此页面由 Cloud Translation API 翻译。

角色与权限

Google Cloud 提供 Identity and Access Management (IAM)，可让您授予对特定Google Cloud 资源的更细化访问权限，并防止对其他资源进行不必要的访问。本页介绍了 Service Directory API 角色。如需详细了解 IAM，请参阅 IAM 文档。

借助 IAM，您可以采用最小权限安全原则，只需授予对您的资源的必要访问权限。

借助 IAM，您可以通过设置 IAM 政策来控制哪些人对哪些资源具有什么访问权限。您可以使用 IAM 政策向用户授予特定角色，从而给予用户特定权限。

权限和角色

每种 Service Directory API 方法都要求调用者拥有必要的 IAM 权限。您可以通过为用户、群组或服务账号授予角色来分配权限。除了 Viewer、Editor、Owner 这些基本角色之外，您还可以向您项目的用户授予 Service Directory API 角色。

权限

您可以在 Service Directory API 参考文档中了解每种方法所需的权限。

角色

Role Permissions

Role	Permissions
Service Directory Admin (`roles/servicedirectory.admin`) Full control of all Service Directory resources and permissions.	`resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.endpoints.` `servicedirectory.endpoints.create` `servicedirectory.endpoints.delete` `servicedirectory.endpoints.get` `servicedirectory.endpoints.getIamPolicy` `servicedirectory.endpoints.list` `servicedirectory.endpoints.setIamPolicy` `servicedirectory.endpoints.update` `servicedirectory.locations.` `servicedirectory.locations.get` `servicedirectory.locations.list` `servicedirectory.namespaces.` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.namespaces.get` `servicedirectory.namespaces.getIamPolicy` `servicedirectory.namespaces.list` `servicedirectory.namespaces.setIamPolicy` `servicedirectory.namespaces.update` `servicedirectory.networks.attach` `servicedirectory.services.` `servicedirectory.services.bind` `servicedirectory.services.create` `servicedirectory.services.delete` `servicedirectory.services.get` `servicedirectory.services.getIamPolicy` `servicedirectory.services.list` `servicedirectory.services.resolve` `servicedirectory.services.setIamPolicy` `servicedirectory.services.update`
Service Directory Editor (`roles/servicedirectory.editor`) Edit Service Directory resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.endpoints.create` `servicedirectory.endpoints.delete` `servicedirectory.endpoints.get` `servicedirectory.endpoints.getIamPolicy` `servicedirectory.endpoints.list` `servicedirectory.endpoints.update` `servicedirectory.locations.*` `servicedirectory.locations.get` `servicedirectory.locations.list` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.namespaces.get` `servicedirectory.namespaces.getIamPolicy` `servicedirectory.namespaces.list` `servicedirectory.namespaces.update` `servicedirectory.networks.attach` `servicedirectory.services.bind` `servicedirectory.services.create` `servicedirectory.services.delete` `servicedirectory.services.get` `servicedirectory.services.getIamPolicy` `servicedirectory.services.list` `servicedirectory.services.resolve` `servicedirectory.services.update`
Service Directory Network Attacher (`roles/servicedirectory.networkAttacher`) Gives access to attach VPC Networks to Service Directory Endpoints	`resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.networks.attach`
Private Service Connect Authorized Service (`roles/servicedirectory.pscAuthorizedService`) Gives access to VPC Networks via Service Directory	`resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.networks.access`
Service Directory Viewer (`roles/servicedirectory.viewer`) View Service Directory resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `servicedirectory.endpoints.get` `servicedirectory.endpoints.getIamPolicy` `servicedirectory.endpoints.list` `servicedirectory.locations.*` `servicedirectory.locations.get` `servicedirectory.locations.list` `servicedirectory.namespaces.get` `servicedirectory.namespaces.getIamPolicy` `servicedirectory.namespaces.list` `servicedirectory.services.get` `servicedirectory.services.getIamPolicy` `servicedirectory.services.list` `servicedirectory.services.resolve`

Service Directory Admin

(roles/servicedirectory.admin)

Full control of all Service Directory resources and permissions.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.*

servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.setIamPolicy
servicedirectory.endpoints.update

servicedirectory.locations.*

servicedirectory.locations.get
servicedirectory.locations.list

servicedirectory.namespaces.*

servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.setIamPolicy
servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.*

servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.setIamPolicy
servicedirectory.services.update

Service Directory Editor

(roles/servicedirectory.editor)

Edit Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

servicedirectory.locations.get
servicedirectory.locations.list

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

Service Directory Network Attacher

(roles/servicedirectory.networkAttacher)

Gives access to attach VPC Networks to Service Directory Endpoints

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.attach

Private Service Connect Authorized Service

(roles/servicedirectory.pscAuthorizedService)

Gives access to VPC Networks via Service Directory

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.access

Service Directory Viewer

(roles/servicedirectory.viewer)

View Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

servicedirectory.locations.get
servicedirectory.locations.list

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

使用 Google Cloud 控制台进行访问权限控制

您可以使用 Google Cloud 控制台来管理注册库的访问权限控制。

要在项目级别设置访问控制，请执行以下操作：

控制台

在 Google Cloud 控制台中，转到 IAM 页面。

转到 IAM
从顶部的下拉菜单中选择您的项目。
点击添加。
在新的主账号中，输入新主账号的电子邮件地址。
从下拉菜单中选择所需的角色：servicedirectory.admin、servicedirectory.editor 或 servicedirectory.viewer
点击保存。
验证该主账号是否拥有您授予的角色。

Service Directory 可用区会替换 IAM 限制

向 Service Directory 区域分配命名空间后，服务名称将对有权查询专用区域的任何网络上的所有客户端可见。DNS 没有 IAM 访问控制，因为 DNS 协议不提供身份验证功能。

后续步骤

如需详细了解 Identity and Access Management，请参阅 IAM 文档
如需了解 Service Directory，请参阅概览。