This document describes how to grant Config Controller permissions to manage your Google Cloud resources.
Least privilege
To use Identity and Access Management securely, Google Cloud recommends following the least privilege best practice. In production environments, give any user accounts or processes only those privileges which are essentially vital to perform its intended functions.
IAM permissions for Config Connector
IAM authorizes Config Connector to take actions on Google Cloud resources.
(Recommended) Predefined or custom roles
To follow the least privilege best practice, grant the most limited
predefined roles
or
custom roles
that meet your needs. For example, if you need Config Connector to manage your
GKE cluster creation, grant the
Kubernetes Engine Cluster Admin role
(roles/container.clusterAdmin).
You can use role recommendations to determine which roles to grant instead. You can also use the Policy Simulator to ensure that changing the role won't affect the principal's access.
Basic roles
It is recommended to have the same permissions in a non-production environment that you have in a production environment, following the least privilege best practice. Having the same permissions has the benefit of testing the production configurations in non-production, and detecting issues earlier.
That said, for certain situations you may want to speed up experimenting with Config Connector. For non-production environments, you can use one of the basic roles as an experiment, before deciding on the most limited permissions.
The
Owner role
(roles/owner) allows Config Connector to manage most of Google Cloud resources in
your project, including IAM resources.
The
Editor role
(roles/editor) allows most Config Connector capabilities except Project or
Organization-wide configurations such as IAM modifications.
To learn more about IAM permissions for Config Connector: