角色与权限

本页面介绍使用 Network Connectivity Center 所需的 Identity and Access Management (IAM) 角色和权限。

概括来讲,您需要执行以下步骤:

请注意,如果您需要在共享 VPC 网络中使用 Network Connectivity Center,则必须在宿主项目中拥有所有需要的权限。Hub、其 Spoke 以及所有相关资源都必须位于宿主项目中。

如需了解如何授予权限,请参阅 IAM 概览

预定义角色

下表介绍了 Network Connectivity Center 的预定义角色。

Role Permissions

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.*

  • networkconnectivity.groups.acceptSpoke
  • networkconnectivity.groups.get
  • networkconnectivity.groups.getIamPolicy
  • networkconnectivity.groups.list
  • networkconnectivity.groups.rejectSpoke
  • networkconnectivity.groups.setIamPolicy
  • networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

  • networkconnectivity.hubRouteTables.get
  • networkconnectivity.hubRouteTables.getIamPolicy
  • networkconnectivity.hubRouteTables.list
  • networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

  • networkconnectivity.hubRoutes.get
  • networkconnectivity.hubRoutes.getIamPolicy
  • networkconnectivity.hubRoutes.list
  • networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

其他必需的权限

根据您在 Network Connectivity Center 中需要执行的操作,您可能还需要以下各部分中所述的权限。

创建 Spoke 的权限

如需创建 Spoke,您必须有权读取该资源类型。例如:

  • 对于 VPN 隧道 Spoke、VLAN 连接 Spoke 和路由器设备 Spoke,您需要 compute.routers.get
  • 如需创建路由器设备 Spoke,您需要 compute.instances.get。 此外,您必须先在 Cloud Router 路由器和路由器设备实例之间设置对等互连,然后才能使用路由器设备 spoke。如需建立对等互连,您需要以下权限:
    • compute.instances.use
    • compute.routers.update
  • 如需创建 VLAN 连接 Spoke,您需要 compute.interconnectAttachments.get
  • 如需创建 VPN 隧道 Spoke,您需要 compute.vpnTunnels.get

  • 如需创建 VPC Spoke,您需要以下权限:

    • compute.networks.use
    • compute.networks.get

  • 如需在不同于 Hub 的其他项目(与 Hub 关联)中创建 VPC Spoke,您需要 networkconnectivity.groups.use

在 Google Cloud 控制台中使用 Network Connectivity Center 的权限

如需在 Google Cloud 控制台中使用 Network Connectivity Center,您需要一个诸如 Compute Network Viewer (roles/compute.networkViewer) 之类的角色,以提供下表中所述的权限。 如需使用这些权限,您必须先创建自定义角色

任务

所需权限
访问 Network Connectivity Center 页面
  • compute.projects.get
访问并使用添加 Spoke 页面
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
添加 VLAN 连接 Spoke
  • compute.interconnectAttachments.list
添加 VPN Spoke
  • compute.forwardingRules.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list

使用 VPC Service Controls 保护资源

如需进一步保护 Network Connectivity Center 资源,请使用 VPC Service Controls。

VPC Service Controls 可为您的资源提供额外的安全保障,有助于降低数据渗漏的风险。通过使用 VPC Service Controls,您可以将 Network Connectivity Center 资源放置在服务边界内。然后,VPC Service Controls 会保护这些资源免受源自边界外的请求。

如需详细了解服务边界,请参阅 VPC Service Controls 文档中的服务边界配置页面。

后续步骤

如需详细了解项目角色和 Google Cloud 资源,请参阅以下文档: