Create a Google Cloud IAM Role
A Google Cloud IAM role is a collection of permissions, such as read, write, and delete. Google Cloud IAM roles can be added to both cloud rules and cloud access roles in Kion.
Before implementing Google Cloud IAM roles, we recommend reading Google Cloud IAM Role Best Practices.
To create a new role in Kion:
- Navigate to Cloud Management > Google Cloud IAM Roles.
- Click Add New .
- Enter a Name for the IAM role. For information about Google's naming conventions for roles, see Understanding IAM Custom Roles - Naming the Role.
- (Optional) Add a Description.
- Select a Launch Stage for your role. You can read about Launch Stages Understanding IAM Custom Roles - Testing and Deploying.
- Enter allowed permissions for the role. Kion manages the other attributes like name/description, so you only need to create a JSON array with allowed permissions. Wildcards are accepted. For example, the permissions may look like this:
[ "cloudbuild.builds.create", "cloudbuild.builds.get", "cloudbuild.builds.list", "cloudbuild.builds.update", "remotebuildexecution.blobs.get", "resourcemanager.projects.get", "resourcemanager.projects.list" ]
- (Optional) Validate the IAM permissions against one of your Google Cloud projects.
- Enter denied permissions for the role. This prevents the role from inheriting the indicated permissions from parent resources. These permissions will be denied on the role, even if a parent resource or the Google Cloud project grants the permission. Wildcards are accepted. For more information, see Preventative Google Cloud IAM Roles.
- Select at least one user or user group as the owner.
- Select whether the policy will be public or restricted.
- Public policies. All users with permission to manage cloud access roles can select public policies when creating cloud access roles.
- Restricted policies. Only those users selected in the policy can select restricted policies when creating cloud access roles. When you set a policy as restricted, you must select at least one user or user group to have permission to use the policy.
To see which permissions are allowed or denied on a cloud access role, navigate to the details page of a project with the role, select Cloud Management > Cloud Access Roles, click the ellipsis menu next to the role, and select View Permissions. This lists all permissions applied or denied by the role, including those inherited from parent resources.