역할 및 권한

이 페이지에서는 Network Connectivity Center를 사용하는 데 필요한 Identity and Access Management(IAM) 역할과 권한을 설명합니다.

대략적으로 다음이 필요합니다.

사전 정의된 역할에 설명된 사전 정의된 Network Connectivity Center 권한
추가 권한은 다음과 같습니다.
- 스포크를 만들려면 스포크 만들기 권한에 설명된 대로 관련된 스포크 리소스 유형을 읽을 수 있는 권한이 필요합니다.
- Google Cloud 콘솔에서 Network Connectivity Center 작업을 수행하려면 Google Cloud 콘솔에서 Network Connectivity Center를 사용하기 위한 권한에 설명된 것처럼 특정 Virtual Private Cloud(VPC) 네트워크 리소스를 볼 수 있는 권한이 필요합니다.

공유 VPC 네트워크에서 Network Connectivity Center를 사용해야 하는 경우 호스트 프로젝트에 필요한 모든 권한이 있어야 합니다. 허브, 스포크, 모든 관련 리소스가 호스트 프로젝트에 있어야 합니다.

권한을 부여하는 방법은 IAM 개요를 참조하세요.

사전 정의된 역할

다음 표에서는 Network Connectivity Center의 사전 정의된 역할을 설명합니다.

Role Permissions

Role	Permissions
Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.	`networkconnectivity.serviceConnectionPolicies.*` `networkconnectivity.serviceConnectionPolicies.create` `networkconnectivity.serviceConnectionPolicies.delete` `networkconnectivity.serviceConnectionPolicies.get` `networkconnectivity.serviceConnectionPolicies.list` `networkconnectivity.serviceConnectionPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group User (`roles/networkconnectivity.groupUser`) Enables use access on group resources	`networkconnectivity.groups.use`
Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRouteTables.setIamPolicy` `networkconnectivity.hubRoutes.` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubRoutes.setIamPolicy` `networkconnectivity.hubs.` `networkconnectivity.hubs.create` `networkconnectivity.hubs.delete` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.setIamPolicy` `networkconnectivity.hubs.update` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.*` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.locations.*` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Admin ^Beta (`roles/networkconnectivity.regionalEndpointAdmin`) Full access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.*` `networkconnectivity.regionalEndpoints.create` `networkconnectivity.regionalEndpoints.delete` `networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Viewer ^Beta (`roles/networkconnectivity.regionalEndpointViewer`) Read-only access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Class User uses a ServiceClass	`networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps	`networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.serviceClasses.` `networkconnectivity.serviceClasses.create` `networkconnectivity.serviceClasses.delete` `networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.update` `networkconnectivity.serviceClasses.use` `networkconnectivity.serviceConnectionMaps.` `networkconnectivity.serviceConnectionMaps.create` `networkconnectivity.serviceConnectionMaps.delete` `networkconnectivity.serviceConnectionMaps.get` `networkconnectivity.serviceConnectionMaps.list` `networkconnectivity.serviceConnectionMaps.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Automation Consumer Network Admin

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Admin ^Beta

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Viewer ^Beta

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Class User

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

Service Automation Service Producer Admin

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

추가 필수 권한

Network Connectivity Center에서 수행해야 하는 작업에 따라 다음 섹션에 설명된 대로 권한이 필요할 수 있습니다.

스포크 만들기 권한

스포크를 만들려면 스포크의 리소스 유형을 읽을 수 있는 권한이 있어야 합니다. 예를 들면 다음과 같습니다.

VPN 터널 스포크, VLAN 연결 스포크, 라우터 어플라이언스 스포크의 경우 compute.routers.get이 필요합니다.
라우터 어플라이언스 스포크를 만들려면 compute.instances.get이 필요합니다. 또한 라우터 어플라이언스 스포크를 사용할 수 있으려면 먼저 Cloud Router와 라우터 어플라이언스 인스턴스 사이의 피어링을 설정해야 합니다. 피어링을 설정하려면 다음 권한이 필요합니다.
- compute.instances.use
- compute.routers.update
VLAN 연결 스포크를 만들려면 compute.interconnectAttachments.get이 필요합니다.
VPN 터널 스포크를 만들려면 compute.vpnTunnels.get이 필요합니다.
VPC 스포크를 만들려면 다음 권한이 필요합니다.
- compute.networks.use
- compute.networks.get
연결된 허브와 다른 프로젝트에서 VPC 스포크를 만들려면 networkconnectivity.groups.use가 필요합니다.

Google Cloud 콘솔에서 Network Connectivity Center를 사용할 수 있는 권한

Google Cloud 콘솔에서 Network Connectivity Center를 사용하려면 Compute 네트워크 뷰어(roles/compute.networkViewer)와 같이 다음 표에 설명된 권한이 포함된 역할이 필요합니다. 이러한 권한을 사용하려면 먼저 커스텀 역할을 만들어야 합니다.

태스크	필수 권한
Network Connectivity Center 페이지에 액세스	`compute.projects.get` `compute.networks.get`
스포크 추가 페이지 액세스 및 사용	`compute.networks.list` `compute.regions.list` `compute.routers.list` `compute.zones.list` `compute.networks.get`
VLAN 연결 스포크 추가	`compute.interconnectAttachments.list` `compute.interconnectAttachments.get` `compute.networks.get` `compute.routers.list` `compute.routers.get`
VPN 터널 스포크 추가	`compute.forwardingRules.list` `compute.networks.get` `compute.routers.get` `compute.routers.list` `compute.targetVpnGateways.list` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list`
라우터 어플라이언스 스포크 추가	`compute.instances.list` `compute.instances.get` `compute.networks.get`
VPC 스포크 추가	`compute.networks.use` `compute.networks.get` `compute.subnetworks.list`

VPC 서비스 제어로 리소스 보호

Network Connectivity Center 리소스를 더 보호하려면 VPC 서비스 제어를 사용합니다.

VPC 서비스 제어는 데이터 무단 반출 위험을 줄이기 위해 추가적인 보안을 리소스에 제공합니다. VPC 서비스 제어를 사용하면 서비스 경계 내에 Network Connectivity Center 리소스를 배치할 수 있습니다. 그러면 VPC 서비스 제어가 경계 외부에서 시작하는 요청으로부터 이러한 리소스를 보호합니다.

서비스 경계에 대한 자세한 내용은 VPC 서비스 제어 문서의 서비스 경계 구성 페이지를 참조하세요.

다음 단계

프로젝트 역할 및 Google Cloud 리소스에 대한 자세한 내용은 다음 문서를 참조하세요.

IAM 역할 및 권한에 대한 자세한 내용은 IAM을 사용하는 프로젝트의 액세스 제어를 참조하세요.
역할 유형을 이해하려면 Identity and Access Management 기본 및 사전 정의된 역할 참조를 확인하세요.
사전 정의된 역할에 대한 자세한 내용은 Compute Engine IAM 역할 및 권한을 참조하세요.
Network Connectivity Center에 대한 자세한 내용은 Network Connectivity Center 개요를 참조하세요.
허브 및 스포크를 관리하는 방법을 알아보려면 허브 및 스포크 작업을 참조하세요.

역할 및 권한

사전 정의된 역할

Service Automation Consumer Network Admin

Group User

Hub & Spoke Admin

Hub & Spoke Viewer

Regional Endpoint Admin Beta

Regional Endpoint Viewer Beta

Service Class User

Service Automation Service Producer Admin

Spoke Admin

추가 필수 권한

스포크 만들기 권한

Google Cloud 콘솔에서 Network Connectivity Center를 사용할 수 있는 권한

VPC 서비스 제어로 리소스 보호

다음 단계

Regional Endpoint Admin ^Beta

Regional Endpoint Viewer ^Beta