Control Access - Google Cloud Build
IAM roles and permissions
Access to Cloud Build is controlled using Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Cloud Build provides a specific set of predefined IAM roles, each of which contains a set of permissions. You can use these roles to grant granular access to specific Google Cloud resources and prevent unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the access that is necessary for your resources.
This page describes Cloud Build roles and permissions.
Predefined Cloud Build roles
With IAM, every method in the Cloud Build API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a principal (a user, group, or service account). You can grant multiple roles to a principal on the same resource.
The table below lists the Cloud Build IAM roles and the permissions that they include:
Role | Description | Permissions |
---|---|---|
Name: roles/ Title: Cloud Build Viewer | Can view Cloud Build resources | cloudbuild. |
Name: roles/ Title: Cloud Build Editor | Full control of Cloud Build resources | cloudbuild. |
Name: roles/ Title: Cloud Build Approver | Provides access to approve or reject pending builds | cloudbuild. |
Name: roles/ Title: Cloud Build Service Account | When you enable the Cloud Build API for a project, the Cloud Build service account is automatically created in the project and is granted this role for the resources in the project. The Cloud Build service account uses this role only as required to perform actions when executing your build. | For a list of permissions that this role contains, see Cloud Build service account. |
Name: roles/ Title: Cloud Build Integrations Viewer | Can view Cloud Build host connections | cloudbuild. |
Name: roles/ Title: Cloud Build Integrations Editor | Edit control of Cloud Build host connections | cloudbuild. |
Name: roles/ Title: Cloud Build Integrations Owner | Full control of Cloud Build host connections | cloudbuild. |
Name: roles/ Title: Cloud Build Connection Viewer | Can view and list connections and repositories | resourcemanager. |
Name: roles/ Title: Cloud Build Connection Admin | Can manage connections and repositories | resourcemanager. |
Name: roles/ Title: Cloud Build Read Only Token Accessor | Can view the connection, its repositories, and access their read-only token | cloudbuild. |
Name: roles/ Title: Cloud Build Token Accessor | Can view the connection, its repositories, and access their read-only and read/write token | cloudbuild. |
Name: roles/ Title: Cloud Build WorkerPool Owner | Full control of the private pool | cloudbuild. |
Name: roles/ Title: Cloud Build WorkerPool Editor | Can update private pools | cloudbuild. |
Name: roles/ Title: Cloud Build WorkerPool Viewer | Can view private pools | cloudbuild. |
Name: roles/ Title: Cloud Build WorkerPool User | Can run builds in the private pool | cloudbuild. |
In addition to the above Cloud Build predefined roles, the basic Viewer, Editor, and Owner roles also include permissions related to Cloud Build. However, we recommend that you grant predefined roles where possible to comply with the security principle of least privilege.
The table below lists the basic roles and the Cloud Build IAM roles that they include.
Basic role | Includes Cloud Build roles |
---|---|
roles/ | roles/, roles/ |
roles/ | roles/, roles/ |
roles/ | roles/ |
Permissions
The following table lists the permissions that the caller must have to call each method:
API Method | Required Permission | Role Title |
---|---|---|
builds.create() triggers.create() triggers.patch() triggers.delete() triggers.run() | cloudbuild. | Cloud Build Editor |
builds.cancel() | cloudbuild. | Cloud Build Editor |
builds.get() triggers.get() | cloudbuild. | Cloud Build Editor, Cloud Build Viewer |
builds.list() triggers.list() | cloudbuild. | Cloud Build Editor, Cloud Build Viewer |
Permissions to view build logs
To view build logs, you require additional permissions depending on whether you're storing your build logs in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on permissions required to view build logs, see Storing and viewing build logs.
Configuring access to Cloud Build resources
By default, only the creator of a Google Cloud project has access to the project and its resources. To grant other users access, you can grant Identity and Access Management (IAM) roles on the project, or on a specific Cloud Build resource.
This page describes the ways you can set access control for your Cloud Build resources.
Before you begin
- Understand the basic concepts of IAM.
- Learn about the Cloud Build roles and permissions.
Granting roles on the project
1. Open the IAM page in the Google Cloud console.
2. Select your project, and click Continue.
3. Click Grant access.
4. Enter the user's or service account's email address.
5. Select the desired role from the drop-down menu. Cloud Build roles are under Cloud Build.
6. Click Save.
Granting permissions to run gcloud commands
To run gcloud builds commands, users who have only the cloudbuild.builds.viewer or cloudbuild.builds.editor role also require the serviceusage.services.use permission. To give this permission to a user, grant them the serviceusage.serviceUsageConsumer role.
Users with the roles/editor or roles/owner role can run gcloud builds commands without the additional serviceusage.services.use permission.
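The two review checks this page implies, holding basic roles where a predefined Cloud Build role would do (see the least-privilege recommendation above) and holding a Cloud Build role without the role that carries serviceusage.services.use, can be automated over a project's IAM policy. The following is an added example, not code from the Cloud Build documentation; it assumes the JSON binding shape that gcloud projects get-iam-policy emits, and the principals and project in the sample policy are constructed placeholders.

```python
# Added example (not from the Cloud Build documentation): audit a project IAM
# policy, in the JSON shape returned by `gcloud projects get-iam-policy
# --format=json`, for two things this page describes:
#   1. principals holding basic roles (roles/owner, roles/editor, roles/viewer)
#      where a predefined Cloud Build role would satisfy least privilege;
#   2. principals holding a cloudbuild.builds.* role who still need
#      roles/serviceusage.serviceUsageConsumer to run `gcloud builds` commands.
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
BUILD_ROLES = {"roles/cloudbuild.builds.viewer", "roles/cloudbuild.builds.editor"}
SERVICE_USAGE_ROLE = "roles/serviceusage.serviceUsageConsumer"
# Per the page, owners and editors already have serviceusage.services.use.
ROLES_WITH_SERVICE_USE = {"roles/owner", "roles/editor", SERVICE_USAGE_ROLE}

# Constructed sample policy; all principals are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:bob@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": SERVICE_USAGE_ROLE,
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.viewer", "members": ["user:carol@example.com"]},
    ]
}

def roles_by_member(policy):
    """Invert the bindings list into {member: set of roles}."""
    result = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result[member].add(binding["role"])
    return result

def basic_role_grants(policy):
    """(member, role) pairs where a basic role is held: review for a narrower role."""
    return sorted((m, r) for m, roles in roles_by_member(policy).items()
                  for r in sorted(roles & BASIC_ROLES))

def missing_service_usage(policy):
    """Members with a Cloud Build role but nothing granting serviceusage.services.use."""
    return sorted(m for m, roles in roles_by_member(policy).items()
                  if roles & BUILD_ROLES and not roles & ROLES_WITH_SERVICE_USE)

if __name__ == "__main__":
    for member, role in basic_role_grants(SAMPLE_POLICY):
        print(f"{member} holds basic role {role}; prefer a predefined Cloud Build role")
    for member in missing_service_usage(SAMPLE_POLICY):
        print(f"{member} needs {SERVICE_USAGE_ROLE} to run gcloud builds commands")
```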
Permissions to view build logs
To view build logs, you require additional permissions depending on whether you're storing your build logs in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on permissions required to view build logs, see Viewing build logs.
Revoking roles on the project
1. Open the IAM page in the Google Cloud console.
2. Select your project, and click Continue.
3. In the permissions table, locate the email ID of the principal and click the pencil icon.
4. Delete the role that you want to revoke.
5. Click Save.
Viewing roles on the project
1. Open the IAM page in the Google Cloud console.
2. Select your project, and click Continue.
3. Under View by, click Roles.
4. To view the principals with a particular role, expand the role name.
Creating IAM custom roles
For users that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles. For instructions on creating and using IAM custom roles, see Creating and Managing Custom Roles.