Control Access - Google Cloud Build

IAM roles and permissions

Access control in Cloud Build is controlled using Identity and Access Management (IAM). IAM enables you to create and manage permissions for Google Cloud resources. Cloud Build provides a specific set of predefined IAM roles where each role contains a set of permissions. You can use these roles to give more granular access to specific Google Cloud resources and prevent unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

This page describes Cloud Build roles and permissions.

With IAM, every method in the Cloud Build API requires that the identity making the request holds the appropriate permissions on the resource. Permissions are granted by setting policies that bind roles to a principal (a user, group, or service account). You can grant multiple roles to a principal on the same resource.

The table below lists the Cloud Build IAM roles and the permissions that they include:

| Role | Title | Description | Permissions |
|---|---|---|---|
| roles/cloudbuild.builds.viewer | Cloud Build Viewer | Can view Cloud Build resources | cloudbuild.builds.get, cloudbuild.builds.list, remotebuildexecution.blobs.get, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.builds.editor | Cloud Build Editor | Full control of Cloud Build resources | cloudbuild.builds.create, cloudbuild.builds.get, cloudbuild.builds.list, cloudbuild.builds.update, remotebuildexecution.blobs.get, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.builds.approver | Cloud Build Approver | Provides access to approve or reject pending builds | cloudbuild.builds.approve, cloudbuild.builds.get, cloudbuild.builds.list, remotebuildexecution.blobs.get, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.builds.builder | Cloud Build Service Account | When you enable the Cloud Build API for a project, the Cloud Build service account is automatically created in the project and is granted this role for the resources in the project. The Cloud Build service account uses this role only as required to perform actions when executing your build. | For the permissions this role contains, see Cloud Build service account. |
| roles/cloudbuild.integrations.viewer | Cloud Build Integrations Viewer | Can view Cloud Build host connections | cloudbuild.integrations.get, cloudbuild.integrations.list, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.integrations.editor | Cloud Build Integrations Editor | Edit control of Cloud Build host connections | cloudbuild.integrations.get, cloudbuild.integrations.list, cloudbuild.integrations.update, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.integrations.owner | Cloud Build Integrations Owner | Full control of Cloud Build host connections | cloudbuild.integrations.create, cloudbuild.integrations.delete, cloudbuild.integrations.get, cloudbuild.integrations.list, cloudbuild.integrations.update, compute.firewalls.create, compute.firewalls.get, compute.firewalls.list, compute.networks.get, compute.networks.updatePolicy, compute.regions.get, compute.subnetworks.get, compute.subnetworks.list, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.connectionViewer | Cloud Build Connection Viewer | Can view and list connections and repositories | resourcemanager.projects.get, resourcemanager.projects.list, cloudbuild.connections.get, cloudbuild.connections.fetchLinkableRepositories, cloudbuild.connections.list, cloudbuild.connections.getIamPolicy, cloudbuild.repositories.get, cloudbuild.repositories.list |
| roles/cloudbuild.connectionAdmin | Cloud Build Connection Admin | Can manage connections and repositories | resourcemanager.projects.get, resourcemanager.projects.list, cloudbuild.connections.get, cloudbuild.connections.fetchLinkableRepositories, cloudbuild.connections.list, cloudbuild.connections.create, cloudbuild.connections.update, cloudbuild.connections.delete, cloudbuild.connections.getIamPolicy, cloudbuild.connections.setIamPolicy, cloudbuild.repositories.get, cloudbuild.repositories.list, cloudbuild.repositories.create, cloudbuild.repositories.delete |
| roles/cloudbuild.readTokenAccessor | Cloud Build Read Only Token Accessor | Can view the connection, its repositories, and access their read-only token | cloudbuild.connections.get, cloudbuild.repositories.get, cloudbuild.repositories.accessReadToken |
| roles/cloudbuild.tokenAccessor | Cloud Build Token Accessor | Can view the connection, its repositories, and access their read-only and read/write token | cloudbuild.connections.get, cloudbuild.repositories.get, cloudbuild.repositories.accessReadToken, cloudbuild.repositories.accessReadWriteToken |
| roles/cloudbuild.workerPoolOwner | Cloud Build WorkerPool Owner | Full control of the private pool | cloudbuild.workerpools.create, cloudbuild.workerpools.delete, cloudbuild.workerpools.get, cloudbuild.workerpools.list, cloudbuild.workerpools.update, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.workerPoolEditor | Cloud Build WorkerPool Editor | Can update private pools | cloudbuild.workerpools.get, cloudbuild.workerpools.list, cloudbuild.workerpools.update, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.workerPoolViewer | Cloud Build WorkerPool Viewer | Can view private pools | cloudbuild.workerpools.get, cloudbuild.workerpools.list, resourcemanager.projects.get, resourcemanager.projects.list |
| roles/cloudbuild.workerPoolUser | Cloud Build WorkerPool User | Can run builds in the private pool | cloudbuild.workerpools.use |

In addition to the above Cloud Build predefined roles, the basic Viewer, Editor, and Owner roles also include permissions related to Cloud Build. However, we recommend that you grant predefined roles where possible to comply with the security principle of least privilege.

The table below lists the basic roles and the Cloud Build IAM roles that they include.

| Role | Includes role |
|---|---|
| roles/viewer | roles/cloudbuild.builds.viewer, roles/cloudbuild.integrations.viewer |
| roles/editor | roles/cloudbuild.builds.editor, roles/cloudbuild.integrations.editor |
| roles/owner | roles/cloudbuild.integrations.owner |

The following table lists the permissions that the caller must have to call each method:

| API method | Required permission | Role title |
|---|---|---|
| builds.create(), triggers.create(), triggers.patch(), triggers.delete(), triggers.run() | cloudbuild.builds.create | Cloud Build Editor |
| builds.cancel() | cloudbuild.builds.update | Cloud Build Editor |
| builds.get(), triggers.get() | cloudbuild.builds.get | Cloud Build Editor, Cloud Build Viewer |
| builds.list(), triggers.list() | cloudbuild.builds.list | Cloud Build Editor, Cloud Build Viewer |
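The three tables above (predefined role to permissions, basic role to the Cloud Build roles it includes, and API method to required permission) are enough to run a small least-privilege audit over a project's IAM policy. The following Python is an added example, not Google's code and not part of the original page: it transcribes a subset of the tables into dictionaries, reads a policy document in the shape `gcloud projects get-iam-policy --format=json` returns, reports principals whose Cloud Build access comes from a basic role where a predefined role would do, and answers whether a principal can call a given method. The policy document and every principal address in it are constructed sample data.

```python
"""Least-privilege audit of a project IAM policy for Cloud Build roles.

Added example (not Google's code). The role data below is transcribed from
the tables on this page, restricted to the roles relevant to the builds.*
API methods; the policy document and principals are constructed samples.
"""
from __future__ import annotations

# Permissions shared by most predefined Cloud Build roles (see the role table).
COMMON = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
BUILDS_VIEW = COMMON | {
    "cloudbuild.builds.get",
    "cloudbuild.builds.list",
    "remotebuildexecution.blobs.get",
}

# Predefined role -> permissions it contains (from the role table above).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/cloudbuild.builds.viewer": BUILDS_VIEW,
    "roles/cloudbuild.builds.editor": BUILDS_VIEW
    | {"cloudbuild.builds.create", "cloudbuild.builds.update"},
    "roles/cloudbuild.builds.approver": BUILDS_VIEW | {"cloudbuild.builds.approve"},
    "roles/cloudbuild.integrations.viewer": COMMON
    | {"cloudbuild.integrations.get", "cloudbuild.integrations.list"},
    "roles/cloudbuild.integrations.editor": COMMON
    | {"cloudbuild.integrations.get", "cloudbuild.integrations.list",
       "cloudbuild.integrations.update"},
    "roles/cloudbuild.workerPoolUser": {"cloudbuild.workerpools.use"},
}

# Basic role -> Cloud Build roles it includes, as the second table lists them.
BASIC_ROLE_INCLUDES: dict[str, set[str]] = {
    "roles/viewer": {"roles/cloudbuild.builds.viewer", "roles/cloudbuild.integrations.viewer"},
    "roles/editor": {"roles/cloudbuild.builds.editor", "roles/cloudbuild.integrations.editor"},
    "roles/owner": {"roles/cloudbuild.integrations.owner"},
}

# API method -> permission the caller must hold (from the third table).
METHOD_PERMISSION: dict[str, str] = {
    "builds.create": "cloudbuild.builds.create",
    "triggers.create": "cloudbuild.builds.create",
    "triggers.patch": "cloudbuild.builds.create",
    "triggers.delete": "cloudbuild.builds.create",
    "triggers.run": "cloudbuild.builds.create",
    "builds.cancel": "cloudbuild.builds.update",
    "builds.get": "cloudbuild.builds.get",
    "triggers.get": "cloudbuild.builds.get",
    "builds.list": "cloudbuild.builds.list",
    "triggers.list": "cloudbuild.builds.list",
}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.viewer",
         "members": ["user:bob@example.com", "group:auditors@example.com"]},
        {"role": "roles/cloudbuild.builds.approver", "members": ["user:bob@example.com"]},
        {"role": "roles/cloudbuild.workerPoolUser",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ]
}


def member_roles(policy: dict, member: str) -> set[str]:
    """Roles bound to `member` in the policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def effective_permissions(roles: set[str]) -> set[str]:
    """Cloud Build permissions implied by `roles`; basic roles are expanded first.
    Roles not in the tables (custom roles, other services) contribute nothing."""
    expanded = set(roles)
    for role in roles:
        expanded |= BASIC_ROLE_INCLUDES.get(role, set())
    perms: set[str] = set()
    for role in expanded:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_call(policy: dict, member: str, method: str) -> bool:
    """True if `member` holds the permission the table requires for `method`."""
    required = METHOD_PERMISSION[method]
    return required in effective_permissions(member_roles(policy, member))


def audit(policy: dict) -> dict[str, list[str]]:
    """Flag principals whose Cloud Build access comes from a basic role."""
    findings: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BASIC_ROLE_INCLUDES:
            continue
        replacement = ", ".join(sorted(BASIC_ROLE_INCLUDES[role]))
        for member in binding.get("members", []):
            findings.setdefault(member, []).append(
                f"holds basic role {role}; for Cloud Build alone, {replacement} would suffice"
            )
    return findings


if __name__ == "__main__":
    for member, notes in audit(SAMPLE_POLICY).items():
        print(member, "->", "; ".join(notes))
    for member in ("user:alice@example.com", "user:bob@example.com"):
        print(member, {m: can_call(SAMPLE_POLICY, member, m) for m in ("builds.create", "builds.list")})
```

Roles outside the transcribed tables contribute no permissions, so a custom role or a role from another service shows up as "cannot call" rather than as a guess; extend `ROLE_PERMISSIONS` from the full table when you need the integrations, connection, or worker-pool methods.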

To view build logs, you require additional permissions depending on whether you're storing your build logs in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on permissions required to view build logs, see Storing and viewing build logs.

To grant a Cloud Build role to a principal:

  1. Open the IAM page in the Google Cloud console.

  2. Select your project, and click Continue.

  3. Click Grant access.

  4. Enter the user's or service account's email address.

  5. Select the desired role from the drop-down menu. Cloud Build roles are under Cloud Build.

  6. Click Save.

To run gcloud builds commands, users with only the roles/cloudbuild.builds.viewer or roles/cloudbuild.builds.editor role also require the serviceusage.services.use permission. To give them this permission, grant them the roles/serviceusage.serviceUsageConsumer role.

Users with the roles/editor or roles/owner role can run gcloud builds commands without the additional serviceusage.services.use permission.

To view build logs, you require additional permissions depending on whether you're storing your build logs in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on permissions required to view build logs, see Viewing build logs.

To revoke a role from a principal:

  1. Open the IAM page in the Google Cloud console.

  2. Select your project, and click Continue.

  3. In the permissions table, locate the email address of the principal and click the pencil icon.

  4. Delete the role that you want to revoke.

  5. Click Save.

To view which principals hold a given role:

  1. Open the IAM page in the Google Cloud console.

  2. Select your project, and click Continue.

  3. Under View by, click Roles.

  4. To view the principals with a particular role, expand the role name.
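The three console procedures above (grant, revoke, and view by role) have gcloud equivalents, and a small wrapper around them can enforce two points from this page: only predefined Cloud Build roles are granted, and a user who will run gcloud builds commands with only builds.viewer or builds.editor also receives roles/serviceusage.serviceUsageConsumer. The following Python is an added example, not Google's code or part of the original page. By default each function only returns the gcloud argv for review and runs nothing; `execute=True` runs the command through `subprocess`. The project ID and member addresses are placeholders.

```python
"""gcloud equivalents of the console steps above, dry-run by default.

Added example (not Google's code). Each function returns the gcloud argv it
would run; pass execute=True to actually run it. PROJECT_ID and the member
addresses are placeholders, not values from this page.
"""
from __future__ import annotations
import subprocess

# Predefined Cloud Build roles from the table on this page; anything else is refused.
CLOUD_BUILD_ROLES = {
    "roles/cloudbuild.builds.viewer", "roles/cloudbuild.builds.editor",
    "roles/cloudbuild.builds.approver", "roles/cloudbuild.integrations.viewer",
    "roles/cloudbuild.integrations.editor", "roles/cloudbuild.integrations.owner",
    "roles/cloudbuild.connectionViewer", "roles/cloudbuild.connectionAdmin",
    "roles/cloudbuild.readTokenAccessor", "roles/cloudbuild.tokenAccessor",
    "roles/cloudbuild.workerPoolOwner", "roles/cloudbuild.workerPoolEditor",
    "roles/cloudbuild.workerPoolViewer", "roles/cloudbuild.workerPoolUser",
}
# Holders of only these roles need serviceusage.services.use to run `gcloud builds`;
# the page says to grant roles/serviceusage.serviceUsageConsumer for that.
NEEDS_SERVICE_USAGE = {"roles/cloudbuild.builds.viewer", "roles/cloudbuild.builds.editor"}
SERVICE_USAGE_CONSUMER = "roles/serviceusage.serviceUsageConsumer"
# IAM member strings carry a principal-type prefix; a bare email is rejected.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")


def _run(argv: list[str], execute: bool) -> list[str]:
    """Dry run returns the argv; execute=True runs gcloud and returns its stdout lines."""
    if not execute:
        return argv
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def _check_member(member: str) -> None:
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member must start with one of {MEMBER_PREFIXES}: {member}")


def grant_role(project: str, member: str, role: str, *, uses_gcloud: bool = False,
               execute: bool = False) -> list[list[str]]:
    """The 'grant' procedure: bind `role` to `member` on `project`.

    Refuses roles outside the predefined Cloud Build set so a typo cannot grant
    something broader, and adds the Service Usage Consumer role when the user
    will run gcloud builds with only builds.viewer or builds.editor."""
    _check_member(member)
    if role not in CLOUD_BUILD_ROLES:
        raise ValueError(f"not a predefined Cloud Build role: {role}")
    roles = [role]
    if uses_gcloud and role in NEEDS_SERVICE_USAGE:
        roles.append(SERVICE_USAGE_CONSUMER)
    return [
        _run(["gcloud", "projects", "add-iam-policy-binding", project,
              f"--member={member}", f"--role={r}"], execute)
        for r in roles
    ]


def revoke_role(project: str, member: str, role: str, *, execute: bool = False) -> list[str]:
    """The 'revoke' procedure: remove the binding of `role` for `member`."""
    _check_member(member)
    return _run(["gcloud", "projects", "remove-iam-policy-binding", project,
                 f"--member={member}", f"--role={role}"], execute)


def list_principals(project: str, role: str, *, execute: bool = False) -> list[str]:
    """'View by > Roles' in the console: every member bound to `role`."""
    return _run(["gcloud", "projects", "get-iam-policy", project,
                 "--flatten=bindings[].members", f"--filter=bindings.role:{role}",
                 "--format=value(bindings.members)"], execute)


if __name__ == "__main__":
    project = "PROJECT_ID"  # placeholder
    for argv in grant_role(project, "user:bob@example.com",
                           "roles/cloudbuild.builds.viewer", uses_gcloud=True):
        print(" ".join(argv))
    print(" ".join(revoke_role(project, "user:bob@example.com", "roles/editor")))
    print(" ".join(list_principals(project, "roles/cloudbuild.builds.editor")))
```

Keeping the dry run as the default means a change request can include the exact argv that will be applied, and the revoke helper deliberately accepts any role so that a basic role such as roles/editor can be removed on the way to a predefined one.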

For users who want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles. For instructions on creating and using IAM custom roles, see Creating and Managing Custom Roles.
