使用 IAM 进行访问权限控制

Cloud Tasks 使用 Identity and Access Management (IAM) 进行访问权限控制。如需了解 IAM 及其功能,请参阅 IAM 概览。如需了解如何授予和撤消访问权限,请参阅管理对项目、文件夹和组织的访问权限

您可以在项目级层和队列级层配置访问权限控制条件。例如,您可以授予用户创建任务并将其添加到队列的权限,但不授予其删除队列的权限。或者,您也可以向一组用户授予对某项目中的所有 Cloud Tasks 资源的访问权限。如需了解详情,请参阅安全队列配置

每种 Cloud Tasks 方法都要求调用者拥有必要的权限。本页介绍了 Cloud Tasks 支持的权限和角色。更新 queue.yamlqueue.xml 或使用 Google Cloud 控制台时也会检查权限。

启用 Cloud Tasks API

如需查看和分配 Cloud Tasks 的 IAM 角色,您必须为项目启用 Cloud Tasks API。在启用此 API 之前,您无法在 Google Cloud 控制台中看到 Cloud Tasks 角色。

控制台

Enable the Cloud Tasks API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Enable the API

gcloud

Enable the Cloud Tasks API:

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

gcloud services enable cloudtasks.googleapis.com

预定义角色

下表列出了 Cloud Tasks 预定义 IAM 角色及其对应的权限。

预定义角色可满足大多数典型的用例。如果预定义角色无法满足您的用例,您可以创建 IAM 自定义角色

Role Permissions

(roles/cloudtasks.admin)

Full access to queues and tasks.

cloudtasks.*

  • cloudtasks.cmekConfig.get
  • cloudtasks.cmekConfig.update
  • cloudtasks.locations.get
  • cloudtasks.locations.list
  • cloudtasks.queues.create
  • cloudtasks.queues.delete
  • cloudtasks.queues.get
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.queues.pause
  • cloudtasks.queues.purge
  • cloudtasks.queues.resume
  • cloudtasks.queues.setIamPolicy
  • cloudtasks.queues.update
  • cloudtasks.tasks.create
  • cloudtasks.tasks.delete
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.get
  • cloudtasks.tasks.list
  • cloudtasks.tasks.run

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.enqueuer)

Access to create tasks.

cloudtasks.tasks.create

cloudtasks.tasks.fullView

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.queueAdmin)

Admin access to queues.

cloudtasks.locations.*

  • cloudtasks.locations.get
  • cloudtasks.locations.list

cloudtasks.queues.*

  • cloudtasks.queues.create
  • cloudtasks.queues.delete
  • cloudtasks.queues.get
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.queues.pause
  • cloudtasks.queues.purge
  • cloudtasks.queues.resume
  • cloudtasks.queues.setIamPolicy
  • cloudtasks.queues.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.serviceAgent)

Grants Cloud Tasks Service Account access to manage resources.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.logEntries.create

(roles/cloudtasks.taskDeleter)

Access to delete tasks.

cloudtasks.tasks.delete

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.taskRunner)

Access to run tasks.

cloudtasks.tasks.fullView

cloudtasks.tasks.run

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.viewer)

Get and list access to tasks, queues, and locations.

cloudtasks.cmekConfig.get

cloudtasks.locations.*

  • cloudtasks.locations.get
  • cloudtasks.locations.list

cloudtasks.queues.get

cloudtasks.queues.list

cloudtasks.tasks.fullView

cloudtasks.tasks.get

cloudtasks.tasks.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

后续步骤