Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies, which grant specific roles that contain certain permissions.

This page explains the IAM permissions and roles that you can use to manage access to projects. For a detailed description of IAM, read the IAM documentation. In particular, see Granting, changing, and revoking access.
Permissions and roles
To control access to resources, Google Cloud requires that accounts making API
requests have appropriate IAM roles. IAM roles
include permissions that allow users to perform specific actions on
Google Cloud resources. For example, the
resourcemanager.projects.delete
permission allows a user to delete a project.
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the resource hierarchy.
Permissions
To manage projects, the caller must have a role that includes the following
permissions. The role is granted on the organization resource or folder that contains the
projects:
Using predefined roles
IAM predefined roles allow you to carefully manage the set of permissions that your users have access to. For a full list of the roles that can be granted at the project level, see Understanding Roles.

The following table lists the predefined roles that you can use to grant access to a project. Each role includes a description of what the role does, and the permissions included in that role.
Role | Permissions
--- | ---
Project Creator (roles/resourcemanager.projectCreator). Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Lowest-level resources where you can grant this role: | resourcemanager.organizations.get, resourcemanager.projects.create
Project Deleter (roles/resourcemanager.projectDeleter). Provides access to delete Google Cloud projects. Lowest-level resources where you can grant this role: | resourcemanager.projects.delete
Project Mover (roles/resourcemanager.projectMover). Provides access to update and move projects. Lowest-level resources where you can grant this role: | resourcemanager.projects.get, resourcemanager.projects.move, resourcemanager.projects.update
Project IAM Admin (roles/resourcemanager.projectIamAdmin). Provides permissions to administer allow policies on projects. Lowest-level resources where you can grant this role: | resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy
Browser (roles/browser). Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project. Lowest-level resources where you can grant this role: | resourcemanager.folders.get, resourcemanager.folders.list, resourcemanager.organizations.get, resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.list
Basic roles
Avoid using basic roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use basic roles, see Basic roles.

Role | Description | Permissions
--- | --- | ---
roles/owner | Full access to all resources. | All permissions for all resources.
roles/editor | Edit access to most resources. | Create and update access for most resources.
roles/viewer | Read access to most resources. | Get and list access for most resources.
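As an added example (not part of this page), the following script audits a project allow policy for the two things this page warns about: bindings to basic roles, and bindings to roles that carry resourcemanager.projects.setIamPolicy (Project IAM Admin from the table above, and Owner, which holds all permissions). The policy and its members are constructed, in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
import json

# Constructed sample allow policy (members are made up, not real principals).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample==",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "group:devs@example.com",
            "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["user:bob@example.com"]},
        {"role": "roles/browser", "members": ["user:carol@example.com"]},
    ],
})

# Basic roles are broad across all services; this page says to avoid them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles listed on this page that can rewrite the project allow policy
# (Owner holds every permission, Project IAM Admin holds setIamPolicy).
POLICY_ADMIN_ROLES = {"roles/owner", "roles/resourcemanager.projectIamAdmin"}


def audit_policy(policy_json):
    """Return (member, role, reason) findings for one project allow policy."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append((member, role,
                                 "basic role: broad access across all services"))
            if role in POLICY_ADMIN_ROLES:
                findings.append((member, role,
                                 "can set the allow policy and grant any permission"))
    return findings


if __name__ == "__main__":
    for member, role, reason in audit_policy(SAMPLE_POLICY):
        print(f"{member:55} {role:45} {reason}")
```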
Creating custom roles
In addition to the predefined roles described in this topic, you can also create custom roles that are collections of permissions that you tailor to your needs. When creating a custom role for use with Resource Manager, be aware of the following points:
- List and get permissions, such as resourcemanager.projects.get/list, should always be granted as a pair.
- When your custom role includes the folders.list and folders.get permissions, it should also include projects.list and projects.get.
- Be aware that the setIamPolicy permission for organization, folder, and project resources allows the user to grant all other permissions, and so should be assigned with care.
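As an added example (not from this page), this checker applies the three points above to a candidate custom role's permission list before it is created: every get/list permission must have its partner, folder get/list must be accompanied by project get/list, and any setIamPolicy permission is flagged for review. The candidate roles are constructed; the check generalizes the get/list pairing rule to any `service.resource.get` / `.list` permission, not only resourcemanager.projects.

```python
# Constructed candidate custom roles (not a real project's role definitions).
REVIEW_ROLE = [
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.setIamPolicy",
]
CLEAN_ROLE = ["resourcemanager.projects.get", "resourcemanager.projects.list"]

PAIRED_VERBS = {"get": "list", "list": "get"}
FOLDER_PAIR = {"resourcemanager.folders.get", "resourcemanager.folders.list"}
PROJECT_PAIR = ("resourcemanager.projects.get", "resourcemanager.projects.list")


def check_custom_role(permissions):
    """Return a list of issues found in a custom role's permission set."""
    perms = set(permissions)
    issues = []
    for perm in sorted(perms):
        parts = perm.rsplit(".", 2)  # e.g. resourcemanager.projects.get
        if len(parts) != 3:
            continue  # not in service.resource.verb form; nothing to pair
        service, resource, verb = parts
        if verb in PAIRED_VERBS:
            partner = f"{service}.{resource}.{PAIRED_VERBS[verb]}"
            if partner not in perms:
                issues.append(f"{perm} granted without {partner}: "
                              "get and list should be a pair")
        if verb == "setIamPolicy":
            issues.append(f"{perm} lets the holder grant any other "
                          "permission on that resource; assign with care")
    # Folder browsing without project browsing leaves the hierarchy half-visible.
    if FOLDER_PAIR <= perms:
        for needed in PROJECT_PAIR:
            if needed not in perms:
                issues.append(f"folders.get/list present but {needed} is missing")
    return issues


if __name__ == "__main__":
    for issue in check_custom_role(REVIEW_ROLE):
        print("-", issue)
```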
Access control at the project level
You can grant roles to users at the project level using the Google Cloud console, the Cloud Resource Manager API, and the Google Cloud CLI. For instructions, see Granting, Changing, and Revoking Access.
Default roles
When you create a project, you are granted the roles/owner role for the project to provide you full control as the creator. This default role can be changed as normal in an IAM policy.
VPC Service Controls
VPC Service Controls can provide additional security when using the Cloud Resource Manager API. To learn more about VPC Service Controls, see the VPC Service Controls overview.

To learn about the current limitations in using Resource Manager with VPC Service Controls, see the supported products and limitations page.