Permissions and roles

This page describes permissions used in Binary Authorization.

Required permissions

The following table lists the permissions that the caller must have to call each API method:

Method	Required Permission(s)
getPolicy	binaryauthorization.policy.get on the requested policy.
updatePolicy	binaryauthorization.policy.update on the policy to update.
policy.getIamPolicy	binaryauthorization.policy.getIamPolicy on the requested policy.
policy.setIamPolicy	binaryauthorization.policy.setIamPolicy on the requested policy.
policy.testIamPermissions	None.
attestors.list	binaryauthorization.attestors.list on the containing Cloud project.
attestors.get	binaryauthorization.attestors.get on the requested attestor.
attestors.create	binaryauthorization.attestors.create on the containing Cloud project.
attestors.delete	binaryauthorization.attestors.delete on the attestor to delete.
attestors.update	binaryauthorization.attestors.update on the attestor to update.
attestors.getIamPolicy	binaryauthorization.attestors.getIamPolicy on the requested attestor.
attestors.setIamPolicy	binaryauthorization.attestors.setIamPolicy on the requested attestor.
attestors.testIamPermissions	None.
continuousValidationConfig.get	binaryauthorization.continuousValidationConfig.get on the requested continuousValidationConfig.
continuousValidationConfig.update	binaryauthorization.continuousValidationConfig.update on the requested continuousValidationConfig.
continuousValidationConfig.getIamPolicy	binaryauthorization.continuousValidationConfig.getIamPolicy on the requested continuousValidationConfig.
continuousValidationConfig.setIamPolicy	binaryauthorization.continuousValidationConfig.setIamPolicy on the requested continuousValidationConfig.
continuousValidationConfig.testIamPermissions	None.

Project types

The following table lists roles and permissions for different types of projects:

Project type	Description
Deployer	A project that manages the Google Kubernetes Engine (GKE) clusters where your images are deployed, as well as the Binary Authorization policy that governs deployment.
Image	A project that contains the image(s) to be verified.
Attestor	A project that stores attestor definitions. You can also use the note project for this purpose.
Note	A project that stores attestor notes for a particular attestor definition. You can also use the attestor project for this purpose.
Attestation	A project that stores attestations for a particular attestor. You can also use the attestor project or the image project for this purpose.

Predefined roles

The following table lists the predefined Binary Authorization IAM roles with corresponding permissions each role includes. Note that every permission is applicable to a particular resource type.

Basic roles of Owner , Editor and Viewer are available for use on Binary Authorization resources, in addition to predefined type-specific roles of Admin , Editor and Viewer for Binary Authorization attestors and policies.

Roles for the policy resource

Roles for the attestor resource

Note that the roles roles/owner , roles/editor , and roles/viewer include permissions for other Google Cloud services as well.

Checking permissions

binaryauthorization.policy.testIamPermissions and binaryauthorization.attestors.testIamPermissions can be run by any identity.