Control access with IAM

When you create a Google Cloud project, you are its only user. By default, no other user has access to your project or its resources. Identity and Access Management (IAM) manages access to Google Cloud resources (for example, clusters). Permissions are assigned to IAM principals.

IAM lets you grant roles to principals. A role is a collection of permissions; when you grant a role to a principal, it controls that principal's access to one or more Google Cloud resources. You can use the following types of roles:

  • Basic roles: the coarse-grained Owner, Editor, and Viewer roles.
  • Predefined roles: finer-grained access than basic roles, covering many common use cases.
  • Custom roles: a set of permissions that you define yourself.

A principal can be any of the following:

  • User account
  • Service account
  • Google group (Google Workspace)
  • Google Workspace domain
  • Cloud Identity domain

IAM policy types

IAM supports the following policy types:

  • Allow policies: grant roles to principals. For details, see Allow policies.
  • Deny policies: block principals from using specific IAM permissions, regardless of which roles those principals have been granted. For details, see Deny policies.

You can use deny policies to stop specific principals from performing specific actions in your project, folder, or organization, even when an IAM allow policy grants those principals a role that contains the relevant permission. IAM evaluates deny policies before allow policies, so a matching deny rule always wins.
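The allow/deny interaction described above, as an added example that is not part of the original page: a small offline Python model of how IAM combines an allow policy and a deny policy for one principal and one permission. The role contents are copied from the Observability role table on this page; the allow policy, deny policy and e-mail addresses are constructed for the example. It assumes that deny-policy permissions are spelled in the SERVICE.googleapis.com/RESOURCE.VERB form (observability.googleapis.com/scopes.update) and that the Observability service honours deny policies; confirm both against the deny-policy documentation before relying on it.

```python
"""Added example (not Google Cloud's code): an offline model of how IAM combines
an allow policy with a deny policy for one principal and one permission.

Role contents are copied from the Observability role table on this page. The
policies and e-mail addresses below are constructed for the example.
Assumption: deny-policy permissions are spelled SERVICE.googleapis.com/RESOURCE.VERB
(e.g. observability.googleapis.com/scopes.update) and the service honours deny
policies; confirm both against the deny-policy documentation.
"""

# Permissions per role, from the table on this page (wildcards expanded).
ROLES = {
    "roles/observability.viewer": frozenset({
        "observability.analyticsViews.get", "observability.analyticsViews.list",
        "observability.buckets.get", "observability.buckets.list",
        "observability.datasets.get", "observability.datasets.list",
        "observability.links.get", "observability.links.list",
        "observability.operations.get", "observability.operations.list",
        "observability.scopes.get",
    }),
    "roles/observability.scopesEditor": frozenset({
        "logging.logScopes.create", "logging.logScopes.delete",
        "logging.logScopes.get", "logging.logScopes.list",
        "logging.logScopes.update", "monitoring.metricsScopes.link",
        "observability.scopes.get", "observability.scopes.update",
    }),
}

# Constructed allow policy, in the shape `gcloud projects get-iam-policy --format=json` returns.
ALLOW_POLICY = {
    "bindings": [
        {"role": "roles/observability.scopesEditor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/observability.viewer", "members": ["domain:example.com"]},
    ]
}

# Constructed deny policy: nobody may change scopes, except alice.
DENY_POLICY = {
    "rules": [{"denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "exceptionPrincipals": ["principal://goog/subject/alice@example.com"],
        "deniedPermissions": ["observability.googleapis.com/scopes.update"],
    }}]
}


def allow_member_matches(member: str, email: str) -> bool:
    """Allow-policy member syntax. group: members need a directory lookup and are
    treated as non-matching in this offline model."""
    kind, _, value = member.partition(":")
    if kind in ("user", "serviceAccount"):
        return value == email
    if kind == "domain":
        return email.endswith("@" + value)
    return False


def deny_principal_matches(identifier: str, email: str) -> bool:
    """Deny-policy principal identifiers: principal://goog/subject/EMAIL or the
    everyone set principalSet://goog/public:all (group sets are not resolved here)."""
    return (identifier == "principalSet://goog/public:all"
            or identifier == f"principal://goog/subject/{email}")


def to_deny_form(permission: str) -> str:
    """observability.scopes.update -> observability.googleapis.com/scopes.update (assumed form)."""
    service, _, rest = permission.partition(".")
    return f"{service}.googleapis.com/{rest}"


def allowed_permissions(allow_policy: dict, email: str) -> frozenset:
    """Union of the permissions of every role bound to a member that matches `email`."""
    granted = frozenset()
    for binding in allow_policy["bindings"]:
        if any(allow_member_matches(m, email) for m in binding["members"]):
            granted |= ROLES[binding["role"]]
    return granted


def is_denied(deny_policy: dict, email: str, permission: str) -> bool:
    """True if a deny rule names the principal, does not except it, and lists the permission."""
    target = to_deny_form(permission)
    for rule in deny_policy["rules"]:
        d = rule["denyRule"]
        if not any(deny_principal_matches(p, email) for p in d["deniedPrincipals"]):
            continue
        if any(deny_principal_matches(p, email) for p in d.get("exceptionPrincipals", [])):
            continue
        if target in d["deniedPermissions"] and target not in d.get("exceptionPermissions", []):
            return True
    return False


def has_permission(allow_policy: dict, deny_policy: dict, email: str, permission: str) -> bool:
    """IAM checks deny policies first: a matching deny rule wins regardless of granted roles."""
    if is_denied(deny_policy, email, permission):
        return False
    return permission in allowed_permissions(allow_policy, email)


def effective_permissions(allow_policy: dict, deny_policy: dict, email: str) -> frozenset:
    """Everything the allow policy grants minus everything the deny policy blocks."""
    return frozenset(p for p in allowed_permissions(allow_policy, email)
                     if not is_denied(deny_policy, email, p))


if __name__ == "__main__":
    for who in ("alice@example.com", "ci@example.iam.gserviceaccount.com", "bob@example.com"):
        print(who, "scopes.update:",
              has_permission(ALLOW_POLICY, DENY_POLICY, who, "observability.scopes.update"))
```

The CI service account is bound to roles/observability.scopesEditor, which contains observability.scopes.update, yet the deny rule removes that single permission while leaving the rest of the role intact; alice keeps it only because she is listed as an exception principal. The same shape of check is what you should run mentally before trusting a role grant: first ask which deny rules reach the principal, then what the bindings add.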

Predefined roles

IAM provides predefined roles that grant granular access to specific Google Cloud resources while preventing unwanted access to other resources. Google Cloud creates and maintains these roles and updates their permissions automatically as needed, for example when Google Cloud Observability adds new features.

The predefined roles for Google Cloud Observability include permissions for functionality that spans several product areas. As a result, you may see some of these permissions, such as observability.scopes.get, in the predefined roles of those other product areas. For example, the Logs Viewer role (roles/logging.viewer) contains the observability.scopes.get permission in addition to many logging-specific permissions.

The following table lists the predefined roles for Google Cloud Observability. For each role, the table shows the role ID, its description, and the permissions it contains. You can grant a predefined role at the Google Cloud project level or, in most cases, at any higher level of the resource hierarchy.

For a list of all the individual permissions that a role contains, see Get the role metadata.

Observability roles

Each entry gives the role ID, its description, and its permissions. A wildcard entry such as observability.links.* stands for the permissions listed in parentheses after it.

roles/observability.admin
  Full access to Observability resources.
  Permissions: observability.*, which expands to:
  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update
  • observability.buckets.create
  • observability.buckets.delete
  • observability.buckets.get
  • observability.buckets.list
  • observability.buckets.undelete
  • observability.buckets.update
  • observability.datasets.create
  • observability.datasets.delete
  • observability.datasets.get
  • observability.datasets.list
  • observability.datasets.undelete
  • observability.datasets.update
  • observability.links.create
  • observability.links.delete
  • observability.links.get
  • observability.links.list
  • observability.links.update
  • observability.operations.cancel
  • observability.operations.delete
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get
  • observability.scopes.update

roles/observability.analyticsUser
  Grants permissions to use Cloud Observability Analytics.
  Permissions:
  • logging.queries.getShared
  • logging.queries.listShared
  • logging.queries.usePrivate
  • observability.analyticsViews.* (create, delete, get, list, update)
  • observability.buckets.get
  • observability.buckets.list
  • observability.datasets.get
  • observability.datasets.list
  • observability.links.get
  • observability.links.list
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get

roles/observability.editor
  Edit access to Observability resources.
  Permissions:
  • observability.analyticsViews.* (create, delete, get, list, update)
  • observability.buckets.create
  • observability.buckets.get
  • observability.buckets.list
  • observability.buckets.update
  • observability.datasets.create
  • observability.datasets.get
  • observability.datasets.list
  • observability.datasets.update
  • observability.links.* (create, delete, get, list, update)
  • observability.operations.* (cancel, delete, get, list)
  • observability.scopes.* (get, update)

roles/observability.scopesEditor
  Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes.
  Permissions:
  • logging.logScopes.* (create, delete, get, list, update)
  • monitoring.metricsScopes.link
  • observability.scopes.* (get, update)

roles/observability.viewAccessor
  Read-only access to data defined by an Observability View.
  Permissions: none listed.

roles/observability.viewer
  Read-only access to Observability resources.
  Permissions:
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.buckets.get
  • observability.buckets.list
  • observability.datasets.get
  • observability.datasets.list
  • observability.links.get
  • observability.links.list
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get

Telemetry API roles

roles/telemetry.metricsWriter
  Access to write metrics.
  Permissions:
  • telemetry.metrics.write

roles/telemetry.tracesWriter
  Access to write trace spans.
  Permissions:
  • telemetry.traces.write

roles/telemetry.writer
  Full access to write all telemetry data.
  Permissions: telemetry.*, which expands to:
  • telemetry.metrics.write
  • telemetry.traces.write

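Choosing between these roles is a least-privilege decision: a workload that only exports metrics should get roles/telemetry.metricsWriter, not roles/telemetry.writer, and a dashboard reader should get roles/observability.viewer, not roles/observability.editor. As an added example that is not part of the original page, the Python below encodes the two role tables above (wildcards expanded exactly as the tables expand them; roles/observability.viewAccessor is omitted because the table lists no permissions for it) and, given the permissions a workload actually needs, finds the fewest predefined roles that cover them, preferring the combination that grants the least beyond what was asked for. It goes beyond the page in that it also searches pairs of roles. The workload permission sets are constructed for the example.

```python
"""Added example (not Google Cloud's code): choose the least-privileged
predefined role(s) that cover a workload's required permissions.

Role contents are copied from the Observability and Telemetry API role tables
on this page; roles/observability.viewAccessor is omitted because the table
lists no permissions for it. The workloads in __main__ are constructed.
"""
from itertools import combinations

# Verbs per permission family, taken from the wildcard expansions in the tables.
FAMILY_VERBS = {
    "observability.analyticsViews": ["create", "delete", "get", "list", "update"],
    "observability.buckets": ["create", "delete", "get", "list", "undelete", "update"],
    "observability.datasets": ["create", "delete", "get", "list", "undelete", "update"],
    "observability.links": ["create", "delete", "get", "list", "update"],
    "observability.operations": ["cancel", "delete", "get", "list"],
    "observability.scopes": ["get", "update"],
    "logging.logScopes": ["create", "delete", "get", "list", "update"],
    "telemetry.metrics": ["write"],
    "telemetry.traces": ["write"],
}


def expand(entries):
    """Expand 'prefix.*' entries, as the page's tables do, into concrete permissions."""
    out = set()
    for entry in entries:
        if entry.endswith(".*"):
            prefix = entry[:-2]
            for family, verbs in FAMILY_VERBS.items():
                if family == prefix or family.startswith(prefix + "."):
                    out.update(f"{family}.{v}" for v in verbs)
        else:
            out.add(entry)
    return frozenset(out)


ROLES = {
    "roles/observability.admin": expand(["observability.*"]),
    "roles/observability.analyticsUser": expand([
        "logging.queries.getShared", "logging.queries.listShared", "logging.queries.usePrivate",
        "observability.analyticsViews.*", "observability.buckets.get", "observability.buckets.list",
        "observability.datasets.get", "observability.datasets.list", "observability.links.get",
        "observability.links.list", "observability.operations.get", "observability.operations.list",
        "observability.scopes.get"]),
    "roles/observability.editor": expand([
        "observability.analyticsViews.*", "observability.buckets.create", "observability.buckets.get",
        "observability.buckets.list", "observability.buckets.update", "observability.datasets.create",
        "observability.datasets.get", "observability.datasets.list", "observability.datasets.update",
        "observability.links.*", "observability.operations.*", "observability.scopes.*"]),
    "roles/observability.scopesEditor": expand([
        "logging.logScopes.*", "monitoring.metricsScopes.link", "observability.scopes.*"]),
    "roles/observability.viewer": expand([
        "observability.analyticsViews.get", "observability.analyticsViews.list",
        "observability.buckets.get", "observability.buckets.list", "observability.datasets.get",
        "observability.datasets.list", "observability.links.get", "observability.links.list",
        "observability.operations.get", "observability.operations.list", "observability.scopes.get"]),
    "roles/telemetry.metricsWriter": expand(["telemetry.metrics.write"]),
    "roles/telemetry.tracesWriter": expand(["telemetry.traces.write"]),
    "roles/telemetry.writer": expand(["telemetry.*"]),
}


def least_privilege_roles(required, max_roles=2):
    """Smallest set of predefined roles (up to max_roles) covering `required`;
    among sets of the same size, the one granting the fewest permissions beyond
    what was asked for. Returns (roles, extra_permission_count) or None."""
    required = frozenset(required)
    for n in range(1, max_roles + 1):
        best = None
        for combo in combinations(sorted(ROLES), n):
            granted = frozenset().union(*(ROLES[r] for r in combo))
            if required <= granted:
                extra = len(granted - required)
                if best is None or extra < best[1]:
                    best = (combo, extra)
        if best is not None:
            return best
    return None


if __name__ == "__main__":
    # Constructed workloads: what each one really needs to do.
    workloads = {
        "metrics exporter": {"telemetry.metrics.write"},
        "otel collector": {"telemetry.metrics.write", "telemetry.traces.write"},
        "dashboard reader": {"observability.scopes.get", "observability.datasets.list"},
        "scope automation": {"observability.scopes.update", "logging.logScopes.update"},
    }
    for name, needs in workloads.items():
        print(name, "->", least_privilege_roles(needs))
```

The extra-permission count is the number to watch in review: roles/observability.viewer covers the dashboard reader with 9 permissions it did not ask for, while roles/observability.admin would add 26. When no single role fits and the search falls back to a pair, that is usually the signal to consider a custom role with exactly the required permissions instead.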
What's next