使用 IAM 控管存取權

當您建立 Google Cloud 專案時,您是專案的唯一使用者。根據預設,其他使用者都不能存取您的專案或專案資源。身分與存取權管理 (IAM) 會管理叢集等 Google Cloud 資源的存取權。權限會指派給 IAM 主體

IAM 可讓您將角色授予主體。角色其實就是一組權限,指派給主體後,即可控制一或多項 Google Cloud 資源的存取權。您可以使用下列類型的角色:

  • 基本角色提供限於擁有者、編輯者和檢視者的粗略權限。
  • 預先定義角色:提供比基本角色更精細的存取權,且適用於許多常見用途。
  • 自訂角色可讓您建立唯一的權限組合。

主體可以是下列任一項:

  • 使用者帳戶
  • 服務帳戶
  • Google Workspace Google 群組
  • Google Workspace 網域
  • Cloud Identity 網域

IAM 政策類型

IAM 支援下列政策類型:

  • 允許政策:將角色授予主體。詳情請參閱「允許政策」。
  • 拒絕政策:無論主體獲得何種角色,都能防止主體使用特定身分與存取權管理權限。詳情請參閱「拒絕政策」。

使用拒絕政策,限制特定主體在專案、資料夾或機構中執行特定動作,即使 IAM 允許政策授予這些主體包含相關權限的角色,也一樣。

預先定義的角色

IAM 提供預先定義的角色,可授予特定 Google Cloud 資源的精細存取權,並防止其他資源遭到未經授權的存取。 Google Cloud 會建立及維護這些角色,並視需要自動更新權限,例如 Google Cloud Observability 新增新功能時。

Google Cloud Observability 的預先定義角色包含跨多個產品領域的功能權限。因此,您可能會在這些產品領域的預先定義角色中,看到 observability.scopes.get 等權限。舉例來說,除了許多記錄專屬權限外,「記錄檢視者」角色 (roles/logging.viewer) 還包含 observability.scopes.get 權限。

下表列出 Google Cloud Observability 的預先定義角色。表格會針對每個角色顯示角色名稱、說明、包含的權限,以及可授予角色的最低層級資源類型。您可以在 Google Cloud 專案層級授予預先定義的角色,或在大多數情況下,授予資源階層中較高層級的任何類型角色。

如要取得角色包含的所有個別權限清單,請參閱「取得角色中繼資料」一文。

觀測角色

Role Permissions

(roles/observability.admin)

Full access to Observability resources.

observability.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update
  • observability.buckets.create
  • observability.buckets.delete
  • observability.buckets.get
  • observability.buckets.list
  • observability.buckets.undelete
  • observability.buckets.update
  • observability.datasets.create
  • observability.datasets.delete
  • observability.datasets.get
  • observability.datasets.list
  • observability.datasets.undelete
  • observability.datasets.update
  • observability.links.create
  • observability.links.delete
  • observability.links.get
  • observability.links.list
  • observability.links.update
  • observability.operations.cancel
  • observability.operations.delete
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get
  • observability.scopes.update
  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update
  • observability.views.access
  • observability.views.create
  • observability.views.delete
  • observability.views.get
  • observability.views.list
  • observability.views.update

(roles/observability.analyticsUser)

Grants permissions to use Cloud Observability Analytics.

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

observability.analyticsViews.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.traceScopes.get

observability.traceScopes.list

observability.views.get

observability.views.list

(roles/observability.editor)

Edit access to Observability resources.

observability.analyticsViews.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update

observability.buckets.create

observability.buckets.get

observability.buckets.list

observability.buckets.update

observability.datasets.create

observability.datasets.get

observability.datasets.list

observability.datasets.update

observability.links.*

  • observability.links.create
  • observability.links.delete
  • observability.links.get
  • observability.links.list
  • observability.links.update

observability.operations.*

  • observability.operations.cancel
  • observability.operations.delete
  • observability.operations.get
  • observability.operations.list

observability.scopes.*

  • observability.scopes.get
  • observability.scopes.update

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

observability.views.create

observability.views.delete

observability.views.get

observability.views.list

observability.views.update

(roles/observability.scopesEditor)

Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes

logging.logScopes.*

  • logging.logScopes.create
  • logging.logScopes.delete
  • logging.logScopes.get
  • logging.logScopes.list
  • logging.logScopes.update

monitoring.metricsScopes.link

observability.scopes.*

  • observability.scopes.get
  • observability.scopes.update

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

(roles/observability.serviceAgent)

Grants Observability service account the ability to list, create and link datasets in the consumer project.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

(roles/observability.viewAccessor)

Read only access to data defined by an Observability View.

observability.views.access

(roles/observability.viewer)

Read only access to Observability resources.

observability.analyticsViews.get

observability.analyticsViews.list

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.traceScopes.get

observability.traceScopes.list

observability.views.get

observability.views.list

Telemetry API 角色

Role Permissions

(roles/telemetry.metricsWriter)

Access to write metrics.

telemetry.metrics.write

(roles/telemetry.serviceLogsWriter)

Allows an onboarded service to write log data to a destination.

telemetry.consumers.writeLogs

(roles/telemetry.serviceMetricsWriter)

Allows an onboarded service to write metrics data to a destination.

telemetry.consumers.writeMetrics

(roles/telemetry.serviceTelemetryWriter)

Allows an onboarded service to write all telemetry data to a destination.

telemetry.consumers.*

  • telemetry.consumers.writeLogs
  • telemetry.consumers.writeMetrics
  • telemetry.consumers.writeTraces

(roles/telemetry.serviceTracesWriter)

Allows an onboarded service to write trace data to a destination.

telemetry.consumers.writeTraces

(roles/telemetry.tracesWriter)

Access to write trace spans.

telemetry.traces.write

(roles/telemetry.writer)

Full access to write all telemetry data.

telemetry.metrics.write

telemetry.traces.write

後續步驟