Console
    Contact Us Start free

    Custom roles

    Overview

    IAM provides the ability to create custom roles . You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles enable you to enforce the principle of least privilege , ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. For information about creating custom roles, see Creating and managing custom roles .

    Common user flows and permissions

    The following table lists common user flows and the required permissions for performing Binary Authorization operations.

    The user flows and required permissions listed in the table are not exhaustive. To learn more about Binary Authorization-related permissions, see Permissions . To learn more about all Google Cloud permissions, see IAM Permissions .

    User flow Required permissions
    Enable the API On the attestor and deployer project:
    serviceusage.services.get
    serviceusage.services.list
    serviceusage.services.enable
    serviceusage.services.disable
    serviceusage.services.use
    serviceusage.services.generateServiceIdentity
    serviceusage.services.getServiceIdentity
    serviceusage.quotas.get
    serviceusage.quotas.update
    serviceusage.operations.cancel
    serviceusage.operations.delete
    serviceusage.operations.get
    serviceusage.operations.list
    Configure a policy On the deployer project:
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.policy.get
    binaryauthorization.policy.update

    On the attestor project:
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    Update a policy On the deployer project:
    binaryauthorization.policy.update
    Create an attestor On the attestor project:
    containeranalysis.notes.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    binaryauthorization.attestors.create
    Update an attestor On the containing attestor:
    binaryauthorization.attestors.update
    Create an attestation On the note resource (or project):
    containeranalysis.notes.get
    containeranalysis.notes.attachOccurrence

    On the attestation project:
    containeranalysis.occurrences.create
    containeranalysis.occurrences.update
    containeranalysis.occurrences.get
    containeranalysis.occurrences.list
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: