To use the GKE attached clusters API, your Google Cloud account must have specific Identity and Access Management (IAM) permissions that allow access to GKE Multi-Cloud resources. GKE attached clusters provides two predefined roles that bundle two commonly used sets of permissions: gkemulticloud.viewer (grants read-only access) and gkemulticloud.admin (grants administrative control).

These roles have the following permissions:
gkemulticloud.admin
- gkemulticloud.*
- resourcemanager.projects.get
- resourcemanager.projects.list
gkemulticloud.viewer
- gkemulticloud.attachedClusters.get
- gkemulticloud.attachedClusters.list
- gkemulticloud.attachedServerConfigs.get
- gkemulticloud.attachedClusters.generateInstallManifest
- gkemulticloud.awsClusters.generateAccessToken
- gkemulticloud.awsClusters.get
- gkemulticloud.awsClusters.list
- gkemulticloud.awsNodePools.get
- gkemulticloud.awsNodePools.list
- gkemulticloud.awsServerConfigs.get
- gkemulticloud.azureClients.get
- gkemulticloud.azureClients.list
- gkemulticloud.azureClusters.generateAccessToken
- gkemulticloud.azureClusters.get
- gkemulticloud.azureClusters.list
- gkemulticloud.azureNodePools.get
- gkemulticloud.azureNodePools.list
- gkemulticloud.azureServerConfigs.get
- gkemulticloud.operations.get
- gkemulticloud.operations.list
- gkemulticloud.operations.wait
- resourcemanager.projects.get
- resourcemanager.projects.list
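The two permission lists above are what an access review checks against: viewer covers only get, list, wait and the two token/manifest generation permissions, while admin carries gkemulticloud.*, that is, every current and future permission in the service. The following Python script is an added example, not code from the page or from Google; it encodes both role definitions, resolves which principals in an IAM policy can perform a given permission (expanding the gkemulticloud.* wildcard), and flags admin grants held by principals other than service accounts. The policy shape follows what `gcloud projects get-iam-policy PROJECT --format=json` returns; the members, etag and the permission gkemulticloud.attachedClusters.delete used for the "can delete" check are constructed sample values, and roles other than the two on this page (basic roles, custom roles) are deliberately not modelled.

```python
import json
from fnmatch import fnmatchcase

# Permission sets of the two predefined GKE attached clusters roles, copied from the
# page. Keys use the full "roles/" form that appears in IAM policy bindings.
ATTACHED_CLUSTER_ROLES = {
    "roles/gkemulticloud.admin": {
        "gkemulticloud.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/gkemulticloud.viewer": {
        "gkemulticloud.attachedClusters.get",
        "gkemulticloud.attachedClusters.list",
        "gkemulticloud.attachedServerConfigs.get",
        "gkemulticloud.attachedClusters.generateInstallManifest",
        "gkemulticloud.awsClusters.generateAccessToken",
        "gkemulticloud.awsClusters.get",
        "gkemulticloud.awsClusters.list",
        "gkemulticloud.awsNodePools.get",
        "gkemulticloud.awsNodePools.list",
        "gkemulticloud.awsServerConfigs.get",
        "gkemulticloud.azureClients.get",
        "gkemulticloud.azureClients.list",
        "gkemulticloud.azureClusters.generateAccessToken",
        "gkemulticloud.azureClusters.get",
        "gkemulticloud.azureClusters.list",
        "gkemulticloud.azureNodePools.get",
        "gkemulticloud.azureNodePools.list",
        "gkemulticloud.azureServerConfigs.get",
        "gkemulticloud.operations.get",
        "gkemulticloud.operations.list",
        "gkemulticloud.operations.wait",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
}

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`; members and etag are made up.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/gkemulticloud.admin",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/gkemulticloud.viewer",
     "members": ["group:sre-readonly@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def role_grants(role: str, permission: str) -> bool:
    """True if one of the two modelled roles covers `permission`.

    Wildcards such as gkemulticloud.* are matched with fnmatch. Roles that are not
    in the table (basic roles, custom roles) are not modelled and return False.
    """
    patterns = ATTACHED_CLUSTER_ROLES.get(role, ())
    return any(fnmatchcase(permission, pattern) for pattern in patterns)


def members_with_permission(policy: dict, permission: str) -> list[str]:
    """Sorted members holding `permission` via gkemulticloud.admin or .viewer.

    Bindings that carry an IAM condition are counted as granting, which is the
    conservative choice for an audit: the condition may be true at request time.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if role_grants(binding["role"], permission):
            members.update(binding.get("members", []))
    return sorted(members)


def admin_grants_to_non_service_accounts(policy: dict) -> list[str]:
    """Sorted principals holding gkemulticloud.admin that are not service accounts.

    Admin carries gkemulticloud.* (full control of every GKE Multi-Cloud resource),
    so these are the grants to confirm first when checking that people hold viewer
    unless their job actually requires admin.
    """
    flagged = set()
    for binding in policy.get("bindings", []):
        if binding["role"] != "roles/gkemulticloud.admin":
            continue
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                flagged.add(member)
    return sorted(flagged)


if __name__ == "__main__":
    print("can list attached clusters:",
          members_with_permission(SAMPLE_POLICY, "gkemulticloud.attachedClusters.list"))
    print("can delete attached clusters (admin wildcard only):",
          members_with_permission(SAMPLE_POLICY, "gkemulticloud.attachedClusters.delete"))
    print("admin held by non-service-account principals:",
          admin_grants_to_non_service_accounts(SAMPLE_POLICY))
```

To run it against a real project, replace SAMPLE_POLICY_JSON with the saved output of `gcloud projects get-iam-policy PROJECT --format=json`. Note that the script reports only grants made through these two roles; a principal may also reach these permissions through basic roles or custom roles, which are outside what the page describes and are ignored here.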
To learn how to grant and revoke these permissions, see Manage access to projects, folders, and organizations.