Access control

With Private Catalog, cloud admins can make their products discoverable to their internal enterprise users. Cloud admins can manage their products and ensure that their users always launch the latest versions.

Prerequisites

  • You must have a Google Cloud organization and access to the organization
  • You must have the administrator role for your GCP organization

What is IAM?

Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you grant fine-grained access to specific Google Cloud resources while preventing unwanted access to other resources. Cloud IAM lets you adopt the security principle of least privilege, so that you grant only the access your resources actually need.

Cloud IAM lets you control who (identity) has what permission (role) on which resources by setting IAM policies. An IAM policy grants one or more roles to a project member, giving that identity a specific set of permissions. For example, on a given resource such as a project, you can assign the roles/compute.networkAdmin role to a Google account; that account can then control network-related resources in the project, but cannot manage other resources such as instances and disks.

Private Catalog IAM roles

With Cloud IAM, every API method in both the Private Catalog API and the Private Catalog Producer API requires that the identity making the request has the appropriate permissions on the resource. Permissions are granted by setting policies that bind roles to a user, group, or service account as a member of your project. In addition to the legacy roles (owner, editor, and viewer), you can assign the Private Catalog and Private Catalog Producer roles described on this page to the members of your project.

The following tables list the Cloud IAM roles available to Private Catalog users, one table per role.

Catalog admin role

Role name: roles/cloudprivatecatalogproducer.admin

Description: Full control over Private Catalog Producer resources, plus read access to association and target resources.

Includes permissions:

  • cloudprivatecatalogproducer.catalogs.create
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.update
  • cloudprivatecatalogproducer.catalogs.delete
  • cloudprivatecatalogproducer.catalogs.undelete
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.setIamPolicy
  • cloudprivatecatalogproducer.associations.create
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.associations.get
  • cloudprivatecatalogproducer.associations.delete

Catalog manager role

Role name: roles/cloudprivatecatalogproducer.manager

Description: Permissions to manage associations between Private Catalog Producer resources and target resources.

Includes permissions:

  • cloudprivatecatalog.targets.get
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.targets.associate
  • cloudprivatecatalogproducer.targets.unassociate
  • cloudprivatecatalogproducer.associations.get
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.associations.create
  • cloudprivatecatalogproducer.associations.delete

Catalog consumer role

Role name: roles/cloudprivatecatalog.consumer

Description: Permissions to browse catalogs under a target resource context.

Includes permissions:
  • cloudprivatecatalog.targets.get
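The role tables above can be turned into a least-privilege audit of an IAM policy: the script below (an added example, not part of this documentation or Google's tooling) maps each policy member to the permissions its Private Catalog roles grant, then flags members who can change catalog access and members outside the organization's domain. The policy document is a constructed sample in the bindings/members shape that get-iam-policy commands return; the domain and member names are assumptions.

```python
import json

# Role -> permissions, transcribed from the three role tables on this page.
ROLE_PERMISSIONS = {
    "roles/cloudprivatecatalogproducer.admin":
        {f"cloudprivatecatalogproducer.catalogs.{v}" for v in
         "create list get update delete undelete getIamPolicy setIamPolicy".split()}
        | {f"cloudprivatecatalogproducer.associations.{v}" for v in "create list get delete".split()},
    "roles/cloudprivatecatalogproducer.manager":
        {"cloudprivatecatalog.targets.get",
         "cloudprivatecatalogproducer.catalogs.get",
         "cloudprivatecatalogproducer.catalogs.list",
         "cloudprivatecatalogproducer.targets.associate",
         "cloudprivatecatalogproducer.targets.unassociate"}
        | {f"cloudprivatecatalogproducer.associations.{v}" for v in "get list create delete".split()},
    "roles/cloudprivatecatalog.consumer": {"cloudprivatecatalog.targets.get"},
}

# Permission that lets a holder change who else can reach catalogs; review its holders.
SENSITIVE = {"cloudprivatecatalogproducer.catalogs.setIamPolicy"}

def effective_permissions(policy: dict) -> dict:
    """Map each member to the union of permissions its Private Catalog roles grant.
    Roles outside the tables above are ignored."""
    result = {}
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding["role"], set())
        for member in binding.get("members", []):
            result.setdefault(member, set()).update(perms)
    return result

def audit(policy: dict, allowed_domain: str) -> list:
    """Findings: holders of a sensitive permission, and user accounts outside allowed_domain."""
    findings = []
    for member, perms in effective_permissions(policy).items():
        if perms & SENSITIVE:
            findings.append(f"{member} can set IAM policy on catalogs")
        if member.startswith("user:") and not member.endswith("@" + allowed_domain):
            findings.append(f"{member} is outside {allowed_domain}")
    return findings

# Constructed sample policy (assumed members and domain, not real accounts).
SAMPLE_POLICY = json.loads("""{"version": 1, "bindings": [
 {"role": "roles/cloudprivatecatalogproducer.admin", "members": ["user:alice@example.com"]},
 {"role": "roles/cloudprivatecatalogproducer.manager",
  "members": ["group:catalog-managers@example.com", "user:bob@contractor.example"]},
 {"role": "roles/cloudprivatecatalog.consumer", "members": ["domain:example.com"]}]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, "example.com"):
        print(finding)
```

Run against a real policy by replacing SAMPLE_POLICY with the parsed output of the corresponding get-iam-policy command for your organization or project.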

Next steps