- Building Google Cloud Platform Solutions
- Ted Hunter, Steven Porter, Legorie Rajan PS
- 2021-07-02 12:24:37
IAM on the Google App Engine
When it comes to managing App Engine services, Google Cloud offers an expressive control plane in the form of Cloud Identity & Access Management (IAM) integrations. There are over 20 IAM permissions dedicated to specific App Engine operations. As discussed in Chapter 3, APIs, CLIs, IAM, and Billing, these permissions are allocated to users and service accounts in the form of curated roles. App Engine curated roles include:
- App Engine Viewer (roles/appengine.appViewer): Grants read-only access to App Engine instances, services, and configurations
- App Engine Code Viewer (roles/appengine.codeViewer): Grants read-only access to App Engine resources including deployments, services, instance details, configurations, and deployed source code
- App Engine Deployer (roles/appengine.deployer): Grants read-only access to existing services and the ability to deploy new versions of existing services
- App Engine Service Admin (roles/appengine.serviceAdmin): Grants access to modify version and instance settings for existing services
- App Engine Admin (roles/appengine.appAdmin): Grants full access to all App Engine operations
Each of these roles can be assigned in project-level IAM policies to grant permissions on all App Engine services within a project, or in organization-level policies to allow access to App Engine resources across all projects within the organization. Primitive roles such as owner, editor, and viewer apply here as well.
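Because the curated roles above differ mainly in whether they allow changes (deployer, serviceAdmin, appAdmin) or only reads (appViewer, codeViewer), and because primitive roles grant those same permissions alongside everything else in the project, a useful review is to list every principal that can alter App Engine from a policy export. The following script is an added example, not code from the book; it reads a policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` (an organization policy has the same bindings structure), and the sample policy, member names and project id embedded in it are constructed placeholders.

```python
"""Audit App Engine IAM bindings for write-capable and over-broad grants.

Added example (not from the book). Input is an IAM policy document in the
shape returned by `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY below is constructed; the identities in it are placeholders.
"""
from collections import defaultdict

# App Engine curated roles, grouped by the level of access they convey.
READ_ONLY_ROLES = {"roles/appengine.appViewer", "roles/appengine.codeViewer"}
DEPLOY_ROLES = {"roles/appengine.deployer"}
ADMIN_ROLES = {"roles/appengine.serviceAdmin", "roles/appengine.appAdmin"}
# Primitive roles carry App Engine write permissions too, plus everything
# else in the project, so they deserve a separate finding.
PRIMITIVE_WRITE_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy (placeholder accounts and project id).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/appengine.appViewer",
         "members": ["user:auditor@example.com"]},
        {"role": "roles/appengine.deployer",
         "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/appengine.appAdmin",
         "members": ["group:platform-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["user:contractor@example.com",
                     "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:analyst@example.com"]},
    ],
    "etag": "BwXplaceholder=",
    "version": 1,
}


def classify(role):
    """Map an IAM role name to the App Engine access level it conveys."""
    if role in READ_ONLY_ROLES:
        return "read"
    if role in DEPLOY_ROLES:
        return "deploy"
    if role in ADMIN_ROLES:
        return "admin"
    if role in PRIMITIVE_WRITE_ROLES:
        return "primitive"
    return None  # unrelated to App Engine


def audit_app_engine_access(policy):
    """Return {member: set(levels)} for every member able to modify App Engine.

    Read-only and unrelated bindings are skipped; deploy, admin and primitive
    grants are collected so each can be checked against least privilege.
    """
    access = defaultdict(set)
    for binding in policy.get("bindings", []):
        level = classify(binding["role"])
        if level in (None, "read"):
            continue
        for member in binding["members"]:
            access[member].add(level)
    return dict(access)


def over_broad_members(policy):
    """Members whose App Engine access comes from a primitive role.

    These are the first candidates for replacement with a curated role
    such as roles/appengine.deployer scoped to what the principal does.
    """
    return sorted(m for m, levels in audit_app_engine_access(policy).items()
                  if "primitive" in levels)


if __name__ == "__main__":
    for member, levels in sorted(audit_app_engine_access(SAMPLE_POLICY).items()):
        print(f"{member}: {', '.join(sorted(levels))}")
    print("over-broad:", over_broad_members(SAMPLE_POLICY))
```

On the sample policy the script reports the CI service account twice: once through the curated deployer role and once through editor, which makes the curated grant redundant and the editor grant the one to remove. The same pass over an organization-level policy shows which principals can deploy to every project at once.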