To control access to your resources in Google Cloud, you use Identity and Access Management (IAM). With IAM, you set permissions specifying who has what kind of access to which resources in your project. For an introduction to IAM, see the IAM Overview.
When you deploy resources, you can also control who has access to these resources by setting an IAM policy preemptively in your configuration. For example, if you plan to create Pub/Sub Topics that can be managed by specific users, you can express this to Deployment Manager by specifying an IAM policy in your configuration. When you create or update your deployment, Deployment Manager calls the IAM API to set the appropriate permissions on the resource.
Before you begin
- If you want to use the command-line examples in this guide, install the `gcloud` command-line tool.
- If you want to use the API examples in this guide, set up API access.
Using IAM policies in Deployment Manager
An IAM policy is a collection of users and their roles. You set an IAM policy at the project level, using either basic or predefined roles. Some services, such as Cloud Pub/Sub, also support setting IAM policies at the resource level.
If a service does not support setting IAM policies at the resource level, Deployment Manager returns a NO_METHOD_TO_UPDATE_ACCESS_CONTROL error.
For a list of roles and the resources you can apply them to, see Understanding Roles.
Granting Deployment Manager permission to set IAM policies
Deployment Manager uses the Google APIs Service Account to call other Google APIs and manage Google Cloud resources on your behalf. You must grant your project's Google APIs service account the basic roles/owner role so it can apply the IAM policies you define in your configurations.
- Go to the IAM page in the Google Cloud console of your project.
- If prompted, select your project from the list.
- Look for the Google APIs service account, which has an email address in the following format:
  [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
- Grant the APIs service account the roles/owner role:
Console
- While still in the Google Cloud console, expand the Roles dropdown for the Google APIs service account and select Project > Owner.
- Click Save to save your changes.
gcloud
With the Google Cloud CLI, add a binding to the IAM policy for the project:
gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] \
    --role roles/owner
where:
- [PROJECT_ID] is the ID of the project.
- [SERVICE_ACCOUNT_EMAIL] is the email of the service account.
For example:
gcloud projects add-iam-policy-binding database-images \
    --member serviceAccount:123456789012@cloudservices.gserviceaccount.com \
    --role roles/owner
API
In the API, make a POST request to the following URL, where [PROJECT_ID] is the ID of the project:
POST https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setIamPolicy
The request body should contain the full list of bindings you want to apply to this project. Note that setIamPolicy replaces the project's existing policy rather than appending to it, so include every binding you want to keep, not only the new one. The roles/owner role should be part of the binding. For example:
{
  "policy": {
    "version": "0",
    "bindings": [
      {
        "role": "roles/owner",
        "members": [
          "user:example@gmail.com",
          "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
        ]
      }
    ]
  }
}
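Because setIamPolicy overwrites the whole policy, the safe pattern is to read the current policy, merge the new binding into it and write the result back with the etag you read. The following Python is an added example, not code from this page or from Google; it works on a constructed sample policy and a placeholder project number and only builds the request body (sending it with an authenticated client is outside the block).

```python
"""Build a setIamPolicy request body that adds one binding to an existing
project policy instead of replacing it. Added example, not Google's code.
The sample policy below is constructed for illustration."""
import copy
import json

# Constructed sample of what projects.getIamPolicy would return (assumption:
# the project already has a user owner and a viewer group).
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWExampleEtag=",  # placeholder etag, not a real value
    "bindings": [
        {"role": "roles/owner", "members": ["user:example@gmail.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}

# Members that this helper refuses to grant any role to.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Existing bindings are kept, the etag is carried over so the write is
    rejected if the policy changed since it was read, and the member is not
    duplicated if the binding already contains it.
    """
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"refusing to grant {role} to {member}")
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:  # no binding for this role yet: add one
        new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def set_iam_policy_body(policy, role, member):
    """JSON body for projects.setIamPolicy in the shape shown above."""
    return json.dumps({"policy": add_binding(policy, role, member)}, indent=2)


if __name__ == "__main__":
    # Placeholder project number; substitute your project's own.
    sa = "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
    print(set_iam_policy_body(CURRENT_POLICY, "roles/owner", sa))
```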
Setting an IAM policy in your configuration
Next, in your configuration or template, you can set an IAM policy by following these instructions:
- Add the accessControl section to the top-level configuration for each resource for which you want to apply access control policies.
- Specify the desired gcpIamPolicy for the resource. Each IAM policy can contain a list of bindings. Each binding binds a list of members to a role.
If you're using accessControl to manage service accounts, learn more about managing service accounts.
For example, the following accessControl section adds bindings that grant these roles to the listed members:
Member | Role |
---|---|
alice@example.com | roles/pubsub.editor |
jane@example.com, my-other-app@appspot.gserviceaccount.com | roles/pubsub.publisher |
resources:
- name: a-new-pubsub-topic
  type: pubsub.v1.topic
  properties:
    ...
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/pubsub.editor
        members:
        - "user:alice@example.com"
      - role: roles/pubsub.publisher
        members:
        - "user:jane@example.com"
        - "serviceAccount:my-other-app@appspot.gserviceaccount.com"
For more information on IAM policies, read the IAM documentation.