I have two users, [email protected] and [email protected], and I have a Google Cloud project X. Inside X, I have two VMs: vm1 and vm2. How can I grant the start and stop actions on vm1 and vm2 to users [email protected] and [email protected], but so that only [email protected] has access to vm1 and only [email protected] has access to vm2? If it is possible, please show a scenario for doing it.
1 Answer
The parent resource to Compute Engine is the project resource. Typically you grant IAM roles at the project level for an identity.
Compute Engine supports resource-level access control. This means that you can grant access to one Compute Engine VM resource and not all Compute Engine VMs in a project. A typical Compute Engine VM consists of multiple resources such as the instance, disks, snapshots, images, etc. Each item is a resource that requires permissions.
To grant a user the ability to "effectively" use a Compute Engine instance, assign the role roles/compute.instanceAdmin.v1. This role allows a user to manage the instance, but not create new instances.
gcloud compute instances add-iam-policy-binding <RESOURCE-NAME> \
--zone=<ZONE> \
--member=user:<EMAIL-ADDRESS> \
--role=roles/compute.instanceAdmin.v1
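The scenario from the question, carried through as an added example (not part of the answer above): each user gets a resource-level binding on exactly one VM, then the per-instance policy is printed for verification. The project name X and zone us-central1-a are assumed; the GCLOUD variable lets the script be dry-run with GCLOUD=echo, and ROLE can be swapped for a custom role holding only compute.instances.start, compute.instances.stop and compute.instances.get if instanceAdmin.v1 is broader than you want.

```shell
#!/usr/bin/env sh
# Constructed scenario: project X, vm1 for user1 and vm2 for user2.
# GCLOUD is overridable so the script can be dry-run with GCLOUD=echo.
GCLOUD="${GCLOUD:-gcloud}"
PROJECT="X"                                    # assumed project id
ROLE="${ROLE:-roles/compute.instanceAdmin.v1}" # or a narrower custom role

# Bind ROLE for one member on one instance (resource-level, not project-level).
grant_instance_role() {
  vm="$1"; zone="$2"; member="$3"
  case "$member" in
    user:*@*) ;;
    *) echo "member must look like user:name@domain" >&2; return 1 ;;
  esac
  "$GCLOUD" compute instances add-iam-policy-binding "$vm" \
    --project="$PROJECT" --zone="$zone" \
    --member="$member" --role="$ROLE"
}

# Show the effective IAM policy on a single instance so the binding can be checked.
show_instance_policy() {
  "$GCLOUD" compute instances get-iam-policy "$1" --project="$PROJECT" --zone="$2"
}

main() {
  grant_instance_role vm1 us-central1-a user:user1@example.com
  grant_instance_role vm2 us-central1-a user:user2@example.com
  show_instance_policy vm1 us-central1-a
  show_instance_policy vm2 us-central1-a
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run the script with --apply to execute the bindings; a member that is not a user: principal is rejected before any gcloud call is made.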