- Restrict queue management methods to a small set of people or entities.
- For large organizations, use a service account to run software that enforces proper queue configuration.
- Separate users and other entities into Queue Admins, Cloud Task Workers and App Engine Deployer categories.
- Queue Admins group have permission to call Cloud Tasks queue management methods, or to upload queue.yaml files.
- Queue Admins group is restricted to a very small set of users so as to reduce the risk of clobbering queue configuration.
- Cloud Tasks Workers group have permission to perform common interactions with Cloud Tasks such as enqueuing and dequeuing tasks.
- Cloud Tasks Workers group are not allowed to call Cloud Tasks queue management methods.
- App Engine Deployers for projects that have App Engine apps have permission to deploy the app.
- They are not permitted to upload queue.yaml files or make any Cloud Tasks API calls, thus allowing the queue admins to enforce the proper policies.
- Users who are queue admins should not also be Cloud Tasks workers, since that would defeat the purpose of the separation.
- If a project uses Cloud Tasks queue management methods exclusively, it might also make sense that queue admins should not also be App Engine deployers, since this would make it possible for an errant queue.yaml file to be uploaded.
- Small projects and organizations can assign Cloud IAM roles directly to users to place them into the groups above.
- This makes sense for teams who prefer configuration simplicity or who make queue configuration changes or App Engine app deployments by hand.
- Large projects and organizations can use Service Accounts to separate duties and responsibilities.
- This makes sense for teams with complex infrastructure for changing queue configuration and perhaps also deploying App Engine apps.