Building Google Cloud Platform Solutions

Resource-level policies

In addition to project-level policies that define access for entire classes of resources within a project, many resource types support more fine-grained access controls. Resource types that support per-instance IAM policies include Compute Engine VMs, Cloud Storage buckets, BigQuery datasets, service accounts, and Pub/Sub topics and subscriptions.

This is useful when we want to grant an actor access to one or more instances of a given resource type, but not all. As an example, an App Engine service running in another project may care to receive Pub/Sub messages from your project. With per-subscription IAM policies, you could allow that service to create subscriptions for a given topic and pull messages from that subscription. This would allow the service to get the messages it needs without allowing it to access messages in other Pub/Sub topics.

In the previous example, the external service would need the pubsub.topics.attachSubscription permission to create a new subscription on a topic and the pubsub.subscriptions.consume permission to pull messages on that subscription. This can be achieved by creating an IAM policy that grants the service the roles/pubsub.subscriber role for that topic.
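As an added illustration (not code from the book), the following Python builds the per-topic policy binding described above and then checks where the external service actually holds the role. The policy documents are constructed samples in the JSON shape that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints and `gcloud pubsub topics set-iam-policy TOPIC policy.json` accepts; the project, topic and service-account names are hypothetical placeholders.

```python
"""Added example (not from the book): build a per-topic Pub/Sub IAM policy
binding and audit where a member actually holds a role.

Policy documents below are constructed samples in the JSON shape used by
`gcloud pubsub topics get-iam-policy` / `set-iam-policy`. Project, topic
and service-account names are hypothetical placeholders.
"""
import copy
import json

SUBSCRIBER_ROLE = "roles/pubsub.subscriber"

# The external App Engine service from the text, as a hypothetical service account.
EXTERNAL_MEMBER = "serviceAccount:consumer@other-project.iam.gserviceaccount.com"
TOPIC = "projects/my-project/topics/orders"

# Constructed: the topic's current policy (only the owning API may publish).
CURRENT_TOPIC_POLICY = {
    "etag": "BwXyz123",
    "version": 1,
    "bindings": [
        {
            "role": "roles/pubsub.publisher",
            "members": ["serviceAccount:orders-api@my-project.iam.gserviceaccount.com"],
        }
    ],
}

# Constructed: the project-level policy, which grants nothing to the external service.
PROJECT_POLICY = {
    "etag": "BwAbc456",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]}
    ],
}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`.

    Mirrors what `gcloud ... add-iam-policy-binding` does: reuse an existing
    binding for the role if present, otherwise append one. The etag is kept
    so a later set-iam-policy call is rejected if the policy changed meanwhile.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_with_role(policy, role):
    """Set of members bound to `role` in one policy document."""
    return {
        m
        for b in policy.get("bindings", [])
        if b["role"] == role
        for m in b["members"]
    }


def grant_scope(member, role, project_policy, topic_policies):
    """List where `member` holds `role`: 'project' (inherited by every topic)
    or individual topic names. A 'project' entry means the resource-level
    grant is redundant and the member can consume from every topic in the
    project, which defeats the purpose of scoping the grant to one topic.
    """
    scope = []
    if member in members_with_role(project_policy, role):
        scope.append("project")
    for topic_name, policy in topic_policies.items():
        if member in members_with_role(policy, role):
            scope.append(topic_name)
    return scope


if __name__ == "__main__":
    new_policy = add_binding(CURRENT_TOPIC_POLICY, SUBSCRIBER_ROLE, EXTERNAL_MEMBER)
    print(json.dumps(new_policy, indent=2))
    print(grant_scope(EXTERNAL_MEMBER, SUBSCRIBER_ROLE, PROJECT_POLICY, {TOPIC: new_policy}))
```

Writing the printed policy to `policy.json` and applying it with `gcloud pubsub topics set-iam-policy orders policy.json` (or, equivalently, one `gcloud pubsub topics add-iam-policy-binding orders --member=... --role=roles/pubsub.subscriber` call) gives the external service exactly the `pubsub.topics.attachSubscription` and `pubsub.subscriptions.consume` permissions it needs on that one topic; the `grant_scope` check is the audit that confirms the same role was not also granted at the project level, where it would apply to every topic.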

In addition to resource-level IAM policies, some Google Cloud products and services support other forms of access control. For example, Cloud Storage supports bucket and object-level access control lists (ACLs), as well as signed URLs.