本頁面由 Cloud Translation API 翻譯而成。

授予 App Engine 存取權的角色

角色會決定使用者帳戶或服務帳戶可使用的服務和動作。下列角色類型可授予 App Engine 存取權：

基本角色：適用於專案中的所有服務和資源，包括但不限於 App Engine。舉例來說，具有「編輯者」角色的帳戶可以變更 App Engine 和 Cloud Storage 設定。
預先定義的 App Engine 角色：提供 App Engine 的精細存取權限。Google Cloud 專案中的每項服務都會提供自己的預先定義角色。舉例來說，只有 App Engine 部署者角色的帳戶可以部署 App Engine 應用程式，但無法在 Cloud Storage 中查看或建立物件。這類帳戶也需要特定的 Cloud Storage 預先定義角色，才能在 Cloud Storage 中建立或查看物件。
自訂角色：根據您指定的權限清單，提供精細的存取權限。

處理需求較單純的小型專案時，您可以使用基本角色。如要執行更精細的存取權控管，請使用預先定義的角色。

基本角色

基本角色適用於專案中的所有服務和資源。舉例來說，具有「編輯者」角色的帳戶可以變更 App Engine 和 Cloud Storage 設定。

角色	Google Cloud 控制台權限	工具權限
`Owner`	建立 App Engine 應用程式的必要角色。具備所有檢視者和編輯者權限，並能夠查看部署的原始碼、邀請使用者、變更使用者角色，以及刪除應用程式。	建立 App Engine 應用程式的必要角色。也可以部署應用程式程式碼及更新所有設定。
`Editor`	查看應用程式資訊及編輯應用程式設定。	部署應用程式程式碼、更新索引/佇列/Cron。
`Viewer`	查看應用程式資訊。	要求記錄

預先定義的 App Engine 角色

Role Permissions

Role	Permissions
App Engine Admin (`roles/appengine.appAdmin`) Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (`roles/iam.serviceAccountUser`) role on the assigned App Engine service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`), and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.applications.update` `appengine.instances.` `appengine.instances.delete` `appengine.instances.enableDebug` `appengine.instances.get` `appengine.instances.list` `appengine.memcache.addKey` `appengine.memcache.flush` `appengine.memcache.get` `appengine.memcache.update` `appengine.operations.` `appengine.operations.get` `appengine.operations.list` `appengine.runtimes.actAsAdmin` `appengine.services.*` `appengine.services.delete` `appengine.services.get` `appengine.services.list` `appengine.services.update` `appengine.versions.create` `appengine.versions.delete` `appengine.versions.get` `appengine.versions.list` `appengine.versions.update` `artifactregistry.projectsettings.get` `artifactregistry.repositories.deleteArtifacts` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.uploadArtifacts` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Creator (`roles/appengine.appCreator`) Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role: Project	`appengine.applications.create` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Viewer (`roles/appengine.appViewer`) Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.instances.get` `appengine.instances.list` `appengine.operations.*` `appengine.operations.get` `appengine.operations.list` `appengine.services.get` `appengine.services.list` `appengine.versions.get` `appengine.versions.list` `artifactregistry.projectsettings.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Code Viewer (`roles/appengine.codeViewer`) Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.instances.get` `appengine.instances.list` `appengine.operations.*` `appengine.operations.get` `appengine.operations.list` `appengine.services.get` `appengine.services.list` `appengine.versions.get` `appengine.versions.getFileContents` `appengine.versions.list` `artifactregistry.projectsettings.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Managed VM Debug Access (`roles/appengine.debugger`) Ability to read or manage v2 instances.	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.instances.` `appengine.instances.delete` `appengine.instances.enableDebug` `appengine.instances.get` `appengine.instances.list` `appengine.operations.` `appengine.operations.get` `appengine.operations.list` `appengine.services.get` `appengine.services.list` `appengine.versions.get` `appengine.versions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Deployer (`roles/appengine.deployer`) Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (`roles/iam.serviceAccountUser`) role on the assigned App Engine service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`), and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.instances.get` `appengine.instances.list` `appengine.operations.*` `appengine.operations.get` `appengine.operations.list` `appengine.services.get` `appengine.services.list` `appengine.versions.create` `appengine.versions.delete` `appengine.versions.get` `appengine.versions.list` `artifactregistry.projectsettings.get` `artifactregistry.repositories.deleteArtifacts` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.uploadArtifacts` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Memcache Data Admin (`roles/appengine.memcacheDataAdmin`) Can get, set, delete, and flush App Engine Memcache items.	`appengine.applications.get` `appengine.memcache.addKey` `appengine.memcache.flush` `appengine.memcache.get` `appengine.memcache.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Service Admin (`roles/appengine.serviceAdmin`) Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role: Project	`appengine.applications.get` `appengine.applications.listRuntimes` `appengine.instances.delete` `appengine.instances.get` `appengine.instances.list` `appengine.operations.` `appengine.operations.get` `appengine.operations.list` `appengine.services.` `appengine.services.delete` `appengine.services.get` `appengine.services.list` `appengine.services.update` `appengine.versions.delete` `appengine.versions.get` `appengine.versions.list` `appengine.versions.update` `artifactregistry.projectsettings.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`appengine.versions.delete` `appengine.versions.get` `appengine.versions.list` `appengine.versions.update` `artifactregistry.aptartifacts.create` `artifactregistry.dockerimages.` `artifactregistry.dockerimages.get` `artifactregistry.dockerimages.list` `artifactregistry.files.download` `artifactregistry.files.get` `artifactregistry.files.list` `artifactregistry.kfpartifacts.create` `artifactregistry.locations.` `artifactregistry.locations.get` `artifactregistry.locations.list` `artifactregistry.mavenartifacts.` `artifactregistry.mavenartifacts.get` `artifactregistry.mavenartifacts.list` `artifactregistry.npmpackages.` `artifactregistry.npmpackages.get` `artifactregistry.npmpackages.list` `artifactregistry.packages.get` `artifactregistry.packages.list` `artifactregistry.projectsettings.get` `artifactregistry.pythonpackages.` `artifactregistry.pythonpackages.get` `artifactregistry.pythonpackages.list` `artifactregistry.repositories.create` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.get` `artifactregistry.repositories.list` `artifactregistry.repositories.listEffectiveTags` `artifactregistry.repositories.listTagBindings` `artifactregistry.repositories.readViaVirtualRepository` `artifactregistry.repositories.uploadArtifacts` `artifactregistry.tags.create` `artifactregistry.tags.get` `artifactregistry.tags.list` `artifactregistry.tags.update` `artifactregistry.versions.get` `artifactregistry.versions.list` `artifactregistry.yumartifacts.create` `datastore.databases.get` `datastore.entities.create` `datastore.entities.delete` `datastore.entities.get` `datastore.entities.list` `datastore.entities.update` `datastore.indexes.list` `datastore.namespaces.` `datastore.namespaces.get` `datastore.namespaces.list` `datastore.statistics.*` `datastore.statistics.get` `datastore.statistics.list` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.signBlob` `serviceusage.services.enable` `serviceusage.services.get` `storage.buckets.create` `storage.buckets.get`

App Engine Admin

(roles/appengine.appAdmin)

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.applications.update

appengine.instances.*

appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.projectsettings.get

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Creator

(roles/appengine.appCreator)

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Viewer

(roles/appengine.appViewer)

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Code Viewer

(roles/appengine.codeViewer)

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.getFileContents

appengine.versions.list

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Managed VM Debug Access

(roles/appengine.debugger)

Ability to read or manage v2 instances.

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.*

appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Deployer

(roles/appengine.deployer)

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.projectsettings.get

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Memcache Data Admin

(roles/appengine.memcacheDataAdmin)

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Service Admin

(roles/appengine.serviceAdmin)

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Standard Environment Service Agent

(roles/appengine.serviceAgent)

Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

datastore.databases.get

datastore.entities.create

datastore.entities.delete

datastore.entities.get

datastore.entities.list

datastore.entities.update

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

serviceusage.services.enable

serviceusage.services.get

storage.buckets.create

storage.buckets.get

App Engine 的預先定義角色可提供更精細的存取權控制選項。

這些角色僅提供 App Engine 存取權。如果專案包含其他服務 (例如 Cloud Storage 或 Cloud SQL)，您必須指派其他角色，才能存取其他服務。

App Engine 預先定義角色比較

下列表格針對每個預先定義的 App Engine 角色列出完整的權限比較。

權限	App Engine 管理員	App Engine 服務管理員	App Engine 部署者	App Engine 檢視者	App Engine 程式碼檢視者
列出所有服務、版本和執行個體	有	是	是	是	有
查看所有應用程式、服務、版本和執行個體的設定	有	是	是	是	有
查看資源使用量、負載資訊和錯誤資訊等執行階段指標	有	是	是	是	有
查看應用程式原始碼	無	否	否	否	有
部署新版應用程式	是，如果您也授予服務帳戶使用者角色	否	是，如果您也授予服務帳戶使用者角色	否	無
拆分或遷移流量	有	是	否^***	否	無
啟用或停止版本	有	是	否	否	無
刪除版本	有	是	是	否	無
刪除整個服務	有	是	否	否	無
在彈性環境中使用 SSH 連線到 VM 執行個體	有	否	否	否	無
關閉執行個體	有	否	否	否	無
停用及重新啟用 App Engine 應用程式	有	否	否	否	否
存取含有 login:admin 限制的處理常式 (僅限第一代執行階段)	是	否	否	否	無
更新分派規則	有	否	否	否	無
更新 DoS 設定	有	否	否	否	無
更新 Cron 排程	無	否	否	否	無
更新預設的 Cookie 到期時間	有	否	否	否	無
更新參照網址	有	否	否	否	無
更新 Email API 已授權的寄件者	有	否	否	否	否

如要進一步瞭解每個角色授予的特定身分與存取權管理權限，請參閱 Admin API 的角色一節。

應用程式部署作業的建議角色

如果帳戶僅負責部署應用程式的新版本，建議您授予下列角色：

App Engine 部署者角色 (roles/appengine.deployer)
服務帳戶使用者角色 (roles/iam.serviceAccountUser)

服務帳戶使用者角色可讓帳戶在部署程序期間模擬預設 App Engine 服務帳戶。
如果帳戶使用 gcloud 指令進行部署，請一併新增下列角色：
- Storage 物件管理員 (roles/storage.objectAdmin)
- Cloud Build 編輯器 (roles/cloudbuild.builds.editor)
如要存取儲存在 Datastore 中的資料或更新索引，請啟用 Cloud Datastore 索引管理員角色 (roles/datastore.indexAdmin)。

如要進一步瞭解如何授予必要權限，請參閱「建立使用者帳戶」一文。

部署和流量轉送的授權區隔

許多機構都偏好區隔部署應用程式版本與增加流量至新建版本的工作，並將工作交由不同職務的人來完成。「App Engine 部署者」和「App Engine 服務管理員」角色可提供這類區隔：

「App Engine 部署者」和「服務帳戶使用者」角色：帳戶只能部署新版本及刪除不再提供流量的舊版本。具有這些角色的帳戶無法設定傳送至任何版本的流量，也不能變更應用程式層級設定，例如分派規則或驗證網域。
「App Engine 服務管理員」角色：帳戶無法部署應用程式的新版本，也不能變更應用程式層級設定。但這些帳戶的權限可以變更現有服務和版本的屬性，包括變更可以提供流量的版本。「App Engine 服務管理員」角色非常適合營運/IT 部門，因為這些部門負責處理增加至新部署版本的流量。

注意：具有「App Engine 部署者」角色的帳戶，可以透過部署同名的新版本 (使用 --version 旗標) 覆寫提供流量的版本。

預先定義角色的限制

以下作業的存取權均未授予給任何 App Engine 預先定義角色：

查看及下載應用程式記錄。
在 Google Cloud 控制台中查看監控圖表。
啟用及停用計費功能。
在 Cloud Security Scanner 中執行安全掃描。
存取儲存在 Datastore、Task Queues、Cloud Search 或任何其他 Cloud Platform 儲存空間產品的設定或資料。

授予 App Engine 存取權的角色 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

基本角色

預先定義的 App Engine 角色

App Engine Admin

App Engine Creator

App Engine Viewer

App Engine Code Viewer

App Engine Managed VM Debug Access

App Engine Deployer

App Engine Memcache Data Admin

App Engine Service Admin

App Engine Standard Environment Service Agent

App Engine 預先定義角色比較

應用程式部署作業的建議角色

部署和流量轉送的授權區隔

預先定義角色的限制

授予 App Engine 存取權的角色