# Access control for projects with IAM

Google Cloud offers [Identity and Access Management (IAM)](/iam/docs/overview), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the [security principle of least privilege](https://wikipedia.org/wiki/Principle_of_least_privilege), so you grant only the necessary access to your resources.

IAM lets you control **who (users)** has **what access (roles)** to **which resources** by setting allow policies. Allow policies grant specific roles to a user, giving the user certain permissions.

This page explains the IAM permissions and roles you can use to manage access to projects. For more information, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

> **Note:** You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see [Deny policies](/iam/docs/deny-overview).

> **Note:** If you're getting started with Google Cloud, you can set up your resource hierarchy and grant initial access as part of the [Google Cloud setup process](/docs/enterprise/setup-checklist).

Permissions and roles
---------------------

To control access to resources, Google Cloud requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. For example, the `resourcemanager.projects.delete` permission allows a user to delete a project.

You don't directly give users permissions; instead, you grant them *roles*, which have one or more permissions bundled within them. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the [resource hierarchy](/resource-manager/docs/cloud-platform-resource-hierarchy).

### Permissions

To manage projects, the caller must have a role that includes the following permissions. The role is granted on the organization resource or folder that contains the projects:

### Using predefined roles

IAM predefined roles allow you to carefully manage the set of permissions that your users have access to. For a full list of the roles that can be granted at the project level, see [Understanding Roles](/iam/docs/understanding-roles).

The following table lists the predefined roles that you can use to grant access to a project. Each role includes a description of what the role does, and the permissions included in that role.

### Basic roles

Avoid using basic roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use basic roles, see [Basic roles](/iam/docs/roles-overview#basic).

### Creating custom roles

In addition to the predefined roles described in this topic, you can also create [custom roles](/iam/docs/understanding-custom-roles) that are collections of permissions that you tailor to your needs. When creating a custom role for use with Resource Manager, be aware of the following points:

- List and get permissions, such as `resourcemanager.projects.get/list`, should always be granted as a pair.
- When your custom role includes the `folders.list` and `folders.get` permissions, it should also include `projects.list` and `projects.get`.
- Be aware that the `setIamPolicy` permission for organization, folder, and project resources allows the user to grant all other permissions, and so should be assigned with care.

Access control at the project level
-----------------------------------

You can grant roles to users at the project level using the [Google Cloud console](https://console.cloud.google.com/), the Cloud Resource Manager API, and the Google Cloud CLI. For instructions, see [Granting, Changing, and Revoking Access](/iam/docs/granting-changing-revoking-access).

### Default roles

When you create a project, you are granted the **roles/owner** role for the project to provide you full control as the creator. This default role can be changed as normal in an allow policy.

VPC Service Controls
--------------------

**VPC Service Controls** can provide additional security when using the Cloud Resource Manager API. To learn more about VPC Service Controls, see the [VPC Service Controls overview](/vpc-service-controls/docs/overview).

To learn about the current limitations in using Resource Manager with VPC Service Controls, see the [supported products and limitations](/vpc-service-controls/docs/supported-products) page.

Last updated 2024-12-21 UTC.
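The following added example (not part of the original page or of any Google tool) checks an allow policy and custom-role definitions against the rules above: it flags basic roles held by any member, get/list permissions granted without their partner, `folders.get/list` without `projects.get/list`, and any Resource Manager `setIamPolicy` permission. The policy and role data are constructed for the example; the policy dict mirrors the JSON shape of `gcloud projects get-iam-policy`.

```python
"""Audit an IAM allow policy and custom roles against this page's guidance:
avoid basic roles, grant get/list in pairs, and treat setIamPolicy with care.
All policy and role data below is constructed for this example."""
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# setIamPolicy on a Resource Manager resource lets the holder grant any role there.
SET_IAM_POLICY = {f"resourcemanager.{r}.setIamPolicy"
                  for r in ("organizations", "folders", "projects")}

# Constructed allow policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (etag is a placeholder).
SAMPLE_POLICY = {
    "version": 1, "etag": "PLACEHOLDER-ETAG",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "projects/example-project/roles/lister",
         "members": ["serviceAccount:inventory@example-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed custom roles: role name -> includedPermissions.
SAMPLE_CUSTOM_ROLES = {
    "projects/example-project/roles/lister": [
        "resourcemanager.projects.list", "resourcemanager.projects.setIamPolicy"],
    "projects/example-project/roles/folderViewer": [
        "resourcemanager.folders.get", "resourcemanager.folders.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"],
}

def audit_policy(policy):
    """Flag every member that holds a basic role in an allow policy."""
    return [f"basic role {b['role']} granted to {m}"
            for b in policy.get("bindings", []) if b["role"] in BASIC_ROLES
            for m in b.get("members", [])]

def audit_custom_role(name, permissions):
    """Flag unpaired get/list, folders.* without projects.*, and setIamPolicy."""
    perms, findings = set(permissions), []
    for p in sorted(perms):
        base, verb = p.rsplit(".", 1)
        if verb in ("get", "list"):  # get and list should travel as a pair
            partner = f"{base}.{'list' if verb == 'get' else 'get'}"
            if partner not in perms:
                findings.append(f"{name}: {p} granted without {partner}")
    for verb in ("get", "list"):  # folders.get/list also need projects.get/list
        if f"resourcemanager.folders.{verb}" in perms and f"resourcemanager.projects.{verb}" not in perms:
            findings.append(f"{name}: folders.{verb} requires projects.{verb}")
    for p in sorted(perms & SET_IAM_POLICY):
        findings.append(f"{name}: {p} lets the holder grant every other role")
    return findings
```

Run `audit_policy` on the output of `gcloud projects get-iam-policy` and `audit_custom_role` on each `gcloud iam roles describe` result to get a list of findings; an empty list means the checks on this page all passed.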