When you add a member to a project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to specific resources.
Compute Engine has a set of predefined IAM roles, which this page describes. You can also create custom roles and assign them the subset of permissions that fits your needs.
To find out which permissions each method requires, see the Compute Engine API reference documentation.
To learn how to grant access, see the following pages.
- To set an IAM policy at the project level, see "Managing access to projects, folders, and organizations" in the IAM documentation.
- To set a policy on a specific Compute Engine resource, see "Granting access to Compute Engine resources".
- To assign roles to a Compute Engine service account, see "Creating a VM that uses a user-managed service account".
What is IAM?
Google Cloud offers IAM, which lets you grant access to specific Google Cloud resources at a fine granularity while preventing unauthorized access to other resources. IAM lets you adopt the security principle of least privilege, granting users only the resource access they need.
Once an IAM policy is set, you control "who" (identity) has "what" (role) access to "which" resources. An IAM policy grants specific roles to project members, giving them specific permissions. For example, if you grant the Compute Network Admin role (roles/compute.networkAdmin) on a particular resource (such as a project) to a user account (a Google Account or an account from an external identity provider), that account can control the networking resources in the project but cannot manage other resources such as instances and disks. You can also use IAM to manage the Google Cloud console legacy roles granted to project team members.
The serviceAccountUser role
The Service Account User role (roles/iam.serviceAccountUser), when granted together with the Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1), lets a member create and manage instances that use a service account. Specifically, granting both roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 to a member grants the following permissions:
- Create an instance that runs as a service account.
- Attach persistent disks to instances that run as a service account.
- Set instance metadata on instances that run as a service account.
- Connect over SSH to instances that run as a service account.
- Reconfigure instances that run as a service account.
You can grant the Service Account User role (roles/iam.serviceAccountUser) in either of two ways:
- Recommended: grant the role to the member on a specific service account. The member can then access the service accounts on which they hold the iam.serviceAccountUser role, but cannot access other service accounts on which they do not hold it.
- Grant the role to the member at the project level. The member can then access every service account in the project, including service accounts created in the future.
To learn more about service accounts, see the service accounts documentation.
Google Cloud console permissions
To access Compute Engine resources using the Google Cloud console, your project role must include the following permission:
compute.projects.get
Connecting to instances with instanceAdmin
After you grant the roles/compute.instanceAdmin.v1 role to a project member, that member can connect to virtual machine (VM) instances using standard Google Cloud tools such as the gcloud CLI or SSH from the browser.
When a member uses the gcloud CLI or SSH from the browser to open an SSH connection, the tool automatically generates a public/private key pair and adds the public key to the project metadata. If the member does not have permission to edit project metadata, the tool instead adds the member's public key to the instance metadata.
If the member already has a key pair they want to use, they can add its public key to the instance metadata manually. Learn more about adding SSH keys to instances.
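Because the keys that gcloud and browser SSH add land in project or instance metadata, a defender auditing "who can reach this VM over SSH" has to read both levels of metadata. The following is an added example (not code from the Google Cloud documentation) that inventories the usernames granted access by metadata-based keys. It assumes metadata shaped like the `metadata.items` list that `gcloud compute instances describe` and `gcloud compute project-info describe` return, parses the `ssh-keys` value format `USERNAME:KEY_TYPE KEY [COMMENT]`, honours the `block-project-ssh-keys` instance key, expires temporary keys carrying a `google-ssh {...}` comment with an `expireOn` field, and, going slightly beyond the passage, treats `enable-oslogin=TRUE` as disabling metadata keys entirely. All key material, usernames and timestamps below are constructed for the demonstration.

```python
"""Inventory SSH access granted through Compute Engine metadata keys (added example)."""
import json
from datetime import datetime, timezone

# Constructed reference time for evaluating key expiry.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed project metadata: alice has a permanent key, bob has an
# expired temporary key of the kind browser SSH adds (google-ssh comment).
PROJECT_METADATA = {"items": [{"key": "ssh-keys", "value": (
    "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY alice@laptop\n"
    'bob:ssh-rsa AAAAB3NzaC1yc2EFAKEKEY google-ssh '
    '{"userName":"bob@example.com","expireOn":"2020-01-01T00:00:00+0000"}'
)}]}

# Constructed instance metadata: carol added her own key and the instance
# blocks project-wide keys, so alice's project key does not apply here.
INSTANCE_METADATA = {"items": [
    {"key": "ssh-keys", "value": "carol:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE carol"},
    {"key": "block-project-ssh-keys", "value": "TRUE"},
]}


def metadata_items(metadata):
    """Flatten a metadata.items list into a key -> value dict."""
    return {item["key"]: item["value"] for item in metadata.get("items", [])}


def parse_ssh_keys(value, now):
    """Parse one ssh-keys metadata value into entries with an expiry verdict."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line: the guest agent would skip it too
        username, rest = line.split(":", 1)
        parts = rest.split(maxsplit=2)  # KEY_TYPE, KEY, optional COMMENT
        if len(parts) < 2:
            continue
        comment = parts[2] if len(parts) == 3 else ""
        expired = False
        if comment.startswith("google-ssh "):
            # Temporary key: the JSON comment carries an expireOn timestamp.
            meta = json.loads(comment[len("google-ssh "):])
            expire_on = datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
            expired = expire_on <= now
        entries.append({"username": username, "key_type": parts[0], "expired": expired})
    return entries


def _truthy(value):
    return (value or "").strip().lower() == "true"


def effective_ssh_users(project_metadata, instance_metadata, now):
    """Usernames with a live metadata-based SSH key on the instance."""
    proj, inst = metadata_items(project_metadata), metadata_items(instance_metadata)
    # Instance-level enable-oslogin overrides the project value; with OS Login
    # on, metadata keys are ignored (known behaviour, not stated on the page).
    if _truthy(inst.get("enable-oslogin", proj.get("enable-oslogin"))):
        return set()
    users = {e["username"] for e in parse_ssh_keys(inst.get("ssh-keys", ""), now) if not e["expired"]}
    if not _truthy(inst.get("block-project-ssh-keys")):
        users |= {e["username"] for e in parse_ssh_keys(proj.get("ssh-keys", ""), now) if not e["expired"]}
    return users


if __name__ == "__main__":
    print(sorted(effective_ssh_users(PROJECT_METADATA, INSTANCE_METADATA, NOW)))
```

Run it against real output by feeding `effective_ssh_users` the `metadata` objects from the two `describe` commands; the usernames it returns are the accounts that can log in regardless of which IAM role put the key there.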
Using IAM with service accounts
You can restrict an instance's access by creating a new custom service account and granting IAM roles to that service account. Using IAM roles with a custom service account lets you:
- Limit an instance's access to Google Cloud APIs through fine-grained IAM roles.
- Give each instance (or group of instances) a distinct identity.
- Limit the access of the default service account.
Managed instance groups and IAM
A managed instance group (MIG) is a resource that can perform actions on your behalf without direct user interaction. For example, a MIG can add and remove VMs in the group.
All operations that Compute Engine performs in a MIG are carried out using your project's Google APIs service agent, whose email address has the following format:
PROJECT_ID@cloudservices.gserviceaccount.com
By default, the Google APIs service agent is granted the Editor role (roles/editor) at the project level, which is sufficient to create resources according to the MIG's configuration. To customize the Google APIs service agent's access, grant the Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1) and, if needed, the Service Account User role (roles/iam.serviceAccountUser). The Service Account User role is needed only if the MIG creates VMs that can run as a service account.
Note that the Google APIs service agent is also used by other processes, including Deployment Manager.
When you create a MIG or update an instance template, Compute Engine verifies that the Google APIs service agent has the following roles and permissions:
- The Service Account User role (essential if you plan to create instances that can run as a service account)
- Access to all the resources that the instance template references, such as images, disks, VPC networks, and subnets
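Two of the rules above are easy to get wrong in a real project: the "serviceAccountUser role" section says a member needs Instance Admin (v1) plus Service Account User, granted either per service account (recommended) or project-wide (which silently covers future service accounts), and this section says the Google APIs service agent keeps a project-level Editor grant unless you narrow it to Instance Admin (v1) and, only when templates run VMs as a service account, Service Account User. The following added example (not code from the Google Cloud documentation) encodes both rules as checks over policy documents. It assumes input shaped like the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`; the project id, members and service-account e-mails are constructed.

```python
"""Check Compute Engine IAM grants against the page's rules (added example)."""

SA_USER = "roles/iam.serviceAccountUser"
INSTANCE_ADMIN = "roles/compute.instanceAdmin.v1"
EDITOR = "roles/editor"

PROJECT_ID = "example-project"  # constructed placeholder
# Google APIs service agent, in the address format the page gives, as an IAM member.
GOOGLE_APIS_SERVICE_AGENT = f"serviceAccount:{PROJECT_ID}@cloudservices.gserviceaccount.com"

# Constructed project-level policy: the service agent still holds its default
# Editor grant, alice has Service Account User only on one service account
# (the recommended form), bob holds it project-wide.
PROJECT_POLICY = {
    "bindings": [
        {"role": EDITOR, "members": [GOOGLE_APIS_SERVICE_AGENT]},
        {"role": INSTANCE_ADMIN, "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": SA_USER, "members": ["user:bob@example.com"]},
    ]
}

# Constructed per-service-account policies, keyed by service account e-mail.
SERVICE_ACCOUNT_POLICIES = {
    "app-sa@example-project.iam.gserviceaccount.com": {
        "bindings": [{"role": SA_USER, "members": ["user:alice@example.com"]}]
    },
    "db-sa@example-project.iam.gserviceaccount.com": {"bindings": []},
}


def roles_of(policy, member):
    """Roles `member` holds directly in one policy document (no inheritance)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def usable_service_accounts(member, project_policy, sa_policies):
    """Service accounts the member may attach to VMs, plus whether the grant is
    project-wide (which also covers service accounts created later)."""
    if SA_USER in roles_of(project_policy, member):
        return set(sa_policies), True
    usable = {sa for sa, pol in sa_policies.items() if SA_USER in roles_of(pol, member)}
    return usable, False


def can_create_instance_as(member, sa_email, project_policy, sa_policies):
    """The page's rule: Instance Admin (v1) on the project plus Service Account
    User on the project or on that particular service account."""
    if INSTANCE_ADMIN not in roles_of(project_policy, member):
        return False
    usable, project_wide = usable_service_accounts(member, project_policy, sa_policies)
    return project_wide or sa_email in usable


def project_level_sa_user_grants(project_policy):
    """Members holding Service Account User project-wide: broader than the
    per-service-account grant the page recommends, so worth reviewing."""
    return sorted(m for b in project_policy.get("bindings", [])
                  if b["role"] == SA_USER for m in b.get("members", []))


def check_google_apis_service_agent(project_policy, templates_run_as_sa):
    """Findings about the Google APIs service agent that MIGs act through.
    An empty list means it holds what the page says it needs and no more."""
    roles = roles_of(project_policy, GOOGLE_APIS_SERVICE_AGENT)
    findings = []
    if EDITOR in roles:
        needed = INSTANCE_ADMIN + (" and " + SA_USER if templates_run_as_sa else "")
        findings.append(f"service agent holds the default {EDITOR}; narrow it to {needed}")
        return findings
    if INSTANCE_ADMIN not in roles:
        findings.append(f"service agent lacks {INSTANCE_ADMIN}; MIGs cannot create VMs")
    if templates_run_as_sa and SA_USER not in roles:
        findings.append(f"templates run VMs as a service account but the agent lacks {SA_USER}")
    return findings


if __name__ == "__main__":
    for member in ("user:alice@example.com", "user:bob@example.com"):
        print(member, usable_service_accounts(member, PROJECT_POLICY, SERVICE_ACCOUNT_POLICIES))
    print("project-wide Service Account User grants:", project_level_sa_user_grants(PROJECT_POLICY))
    for finding in check_google_apis_service_agent(PROJECT_POLICY, templates_run_as_sa=True):
        print("FINDING:", finding)
```

The checks look only at direct bindings on the documents you pass in; roles inherited from a folder or organization policy would have to be fetched and merged in before the verdicts are complete.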
Predefined Compute Engine IAM roles
With IAM, every API method in the Compute Engine API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a project member (a user, group, or service account).
In addition to the basic roles (Viewer, Editor, Owner) and custom roles, you can assign the following predefined Compute Engine roles to project members.
You can grant multiple roles to the same project member on the same resource. For example, if your networking team also manages firewall rules, you can grant both roles/compute.networkAdmin and roles/compute.securityAdmin to the networking team's Google group.
The following table describes the predefined Compute Engine IAM roles and the permissions each role has. Each role carries a set of permissions suited to a particular task. For example, the Instance Admin role grants permissions to manage instances, the network-related roles grant permissions to manage networking resources, and the security role grants permissions to manage security-related resources such as firewalls and Secure Sockets Layer (SSL) certificates. When you use Compute Engine, you may also need roles from other services, such as Cloud DNS and IAM service accounts. For a complete list of IAM roles, see the IAM roles reference documentation.
| Role | Description |
|---|---|
| Compute Admin | Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the Service Account User role (roles/iam.serviceAccountUser). |
| Compute Future Reservation Admin (Beta) | |
| Compute Future Reservation User (Beta) | |
| Compute Future Reservation Viewer (Beta) | |
| Compute Image User | Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. |
| Compute Instance Admin (beta) | Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the Service Account User role (roles/iam.serviceAccountUser). For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. |
| Compute Instance Admin (v1) | Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances. |
| Instance Group Manager Service Agent | Role containing all permissions required by Managed Instance Groups to create and manage instances. |
| Interconnect Attachment Group Analyzer | Analyze Interconnect Attachment Groups via their GetOperationalStatus method. |
| Interconnect Group Analyzer | Analyze Interconnect Groups via their GetOperationalStatus method. |
| Compute Load Balancer Admin | Permissions to create, modify, and delete load balancers and associated resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. |
| Compute Load Balancer Services User | Permissions to use services from a load balancer in other projects. |
| Compute Network Admin | Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the Compute Security Admin role (roles/compute.securityAdmin). |
| Compute Network User | Provides access to a shared VPC network. Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete or create new networks in the host project. |
| Compute Network Viewer | Read-only access to all networking resources. For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. |
| Compute Organization Firewall Policy Admin | Full control of Compute Engine Organization Firewall Policies. |
| Compute Organization Firewall Policy User | View or use Compute Engine Firewall Policies to associate with the organization or folders. |
| Compute Organization Security Policy Admin | Full control of Compute Engine Organization Security Policies. |
| Compute Organization Security Policy User | View or use Compute Engine Security Policies to associate with the organization or folders. |
| Compute Organization Resource Admin | Full control of Compute Engine Firewall Policy associations to the organization or folders. |
| Compute OS Admin Login | Access to log in to a Compute Engine instance as an administrator user. |
| Compute OS Login | Access to log in to a Compute Engine instance as a standard user. |
| Compute OS Login External User | Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. |
| Compute Packet Mirroring Admin | Specify resources to be mirrored. |
| Compute Packet Mirroring User | Use Compute Engine packet mirrorings. |
| Compute Peer Subnet Migration Admin | Use subnetworks whose PURPOSE is "PEER_MIGRATION". |
| Compute Public IP Admin | Full control of public IP address management for Compute Engine. |
| Compute Security Admin | Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. |
| Compute Engine Service Agent | Gives the Compute Engine service account access to assert service account authority. Includes access to service accounts. |
| Compute Sole Tenant Viewer | Permissions to view sole-tenancy node groups. |
| Compute Storage Admin | Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the Editor role on the project, then grant this role to their account on the project. |
| Compute Viewer | Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. |
| Compute Shared VPC Admin | Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role. |