Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Service Directory API roles. For a detailed description of IAM, read the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions.
Permissions and Roles
Every Service Directory API method requires the caller to have the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. In addition to the primitive roles owner, editor, and viewer, you can grant Service Directory API roles to the users of your project.
You can find out which permissions are required for each method in the Service Directory API reference documentation.
||Service Directory Admin||Full control of all Service Directory resources and permissions.||
||Service Directory Editor||Edit Service Directory resources.||
||Service Directory Viewer||View Service Directory resources.||
Access Control via the Cloud Console
You can use the Cloud Console to manage access control for your registry.
To set access controls at the project level:
- Open the IAM page in the Google Cloud Console.
- Select your project from the top pull-down menu.
- Click Add.
- Enter the email address of a new member.
- Select the desired role from the drop-down menu:
- Click Add.
- Verify that the member is listed with the role that you granted.
Service Directory zones override IAM restrictions
When assigning a namespace to a Service Directory zone, the service names become visible to all clients on any networks that are authorized to query the private zone. There is no IAM access control for DNS as the DNS protocol does not provide authentication capability.