This page describes the Identity and Access Management (IAM) roles and permissions required to use Network Connectivity Center.
In summary, you need the following:
- The predefined Network Connectivity Center permissions, described in Predefined roles.
- Additional permissions, described in Additional required permissions.
If you need to use Network Connectivity Center with a Shared VPC network, you must hold all required permissions in the host project. The hub, its spokes, and all related resources must reside in the host project, so a role granted only in a service project does not authorize Network Connectivity Center operations.
For information about how to grant permissions, see the IAM overview.
Predefined roles
The following describes the predefined roles for Network Connectivity Center and the permissions that each role contains.
Role: Service Automation Consumer Network Admin (roles/networkconnectivity.consumerNetworkAdmin)
Description: Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.
Permissions:
- networkconnectivity.serviceConnectionPolicies.*
  - networkconnectivity.serviceConnectionPolicies.create
  - networkconnectivity.serviceConnectionPolicies.delete
  - networkconnectivity.serviceConnectionPolicies.get
  - networkconnectivity.serviceConnectionPolicies.list
  - networkconnectivity.serviceConnectionPolicies.update
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Group User (roles/networkconnectivity.groupUser)
Description: Grants use access to group resources.
Permissions:
- networkconnectivity.groups.use

Role: Hub & Spoke Admin (roles/networkconnectivity.hubAdmin)
Description: Grants full access to hub and spoke resources.
Lowest-level resources where you can grant this role:
Permissions:
- networkconnectivity.groups.*
  - networkconnectivity.groups.acceptSpoke
  - networkconnectivity.groups.get
  - networkconnectivity.groups.getIamPolicy
  - networkconnectivity.groups.list
  - networkconnectivity.groups.rejectSpoke
  - networkconnectivity.groups.setIamPolicy
  - networkconnectivity.groups.use
- networkconnectivity.hubRouteTables.*
  - networkconnectivity.hubRouteTables.get
  - networkconnectivity.hubRouteTables.getIamPolicy
  - networkconnectivity.hubRouteTables.list
  - networkconnectivity.hubRouteTables.setIamPolicy
- networkconnectivity.hubRoutes.*
  - networkconnectivity.hubRoutes.get
  - networkconnectivity.hubRoutes.getIamPolicy
  - networkconnectivity.hubRoutes.list
  - networkconnectivity.hubRoutes.setIamPolicy
- networkconnectivity.hubs.*
  - networkconnectivity.hubs.create
  - networkconnectivity.hubs.delete
  - networkconnectivity.hubs.get
  - networkconnectivity.hubs.getIamPolicy
  - networkconnectivity.hubs.list
  - networkconnectivity.hubs.listSpokes
  - networkconnectivity.hubs.queryStatus
  - networkconnectivity.hubs.setIamPolicy
  - networkconnectivity.hubs.update
- networkconnectivity.locations.*
  - networkconnectivity.locations.get
  - networkconnectivity.locations.list
- networkconnectivity.operations.*
  - networkconnectivity.operations.cancel
  - networkconnectivity.operations.delete
  - networkconnectivity.operations.get
  - networkconnectivity.operations.list
- networkconnectivity.spokes.*
  - networkconnectivity.spokes.create
  - networkconnectivity.spokes.delete
  - networkconnectivity.spokes.get
  - networkconnectivity.spokes.getIamPolicy
  - networkconnectivity.spokes.list
  - networkconnectivity.spokes.setIamPolicy
  - networkconnectivity.spokes.update
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Hub & Spoke Viewer (roles/networkconnectivity.hubViewer)
Description: Grants read-only access to hub and spoke resources.
Lowest-level resources where you can grant this role:
Permissions:
- networkconnectivity.groups.get
- networkconnectivity.groups.getIamPolicy
- networkconnectivity.groups.list
- networkconnectivity.hubRouteTables.get
- networkconnectivity.hubRouteTables.getIamPolicy
- networkconnectivity.hubRouteTables.list
- networkconnectivity.hubRoutes.get
- networkconnectivity.hubRoutes.getIamPolicy
- networkconnectivity.hubRoutes.list
- networkconnectivity.hubs.get
- networkconnectivity.hubs.getIamPolicy
- networkconnectivity.hubs.list
- networkconnectivity.hubs.listSpokes
- networkconnectivity.hubs.queryStatus
- networkconnectivity.locations.*
  - networkconnectivity.locations.get
  - networkconnectivity.locations.list
- networkconnectivity.spokes.get
- networkconnectivity.spokes.getIamPolicy
- networkconnectivity.spokes.list
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Regional Endpoint Admin (roles/networkconnectivity.regionalEndpointAdmin)
Description: Grants full access to all Regional Endpoint resources.
Permissions:
- networkconnectivity.regionalEndpoints.*
  - networkconnectivity.regionalEndpoints.create
  - networkconnectivity.regionalEndpoints.delete
  - networkconnectivity.regionalEndpoints.get
  - networkconnectivity.regionalEndpoints.list
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Regional Endpoint Viewer (roles/networkconnectivity.regionalEndpointViewer)
Description: Grants read-only access to all Regional Endpoint resources.
Permissions:
- networkconnectivity.regionalEndpoints.get
- networkconnectivity.regionalEndpoints.list
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Service Class User (roles/networkconnectivity.serviceClassUser)
Description: Service Class User can use a ServiceClass.
Permissions:
- networkconnectivity.serviceClasses.get
- networkconnectivity.serviceClasses.list
- networkconnectivity.serviceClasses.use
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Service Automation Service Producer Admin (roles/networkconnectivity.serviceProducerAdmin)
Description: Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps.
Permissions:
- networkconnectivity.operations.get
- networkconnectivity.operations.list
- networkconnectivity.serviceClasses.*
  - networkconnectivity.serviceClasses.create
  - networkconnectivity.serviceClasses.delete
  - networkconnectivity.serviceClasses.get
  - networkconnectivity.serviceClasses.list
  - networkconnectivity.serviceClasses.update
  - networkconnectivity.serviceClasses.use
- networkconnectivity.serviceConnectionMaps.*
  - networkconnectivity.serviceConnectionMaps.create
  - networkconnectivity.serviceConnectionMaps.delete
  - networkconnectivity.serviceConnectionMaps.get
  - networkconnectivity.serviceConnectionMaps.list
  - networkconnectivity.serviceConnectionMaps.update
- resourcemanager.projects.get
- resourcemanager.projects.list

Role: Spoke Admin (roles/networkconnectivity.spokeAdmin)
Description: Grants full access to spoke resources and read-only access to hub resources.
Lowest-level resources where you can grant this role:
Permissions:
- networkconnectivity.hubRouteTables.get
- networkconnectivity.hubRouteTables.getIamPolicy
- networkconnectivity.hubRouteTables.list
- networkconnectivity.hubRoutes.get
- networkconnectivity.hubRoutes.getIamPolicy
- networkconnectivity.hubRoutes.list
- networkconnectivity.hubs.get
- networkconnectivity.hubs.getIamPolicy
- networkconnectivity.hubs.list
- networkconnectivity.locations.*
  - networkconnectivity.locations.get
  - networkconnectivity.locations.list
- networkconnectivity.operations.get
- networkconnectivity.operations.list
- networkconnectivity.spokes.*
  - networkconnectivity.spokes.create
  - networkconnectivity.spokes.delete
  - networkconnectivity.spokes.get
  - networkconnectivity.spokes.getIamPolicy
  - networkconnectivity.spokes.list
  - networkconnectivity.spokes.setIamPolicy
  - networkconnectivity.spokes.update
- resourcemanager.projects.get
- resourcemanager.projects.list
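The following is an added example, not code from the Google Cloud documentation. It turns two points on this page into an offline check you can run against an exported project policy (`gcloud projects get-iam-policy PROJECT --format=json`): the predefined roles are expanded using the permission lists above (trimmed to hub, spoke, and group permissions), and the Shared VPC rule is applied, so a grant that exists only in a service project is reported as misplaced rather than counted. It also picks the smallest predefined role that covers a given set of permissions, which is the question to ask before handing out Hub & Spoke Admin. The policies, principals, and project names are constructed for the example.

```python
"""Offline least-privilege check for Network Connectivity Center (NCC) IAM bindings.

Added example; not code from the Google Cloud documentation. Role expansion
uses the permission lists on this page; policies below are constructed.
"""
import json
from typing import Dict, Optional, Set, Tuple

# Permission sets copied from the predefined-role list on this page, trimmed to
# the hub, spoke and group permissions this check reasons about. Wildcards such
# as networkconnectivity.spokes.* are written out expanded, as on the page.
NCC_ROLES: Dict[str, Set[str]] = {
    "roles/networkconnectivity.hubAdmin": {
        "networkconnectivity.hubs.create", "networkconnectivity.hubs.delete",
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
        "networkconnectivity.hubs.update", "networkconnectivity.hubs.setIamPolicy",
        "networkconnectivity.spokes.create", "networkconnectivity.spokes.delete",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.list",
        "networkconnectivity.spokes.update",
        "networkconnectivity.groups.acceptSpoke", "networkconnectivity.groups.rejectSpoke",
    },
    "roles/networkconnectivity.spokeAdmin": {
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
        "networkconnectivity.spokes.create", "networkconnectivity.spokes.delete",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.list",
        "networkconnectivity.spokes.update",
    },
    "roles/networkconnectivity.hubViewer": {
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
        "networkconnectivity.hubs.listSpokes",
        "networkconnectivity.spokes.get", "networkconnectivity.spokes.list",
    },
    "roles/networkconnectivity.groupUser": {"networkconnectivity.groups.use"},
}


def effective_permissions(policy: dict, member: str) -> Tuple[Set[str], Set[str]]:
    """Expand the member's unconditional NCC role bindings into permissions.

    Returns (permissions, unexpanded). `unexpanded` lists bindings this table
    cannot expand: roles it does not know (basic roles such as roles/owner,
    custom roles) and conditional bindings, which may not hold at request time
    and therefore must not be counted as a guaranteed grant.
    """
    perms: Set[str] = set()
    unexpanded: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if "condition" in binding:
            unexpanded.add(f"{role} (conditional)")
        elif role in NCC_ROLES:
            perms |= NCC_ROLES[role]
        else:
            unexpanded.add(role)
    return perms, unexpanded


def audit_member(host_policy: dict, service_policy: dict, member: str,
                 needed: Set[str]) -> Dict[str, list]:
    """Check one principal against the Shared VPC rule on this page.

    The hub, its spokes and related resources live in the host project, so the
    needed permissions must be granted there. A grant that exists only in the
    service project does not authorize NCC operations; it is reported as
    misplaced so it can be moved to the host project or removed.
    """
    host_perms, host_unexpanded = effective_permissions(host_policy, member)
    svc_perms, _ = effective_permissions(service_policy, member)
    return {
        "missing_in_host": sorted(needed - host_perms),
        "misplaced_in_service_project": sorted((needed & svc_perms) - host_perms),
        "unexpanded_in_host": sorted(host_unexpanded),
    }


def least_privilege_role(needed: Set[str]) -> Optional[str]:
    """Smallest predefined role on this page whose permissions cover `needed`."""
    fits = [(len(perms), role) for role, perms in NCC_ROLES.items() if needed <= perms]
    return min(fits)[1] if fits else None


# Constructed sample policies in the shape of
# `gcloud projects get-iam-policy PROJECT --format=json`; not real exports.
SPOKE_BOT = "serviceAccount:spoke-bot@svc-proj.iam.gserviceaccount.com"
HOST_POLICY = json.loads("""{"bindings": [
  {"role": "roles/networkconnectivity.hubAdmin", "members": ["group:netops@example.com"]},
  {"role": "roles/networkconnectivity.hubViewer", "members": ["%s"]}]}""" % SPOKE_BOT)
SERVICE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/networkconnectivity.spokeAdmin", "members": ["%s"]}]}""" % SPOKE_BOT)

# What an automated spoke creator actually needs: read the hub, create the spoke.
SPOKE_CREATOR_NEEDS = {"networkconnectivity.hubs.get", "networkconnectivity.spokes.create"}

if __name__ == "__main__":
    report = audit_member(HOST_POLICY, SERVICE_POLICY, SPOKE_BOT, SPOKE_CREATOR_NEEDS)
    print(json.dumps(report, indent=2))
    print("smallest covering role:", least_privilege_role(SPOKE_CREATOR_NEEDS))
```

In the sample, the spoke-creating service account holds Spoke Admin in the service project and only Hub & Spoke Viewer in the host project; the report lists `networkconnectivity.spokes.create` as both missing in the host project and misplaced in the service project, and the smallest role that would fix it is `roles/networkconnectivity.spokeAdmin`, not Hub & Spoke Admin. Bindings with a condition and roles outside this page's list are surfaced for manual review instead of being silently expanded.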
Additional required permissions
Depending on what you need to do in Network Connectivity Center, you might also need the permissions described in the following sections.
Permissions to create a spoke
To create a spoke, you must also have permission to read the resource type that you attach as the spoke. For example:
Permissions to use Network Connectivity Center in the Google Cloud console
To use Network Connectivity Center in the Google Cloud console, you need a role such as Compute Network Viewer (roles/compute.networkViewer) that provides the permissions described in the following table. To grant only these permissions rather than a broader predefined role, create a custom role that contains them.
Task: Access the Network Connectivity Center page
Required permissions:
- compute.projects.get
- compute.networks.get

Task: Access and use the Add spoke page
Required permissions:
- compute.networks.list
- compute.regions.list
- compute.routers.list
- compute.zones.list
- compute.networks.get

Task: Add a VLAN attachment spoke
Required permissions:
- compute.interconnectAttachments.list
- compute.interconnectAttachments.get
- compute.networks.get
- compute.routers.list
- compute.routers.get

Task: Add a VPN tunnel spoke
Required permissions:
- compute.forwardingRules.list
- compute.networks.get
- compute.routers.get
- compute.routers.list
- compute.targetVpnGateways.list
- compute.vpnGateways.list
- compute.vpnTunnels.get
- compute.vpnTunnels.list

Task: Add a Router appliance spoke
Required permissions:
- compute.instances.list
- compute.instances.get
- compute.networks.get

Task: Add a VPC spoke
Required permissions:
- compute.networks.use
- compute.networks.get
- compute.subnetworks.list
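The following is an added example, not code from the Google Cloud documentation. It takes the console task table above and does the two things a practitioner needs from it: it assembles the permission set for a chosen set of tasks into a custom-role definition file in the format `gcloud iam roles create ROLE_ID --project=PROJECT --file=FILE` accepts (keys `title`, `description`, `stage`, `includedPermissions`), and it builds the request body for the Resource Manager `projects.testIamPermissions` method and interprets its response, which returns the subset of the listed permissions the caller holds, so you can see exactly which console task a principal is short for. The task keys, role title, and sample response are constructed for the example. Note that `compute.networks.use` (needed to add a VPC spoke) is the only entry in the table that is not a get or list permission, so check it separately when you scope a read-mostly role.

```python
"""Build a custom role and a testIamPermissions check from the console task table.

Added example; not code from the Google Cloud documentation. Task keys, the
role title and the sample response are constructed. Standard library only.
"""
import json
from typing import Dict, Iterable, List

# Copied from the console task table on this page. compute.networks.use (add a
# VPC spoke) is the only permission here that is not a get or list permission.
CONSOLE_TASKS: Dict[str, set] = {
    "browse": {"compute.projects.get", "compute.networks.get"},
    "add_spoke_page": {"compute.networks.list", "compute.regions.list",
                       "compute.routers.list", "compute.zones.list", "compute.networks.get"},
    "vlan_attachment_spoke": {"compute.interconnectAttachments.list",
                              "compute.interconnectAttachments.get", "compute.networks.get",
                              "compute.routers.list", "compute.routers.get"},
    "vpn_tunnel_spoke": {"compute.forwardingRules.list", "compute.networks.get",
                         "compute.routers.get", "compute.routers.list",
                         "compute.targetVpnGateways.list", "compute.vpnGateways.list",
                         "compute.vpnTunnels.get", "compute.vpnTunnels.list"},
    "router_appliance_spoke": {"compute.instances.list", "compute.instances.get",
                               "compute.networks.get"},
    "vpc_spoke": {"compute.networks.use", "compute.networks.get", "compute.subnetworks.list"},
}


def permissions_for(tasks: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated union of the permissions the given tasks need."""
    perms: set = set()
    for task in tasks:
        perms |= CONSOLE_TASKS[task]  # an unknown task key raises KeyError on purpose
    return sorted(perms)


def custom_role_yaml(title: str, tasks: Iterable[str], description: str = "") -> str:
    """Role definition for `gcloud iam roles create ROLE_ID --project=PROJECT --file=FILE`.

    Only the keys that command accepts are emitted: title, description, stage
    and includedPermissions. Written by hand so no YAML library is needed.
    """
    lines = [f"title: {title}", f"description: {description or title}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in permissions_for(tasks)]
    return "\n".join(lines) + "\n"


def iam_permissions_request_body(tasks: Iterable[str]) -> str:
    """JSON body for projects.testIamPermissions (Resource Manager API).

    POST it to https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT:testIamPermissions
    as the principal under test; the response lists the subset it holds.
    """
    return json.dumps({"permissions": permissions_for(tasks)})


def tasks_missing(response: dict) -> Dict[str, List[str]]:
    """Map a testIamPermissions response back to console tasks.

    For each task, returns the permissions the caller lacks; an empty list
    means the task is fully covered.
    """
    granted = set(response.get("permissions", []))
    return {task: sorted(need - granted) for task, need in CONSOLE_TASKS.items()}


# Constructed sample response for a principal that holds only read permissions.
SAMPLE_RESPONSE = {"permissions": [
    "compute.projects.get", "compute.networks.get", "compute.networks.list",
    "compute.regions.list", "compute.routers.list", "compute.zones.list",
    "compute.subnetworks.list"]}

if __name__ == "__main__":
    print(custom_role_yaml("NCC Console Spoke Operator", ["browse", "add_spoke_page", "vpc_spoke"]))
    print(iam_permissions_request_body(["browse", "vpc_spoke"]))
    print(json.dumps(tasks_missing(SAMPLE_RESPONSE), indent=2))
```

With the sample response, browsing and the Add spoke page are fully covered, adding a VPC spoke is short exactly `compute.networks.use`, and adding a Router appliance spoke is short the two `compute.instances` permissions. Generate the role file once per operator profile rather than granting a broad viewer role, and keep `compute.networks.use` out of profiles that never create VPC spokes.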
Protect resources with VPC Service Controls
To further protect Network Connectivity Center resources, use VPC Service Controls.
VPC Service Controls adds a layer of protection to your resources and helps reduce the risk of data exfiltration. With VPC Service Controls, you place Network Connectivity Center resources inside a service perimeter; VPC Service Controls then protects those resources from requests that originate outside the perimeter. A perimeter complements the IAM roles described on this page rather than replacing them: a caller still needs the appropriate permissions, and in addition must be inside the perimeter.
For more information about service perimeters, see Service perimeter configuration in the VPC Service Controls documentation.
What's next
To learn more about project roles and Google Cloud resources, see the following documents: