Controle de acesso com o IAM

Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Cloud Composer 1 | Cloud Composer 2

Nesta página, descrevemos as opções de controle de acesso disponíveis no Cloud Composer e explicamos como conceder papéis.

Para saber mais sobre a concessão de papéis, consulte Gerenciar o acesso a projetos, pastas e organizações.

Com o controle de acesso da IU do Airflow, é possível controlar as permissões da IU do Airflow e da IU do DAG, além de ativar ou desativar o acesso a ela.

Sobre o Identity and Access Management no Cloud Composer

O Cloud Composer usa o Identity and Access Management (IAM) para controle de acesso.

Você controla o acesso a diferentes recursos do Cloud Composer concedendo papéis e permissões para contas de serviço do IAM e contas de usuário no projeto do Google Cloud.

O Cloud Composer usa dois tipos de contas de serviço do IAM:

Além desses dois tipos de conta de serviço, o agente de serviço de APIs do Google executa processos internos do Google em seu nome.

Conceder papéis à conta do agente de serviço do Cloud Composer

No projeto do Google Cloud, o serviço do Cloud Composer cria uma conta de serviço especial gerenciada pelo Google para gerenciar recursos relacionados ao Cloud Composer. Essa conta é chamada de Agente de serviço do Cloud Composer.

O agente de serviço do Cloud Composer é usado em todos os ambientes no projeto. Por padrão, a conta do Agente de serviço do Composer tem apenas o papel Agente de serviço da API Cloud Composer. Mantenha esse papel nesta conta de serviço.

Conceder papéis à conta de serviço de um ambiente

Ao criar um ambiente, você especifica uma conta de serviço. Essa conta de serviço é chamada de conta de serviço do ambiente. O cluster do ambiente usa essa conta de serviço para executar pods com diferentes componentes de ambiente, como workers e programadores do Airflow.

Por padrão, os ambientes do Cloud Composer são executados com a conta de serviço padrão do Compute Engine. Essa conta de serviço gerenciada pelo Google tem mais permissões do que o necessário para executar ambientes do Cloud Composer, geralmente o papel básico de Editor.

É recomendável configurar uma conta de serviço gerenciada pelo usuário para ambientes do Cloud Composer. Conceda um papel específico para o Cloud Composer nessa conta. Depois, especifique essa conta de serviço ao criar novos ambientes.

Para uma conta de serviço gerenciada pelo usuário que executa um ambiente do Cloud Composer:

  • Para uma configuração de IP público, conceda o papel Worker do Composer (composer.worker).

  • Para uma configuração de IP privado:

    1. Conceda o papel Worker do Composer (composer.worker).
    2. Conceda o papel Usuário da conta de serviço (iam.serviceAccountUser).

Conceder papéis aos usuários

Para acionar uma operação de ambiente, um usuário precisa ter permissões suficientes. Por exemplo, se você quiser criar um novo ambiente, será necessário ter a permissão composer.environments.create.

No Cloud Composer, as permissões individuais são agrupadas em papéis. Você pode conceder esses papéis aos principais.

Se a conta de serviço tiver o papel Editor do projeto, será possível executar todas as operações do ambiente. No entanto, esse papel tem permissões amplas. Para usuários que trabalham com ambientes, recomendamos usar papéis específicos do Cloud Composer. Dessa forma, é possível restringir o escopo das permissões e fornecer diferentes níveis de acesso para principais diferentes. Por exemplo, um usuário pode ter permissões para criar, atualizar, fazer upgrade e excluir ambientes, enquanto outro usuário só pode ver ambientes e acessar a interface da Web do Airflow.

Dependendo do nível de acesso que você quer dar aos ambientes do Cloud Composer, conceda as seguintes permissões aos principais.

Gerenciar ambientes e buckets de ambiente

Para um usuário que pode ver, criar, atualizar, fazer upgrade e excluir ambientes, gerenciar objetos (como arquivos DAG) nos buckets do ambiente, acessar a interface da Web do Airflow, visualizar e acionar DAGs na IU do DAG:

  1. Conceda o papel Administrador de objetos do ambiente e do armazenamento (composer.environmentAndStorageObjectAdmin).

  2. Conceda o papel Usuário da conta de serviço (iam.serviceAccountUser).

    Para restringir as permissões de um usuário, conceda esse papel apenas na conta de serviço do seu ambiente. Para mais informações, consulte Conceder ou revogar um único papel.

  3. Conceda a permissão iam.serviceAccounts.actAs na conta de serviço do seu ambiente.

Gerenciar ambientes

Para um usuário que pode ver, criar, atualizar, fazer upgrade e excluir ambientes, acesse a interface da Web do Airflow, visualize e acione DAGs na IU do DAG:

  1. Conceda o papel Administrador do Composer (composer.admin).

  2. Conceda o papel Usuário da conta de serviço (iam.serviceAccountUser).

    Para restringir as permissões de um usuário, conceda esse papel apenas na conta de serviço do seu ambiente. Para mais informações, consulte Conceder ou revogar um único papel.

  3. Conceda a permissão iam.serviceAccounts.actAs na conta de serviço do seu ambiente.

Ver ambientes e gerenciar buckets de ambientes

Para um usuário que pode ver ambientes, acesse a interface da Web do Airflow, veja e acione DAGs na IU do DAG e gerencie objetos nos buckets do ambiente (por exemplo, para fazer upload de novos arquivos DAG):

  1. Conceda o papel Leitor de usuários do ambiente e objeto de armazenamento (composer.environmentAndStorageObjectViewer).
  2. Conceda o papel Administrador de objetos do Storage (storage.objectAdmin).

Ver ambientes e buckets de ambiente

Para um usuário que pode ver ambientes, acessar a interface da Web do Airflow, visualizar e acionar DAGs na IU do DAG e ver objetos em buckets do ambiente, conceda o papel de Leitor de ambiente e usuário de objetos do Storage (composer.environmentAndStorageObjectViewer).

Ver ambientes

Para um usuário que pode ver ambientes, visualizar e acionar DAGs na IU do DAG e acessar a interface da Web do Airflow, conceda o papel de Usuário do Composer (composer.user).

Conceder permissões para usar gcloud com ambientes

Para usar o gcloud com os ambientes do Cloud Composer, você precisa das seguintes permissões:

  • composer.environments.get
  • container.clusters.get
  • container.clusters.list
  • container.clusters.getCredentials

Se você quiser gerenciar ambientes ou buckets de ambiente com comandos gcloud composer, também precisará ter um papel com permissões suficientes para isso.

Se você quiser executar comandos da CLI do Airflow, precisará das seguintes permissões adicionais:

  • container.namespaces.list
  • container.pods.exec
  • container.pods.get
  • container.pods.list

Papéis

Papel Permissões

(roles/composer.ServiceAgentV2Ext)

A extensão do agente de serviço da API Cloud Composer v2 é um papel complementar necessário para gerenciar os ambientes da Composer v2.

Contém 1 permissão de proprietário

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.setIamPolicy

(roles/composer.admin)

Concede controle total dos recursos do Cloud Composer.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto

composer.*

  • composer.dags.execute
  • composer.dags.get
  • composer.dags.getSourceCode
  • composer.dags.list
  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/composer.environmentAndStorageObjectAdmin)

Concede controle total dos recursos do Cloud Composer e dos objetos em todos os buckets do projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto

Contém 2 permissões de proprietário

composer.*

  • composer.dags.execute
  • composer.dags.get
  • composer.dags.getSourceCode
  • composer.dags.list
  • composer.environments.create
  • composer.environments.delete
  • composer.environments.get
  • composer.environments.list
  • composer.environments.update
  • composer.imageversions.list
  • composer.operations.delete
  • composer.operations.get
  • composer.operations.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.setIamPolicy
  • storage.objects.update

(roles/composer.environmentAndStorageObjectViewer)

Concede as permissões necessárias para listar e receber ambientes e operações do Cloud Composer. Concede acesso somente leitura a objetos em todos os buckets do projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto

composer.dags.*

  • composer.dags.execute
  • composer.dags.get
  • composer.dags.getSourceCode
  • composer.dags.list

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.objects.get

storage.objects.list

(roles/composer.sharedVpcAgent)

Papel a ser atribuído à conta de serviço do agente do Cloud Composer no projeto host da VPC compartilhada

compute.networks.access

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zones.*

  • compute.zones.get
  • compute.zones.list

(roles/composer.user)

Concede as permissões necessárias para listar e receber ambientes e operações do Cloud Composer.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto

composer.dags.*

  • composer.dags.execute
  • composer.dags.get
  • composer.dags.getSourceCode
  • composer.dags.list

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/composer.worker)

Concede as permissões necessárias para executar uma VM de ambiente do Cloud Composer. Destinado a contas de serviço.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto

Contém 29 permissões de proprietário

artifactregistry.*

  • artifactregistry.aptartifacts.create
  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list
  • artifactregistry.files.get
  • artifactregistry.files.list
  • artifactregistry.kfpartifacts.create
  • artifactregistry.locations.get
  • artifactregistry.locations.list
  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list
  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list
  • artifactregistry.packages.delete
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.projectsettings.get
  • artifactregistry.projectsettings.update
  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list
  • artifactregistry.repositories.create
  • artifactregistry.repositories.createTagBinding
  • artifactregistry.repositories.delete
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.deleteTagBinding
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.setIamPolicy
  • artifactregistry.repositories.update
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.delete
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.delete
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

composer.environments.get

container.*

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • container.auditSinks.create
  • container.auditSinks.delete
  • container.auditSinks.get
  • container.auditSinks.list
  • container.auditSinks.update
  • container.backendConfigs.create
  • container.backendConfigs.delete
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.backendConfigs.update
  • container.bindings.create
  • container.bindings.delete
  • container.bindings.get
  • container.bindings.list
  • container.bindings.update
  • container.certificateSigningRequests.approve
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.escalate
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.create
  • container.clusters.createTagBinding
  • container.clusters.delete
  • container.clusters.deleteTagBinding
  • container.clusters.get
  • container.clusters.getCredentials
  • container.clusters.list
  • container.clusters.listEffectiveTags
  • container.clusters.listTagBindings
  • container.clusters.update
  • container.componentStatuses.get
  • container.componentStatuses.list
  • container.configMaps.create
  • container.configMaps.delete
  • container.configMaps.get
  • container.configMaps.list
  • container.configMaps.update
  • container.controllerRevisions.create
  • container.controllerRevisions.delete
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.controllerRevisions.update
  • container.cronJobs.create
  • container.cronJobs.delete
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.cronJobs.update
  • container.cronJobs.updateStatus
  • container.csiDrivers.create
  • container.csiDrivers.delete
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiDrivers.update
  • container.csiNodeInfos.create
  • container.csiNodeInfos.delete
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodeInfos.update
  • container.csiNodes.create
  • container.csiNodes.delete
  • container.csiNodes.get
  • container.csiNodes.list
  • container.csiNodes.update
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.customResourceDefinitions.updateStatus
  • container.daemonSets.create
  • container.daemonSets.delete
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.daemonSets.update
  • container.daemonSets.updateStatus
  • container.deployments.create
  • container.deployments.delete
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.deployments.rollback
  • container.deployments.update
  • container.deployments.updateScale
  • container.deployments.updateStatus
  • container.endpointSlices.create
  • container.endpointSlices.delete
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpointSlices.update
  • container.endpoints.create
  • container.endpoints.delete
  • container.endpoints.get
  • container.endpoints.list
  • container.endpoints.update
  • container.events.create
  • container.events.delete
  • container.events.get
  • container.events.list
  • container.events.update
  • container.frontendConfigs.create
  • container.frontendConfigs.delete
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.frontendConfigs.update
  • container.horizontalPodAutoscalers.create
  • container.horizontalPodAutoscalers.delete
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.horizontalPodAutoscalers.update
  • container.horizontalPodAutoscalers.updateStatus
  • container.hostServiceAgent.use
  • container.ingresses.create
  • container.ingresses.delete
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.ingresses.update
  • container.ingresses.updateStatus
  • container.initializerConfigurations.create
  • container.initializerConfigurations.delete
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.initializerConfigurations.update
  • container.jobs.create
  • container.jobs.delete
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.jobs.update
  • container.jobs.updateStatus
  • container.leases.create
  • container.leases.delete
  • container.leases.get
  • container.leases.list
  • container.leases.update
  • container.limitRanges.create
  • container.limitRanges.delete
  • container.limitRanges.get
  • container.limitRanges.list
  • container.limitRanges.update
  • container.localSubjectAccessReviews.create
  • container.localSubjectAccessReviews.list
  • container.managedCertificates.create
  • container.managedCertificates.delete
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.managedCertificates.update
  • container.mutatingWebhookConfigurations.create
  • container.mutatingWebhookConfigurations.delete
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.mutatingWebhookConfigurations.update
  • container.namespaces.create
  • container.namespaces.delete
  • container.namespaces.finalize
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.namespaces.update
  • container.namespaces.updateStatus
  • container.networkPolicies.create
  • container.networkPolicies.delete
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.networkPolicies.update
  • container.nodes.create
  • container.nodes.delete
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.nodes.proxy
  • container.nodes.update
  • container.nodes.updateStatus
  • container.operations.get
  • container.operations.list
  • container.persistentVolumeClaims.create
  • container.persistentVolumeClaims.delete
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumeClaims.update
  • container.persistentVolumeClaims.updateStatus
  • container.persistentVolumes.create
  • container.persistentVolumes.delete
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.persistentVolumes.update
  • container.persistentVolumes.updateStatus
  • container.petSets.create
  • container.petSets.delete
  • container.petSets.get
  • container.petSets.list
  • container.petSets.update
  • container.petSets.updateStatus
  • container.podDisruptionBudgets.create
  • container.podDisruptionBudgets.delete
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podDisruptionBudgets.update
  • container.podDisruptionBudgets.updateStatus
  • container.podPresets.create
  • container.podPresets.delete
  • container.podPresets.get
  • container.podPresets.list
  • container.podPresets.update
  • container.podSecurityPolicies.create
  • container.podSecurityPolicies.delete
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podSecurityPolicies.update
  • container.podSecurityPolicies.use
  • container.podTemplates.create
  • container.podTemplates.delete
  • container.podTemplates.get
  • container.podTemplates.list
  • container.podTemplates.update
  • container.pods.attach
  • container.pods.create
  • container.pods.delete
  • container.pods.evict
  • container.pods.exec
  • container.pods.get
  • container.pods.getLogs
  • container.pods.getStatus
  • container.pods.initialize
  • container.pods.list
  • container.pods.portForward
  • container.pods.proxy
  • container.pods.update
  • container.pods.updateStatus
  • container.priorityClasses.create
  • container.priorityClasses.delete
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.priorityClasses.update
  • container.replicaSets.create
  • container.replicaSets.delete
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicaSets.update
  • container.replicaSets.updateScale
  • container.replicaSets.updateStatus
  • container.replicationControllers.create
  • container.replicationControllers.delete
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.replicationControllers.update
  • container.replicationControllers.updateScale
  • container.replicationControllers.updateStatus
  • container.resourceQuotas.create
  • container.resourceQuotas.delete
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.resourceQuotas.update
  • container.resourceQuotas.updateStatus
  • container.roleBindings.create
  • container.roleBindings.delete
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roleBindings.update
  • container.roles.bind
  • container.roles.create
  • container.roles.delete
  • container.roles.escalate
  • container.roles.get
  • container.roles.list
  • container.roles.update
  • container.runtimeClasses.create
  • container.runtimeClasses.delete
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.runtimeClasses.update
  • container.scheduledJobs.create
  • container.scheduledJobs.delete
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.scheduledJobs.update
  • container.scheduledJobs.updateStatus
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.get
  • container.secrets.list
  • container.secrets.update
  • container.selfSubjectAccessReviews.create
  • container.selfSubjectAccessReviews.list
  • container.selfSubjectRulesReviews.create
  • container.serviceAccounts.create
  • container.serviceAccounts.createToken
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.create
  • container.services.delete
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.services.proxy
  • container.services.update
  • container.services.updateStatus
  • container.statefulSets.create
  • container.statefulSets.delete
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.statefulSets.update
  • container.statefulSets.updateScale
  • container.statefulSets.updateStatus
  • container.storageClasses.create
  • container.storageClasses.delete
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageClasses.update
  • container.storageStates.create
  • container.storageStates.delete
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageStates.update
  • container.storageStates.updateStatus
  • container.storageVersionMigrations.create
  • container.storageVersionMigrations.delete
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.storageVersionMigrations.update
  • container.storageVersionMigrations.updateStatus
  • container.subjectAccessReviews.create
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.delete
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update
  • container.thirdPartyResources.create
  • container.thirdPartyResources.delete
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.thirdPartyResources.update
  • container.tokenReviews.create
  • container.updateInfos.create
  • container.updateInfos.delete
  • container.updateInfos.get
  • container.updateInfos.list
  • container.updateInfos.update
  • container.validatingWebhookConfigurations.create
  • container.validatingWebhookConfigurations.delete
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.validatingWebhookConfigurations.update
  • container.volumeAttachments.create
  • container.volumeAttachments.delete
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeAttachments.update
  • container.volumeAttachments.updateStatus
  • container.volumeSnapshotClasses.create
  • container.volumeSnapshotClasses.delete
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotClasses.update
  • container.volumeSnapshotContents.create
  • container.volumeSnapshotContents.delete
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshotContents.update
  • container.volumeSnapshotContents.updateStatus
  • container.volumeSnapshots.create
  • container.volumeSnapshots.delete
  • container.volumeSnapshots.get
  • container.volumeSnapshots.getStatus
  • container.volumeSnapshots.list
  • container.volumeSnapshots.update
  • container.volumeSnapshots.updateStatus

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

logging.logEntries.create

logging.logEntries.list

logging.privateLogEntries.list

logging.views.access

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

orgpolicy.policy.get

pubsub.schemas.attach

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.setIamPolicy
  • storage.objects.update

Papéis para agentes de serviço

Papel Permissões

(roles/composer.serviceAgent)

O agente de serviço da API Cloud Composer pode gerenciar ambientes.

Contém 82 permissões de proprietário

appengine.applications.get

appengine.applications.update

appengine.instances.*

  • appengine.instances.delete
  • appengine.instances.get
  • appengine.instances.list

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.runtimes.actAsAdmin

appengine.services.*

  • appengine.services.delete
  • appengine.services.get
  • appengine.services.list
  • appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.repositories.create

artifactregistry.repositories.delete

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.update

cloudnotifications.activities.list

cloudsql.*

  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.delete
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.create
  • cloudsql.databases.delete
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.instances.addServerCa
  • cloudsql.instances.clone
  • cloudsql.instances.connect
  • cloudsql.instances.create
  • cloudsql.instances.createTagBinding
  • cloudsql.instances.delete
  • cloudsql.instances.deleteTagBinding
  • cloudsql.instances.demoteMaster
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.import
  • cloudsql.instances.list
  • cloudsql.instances.listEffectiveTags
  • cloudsql.instances.listServerCas
  • cloudsql.instances.listTagBindings
  • cloudsql.instances.login
  • cloudsql.instances.promoteReplica
  • cloudsql.instances.resetSslConfig
  • cloudsql.instances.restart
  • cloudsql.instances.restoreBackup
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.startReplica
  • cloudsql.instances.stopReplica
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.sslCerts.create
  • cloudsql.sslCerts.createEphemeral
  • cloudsql.sslCerts.delete
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.create
  • cloudsql.users.delete
  • cloudsql.users.get
  • cloudsql.users.list
  • cloudsql.users.update

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.backendBuckets.*

  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use

compute.backendServices.*

  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.*

  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly

compute.externalVpnGateways.*

  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.*

  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalForwardingRules.*

  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly

compute.images.*

  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*,

  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.interconnectAttachments.*

  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnects.*

  • compute.interconnects.create
  • compute.interconnects.delete
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use

compute.licenseCodes.*

  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.LicenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenseCodes.use

compute.licenses.*

  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.*

  • compute.networkAttachments.create
  • compute.networkAttachments.delete
  • compute.networkAttachments.get
  • compute.networkAttachments.list

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use

compute.networks.*

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.update
  • compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.use

compute.routers.*

  • compute.routers.create
  • compute.routers.delete
  • compute.routers.get
  • compute.routers.list
  • compute.routers.update
  • compute.routers.use

compute.routes.*

  • compute.routes.create
  • compute.routes.delete
  • compute.routes.get
  • compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.use

compute.serviceAttachments.*

  • compute.serviceAttachments.create
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use

compute.snapshots.*

  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.delete
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.*

  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp

compute.targetGrpcProxies.*

  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use

compute.targetHttpProxies.*

  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use

compute.targetHttpsProxies.*

  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use

compute.targetInstances.*

  • compute.targetInstances.create
  • compute.targetInstances.delete
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.use

compute.targetPools.*

  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.delete
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.update
  • compute.targetPools.use

compute.targetSslProxies.*

  • compute.targetSslProxies.create
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use

compute.targetTcpProxies.*

  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use

compute.targetVpnGateways.*

  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use

compute.urlMaps.*

  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate

compute.vpnGateways.*

  • compute.vpnGateways.create
  • compute.vpnGateways.delete
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use

compute.vpnTunnels.*

  • compute.vpnTunnels.create
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.setLabels

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

container.*

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • container.auditSinks.create
  • container.auditSinks.delete
  • container.auditSinks.get
  • container.auditSinks.list
  • container.auditSinks.update
  • container.backendConfigs.create
  • container.backendConfigs.delete
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.backendConfigs.update
  • container.bindings.create
  • container.bindings.delete
  • container.bindings.get
  • container.bindings.list
  • container.bindings.update
  • container.certificateSigningRequests.aprovar
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.escalar
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.create
  • container.clusters.createTagBinding
  • container.clusters.delete
  • container.clusters.deleteTagBinding
  • container.clusters.get
  • container.clusters.getCredentials
  • container.clusters.list
  • container.clusters.listEffectiveTags
  • container.clusters.listTagBindings
  • container.clusters.update
  • container.componentStatuses.get
  • container.componentStatuses.list
  • container.configMaps.create
  • container.configMaps.delete
  • container.configMaps.get
  • container.configMaps.list
  • container.configMaps.update
  • container.controllerRevisions.create
  • container.controllerRevisions.delete
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.controllerRevisions.update
  • container.cronJobs.create
  • container.cronJobs.delete
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.cronJobs.update
  • container.cronJobs.updateStatus
  • container.csiDrivers.create
  • container.csiDrivers.delete
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiDrivers.update
  • container.csiNodeInfos.create
  • container.csiNodeInfos.delete
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodeInfos.update
  • container.csiNodes.create
  • container.csiNodes.delete
  • container.csiNodes.get
  • container.csiNodes.list
  • container.csiNodes.update
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.customResourceDefinitions.updateStatus
  • container.daemonSets.create
  • container.daemonSets.delete
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.daemonSets.update
  • container.daemonSets.updateStatus
  • container.deployments.create
  • container.deployments.delete
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.deployments.rollback
  • container.deployments.update
  • container.deployments.updateScale
  • container.deployments.updateStatus
  • container.endpointSlices.create
  • container.endpointSlices.delete
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpointSlices.update
  • container.endpoints.create
  • container.endpoints.delete
  • container.endpoints.get
  • container.endpoints.list
  • container.endpoints.update
  • container.events.create
  • container.events.delete
  • container.events.get
  • container.events.list
  • container.events.update
  • container.frontendConfigs.create
  • container.frontendConfigs.delete
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.frontendConfigs.update
  • container.horizontalPodAutoscalers.create
  • container.horizontalPodAutoscalers.delete
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.horizontalPodAutoscalers.update
  • container.horizontalPodAutoscalers.updateStatus
  • container.hostServiceAgent.use
  • container.ingresses.create
  • container.ingresses.delete
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.ingresses.update
  • container.ingresses.updateStatus
  • container.initializerConfigurations.create
  • container.initializerConfigurations.delete
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.initializerConfigurations.update
  • container.jobs.create
  • container.jobs.delete
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.jobs.update
  • container.jobs.updateStatus
  • container.leases.create
  • container.leases.delete
  • container.leases.get
  • container.leases.list
  • container.leases.update
  • container.limitRanges.create
  • container.limitRanges.delete
  • container.limitRanges.get
  • container.limitRanges.list
  • container.limitRanges.update
  • container.localSubjectAccessReviews.criar
  • container.localSubjectAccessReviews.list
  • container.managedCertificates.create
  • container.managedCertificates.delete
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.managedCertificates.update
  • container.mutatingWebhookConfigurations.create
  • container.mutatingWebhookConfigurations.delete
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.mutatingWebhookConfigurations.update
  • container.namespaces.create
  • container.namespaces.delete
  • container.namespaces.finalize
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.namespaces.update
  • container.namespaces.updateStatus
  • container.networkPolicies.create
  • container.networkPolicies.delete
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.networkPolicies.update
  • container.nodes.create
  • container.nodes.delete
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.nodes.proxy
  • container.nodes.update
  • container.nodes.updateStatus
  • container.operations.get
  • container.operations.list
  • container.persistentVolumeClaims.create
  • container.persistentVolumeClaims.delete
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumeClaims.update
  • container.persistentVolumeClaims.updateStatus
  • container.persistentVolumes.create
  • container.persistentVolumes.delete
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.persistentVolumes.update
  • container.persistentVolumes.updateStatus
  • container.petSets.create
  • container.petSets.delete
  • container.petSets.get
  • container.petSets.list
  • container.petSets.update
  • container.petSets.updateStatus
  • container.podDisruptionBudgets.create
  • container.podDisruptionBudgets.delete
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podDisruptionBudgets.update
  • container.podDisruptionBudgets.updateStatus
  • container.podPresets.create
  • container.podPresets.delete
  • container.podPresets.get
  • container.podPresets.list
  • container.podPresets.update
  • container.podSecurityPolicies.create
  • container.podSecurityPolicies.delete
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podSecurityPolicies.update
  • container.podSecurityPolicies.use
  • container.podTemplates.create
  • container.podTemplates.delete
  • container.podTemplates.get
  • container.podTemplates.list
  • container.podTemplates.update
  • container.pods.attach
  • container.pods.create
  • container.pods.delete
  • container.pods.evict
  • container.pods.exec
  • container.pods.get
  • container.pods.getLogs
  • container.pods.getStatus
  • container.pods.initialize
  • container.pods.list
  • container.pods.portForward
  • container.pods.proxy
  • container.pods.update
  • container.pods.updateStatus
  • container.priorityClasses.create
  • container.priorityClasses.delete
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.priorityClasses.update
  • container.replicaSets.create
  • container.replicaSets.delete
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicaSets.update
  • container.replicaSets.updateScale
  • container.replicaSets.updateStatus
  • container.replicationControllers.create
  • container.replicationControllers.delete
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.replicationControllers.update
  • container.replicationControllers.updateScale
  • container.replicationControllers.updateStatus
  • container.resourceQuotas.create
  • container.resourceQuotas.delete
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.resourceQuotas.update
  • container.resourceQuotas.updateStatus
  • container.roleBindings.create
  • container.roleBindings.delete
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roleBindings.update
  • container.roles.bind
  • container.roles.create
  • container.roles.delete
  • container.roles.escalate
  • container.roles.get
  • container.roles.list
  • container.roles.update
  • container.runtimeClasses.create
  • container.runtimeClasses.delete
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.runtimeClasses.update
  • container.scheduledJobs.create
  • container.scheduledJobs.delete
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.scheduledJobs.update
  • container.scheduledJobs.updateStatus
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.get
  • container.secrets.list
  • container.secrets.update
  • container.selfSubjectAccessReviews.create
  • container.selfSubjectAccessReviews.list
  • container.selfSubjectRulesReviews.create
  • container.serviceAccounts.create
  • container.serviceAccounts.createToken
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.create
  • container.services.delete
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.services.proxy
  • container.services.update
  • container.services.updateStatus
  • container.statefulSets.create
  • container.statefulSets.delete
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.statefulSets.update
  • container.statefulSets.updateScale
  • container.statefulSets.updateStatus
  • container.storageClasses.create
  • container.storageClasses.delete
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageClasses.update
  • container.storageStates.create
  • container.storageStates.delete
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageStates.update
  • container.storageStates.updateStatus
  • container.storageVersionMigrations.create
  • container.storageVersionMigrations.delete
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.storageVersionMigrations.update
  • container.storageVersionMigrations.updateStatus
  • container.subjectAccessReviews.create
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.delete
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update
  • container.thirdPartyResources.create
  • container.thirdPartyResources.delete
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.thirdPartyResources.update
  • container.tokenReviews.create
  • container.updateInfos.create
  • container.updateInfos.delete
  • container.updateInfos.get
  • container.updateInfos.list
  • container.updateInfos.update
  • container.validatingWebhookConfigurations.create
  • container.validatingWebhookConfigurations.delete
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.validatingWebhookConfigurations.update
  • container.volumeAttachments.create
  • container.volumeAttachments.delete
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeAttachments.update
  • container.volumeAttachments.updateStatus
  • container.volumeSnapshotClasses.create
  • container.volumeSnapshotClasses.delete
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotClasses.update
  • container.volumeSnapshotContents.create
  • container.volumeSnapshotContents.delete
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshotContents.update
  • container.volumeSnapshotContents.updateStatus
  • container.volumeSnapshots.create
  • container.volumeSnapshots.delete
  • container.volumeSnapshots.get
  • container.volumeSnapshots.getStatus
  • container.volumeSnapshots.list
  • container.volumeSnapshots.update
  • container.volumeSnapshots.updateStatus

deploymentmanager.compositeTypes.*

  • deploymentmanager.compositeTypes.create
  • deploymentmanager.compositeTypes.delete
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

  • deploymentmanager.manifests.get
  • deploymentmanager.manifests.list

deploymentmanager.operations.*

  • deploymentmanager.operations.get
  • deploymentmanager.operations.list

deploymentmanager.resources.*

  • deploymentmanager.resources.get
  • deploymentmanager.resources.list

deploymentmanager.typeProviders.*

  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.delete
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.typeProviders.update

deploymentmanager.types.*

  • deploymentmanager.types.create
  • deploymentmanager.types.delete
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • deploymentmanager.types.update

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.cmekSettings.*

  • logging.cmekSettings.get
  • logging.cmekSettings.update

logging.exclusions.*

  • logging.exclusions.create
  • logging.exclusions.delete
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.exclusions.update

logging.links.*

  • logging.links.create
  • logging.links.delete
  • logging.links.get
  • logging.links.list

logging.locations.*

  • logging.locations.get
  • logging.locations.list

logging.logEntries.create

logging.logMetrics.*

  • logging.logMetrics.create
  • logging.logMetrics.delete
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logMetrics.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

  • logging.notificationRules.create
  • logging.notificationRules.delete
  • logging.notificationRules.get
  • logging.notificationRules.list
  • logging.notificationRules.update

logging.operations.*

  • logging.operations.cancel
  • logging.operations.get
  • logging.operations.list

logging.sinks.*

  • logging.cole..create
  • logging.Coletor.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.Coletor.update

logging.views.create

logging.views.delete

logging.views.get

logging.views.list

logging.views.update

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.*

  • networkconnectivity.policyBasedRoutes.create
  • networkconnectivity.policyBasedRoutes.delete
  • networkconnectivity.policyBasedRoutes.get
  • networkconnectivity.policyBasedRoutes.getIamPolicy
  • networkconnectivity.policyBasedRoutes.list
  • networkconnectivity.policyBasedRoutes.setIamPolicy

networksecurity.*

  • networksecurity.authorizationPolicies.create
  • networksecurity.authorizationPolicies.delete
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.setIamPolicy
  • networksecurity.authorizationPolicies.update
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.create
  • networksecurity.clientTlsPolicies.delete
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.setIamPolicy
  • networksecurity.clientTlsPolicies.update
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.get
  • networksecurity.locations.list
  • networksecurity.operations.cancel
  • networksecurity.operations.delete
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.create
  • networksecurity.serverTlsPolicies.delete
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.setIamPolicy
  • networksecurity.serverTlsPolicies.update
  • networksecurity.serverTlsPolicies.use

networkservices.*

  • networkservices.endpointConfigSelectors.create
  • networkservices.endpointConfigSelectors.delete
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.setIamPolicy
  • networkservices.endpointConfigSelectors.update
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.create
  • networkservices.endpointPolicies.delete
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.getIamPolicy
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.setIamPolicy
  • networkservices.endpointPolicies.update
  • networkservices.endpointPolicies.use
  • networkservices.gateways.create
  • networkservices.gateways.delete
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.gateways.update
  • networkservices.gateways.use
  • networkservices.grpcRoutes.create
  • networkservices.grpcRoutes.delete
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.getIamPolicy
  • networkservices.grpcRoutes.list
  • networkservices.grpcRoutes.setIamPolicy
  • networkservices.grpcRoutes.update
  • networkservices.grpcRoutes.use
  • networkservices.httpFilters.create
  • networkservices.httpFilters.delete
  • networkservices.httpFilters.get
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpFilters.setIamPolicy
  • networkservices.httpFilters.update
  • networkservices.httpFilters.use
  • networkservices.httpRoutes.create
  • networkservices.httpRoutes.delete
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.getIamPolicy
  • networkservices.httpRoutes.list
  • networkservices.httpRoutes.setIamPolicy
  • networkservices.httpRoutes.update
  • networkservices.httpRoutes.use
  • networkservices.httpfilters.create
  • networkservices.httpfilters.delete
  • networkservices.httpfilters.get
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.httpfilter.setIamPolicy
  • networkservices.httpfilters.update
  • networkservices.httpfilters.use
  • networkservices.locations.get
  • networkservices.locations.list
  • networkservices.meshes.create
  • networkservices.meshes.delete
  • networkservices.meshes.get
  • networkservices.meshes.getIamPolicy
  • networkservices.meshes.list
  • networkservices.meses.setIamPolicy
  • networkservices.meshes.update
  • networkservices.meshes.use
  • networkservices.operations.cancel
  • networkservices.operations.delete
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.create
  • networkservices.serviceBindings.delete
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.serviceBindings.update
  • networkservices.tcpRoutes.create
  • networkservices.tcpRoutes.delete
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.getIamPolicy
  • networkservices.tcpRoutes.list
  • networkservices.tcpRoutes.setIamPolicy
  • networkservices.tcpRoutes.update
  • networkservices.tcpRoutes.use
  • networkservices.tlsRoutes.create
  • networkservices.tlsRoutes.delete
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • networkservices.tlsRoutes.update
  • networkservices.tlsRoutes.use

opsconfigmonitoring.resourceMetadata.list

orgpolicy.policy.get

pubsub.*

  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.getIamPolicy
  • pubsub.schemas.list
  • pubsub.schemas.setIamPolicy
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.getIamPolicy
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.setIamPolicy
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.subscriptions.setIamPolicy
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.setIamPolicy
  • pubsub.topics.update
  • pubsub.topics.updateTag

recommender.cloudsqlIdleInstanceRecommendations.*

  • recommender.cloudsqlIdleInstanceRecommendations.get
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

  • recommender.cloudsqlInstanceActivityInsights.get
  • recommender.cloudsqlInstanceActivityInsights.list
  • recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

  • recommender.cloudsqlInstanceCpuUsageInsights.get
  • recommender.cloudsqlInstanceCpuUsageInsights.list
  • recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

  • recommender.cloudsqlInstanceMemoryUsageInsights.get
  • recommender.cloudsqlInstanceMemoryUsageInsights.list
  • recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

  • recommender.cloudsqlInstancePerformanceInsights.get
  • recommender.cloudsqlInstancePerformanceInsights.list
  • recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

  • recommender.cloudsqlInstancePerformanceRecommendations.get
  • recommender.cloudsqlInstancePerformanceRecommendations.list
  • recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceSecurityInsights.*

  • recomendador.cloudsqlInstanceSecurityInsights.get
  • recomendador.cloudsqlInstanceSecurityInsights.lista
  • recommender.cloudsqlInstanceSecurityInsights.update

recommender.cloudsqlInstanceSecurityRecommendations.*

  • recomendador.cloudsqlInstanceSecurityRecommendations.get
  • recomendador.cloudsqlInstanceSecurityRecommendations.lista
  • recommender.cloudsqlInstanceSecurityRecommendations.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

  • recommender.cloudsqlOverprovisionedInstanceRecommendations.get
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.iamPolicyInsights.*

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamPolicyRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

storage.buckets.*

  • storage.buckets.create
  • storage.buckets.createTagBinding
  • storage.buckets.delete
  • storage.buckets.deleteTagBinding
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.buckets.listEffectiveTags
  • storage.buckets.listTagBindings
  • storage.buckets.setIamPolicy
  • storage.buckets.update

storage.multipartUploads.*

  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.list
  • storage.multipartUploads.listParts

storage.objects.*

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.setIamPolicy
  • storage.objects.update

trafficdirector.*

  • trafficdirector.networks.getConfigs
  • trafficdirector.networks.reportMetrics

Papéis básicos

Papel Nome Descrição Permissões Menor recurso
roles/owner Proprietário Papel básico que permite o controle total dos recursos do Cloud Composer. composer.environments.create
composer.environments.delete
composer.environments.get
composer.environments.list
composer.environments.update
composer.imageversions.list
composer.operations.delete
composer.operations.get
composer.operations.list
composer.dags.list
composer.dags.act.gs.
composer
Projeto
roles/editor Editor Papel básico que permite o controle total dos recursos do Cloud Composer. composer.environments.create
composer.environments.delete
composer.environments.get
composer.environments.list
composer.environments.update
composer.imageversions.list
composer.operations.delete
composer.operations.get
composer.operations.list
composer.dags.list
composer.dags.act.gs.
composer
Projeto
roles/viewer Leitor Papel básico que permite ao usuário listar e acessar recursos do Cloud Composer. composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.dags.list
composer.dags.get
composer.dags.getSourceCode
Projeto

Permissões para métodos de API

A tabela a seguir lista as permissões que o autor da chamada precisa ter para chamar cada método da API na API Cloud Composer ou para executar tarefas usando ferramentas do Google Cloud que usam a API (como o console do Google Cloud ou a Google Cloud CLI).

Método Permissão
environments.create composer.environments.create e iam.serviceAccounts.actAs na conta de serviço do ambiente.
environments.delete composer.environments.delete
environments.get composer.environments.get
environments.list composer.environments.list
environments.update composer.environments.update
operations.delete composer.operations.delete
operations.get composer.operations.get
operations.list composer.operations.list

Permissões para trabalhar com DAGs no console do Google Cloud

As permissões a seguir abrangem o trabalho com DAGs no console do Google Cloud por meio da IU do DAG:

Permissão Descrição
composer.dags.list Veja a lista de DAGs na página de detalhes do ambiente.
composer.dags.get Veja informações detalhadas sobre DAGs, execuções e tarefas na página de detalhes do DAG.
composer.dags.getSourceCode Veja o código-fonte dos DAGs na página de detalhes do DAG.
composer.dags.execute Acionar DAGs na página de detalhes do DAG

É possível usar o controle de acesso da IU do Airflow para controlar ainda mais as permissões do DAG para contas de usuário. A IU do DAG requer permissões de controle de acesso da IU do IAM e do Airflow para permitir uma ação específica em um DAG. Ao mesmo tempo, a IU do Airflow valida o acesso do usuário apenas em relação às permissões de controle de acesso da IU do Airflow, ignorando as permissões do IAM.

Por exemplo, se um usuário tiver a permissão composer.dags.execute e o papel Viewer do Airflow, ele não poderá acionar DAGs no console do Google Cloud. Como exemplo oposto, se um usuário não tiver a permissão composer.dags.list, ele ainda poderá ver a lista de DAGs na IU do Airflow.

Como usar uma conta de serviço de outro projeto

Se você quiser que um ambiente do Cloud Composer em um projeto use uma conta de serviço gerenciada pelo usuário de um projeto diferente, configure a conta de serviço gerenciada pelo usuário para funcionar em todos os projetos.

Substitua SERVICE_PROJECT_NUMBER pelo número do projeto em que o Cloud Composer está localizado.

  1. Edite a política de permissão do projeto em que sua conta de serviço gerenciada pelo usuário está localizada:

    1. Conceda o papel Criador de token da conta de serviço à conta de serviço padrão do Compute Engine do projeto em que o ambiente está localizado (SERVICE_PROJECT_NUMBER-compute@developer.gserviceaccount.com).

    2. Conceda o papel Criador de token da conta de serviço ao agente de serviço do Cloud Composer do projeto em que o ambiente está localizado (service-SERVICE_PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com).

  2. Edite a política de permissão do projeto em que o ambiente está localizado. Conceda os papéis necessários a uma conta de serviço gerenciada pelo usuário, conforme descrito em Conceder papéis a uma conta de serviço gerenciada pelo usuário. Por exemplo, em uma configuração de IP público, sua conta de serviço gerenciada pelo usuário exige o papel de Worker do Composer.

A seguir