Roles and permissions

Google Cloud offers Identity and Access Management (IAM) to let you provide more granular access to specific Google Cloud resources and prevent access to other resources. This page describes the roles and permissions for Service Extensions.

IAM lets you adopt the security principle of least privilege so that you need to grant only the necessary access to your resources.

Roles are collections of IAM permissions. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals. You can control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to principals, thereby giving them certain permissions.

For detailed information about IAM roles, see Roles and permissions.

Predefined roles and permissions for Service Extensions

Service Extensions supports IAM permissions at the project level.

The following table lists Service Extensions IAM roles and the permissions that each role includes.

Roles Permissions

Service Extensions Admin

(roles/networkservices.serviceExtensionsAdmin)

Permissions to create, update, list, view, and delete extensions.

networkservices.authzExtensions.create
networkservices.authzExtensions.delete
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.authzExtensions.update
networkservices.authzExtensions.use
networkservices.lbEdgeExtensions.create
networkservices.lbEdgeExtensions.delete
networkservices.lbEdgeExtensions.get
networkservices.lbEdgeExtensions.list
networkservices.lbEdgeExtensions.update
networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmPlugins.create
networkservices.wasmPlugins.update
networkservices.wasmPlugins.delete
networkservices.wasmPlugins.use
networkservices.wasmActions.get
networkservices.wasmActions.list
networkservices.wasmActions.create
networkservices.wasmActions.delete
networkservices.wasmPluginVersions.get
networkservices.wasmPluginVersions.list
networkservices.wasmPluginVersions.create
networkservices.wasmPluginVersions.delete

Service Extensions Viewer

(roles/networkservices.serviceExtensionsViewer)

Permissions to list and view extensions.

networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.lbEdgeExtensions.get
networkservices.lbEdgeExtensions.list
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmActions.get
networkservices.wasmActions.list
networkservices.wasmPluginVersions.get
networkservices.wasmPluginVersions.list
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list

The following table lists IAM roles that you need for other services and the permissions that each role includes.

Roles Permissions

Compute Load Balancer Admin

(roles/compute.loadBalancerAdmin)

Permissions to update forwarding rules. Required while creating and updating extensions that attach to forwarding rules.

compute.forwardingRules.update
compute.globalForwardingRules.update

Compute Load Balancer Services User

(roles/compute.loadBalancerServiceUser)

Permissions to use backend services. Required while creating and updating extensions that use backend services as extension services.

compute.backendServices.use
compute.regionBackendBuckets.use

Manage access control

To set access controls at the project level, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

  2. Select your project.

  3. Click Add.

  4. In New principals, enter the email address of a new principal.

  5. Select the required role.

  6. Click Save.

  7. Verify that the principal is listed with the role that you granted.

Identify the permissions in a role

To determine whether one or more permissions are included in a role, you can use one of the following methods:
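The following is an added example, not one of the page's own methods and not Google's code. It transcribes the two role tables above into Python and uses them to answer the least-privilege question the tables raise: given the permissions an operation needs, which roles are missing, and which combination of the listed roles covers the operation with the fewest permissions. The mapping of operations to required permissions (for instance, that creating a traffic extension attached to a global forwarding rule and backed by a backend service needs `networkservices.lbTrafficExtensions.create`, `compute.globalForwardingRules.update` and `compute.backendServices.use`) is an assumption derived from the role descriptions on this page, not an authoritative list; the function names are the example's own.

```python
"""Least-privilege check for the Service Extensions roles listed on this page.

Added example, not Google's code. ROLE_PERMISSIONS is transcribed from the
tables above; everything else (function names, the sample operations) is
constructed for illustration.
"""
from __future__ import annotations

from collections.abc import Iterable


def _perms(resource: str, verbs: tuple[str, ...], service: str = "networkservices") -> frozenset[str]:
    """Expand 'service.resource.verb' permission names for a resource type."""
    return frozenset(f"{service}.{resource}.{verb}" for verb in verbs)


CRUD = ("create", "delete", "get", "list", "update")
VIEW = ("get", "list")

# Transcribed from the role tables on this page.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/networkservices.serviceExtensionsAdmin": (
        _perms("authzExtensions", CRUD + ("use",))
        | _perms("lbEdgeExtensions", CRUD)
        | _perms("lbRouteExtensions", CRUD)
        | _perms("lbTrafficExtensions", CRUD)
        | _perms("wasmPlugins", CRUD + ("use",))
        | _perms("wasmActions", ("get", "list", "create", "delete"))
        | _perms("wasmPluginVersions", ("get", "list", "create", "delete"))
    ),
    "roles/networkservices.serviceExtensionsViewer": frozenset().union(
        *(
            _perms(resource, VIEW)
            for resource in (
                "authzExtensions", "lbEdgeExtensions", "wasmPlugins", "wasmActions",
                "wasmPluginVersions", "lbRouteExtensions", "lbTrafficExtensions",
            )
        )
    ),
    "roles/compute.loadBalancerAdmin": frozenset(
        {"compute.forwardingRules.update", "compute.globalForwardingRules.update"}
    ),
    "roles/compute.loadBalancerServiceUser": frozenset(
        {"compute.backendServices.use", "compute.regionBackendBuckets.use"}
    ),
}


def granted_permissions(roles: Iterable[str]) -> frozenset[str]:
    """Union of the permissions granted by the given roles (must be roles from the tables)."""
    roles = list(roles)
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown:
        raise KeyError(f"roles not described on this page: {unknown}")
    return frozenset().union(*(ROLE_PERMISSIONS[r] for r in roles))


def missing_permissions(required: Iterable[str], roles: Iterable[str]) -> frozenset[str]:
    """Required permissions that the given roles do not grant (empty means the roles suffice)."""
    return frozenset(required) - granted_permissions(roles)


def least_privilege_roles(required: Iterable[str]) -> list[str]:
    """Greedy cover: repeatedly pick the role granting the most still-needed permissions,
    breaking ties toward the role with the fewest permissions overall (least privilege)."""
    remaining = set(required)
    chosen: list[str] = []
    while remaining:
        best = max(
            ROLE_PERMISSIONS,
            key=lambda r: (len(ROLE_PERMISSIONS[r] & remaining), -len(ROLE_PERMISSIONS[r])),
        )
        covered = ROLE_PERMISSIONS[best] & remaining
        if not covered:
            raise ValueError(f"no role on this page grants: {sorted(remaining)}")
        chosen.append(best)
        remaining -= covered
    return chosen


if __name__ == "__main__":
    # Constructed operation: create a traffic extension on a global forwarding rule
    # that uses a backend service as its extension service (assumed permission set).
    create_traffic_ext = {
        "networkservices.lbTrafficExtensions.create",
        "compute.globalForwardingRules.update",
        "compute.backendServices.use",
    }
    admin_only = ["roles/networkservices.serviceExtensionsAdmin"]
    print("missing with Admin only:", sorted(missing_permissions(create_traffic_ext, admin_only)))
    print("roles to grant:", least_privilege_roles(create_traffic_ext))
    # Read-only auditing of traffic extensions should land on Viewer, not Admin.
    print("roles for read-only:", least_privilege_roles(_perms("lbTrafficExtensions", VIEW)))
```

Running the script shows that Service Extensions Admin alone is not enough to create an extension that attaches to a forwarding rule and uses a backend service: the two Compute roles from the second table must be granted alongside it, and for a principal that only lists and inspects extensions the Viewer role is selected over Admin.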

What's next