使用 IAM 进行访问权限控制

本页面介绍 Eventarc 中可用的访问权限控制选项。

概览

Eventarc 使用 Identity and Access Management (IAM) 进行访问权限控制。

如需了解 IAM 及其功能,请参阅 IAM 概览。如需了解如何授予和撤消访问权限,请参阅授予、更改和撤消对资源的访问权限

如需查看 Eventarc 支持的权限和角色列表,请参阅以下各部分。

启用 Eventarc API

如需查看和分配 Eventarc 的 IAM 角色,您必须为项目启用 Eventarc API。在启用此 API 之前,您无法在 Google Cloud 控制台中查看 Eventarc 角色。

启用 API

预定义角色

下表列出了 Eventarc 预定义 IAM 角色以及每个角色包含的所有权限的列表。

预定义角色可满足大多数典型的用例。如果预定义角色无法满足您的用例,您可以创建 IAM 自定义角色

Eventarc 角色

Role Permissions

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.*

  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channelConnections.setIamPolicy
  • eventarc.channels.attach
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.setIamPolicy
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent
  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update
  • eventarc.locations.get
  • eventarc.locations.list
  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.providers.get
  • eventarc.providers.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • eventarc.triggers.undelete
  • eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.*

  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

  • Project

eventarc.events.*

  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

如需详细了解 Eventarc 角色和权限,请参阅角色和权限

项目级层 IAM 管理

在项目级层,您可以使用 Google Cloud Console、IAM API 或 Google Cloud CLI 来授予、更改和撤消 IAM 角色。如需了解说明,请参阅授予、更改和撤消对资源的访问权限