access Management.
Access control for users
To give your users access to your project so that they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles.
To learn how to add team members, read the documentation on adding team members.
Deployment Manager roles
Role | Description | Permissions
---|---|---
Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: (cut off on this page) | deploymentmanager.manifests.*, deploymentmanager.operations.*, deploymentmanager.resources.*, deploymentmanager.types.*, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list, plus further permissions under deploymentmanager. whose names are cut off on this page
Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: (cut off on this page) | deploymentmanager.types.*, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, plus further permissions under deploymentmanager. whose names are cut off on this page
Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: (cut off on this page) | deploymentmanager.types.get, deploymentmanager.types.list, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, plus further permissions under deploymentmanager. whose names are cut off on this page
Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: (cut off on this page) | deploymentmanager.manifests.*, deploymentmanager.operations.*, deploymentmanager.resources.*, deploymentmanager.types.get, deploymentmanager.types.list, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list, plus further permissions under deploymentmanager. whose names are cut off on this page
Access control for Deployment Manager
To create other Google Cloud resources, Deployment Manager authenticates to other APIs with the credentials of the Google APIs Service Agent. The Google APIs Service Agent exists specifically to run internal Google processes on your behalf. This service account has an email address of the following form:
[PROJECT_NUMBER]@cloudservices.gserviceaccount.com
The Google APIs Service Agent is automatically granted the Editor role at the project level and is listed in the IAM section of the Google Cloud console. The service account exists for as long as the project does; it is deleted only when the project is deleted. Because Deployment Manager and other services (such as managed instance groups) rely on this service account to create, delete, and manage resources, we recommend that you do not modify its permissions.
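The two operational tasks this page describes are granting a team member a Deployment Manager role and leaving the Google APIs Service Agent's project-level Editor grant alone. The following Python is an added example, not code from the page or from Google: it edits a project IAM policy offline in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (the sample policy and the project number 123456789012 are constructed here), grants a user the Deployment Manager Editor role idempotently, and audits whether the service agent for the project still holds its default Editor role or has been given extra roles. The role IDs roles/deploymentmanager.editor, roles/deploymentmanager.viewer and roles/editor are assumed to be the public IAM role names for the roles the page names.

```python
"""Offline edit and audit of a project IAM policy for Deployment Manager access."""
import copy
import json

# IAM role IDs assumed for this example (public role names for the roles named above).
DM_EDITOR_ROLE = "roles/deploymentmanager.editor"
DM_VIEWER_ROLE = "roles/deploymentmanager.viewer"
PROJECT_EDITOR_ROLE = "roles/editor"


def service_agent_member(project_number):
    """IAM member string of the Google APIs Service Agent for a project number."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexample",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": PROJECT_EDITOR_ROLE,
         "members": [service_agent_member("123456789012")]},
    ],
}


def members_with_role(policy, role):
    """Members bound to `role` by an unconditional binding.

    Conditional bindings (those carrying a "condition" key) are skipped on
    purpose: they only grant the role when the condition holds, so they do
    not prove an unconditional grant.
    """
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members.extend(binding.get("members", []))
    return members


def add_binding(policy, member, role):
    """Return a new policy that grants `member` the `role`; idempotent.

    The input is not modified. The caller writes the result back with
    `gcloud projects set-iam-policy PROJECT_ID policy.json`; the etag is kept
    so that a concurrent change makes the write fail instead of overwriting it.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def audit_service_agent(policy, project_number):
    """Findings about the Google APIs Service Agent's grants in `policy`.

    The agent is granted roles/editor at the project level automatically, and
    Deployment Manager and managed instance groups depend on it; a missing
    grant is reported, and so is any additional role, since both mean the
    account's default permissions were modified.
    """
    agent = service_agent_member(project_number)
    findings = []
    if agent not in members_with_role(policy, PROJECT_EDITOR_ROLE):
        findings.append(f"{agent} is missing {PROJECT_EDITOR_ROLE}; "
                        "Deployment Manager and managed instance groups depend on it")
    for binding in policy.get("bindings", []):
        if agent in binding.get("members", []) and binding.get("role") != PROJECT_EDITOR_ROLE:
            findings.append(f"{agent} additionally holds {binding['role']}")
    return findings


if __name__ == "__main__":
    updated = add_binding(SAMPLE_POLICY, "user:alice@example.com", DM_EDITOR_ROLE)
    print(json.dumps(updated, indent=2))
    print(audit_service_agent(updated, "123456789012"))
```

In practice the same grant is one command, `gcloud projects add-iam-policy-binding PROJECT_ID --member=user:alice@example.com --role=roles/deploymentmanager.editor`; the read-modify-write form above is what you need when a policy is managed as a file or when you want to review the resulting bindings, including the service agent's, before applying them.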