Google Cloud has the Owner, Editor and Viewer roles, which grant permissions across a broad portion of a project.
These roles, however, are now called "Legacy Basic Roles", and a new set of "Basic Roles" is being introduced: Admin, Writer and Reader correspond to Owner, Editor and Viewer respectively. The official documentation did not make the concrete differences between the old and new roles clear to me, so I investigated them.
Owner vs Admin
Command used
diff -u <(gcloud iam roles describe roles/owner) <(gcloud iam roles describe roles/admin)
Result
@@ -1,5 +1,4 @@
-description: Full access to most Google Cloud resources. See the list of included
- permissions.
+description: Full access to all resources.
etag: AA==
includedPermissions:
- accessapproval.requests.approve
@@ -1576,19 +1575,30 @@
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.savedqueries.update
+- bigquery.tables.create
- bigquery.tables.createIndex
- bigquery.tables.createSnapshot
- bigquery.tables.createTagBinding
+- bigquery.tables.delete
- bigquery.tables.deleteIndex
- bigquery.tables.deleteSnapshot
- bigquery.tables.deleteTagBinding
+- bigquery.tables.export
+- bigquery.tables.get
+- bigquery.tables.getData
- bigquery.tables.getIamPolicy
+- bigquery.tables.list
- bigquery.tables.listEffectiveTags
- bigquery.tables.listTagBindings
- bigquery.tables.replicateData
- bigquery.tables.restoreSnapshot
+- bigquery.tables.setCategory
+- bigquery.tables.setColumnDataPolicy
- bigquery.tables.setIamPolicy
+- bigquery.tables.update
+- bigquery.tables.updateData
- bigquery.tables.updateIndex
+- bigquery.tables.updateTag
- bigquery.transfers.get
- bigquery.transfers.update
- bigquerymigration.subtasks.get
@@ -9484,9 +9494,18 @@
- remotebuildexecution.workerpools.get
- remotebuildexecution.workerpools.list
- remotebuildexecution.workerpools.update
+- resourcemanager.folders.create
- resourcemanager.folders.createPolicyBinding
+- resourcemanager.folders.delete
- resourcemanager.folders.deletePolicyBinding
+- resourcemanager.folders.get
+- resourcemanager.folders.getIamPolicy
+- resourcemanager.folders.list
+- resourcemanager.folders.move
- resourcemanager.folders.searchPolicyBindings
+- resourcemanager.folders.setIamPolicy
+- resourcemanager.folders.undelete
+- resourcemanager.folders.update
- resourcemanager.folders.updatePolicyBinding
- resourcemanager.hierarchyNodes.createTagBinding
- resourcemanager.hierarchyNodes.deleteTagBinding
@@ -9494,7 +9513,10 @@
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.createPolicyBinding
- resourcemanager.organizations.deletePolicyBinding
+- resourcemanager.organizations.get
+- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.searchPolicyBindings
+- resourcemanager.organizations.setIamPolicy
- resourcemanager.organizations.updatePolicyBinding
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.createPolicyBinding
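Review bot: the `+` line `resourcemanager.organizations.setIamPolicy` here, together with `resourcemanager.folders.setIamPolicy` in the preceding hunk, means roles/admin bound at folder or organization level can rewrite the IAM policy of that node, which roles/owner, per these hunks, cannot. The conclusion that nothing narrows is correct, but this is a widening of control-plane authority at those scopes; suggest noting in the prose that the comparison is not only a project-level one, and reviewing any folder- or organization-level Owner bindings before swapping them for Admin.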
@@ -10229,16 +10251,33 @@
- stackdriver.projects.get
- stackdriver.resourceMetadata.list
- stackdriver.resourceMetadata.write
+- storage.anywhereCaches.create
+- storage.anywhereCaches.disable
+- storage.anywhereCaches.get
+- storage.anywhereCaches.list
+- storage.anywhereCaches.pause
+- storage.anywhereCaches.resume
+- storage.anywhereCaches.update
+- storage.bucketOperations.cancel
+- storage.bucketOperations.get
+- storage.bucketOperations.list
- storage.buckets.create
- storage.buckets.createTagBinding
- storage.buckets.delete
- storage.buckets.deleteTagBinding
- storage.buckets.enableObjectRetention
+- storage.buckets.get
+- storage.buckets.getIamPolicy
+- storage.buckets.getIpFilter
- storage.buckets.getObjectInsights
- storage.buckets.list
- storage.buckets.listEffectiveTags
- storage.buckets.listTagBindings
+- storage.buckets.relocate
- storage.buckets.restore
+- storage.buckets.setIamPolicy
+- storage.buckets.setIpFilter
+- storage.buckets.update
- storage.folders.create
- storage.folders.delete
- storage.folders.get
@@ -10251,6 +10290,27 @@
- storage.hmacKeys.update
- storage.intelligenceConfigs.get
- storage.intelligenceConfigs.update
+- storage.managedFolders.create
+- storage.managedFolders.delete
+- storage.managedFolders.get
+- storage.managedFolders.getIamPolicy
+- storage.managedFolders.list
+- storage.managedFolders.setIamPolicy
+- storage.multipartUploads.abort
+- storage.multipartUploads.create
+- storage.multipartUploads.list
+- storage.multipartUploads.listParts
+- storage.objects.create
+- storage.objects.delete
+- storage.objects.get
+- storage.objects.getIamPolicy
+- storage.objects.list
+- storage.objects.move
+- storage.objects.overrideUnlockedRetention
+- storage.objects.restore
+- storage.objects.setIamPolicy
+- storage.objects.setRetention
+- storage.objects.update
- storageinsights.datasetConfigs.create
- storageinsights.datasetConfigs.delete
- storageinsights.datasetConfigs.get
@@ -10880,6 +10940,6 @@
- workstations.workstations.start
- workstations.workstations.stop
- workstations.workstations.update
-name: roles/owner
-stage: GA
-title: Owner
+name: roles/admin
+stage: ALPHA
+title: Admin
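Review bot: `stage: ALPHA` on roles/admin (and likewise on roles/writer and roles/reader in the diffs below) means the permission lists captured here are not yet stable and may change before GA. Suggest stating the stage in the summary and re-running the `diff -u <(gcloud iam roles describe ...)` command at migration time rather than relying on this snapshot.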
The comparison shows that Admin holds more permissions than Owner, so migrating from Owner to Admin does not narrow permissions.
The permissions held only by Admin fall mainly into the following areas:
- BigQuery
- Resource Manager
- Cloud Storage
Editor vs Writer
Command used
diff -u <(gcloud iam roles describe roles/editor) <(gcloud iam roles describe roles/writer)
Result
@@ -1,5 +1,4 @@
-description: View, create, update, and delete most Google Cloud resources. See the
- list of included permissions.
+description: Write access to all resources.
etag: AA==
includedPermissions:
- accessapproval.requests.get
@@ -1493,15 +1492,24 @@
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.savedqueries.update
+- bigquery.tables.create
- bigquery.tables.createIndex
- bigquery.tables.createSnapshot
+- bigquery.tables.delete
- bigquery.tables.deleteIndex
+- bigquery.tables.export
+- bigquery.tables.get
+- bigquery.tables.getData
- bigquery.tables.getIamPolicy
+- bigquery.tables.list
- bigquery.tables.listEffectiveTags
- bigquery.tables.listTagBindings
- bigquery.tables.replicateData
- bigquery.tables.restoreSnapshot
+- bigquery.tables.update
+- bigquery.tables.updateData
- bigquery.tables.updateIndex
+- bigquery.tables.updateTag
- bigquery.transfers.get
- bigquery.transfers.update
- bigquerymigration.subtasks.get
@@ -8280,11 +8288,20 @@
- remotebuildexecution.workerpools.get
- remotebuildexecution.workerpools.list
- remotebuildexecution.workerpools.update
+- resourcemanager.folders.create
+- resourcemanager.folders.delete
+- resourcemanager.folders.get
+- resourcemanager.folders.getIamPolicy
+- resourcemanager.folders.list
- resourcemanager.folders.searchPolicyBindings
+- resourcemanager.folders.undelete
+- resourcemanager.folders.update
- resourcemanager.hierarchyNodes.createTagBinding
- resourcemanager.hierarchyNodes.deleteTagBinding
- resourcemanager.hierarchyNodes.listEffectiveTags
- resourcemanager.hierarchyNodes.listTagBindings
+- resourcemanager.organizations.get
+- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.searchPolicyBindings
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
@@ -8954,20 +8971,39 @@
- stackdriver.resourceMetadata.write
- storage.buckets.create
- storage.buckets.delete
+- storage.buckets.get
+- storage.buckets.getIamPolicy
+- storage.buckets.getIpFilter
- storage.buckets.list
- storage.buckets.listEffectiveTags
- storage.buckets.listTagBindings
+- storage.buckets.update
- storage.folders.create
- storage.folders.delete
- storage.folders.get
- storage.folders.list
- storage.folders.rename
-- storage.hmacKeys.create
-- storage.hmacKeys.delete
- storage.hmacKeys.get
- storage.hmacKeys.list
-- storage.hmacKeys.update
- storage.intelligenceConfigs.get
+- storage.managedFolders.create
+- storage.managedFolders.delete
+- storage.managedFolders.get
+- storage.managedFolders.getIamPolicy
+- storage.managedFolders.list
+- storage.multipartUploads.abort
+- storage.multipartUploads.create
+- storage.multipartUploads.listParts
+- storage.objects.create
+- storage.objects.delete
+- storage.objects.get
+- storage.objects.getIamPolicy
+- storage.objects.list
+- storage.objects.move
+- storage.objects.overrideUnlockedRetention
+- storage.objects.restore
+- storage.objects.setRetention
+- storage.objects.update
- storageinsights.datasetConfigs.create
- storageinsights.datasetConfigs.delete
- storageinsights.datasetConfigs.get
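Review bot: the `-` lines `storage.hmacKeys.create`, `storage.hmacKeys.delete` and `storage.hmacKeys.update` are the one place in these diffs where the replacement role is narrower: a principal that creates or rotates HMAC keys (for example for S3-compatible access to Cloud Storage) under Editor will start getting permission errors as Writer, while `get` and `list` survive. Suggest checking the admin activity audit logs for HMAC key creation or deletion by Editor principals before migrating, and giving the affected principals a dedicated role carrying those three permissions (a custom role, or the predefined roles/storage.hmacKeyAdmin) alongside Writer.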
@@ -9575,6 +9611,6 @@
- workstations.workstations.start
- workstations.workstations.stop
- workstations.workstations.update
-name: roles/editor
-stage: GA
-title: Editor
+name: roles/writer
+stage: ALPHA
+title: Writer
The general trend is the same as Owner vs Admin, but note that the storage.hmacKeys management permissions (create, delete and update) are granted only to Editor.
Viewer vs Reader
Command used
diff -u <(gcloud iam roles describe roles/viewer) <(gcloud iam roles describe roles/reader)
Result
@@ -1,4 +1,4 @@
-description: View most Google Cloud resources. See the list of included permissions.
+description: Read access to all resources.
etag: AA==
includedPermissions:
- accessapproval.requests.get
@@ -711,7 +711,11 @@
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.tables.createSnapshot
+- bigquery.tables.export
+- bigquery.tables.get
+- bigquery.tables.getData
- bigquery.tables.getIamPolicy
+- bigquery.tables.list
- bigquery.tables.listEffectiveTags
- bigquery.tables.listTagBindings
- bigquery.tables.replicateData
@@ -4139,9 +4143,14 @@
- remotebuildexecution.logstreams.get
- remotebuildexecution.workerpools.get
- remotebuildexecution.workerpools.list
+- resourcemanager.folders.get
+- resourcemanager.folders.getIamPolicy
+- resourcemanager.folders.list
- resourcemanager.folders.searchPolicyBindings
- resourcemanager.hierarchyNodes.listEffectiveTags
- resourcemanager.hierarchyNodes.listTagBindings
+- resourcemanager.organizations.get
+- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.searchPolicyBindings
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
@@ -4502,6 +4511,9 @@
- speech.recognizers.recognize
- stackdriver.projects.get
- stackdriver.resourceMetadata.list
+- storage.buckets.get
+- storage.buckets.getIamPolicy
+- storage.buckets.getIpFilter
- storage.buckets.list
- storage.buckets.listEffectiveTags
- storage.buckets.listTagBindings
@@ -4510,6 +4522,13 @@
- storage.hmacKeys.get
- storage.hmacKeys.list
- storage.intelligenceConfigs.get
+- storage.managedFolders.get
+- storage.managedFolders.getIamPolicy
+- storage.managedFolders.list
+- storage.multipartUploads.listParts
+- storage.objects.get
+- storage.objects.getIamPolicy
+- storage.objects.list
- storageinsights.datasetConfigs.get
- storageinsights.datasetConfigs.list
- storageinsights.locations.get
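Review bot: the `+` lines `storage.objects.get` and `storage.objects.list` (with `storage.managedFolders.get` and, in the previous hunk, `storage.buckets.get`) mean roles/reader carries object data read as an IAM permission, whereas roles/viewer, per this diff, does not. A principal given Viewer for dashboards or auditing therefore gains read access to the contents of every bucket in scope once it is replaced by Reader, and no permission error is exactly what such a widening looks like. Suggest calling this out next to the "no permission errors" conclusion and reviewing which Viewer bindings should become Reader versus a narrower role.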
@@ -4820,6 +4839,6 @@
- workstations.workstations.get
- workstations.workstations.getIamPolicy
- workstations.workstations.list
-name: roles/viewer
-stage: GA
-title: Viewer
+name: roles/reader
+stage: ALPHA
+title: Reader
The general trend is the same as Owner vs Admin.
Summary
When replacing a Legacy Basic Role with a Basic Role, the change is essentially one of broadening permissions, so this operation does not normally cause permission errors. The only exception is the HMAC key permissions when replacing Editor with Writer, so some care is needed if you rely on those permissions.
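As an added example (not part of the original post), here is a small shell check that automates the question the diffs above answer by eye: which permissions a legacy role has that its replacement lacks, and which ones the replacement adds. It assumes the YAML layout printed by `gcloud iam roles describe`; the two files it compares are constructed excerpts so it runs offline.

```shell
# Added example, not from the original post: compare two role descriptions as
# printed by `gcloud iam roles describe roles/<name>` and report what a legacy
# -> new migration would drop and what it would widen. The two files are
# constructed excerpts standing in for real gcloud output so this runs offline.
WORK=$(mktemp -d)

# Constructed excerpt shaped like the roles/editor output
cat > "$WORK/legacy.yaml" <<'EOF'
description: View, create, update, and delete most Google Cloud resources.
includedPermissions:
- storage.buckets.create
- storage.hmacKeys.create
- storage.hmacKeys.delete
- storage.hmacKeys.get
- storage.hmacKeys.list
- storage.hmacKeys.update
name: roles/editor
EOF

# Constructed excerpt shaped like the roles/writer output
cat > "$WORK/new.yaml" <<'EOF'
description: Write access to all resources.
includedPermissions:
- storage.buckets.create
- storage.hmacKeys.get
- storage.hmacKeys.list
- storage.objects.create
- storage.objects.get
name: roles/writer
EOF

# Keep only the "- service.resource.verb" lines under includedPermissions,
# sorted and unique so comm(1) can compare them; other YAML keys are ignored.
perms() { sed -n 's/^- \([A-Za-z0-9_.]*\)$/\1/p' "$1" | sort -u; }

# Permissions in the legacy role ($1) that the new role ($2) lacks: these are
# the calls that would start failing after the migration.
lost_permissions() {
  perms "$1" > "$WORK/a"; perms "$2" > "$WORK/b"; comm -23 "$WORK/a" "$WORK/b"
}

# Permissions the new role ($2) adds on top of the legacy role ($1): the
# widening that should be reviewed before rolling the new role out.
gained_permissions() {
  perms "$1" > "$WORK/a"; perms "$2" > "$WORK/b"; comm -13 "$WORK/a" "$WORK/b"
}

echo "== lost =="; lost_permissions "$WORK/legacy.yaml" "$WORK/new.yaml"
echo "== gained =="; gained_permissions "$WORK/legacy.yaml" "$WORK/new.yaml"
```

Against live data, replace the constructed files with the real output, e.g. `gcloud iam roles describe roles/editor > legacy.yaml` and `gcloud iam roles describe roles/writer > new.yaml`.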