Compute Engine-IAM-Rollen und -Berechtigungen

Wenn Sie ein neues Mitglied in Ihr Projekt aufnehmen, können Sie diesem Mitglied mithilfe einer Richtlinie für die Identitäts- und Zugriffsverwaltung (IAM) eine oder mehrere IAM-Rollen zuweisen. Jede IAM-Rolle enthält Berechtigungen, die dem Mitglied Zugriff auf bestimmte Ressourcen gewähren.

Compute Engine bietet eine Reihe vordefinierter IAM-Rollen. Diese werden auf dieser Seite beschrieben. Sie können auch benutzerdefinierte Rollen erstellen, die Teilmengen von Berechtigungen enthalten, die sich direkt Ihren Anforderungen zuordnen lassen.

Informationen zu den für die einzelnen Methoden erforderlichen Berechtigungen finden Sie in der Referenzdokumentation zur Compute Engine API:

Informationen zum Gewähren des Zugriffs finden Sie auf den folgenden Seiten.

Hinweis

Was ist IAM?

Google Cloud bietet mit der Identitäts- und Zugriffsverwaltung, abgekürzt IAM (für Identity and Access Management), die Möglichkeit, den Zugriff auf einzelne Google Cloud-Ressourcen präzise zu steuern und unerwünschten Zugriff auf andere Ressourcen zu verhindern. Durch IAM können Sie das Prinzip der geringsten Berechtigung anwenden und somit nur den notwendigen Zugriff auf Ihre Ressourcen gewähren.

Durch das Festlegen von IAM-Richtlinien können Sie steuern, wer (Identität) welche (Rollen) Berechtigungen für welche Ressourcen hat. Anhand von IAM-Richtlinien werden einem Projektmitglied bestimmte Rollen zugewiesen, mit denen wiederum bestimmte Berechtigungen verknüpft sind. Für eine bestimmte Ressource, z. B. ein Projekt, können Sie einem Google-Konto die Rolle roles/compute.networkAdmin zuweisen. Dieses Konto kann netzwerkbezogene Ressourcen im Projekt steuern, aber keine anderen Ressourcen wie Instanzen und Laufwerke verwalten. Mit IAM können Sie auch die Legacy-Rollen der Cloud Console verwalten, die Projektteammitgliedern gewährt wurden.

Rolle "serviceAccountUser"

Wird diese Rolle zusammen mit roles/compute.instanceAdmin.v1 erteilt, können Mitglieder durch roles/iam.serviceAccountUser Instanzen erstellen und verwalten, für die ein Dienstkonto verwendet wird. Wenn Sie die Rollen roles/iam.serviceAccountUser und roles/compute.instanceAdmin.v1 zusammen erteilen, erhalten die Mitglieder die folgenden Berechtigungen:

  • Instanz erstellen, die als Dienstkonto ausgeführt wird.
  • Nichtflüchtigen Speicher zu einer Instanz hinzufügen, die als Dienstkonto ausgeführt wird.
  • Instanzmetadaten für eine Instanz festlegen, die als Dienstkonto ausgeführt wird.
  • SSH verwenden, um eine Verbindung zu einer Instanz herzustellen, die als Dienstkonto ausgeführt wird.
  • Instanz neu konfigurieren, sodass sie als Dienstkonto ausgeführt wird.

roles/iam.serviceAccountUser kann auf zwei Arten zugewiesen werden:

  • Empfohlen. Weisen Sie einem Mitglied die Rolle für ein bestimmtes Dienstkonto zu. So erhält ein Mitglied Zugriff auf das Dienstkonto, für das er ein iam.serviceAccountUser ist. Der Zugriff auf andere Dienstkonten, für die das Mitglied kein iam.serviceAccountUser ist, wird hingegen verhindert.

  • Gewähren Sie einem Mitglied die Rolle auf Projektebene. Das Mitglied kann auf alle Dienstkonten in dem Projekt zugreifen, darunter auch Dienstkonten, die erst zukünftig erstellt werden.

Weitere Informationen zu Dienstkonten.

Berechtigung für Google Cloud Console

Wenn Sie über die Google Cloud Console auf Compute Engine-Ressourcen zugreifen möchten, müssen Sie eine Rolle haben, die die folgende Berechtigung für das Projekt umfasst:

compute.projects.get

Als "instanceAdmin" eine Verbindung zu einer Instanz herstellen

Nachdem Sie einem Projektmitglied die Rolle roles/compute.instanceAdmin.v1 zugewiesen haben, kann es über standardmäßige Google Cloud-Tools wie das gcloud-Tool oder SSH über den Browser Verbindungen zu VM-Instanzen herstellen.

Wenn ein Mitglied das gcloud-Tool oder SSH über den Browser verwendet, generieren die Tools automatisch ein Paar aus öffentlichem und privatem Schlüssel und fügen den öffentlichen Schlüssel den Projektmetadaten hinzu. Wenn das Mitglied nicht berechtigt ist, Projektmetadaten zu bearbeiten, fügt das Tool stattdessen den öffentlichen Schlüssel des Mitglieds den Instanzmetadaten hinzu.

Verfügt das Mitglied bereits über ein Schlüsselpaar, das es verwenden möchte, kann es seinen öffentlichen Schlüssel manuell den Instanzmetadaten hinzufügen. Weitere Informationen zum Hinzufügen oder Entfernen von SSH-Schlüsseln aus einer Instanz

IAM mit Dienstkonten

Durch die Erstellung neuer benutzerdefinierter Dienstkonten und die Zuweisung von IAM-Rollen zu Dienstkonten haben Sie die Möglichkeit, den Zugriff auf Ihre Instanzen zu beschränken. Wenn Sie IAM-Rollen mit benutzerdefinierten Dienstkonten verwenden, können Sie Folgendes tun:

  • Mithilfe detaillierter IAM-Rollen den Zugriff Ihrer Instanzen auf Google Cloud APIs beschränken
  • Jeder Instanz oder jeder Gruppe von Instanzen eine eindeutige Identität verleihen
  • Den Zugriff auf Ihr Standarddienstkonto beschränken

Hier erfahren Sie mehr über Dienstkonten.

Verwaltete Instanzgruppen und IAM

Verwaltete Instanzgruppen sind Ressourcen, die ohne direkte Nutzerinteraktion Vorgänge in Ihrem Namen ausführen. Dies gilt insbesondere, wenn sie so konfiguriert sind, dass sie automatisch skaliert werden. Verwaltete Instanzgruppen verwenden eine Dienstkontoidentität, um Instanzen in der Instanzgruppe zu erstellen, zu löschen und zu verwalten. Weitere Informationen finden Sie in der Dokumentation zu verwalteten Instanzgruppen und IAM.

Nicht unterstützte Vorgänge

Sie können keinen Zugriff gewähren, um mit IAM-Rollen Rolling Updates für Instanzgruppen auszuführen.

Verwenden Sie die umfassenderen Rollen "Inhaber", "Bearbeiter" oder "Betrachter", um die Berechtigung zur Ausführung dieser Vorgänge zu gewähren.

Vordefinierte Compute Engine-Rollen

Bei IAM erfordert jede API-Methode in der Compute Engine API, dass die Identität, die die API-Anfrage stellt, die entsprechenden Berechtigungen zur Verwendung der Ressource hat. Berechtigungen werden durch Festlegen von Richtlinien erteilt, die einem Mitglied (Nutzer, Gruppe oder Dienstkonto) Ihres Projekts Rollen zuweisen.

Neben den einfachen Rollen (Betrachter, Bearbeiter und Inhaber) und benutzerdefinierten Rollen können Sie den Mitgliedern Ihres Projekts die unten beschriebenen vordefinierten Compute Engine-Rollen zuweisen.

Sie können einem Projektmitglied mehrere Rollen für dieselbe Ressource zuweisen. Wenn Ihr Netzwerkteam z. B. auch Firewallregeln verwaltet, können Sie der Google-Gruppe des Netzwerkteams sowohl roles/compute.networkAdmin als auch roles/compute.securityAdmin gewähren.

In den folgenden Tabellen werden die vordefinierten IAM-Rollen von Compute Engine sowie die in den einzelnen Rollen enthaltenen Berechtigungen beschrieben. Jede Rolle enthält eine Reihe von Berechtigungen, die für eine bestimmte Aufgabe geeignet sind. Durch die Instanzadministrator-Rollen werden beispielsweise Berechtigungen zum Verwalten von Instanzen gewährt, die netzwerkbezogenen Rollen gewähren Berechtigungen zum Verwalten von netzwerkbezogenen Ressourcen und die Sicherheitsrolle gewährt Berechtigungen zum Verwalten von sicherheitsbezogenen Ressourcen wie Firewalls und SSL-Zertifikaten.

Compute Admin role

Name Description Permissions
roles/compute.admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Image User role

Name Description Permissions
roles/compute.imageUser

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (beta) role

Name Description Permissions
roles/compute.instanceAdmin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (v1) role

Name Description Permissions
roles/compute.instanceAdmin.v1

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Admin role

Name Description Permissions
roles/compute.loadBalancerAdmin Beta

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Admin role

Name Description Permissions
roles/compute.networkAdmin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.

  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.instances.updateSecurity
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Network User role

Name Description Permissions
roles/compute.networkUser

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Viewer role

Name Description Permissions
roles/compute.networkViewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Organization Firewall Policy Admin role

Name Description Permissions
roles/compute.orgFirewallPolicyAdmin Full control of Compute Engine Organization Firewall Policies.
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Firewall Policy User role

Name Description Permissions
roles/compute.orgFirewallPolicyUser View or use Compute Engine Firewall Policies to associate with the organization or folders.
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy Admin role

Name Description Permissions
roles/compute.orgSecurityPolicyAdmin Full control of Compute Engine Organization Security Policies.
  • compute.firewallPolicies.*
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy User role

Name Description Permissions
roles/compute.orgSecurityPolicyUser View or use Compute Engine Security Policies to associate with the organization or folders.
  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Resource Admin role

Name Description Permissions
roles/compute.orgSecurityResourceAdmin Full control of Compute Engine Firewall Policy associations to the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Admin Login role

Name Description Permissions
roles/compute.osAdminLogin

Access to log in to a Compute Engine instance as an administrator user.

  • compute.instances.get
  • compute.instances.list
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login role

Name Description Permissions
roles/compute.osLogin

Access to log in to a Compute Engine instance as a standard user.

  • compute.instances.get
  • compute.instances.list
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login External User role

Name Description Permissions
roles/compute.osLoginExternalUser

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

  • compute.oslogin.*

Compute packet mirroring admin role

Name Description Permissions
roles/compute.packetMirroringAdmin Specify resources to be mirrored.
  • compute.instances.updateSecurity
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute packet mirroring user role

Name Description Permissions
roles/compute.packetMirroringUser Use Compute Engine packet mirrorings.
  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Public IP Admin role

Name Description Permissions
roles/compute.publicIpAdmin Full control of public IP address management for Compute Engine.
  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Security Admin role

Name Description Permissions
roles/compute.securityAdmin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

  • compute.firewallPolicies.*
  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.*
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Storage Admin role

Name Description Permissions
roles/compute.storageAdmin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Viewer role

Name Description Permissions
roles/compute.viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Shared VPC Admin role

Name Description Permissions
roles/compute.xpnAdmin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

GuestPolicy Admin role

Name Description Permissions
roles/osconfig.guestPolicyAdmin Beta Full admin access to GuestPolicies
  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Editor role

Name Description Permissions
roles/osconfig.guestPolicyEditor Beta Editor of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Viewer role

Name Description Permissions
roles/osconfig.guestPolicyViewer Beta Viewer of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer role

Name Description Permissions
roles/osconfig.instanceOSPoliciesComplianceViewer Beta Viewer of OS Policies Compliance of VM instances
  • osconfig.instanceOSPoliciesCompliances.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS Inventory Viewer role

Name Description Permissions
roles/osconfig.inventoryViewer Viewer of OS Inventories
  • osconfig.inventories.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Admin role

Name Description Permissions
roles/osconfig.osPolicyAssignmentAdmin Beta Full admin access to OS Policy Assignments
  • osconfig.osPolicyAssignments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Editor role

Name Description Permissions
roles/osconfig.osPolicyAssignmentEditor Beta Editor of OS Policy Assignments
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Viewer role

Name Description Permissions
roles/osconfig.osPolicyAssignmentViewer Beta Viewer of OS Policy Assignments
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Admin role

Name Description Permissions
roles/osconfig.patchDeploymentAdmin Full admin access to PatchDeployments
  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Viewer role

Name Description Permissions
roles/osconfig.patchDeploymentViewer Viewer of PatchDeployment resources
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Executor role

Name Description Permissions
roles/osconfig.patchJobExecutor Access to execute Patch Jobs.
  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Viewer role

Name Description Permissions
roles/osconfig.patchJobViewer Get and list Patch Jobs.
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS VulnerabilityReport Viewer role

Name Description Permissions
roles/osconfig.vulnerabilityReportViewer Viewer of OS VulnerabilityReports
  • osconfig.vulnerabilityReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS-Administrator-Rolle

Name Beschreibung Berechtigungen
roles/dns.admin

Lese- und Schreibzugriff auf alle Cloud DNS-Ressourcen

  • compute.networks.get
  • compute.networks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS-Peer-Rolle

Name Beschreibung Berechtigungen
roles/dns.peer Zugriff auf Zielnetzwerke mit DNS-Peering-Zonen
  • dns.networks.targetWithPeeringZone

DNS-Leser-Rolle

Name Beschreibung Berechtigungen
roles/dns.reader

Lesezugriff auf alle Cloud DNS-Ressourcen

  • compute.networks.get
  • dns.changes.get
  • dns.changes.list
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.policies.get
  • dns.policies.list
  • dns.projects.*
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkonto-Administrator"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountAdmin Dienstkonten erstellen und verwalten
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.undelete
  • iam.serviceAccounts.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkonten erstellen"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountCreator Kann Dienstkonten erstellen.
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkonten löschen"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountDeleter Zugriff zum Löschen von Dienstkonten.
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkontoschlüssel-Administrator"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountKeyAdmin Dienstkontoschlüssel erstellen und verwalten (und rotieren)
  • iam.serviceAccountKeys.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkonto-Token-Ersteller"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountTokenCreator Übernahme der Identität von Dienstkonten (OAuth2-Zugriffstoken erstellen, Blobs oder JWTs signieren usw.).
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Rolle "Dienstkontonutzer"

Name Beschreibung Berechtigungen
roles/iam.serviceAccountUser Vorgänge als Dienstkonto ausführen
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Workload Identity-Nutzerrolle

Name Beschreibung Berechtigungen
roles/iam.workloadIdentityUser Identität von Dienstkonten von GKE-Arbeitslasten übernehmen
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.list

Nächste Schritte