Access control options

By default, every Google Cloud Platform Console project has exactly one user: the original project creator. No other user can access the project, and therefore the Google Cloud Platform resources in it, unless that user is added as a project team member. This page describes the different ways you can add users to a project.

It also explains how Deployment Manager authenticates to other Cloud Platform APIs on your behalf in order to create resources.

Before you begin

Access control for users

To give a user access to your project so that they can create configurations and deployments, add the user as a project team member and grant an appropriate Identity and Access Management (IAM) role. IAM supports two types of roles: predefined roles and primitive roles.

To learn how to add team members, see the documentation on adding team members.

Predefined roles

A predefined role grants a set of related permissions. The following table describes the predefined roles available for Deployment Manager.

| Role | Permissions | Applicable resource type |
|---|---|---|
| roles/deploymentmanager.viewer | deploymentmanager.deployments.get | Deployment |
| | deploymentmanager.manifests.get | Manifest |
| | deploymentmanager.manifests.list | Project |
| | deploymentmanager.resources.get | Resource |
| | deploymentmanager.resources.list | Project |
| | deploymentmanager.types.list | Project |
| | deploymentmanager.operations.get | Operation |
| | deploymentmanager.operations.list | Project |
| roles/deploymentmanager.editor | All permissions of deploymentmanager.viewer, plus: | |
| | deploymentmanager.deployments.cancelPreview | Deployment |
| | deploymentmanager.deployments.create | Project |
| | deploymentmanager.deployments.delete | Deployment |
| | deploymentmanager.deployments.stop | Deployment |
| | deploymentmanager.deployments.update | Deployment |
| roles/deploymentmanager.typeViewer | deploymentmanager.types.list | Project |
| | deploymentmanager.typeProviders.get | Type provider |
| | deploymentmanager.typeProviders.list | Project |
| | deploymentmanager.compositeTypes.get | Composite type |
| | deploymentmanager.compositeTypes.list | Project |
| roles/deploymentmanager.typeEditor | All permissions of deploymentmanager.typeViewer, plus: | |
| | deploymentmanager.typeProviders.create | Project |
| | deploymentmanager.typeProviders.delete | Type provider |
| | deploymentmanager.typeProviders.update | Type provider |
| | deploymentmanager.compositeTypes.create | Project |
| | deploymentmanager.compositeTypes.delete | Composite type |
| | deploymentmanager.compositeTypes.update | Composite type |

Each API method requires specific permissions to be called. Use the following table to determine the permissions required for the API methods you need.

| Method | Required permission | Roles that allow you to call this method |
|---|---|---|
| deployments.cancelPreview | deploymentmanager.deployments.cancelPreview | roles/deploymentmanager.editor, roles/owner, roles/editor |
| deployments.delete | deploymentmanager.deployments.delete | roles/deploymentmanager.editor, roles/owner, roles/editor |
| deployments.get | deploymentmanager.deployments.get | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| deployments.insert | deploymentmanager.deployments.create | roles/deploymentmanager.editor, roles/owner, roles/editor |
| deployments.list | deploymentmanager.deployments.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| deployments.patch | deploymentmanager.deployments.update | roles/deploymentmanager.editor, roles/owner, roles/editor |
| deployments.stop | deploymentmanager.deployments.stop | roles/deploymentmanager.editor, roles/owner, roles/editor |
| deployments.update | deploymentmanager.deployments.update | roles/deploymentmanager.editor, roles/owner, roles/editor |
| manifests.get | deploymentmanager.manifests.get | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| manifests.list | deploymentmanager.manifests.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| resources.get | deploymentmanager.resources.get | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| resources.list | deploymentmanager.resources.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/owner, roles/editor, roles/viewer |
| types.list | deploymentmanager.types.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |
| compositeTypes.delete | deploymentmanager.compositeTypes.delete | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| compositeTypes.get | deploymentmanager.compositeTypes.get | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |
| compositeTypes.insert | deploymentmanager.compositeTypes.create | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| compositeTypes.list | deploymentmanager.compositeTypes.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |
| compositeTypes.patch | deploymentmanager.compositeTypes.patch | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| compositeTypes.update | deploymentmanager.compositeTypes.update | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| typeProviders.delete | deploymentmanager.typeProviders.delete | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| typeProviders.get | deploymentmanager.typeProviders.get | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |
| typeProviders.insert | deploymentmanager.typeProviders.create | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| typeProviders.list | deploymentmanager.typeProviders.list | roles/deploymentmanager.editor, roles/deploymentmanager.viewer, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |
| typeProviders.patch | deploymentmanager.typeProviders.patch | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/owner, roles/editor |
| typeProviders.update | deploymentmanager.typeProviders.update | roles/deploymentmanager.editor, roles/deploymentmanager.typeEditor, roles/deploymentmanager.typeViewer, roles/owner, roles/editor, roles/viewer |

Primitive roles

Primitive IAM roles map directly to the legacy project Owner, Editor and Viewer roles. Compared with predefined roles, they grant much broader access to services. In general, you should use predefined roles whenever possible; in certain situations where IAM is not supported, you may need to use primitive roles to grant the appropriate permissions.

For more information about primitive roles, see the primitive roles documentation.

Access control for Deployment Manager

To create other Google Cloud Platform resources, Deployment Manager uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identified by the email address:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

The Google APIs service account is automatically granted editor permissions on the project and is listed in the IAM section of the Google Cloud Platform Console. The service account exists for the lifetime of the project and is deleted only when the project itself is deleted. Because Deployment Manager and other services (for example, managed instance groups) depend on this service account to create, delete and manage resources, we recommend that you do not modify the account's permissions.

Related resources
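As an added example (not code from the Google documentation), the following Python script audits a project IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` against two points made on this page: members who hold primitive roles where a predefined Deployment Manager role would usually be narrower, and whether the Google APIs service account ([PROJECT_NUMBER]@cloudservices.gserviceaccount.com) still holds the default roles/editor grant that Deployment Manager depends on. The policy document, member names and project number are constructed sample values.

```python
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def google_apis_service_account(project_number):
    """IAM member string of the Google APIs service account for a project."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def audit_dm_policy(policy, project_number):
    """Audit a project IAM policy (dict parsed from
    `gcloud projects get-iam-policy PROJECT_ID --format=json`).

    Returns a list of finding strings:
    - each member holding a primitive role (Owner/Editor/Viewer), since a
      predefined Deployment Manager role is usually the narrower choice;
    - the Google APIs service account if it no longer holds roles/editor,
      the default grant Deployment Manager relies on.
    """
    findings = []
    sa = google_apis_service_account(project_number)
    sa_is_editor = False
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == sa:
                # The service account's default grant is expected, not a finding.
                sa_is_editor = sa_is_editor or role == "roles/editor"
            elif role in PRIMITIVE_ROLES:
                findings.append(f"{member} holds primitive role {role}; "
                                "consider a predefined Deployment Manager role")
    if not sa_is_editor:
        findings.append(f"{sa} does not hold roles/editor; Deployment Manager "
                        "relies on this default grant")
    return findings


# Constructed sample policy (hypothetical project number and members).
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/owner", "members": ["user:owner@example.com"]},
   {"role": "roles/editor", "members": ["user:dev@example.com",
      "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
   {"role": "roles/deploymentmanager.viewer", "members": ["user:auditor@example.com"]}
 ], "etag": "BwWconstructed=", "version": 1}
""")

if __name__ == "__main__":
    for finding in audit_dm_policy(SAMPLE_POLICY, "123456789012"):
        print(finding)
```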
