This page describes Developer Connect roles and permissions.
Access to Developer Connect is controlled using Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Developer Connect provides a specific set of predefined IAM roles, where each role contains a set of permissions suited to a particular type of access or action. We recommend that you adopt the security principle of least privilege and grant only the necessary access to your resources.
Predefined Developer Connect roles
You assign permissions to accounts through the use of roles. The IAM documentation includes a searchable reference of all predefined roles. The following table lists the IAM roles available for Developer Connect and the permissions that they include:
Developer Connect Admin Beta (roles/developerconnect.admin)
Full access to Developer Connect resources.
developerconnect.connections.constructGitHubAppManifest
developerconnect.connections.create
developerconnect.connections.delete
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.generateGitHubStateToken
developerconnect.connections.get
developerconnect.connections.list
developerconnect.connections.processGitHubAppCreationCallback
developerconnect.connections.processGitHubOAuthCallback
developerconnect.connections.update
developerconnect.gitRepositoryLinks.create
developerconnect.gitRepositoryLinks.delete
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.gitProxyRead
developerconnect.gitRepositoryLinks.gitProxyWrite
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.*
developerconnect.operations.cancel
developerconnect.operations.delete
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Viewer Beta (roles/developerconnect.viewer)
Read-only access to Developer Connect resources.
developerconnect.connections.get
developerconnect.connections.list
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect HTTP Proxy Writer Beta (roles/developerconnect.connectionHttpProxyWriter)
Grants read and write access to connections through the HTTP Proxy.
developerconnect.connections.httpProxyRead
developerconnect.connections.httpProxyWrite
Developer Connect Git Proxy Reader Beta (roles/developerconnect.gitProxyReader)
Grants read-only access to repositories through the Git Proxy.
developerconnect.gitRepositoryLinks.gitProxyRead
Developer Connect Git Proxy User Beta (roles/developerconnect.gitProxyUser)
Grants read and write access to repositories through the Git Proxy.
developerconnect.gitRepositoryLinks.gitProxyRead
developerconnect.gitRepositoryLinks.gitProxyWrite
Developer Connect Insights Admin Beta (roles/developerconnect.insightsAdmin)
Admin access to Developer Connect Insights resources.
developerconnect.deploymentEvents.*
developerconnect.deploymentEvents.get
developerconnect.deploymentEvents.list
developerconnect.insightsConfigs.*
developerconnect.insightsConfigs.create
developerconnect.insightsConfigs.delete
developerconnect.insightsConfigs.get
developerconnect.insightsConfigs.list
developerconnect.insightsConfigs.update
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Insights Config Agent Beta (roles/developerconnect.insightsAgent)
Allow Developer Connect to access SDLC information.
cloudasset.assets.exportResource
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
cloudasset.feeds.create
cloudasset.feeds.get
cloudasset.feeds.update
containeranalysis.occurrences.get
containeranalysis.occurrences.list
logging.logEntries.create
Developer Connect Insights Viewer Beta (roles/developerconnect.insightsViewer)
Read-only access to Developer Connect Insights resources.
developerconnect.deploymentEvents.*
developerconnect.deploymentEvents.get
developerconnect.deploymentEvents.list
developerconnect.insightsConfigs.get
developerconnect.insightsConfigs.list
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect OAuth Admin Beta (roles/developerconnect.oauthAdmin)
Grants read and write access to AccountConnector resources.
developerconnect.accountConnectors.*
developerconnect.accountConnectors.create
developerconnect.accountConnectors.delete
developerconnect.accountConnectors.get
developerconnect.accountConnectors.list
developerconnect.accountConnectors.update
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
developerconnect.providers.list
developerconnect.users.*
developerconnect.users.delete
developerconnect.users.deleteSelf
developerconnect.users.fetchAccessToken
developerconnect.users.finishOAuth
developerconnect.users.getSelf
developerconnect.users.list
developerconnect.users.startOAuth
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect OAuth User Beta (roles/developerconnect.oauthUser)
Grants read and write access to User resources, and read access to AccountConnectors.
developerconnect.accountConnectors.get
developerconnect.accountConnectors.list
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
developerconnect.users.deleteSelf
developerconnect.users.fetchAccessToken
developerconnect.users.finishOAuth
developerconnect.users.getSelf
developerconnect.users.startOAuth
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Read Token Accessor Beta (roles/developerconnect.readTokenAccessor)
Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.get
Developer Connect Token Accessor Beta (roles/developerconnect.tokenAccessor)
Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.connections.get
developerconnect.gitRepositoryLinks.fetchReadToken
developerconnect.gitRepositoryLinks.fetchReadWriteToken
developerconnect.gitRepositoryLinks.get
Developer Connect User Beta (roles/developerconnect.user)
Grants access to view the connection and to the features that interact with the actual repository, such as reading content from the repository.
developerconnect.connections.fetchGitHubInstallations
developerconnect.connections.fetchLinkableGitRepositories
developerconnect.connections.get
developerconnect.connections.list
developerconnect.gitRepositoryLinks.fetchGitRefs
developerconnect.gitRepositoryLinks.get
developerconnect.gitRepositoryLinks.list
developerconnect.locations.*
developerconnect.locations.get
developerconnect.locations.list
developerconnect.operations.get
developerconnect.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
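The following Python example is added here to illustrate the least-privilege recommendation and is not part of the original documentation. It models only the four repository-access roles from the table above and reports bindings where a narrower listed role would cover what a workload uses; the policy, the service account names, and the `NEEDS` mapping are constructed sample values.

```python
import json

P = "developerconnect."
# Role -> permissions, copied from the table above (repository-access roles only).
ROLES = {
    "roles/developerconnect.gitProxyReader": {P + "gitRepositoryLinks.gitProxyRead"},
    "roles/developerconnect.gitProxyUser": {
        P + "gitRepositoryLinks.gitProxyRead", P + "gitRepositoryLinks.gitProxyWrite"},
    "roles/developerconnect.readTokenAccessor": {
        P + "connections.get", P + "gitRepositoryLinks.fetchReadToken",
        P + "gitRepositoryLinks.get"},
    "roles/developerconnect.tokenAccessor": {
        P + "connections.get", P + "gitRepositoryLinks.fetchReadToken",
        P + "gitRepositoryLinks.fetchReadWriteToken", P + "gitRepositoryLinks.get"},
}

def tightest_role(needed):
    """Modelled role covering `needed` with the fewest extra permissions, or None."""
    fits = [(len(perms - needed), role) for role, perms in ROLES.items() if needed <= perms]
    return min(fits)[1] if fits else None

def audit(policy, needs):
    """Return (member, granted_role, suggested_role, excess) for over-broad bindings.
    A suggested_role of None means no need is recorded or no modelled role fits."""
    findings = []
    for binding in policy.get("bindings", []):
        granted = ROLES.get(binding["role"])
        if granted is None:
            continue  # role not modelled here
        for member in binding.get("members", []):
            needed = needs.get(member, set())
            best = tightest_role(needed) if needed else None
            excess = granted - needed
            if excess and best != binding["role"]:
                findings.append((member, binding["role"], best, sorted(excess)))
    return findings

# Constructed sample in the bindings layout of an IAM policy exported as JSON.
CI = "serviceAccount:ci-reader@example-project.iam.gserviceaccount.com"
MIRROR = "serviceAccount:mirror@example-project.iam.gserviceaccount.com"
POLICY = json.loads("""{"bindings": [
  {"role": "roles/developerconnect.tokenAccessor", "members": ["%s"]},
  {"role": "roles/developerconnect.gitProxyReader", "members": ["%s"]}
]}""" % (CI, MIRROR))
# Hypothetical per-workload needs, e.g. derived from audit logs.
NEEDS = {CI: ROLES["roles/developerconnect.readTokenAccessor"],
         MIRROR: {P + "gitRepositoryLinks.gitProxyRead"}}

if __name__ == "__main__":
    for finding in audit(POLICY, NEEDS):
        print(finding)
```

For the sample policy, the CI account is reported because it holds the Token Accessor role while using only read-token permissions, so the Read Token Accessor role would remove `fetchReadWriteToken` from its reach.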
Service agent roles
Service agent roles should only be granted to service agents.
Developer Connect service account
Developer Connect uses a service agent to execute tasks on your behalf when communicating with other services. This service agent is created automatically when you first interact with Developer Connect (create a repository connection or account connector).
The identifier for the Developer Connect service agent is as follows, where PROJECT_NUMBER is your Google Cloud project number.
service-PROJECT_NUMBER@gcp-sa-devconnect.iam.gserviceaccount.com
You use this identifier to grant or modify IAM roles and permissions.
For specific steps on granting roles, see Granting, changing, and revoking access to resources.