Papéis e permissões

Nesta página, descrevemos os papéis e as permissões do Identity and Access Management (IAM, na sigla em inglês) necessários para usar o Network Connectivity Center.

Em geral, você precisa de:

Se precisar trabalhar com o Network Connectivity Center em uma rede VPC compartilhada, você precisará ter todas as permissões necessárias no projeto host. Um hub, os spokes dele e todos os recursos relacionados precisam estar no projeto host.

Para mais informações sobre como conceder permissões, consulte a visão geral do IAM.

Papéis predefinidos

A tabela a seguir descreve os papéis predefinidos do Network Connectivity Center.

Role Permissions

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.queryStatus
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Outras permissões obrigatórias

Dependendo do que você precisa fazer no Network Connectivity Center, talvez precise das permissões descritas nas seções a seguir.

Permissão para criar um spoke

Para criar um spoke, você precisa ter permissão para ler o tipo de recurso do spoke. Exemplo:

  • Para spokes de túnel VPN, anexos de VLAN e spokes do dispositivo roteador, você precisa de compute.routers.get.
  • Para criar spokes do dispositivo do Router, você precisa de compute.instances.get. Além disso, antes de usar um spoke do dispositivo do Router, você precisa configurar o peering entre o Cloud Router e a instância do appliance do roteador. Para estabelecer o peering, você precisa das seguintes permissões:
    • compute.instances.use
    • compute.routers.update
  • Para criar spokes de anexos da VLAN, você precisa de compute.interconnectAttachments.get.
  • Para criar spokes de túnel de VPN, você precisa de compute.vpnTunnels.get.
  • Para criar spokes de VPC, você precisa das seguintes permissões:

    • compute.networks.use
    • compute.networks.get
  • Para criar spokes de VPC em um projeto diferente do hub ao qual ele está associado, você precisa de networkconnectivity.groups.use.

Permissão para usar o Network Connectivity Center no console do Google Cloud

Para usar o Network Connectivity Center no console do Google Cloud, você precisa de um papel como Visualizador de rede do Compute (roles/compute.networkViewer), que inclui as permissões descritas na tabela a seguir. Para usar essas permissões, é necessário primeiro criar um papel personalizado.

Tarefa

Permissões necessárias

Acessar a página Network Connectivity Center
  • compute.projects.get
  • compute.networks.get
Acessar e usar a página Adicionar spokes
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
  • compute.networks.get
Adicionar um spoke de anexo da VLAN
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.get
  • compute.networks.get
  • compute.routers.list
  • compute.routers.get
Adicionar um spoke do túnel VPN
  • compute.forwardingRules.list
  • compute.networks.get
  • compute.routers.get
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
Adicionar um spoke do dispositivo roteador
  • compute.instances.list
  • compute.instances.get
  • compute.networks.get
Adicionar um spoke VPC
  • compute.networks.use
  • compute.networks.get
  • compute.subnetworks.list

Como proteger recursos com o VPC Service Controls

Para proteger ainda mais os recursos do Network Connectivity Center, use o VPC Service Controls.

O VPC Service Controls oferece mais segurança aos recursos para ajudar a reduzir o risco de exfiltração de dados. Ao usar o VPC Service Controls, é possível colocar os recursos do Network Connectivity Center dentro dos perímetros de serviço. O VPC Service Controls protege esses recursos de solicitações originadas fora do perímetro.

Para mais informações sobre perímetros de serviço, consulte a página de configuração do perímetro de serviço na documentação do VPC Service Controls.

A seguir

Para mais informações sobre papéis do projeto e recursos do Google Cloud, consulte a seguinte documentação: