Roles and permissions

Google Cloud offers Identity and Access Management (IAM), which enables you to give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Service Directory API roles. For a detailed description of IAM, read the IAM documentation.

IAM enables you to adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM enables you to control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions.

Permissions and Roles

Every Service Directory API method requires the caller to have the necessary IAM permissions. You can assign permissions by granting roles to a user, group, or service account. In addition to the basic Owner, Editor, and Viewer roles, you can grant Service Directory API roles to the users of your project.

Permissions

You can find out which permissions are required for each method in the Service Directory API reference documentation.

Roles

Role Permissions

(roles/servicedirectory.admin)

Full control of all Service Directory resources and permissions.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.*

  • servicedirectory.endpoints.create
  • servicedirectory.endpoints.delete
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.setIamPolicy
  • servicedirectory.endpoints.update

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.*

  • servicedirectory.namespaces.associatePrivateZone
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.setIamPolicy
  • servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.*

  • servicedirectory.services.bind
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve
  • servicedirectory.services.setIamPolicy
  • servicedirectory.services.update

(roles/servicedirectory.editor)

Edit Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

(roles/servicedirectory.networkAttacher)

Gives access to attach VPC Networks to Service Directory Endpoints

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.attach

(roles/servicedirectory.pscAuthorizedService)

Gives access to VPC Networks via Service Directory

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.access

(roles/servicedirectory.viewer)

View Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

  • servicedirectory.locations.get
  • servicedirectory.locations.list

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

Access Control using the Google Cloud console

You can use the Google Cloud console to manage access control for your registry.

To set access controls at the project level:

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. Select your project from the top pull-down menu.

  3. Click Add.

  4. In New principals, enter the email address of a new principal.

  5. Select the desired role from the drop-down menu: servicedirectory.admin, servicedirectory.editor, or servicedirectory.viewer

  6. Click Save.

  7. Verify that the principal is listed with the role that you granted.

Service Directory zones override IAM restrictions

When assigning a namespace to a Service Directory zone, the service names become visible to all clients on any networks that are authorized to query the private zone. There is no IAM access control for DNS as the DNS protocol does not provide authentication capability.

What's next

  • See the IAM documentation for details on Identity and Access Management
  • See the Overview for an understanding of Service Directory.