Access control with IAM

This page explains how you grant and manage access to Service Catalog using Identity and Access Management (IAM).

Before you begin

What is Identity and Access Management (IAM)?

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege , so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what (roles) permissions to which resources by setting IAM policies. IAM policies grant specific role(s) to a principal, giving the identity certain permissions.

For example, for a given resource, such as a project, you can assign the roles/compute.networkAdmin role to a Google account and that account can control network-related resources in the project, but cannot manage other resources, like instances and disks.

Service Catalog IAM roles

With IAM, every API method in both the Service Catalog API and Service Catalog Producer API require that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a principal, such as a user, group, or service account. In addition to the basic roles, Owner, Editor, and Viewer, you can assign the Service Catalog and Service Catalog Producer roles described in this page to principals.

The following tables list the IAM roles available to Service Catalog users. The tables are organized into different roles.

Catalog Org Admin

Role name Description Includes permissions
roles/cloudprivatecatalogproducer.orgAdmin

Manages Service Catalog settings at the Google Cloud organization level. Creates and manages Service Catalog resources, such as solutions and catalogs.
  • cloudprivatecatalogproducer.settings.*
  • cloudprivatecatalogproducer.catalogs.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.targets.*
  • cloudprivatecatalogproducer.producerCatalogs.*
  • cloudprivatecatalogproducer.catalogAssociations.*
  • cloudprivatecatalogproducer.products.*
  • cloudprivatecatalog.targets.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get

Catalog Admin

Role name Description Includes permissions
roles/cloudprivatecatalogproducer.admin

Creates and manages Service Catalog resources, such as solutions and catalogs.
  • cloudprivatecatalogproducer.catalogs.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.targets.*
  • cloudprivatecatalogproducer.producerCatalogs.*
  • cloudprivatecatalogproducer.catalogAssociations.*
  • cloudprivatecatalogproducer.products.*
  • cloudprivatecatalog.targets.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get

Catalog Manager

Role name Description Includes permissions
roles/cloudprivatecatalogproducer.manager

Views solutions and catalogs, and shares catalogs with Service Catalog users.
  • cloudprivatecatalog.targets.get
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.targets.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.producerCatalogs.get
  • cloudprivatecatalogproducer.producerCatalogs.list
  • cloudprivatecatalogproducer.catalogAssociations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get

Catalog Consumer

Role name Description Includes permissions
roles/cloudprivatecatalog.consumer Browses catalogs. Views and launches solutions. Operates under a target Google Cloud resource, such as an organization, project, or folder.
  • cloudprivatecatalog.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Adding users to Service Catalog IAM roles

Users, Google Groups, or domains must have the resourcemanager.organizations.setIamPolicy permission on the organization to add users to the Service Catalog IAM roles. You can give a user or group that permission by granting them the Organization Administrator role (roles/resourcemanager.organizationAdmin).

For example, if your organization would like users granted the Catalog Admin role to also be able to add and remove users and groups from the other Service Catalog IAM roles, then an Organization Administrator can do the following:

  • Create a Google Group for the users (MyCompanyCatalogAdmins).
  • Assign the Google Group (MyCompanyCatalogAdmins) the Organization Administrator role.
  • Assign the Google Group (MyCompanyCatalogAdmins) the Catalog Admin role.

In the example, members of the Google Group (MyCompanyCatalogAdmins) can assign users and groups to IAM roles in the organization because the group has been granted the setIamPolicy permission when granted the Organization Administrator role. As new Catalog Administrators join the organization, add them to the Google Group (MyCompanyCatalogAdmins) to grant them the desired roles.

To add a user, group, or domain to a Service Catalog IAM role, follow these steps.

  1. Sign in to the Google Cloud console IAM & admin page as an Organization Administrator.
    Go to the Google Cloud console IAM & admin page
  2. Select Cloud Private Catalog from the side menu.
  3. Select the role to assign:
    • Catalog Admin
    • Catalog Manager
    • Catalog Consumer
  4. Specify the users, groups, or domains to add.

What's next