当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。
Compute Engine 具有一组预定义 IAM 角色,本页对这些角色进行了说明。您还可以创建自定义角色,这些角色包含的权限子集直接对应于您的需要。
如需了解每种方法所需的权限,请参阅 Compute Engine API 参考文档:
如需了解如何授予访问权限,请参阅以下页面。
- 如需在项目级层设置 IAM 政策,请参阅 IAM 文档中的授予、更改和撤消对资源的访问权限。
- 如需针对特定 Compute Engine 资源设置政策,请阅读授予对 Compute Engine 资源的访问权限。
- 如需为 Compute Engine 服务账号分配角色,请阅读为实例创建和启用服务账号。
什么是 IAM?
Google Cloud 提供 IAM,可让您授予对特定 Google Cloud 资源的更细化访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,您只需授予对您资源的必要访问权限。
IAM 允许您通过设置 IAM 政策来控制谁(身份)对哪些资源具有何种权限(角色)。IAM 政策可为项目成员授予一个或多个特定角色,进而授予相应身份特定权限。例如,您可以为 Google 账号分配给定资源(如项目)的 roles/compute.networkAdmin 角色,此后该账号便可控制项目中网络相关的资源,但无法管理实例和磁盘等其他资源。您还可以使用 IAM 来管理为项目团队成员授予的 Google Cloud 控制台旧版角色。
serviceAccountUser 角色
同时授予 roles/compute.instanceAdmin.v1 和 roles/iam.serviceAccountUser 角色时,后者会授予成员创建和管理使用服务账号的实例的权限。具体而言,同时授予 roles/iam.serviceAccountUser 和 roles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限:
- 创建一个以服务账号身份运行的实例。
- 将永久性磁盘附加到以服务账号身份运行的实例上。
- 在以服务账号身份运行的实例上设置实例元数据。
- 通过 SSH 连接到一个以服务账号身份运行的实例。
- 将实例重新配置为以服务账号身份运行。
您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser:
推荐。将该角色授予特定服务账号中的成员。这会使得该成员有权访问具有
iam.serviceAccountUser角色的服务账号,但不允许其访问不具有iam.serviceAccountUser角色的其他服务账号。在项目级层为成员授予该角色。该成员有权访问项目中的所有服务账号,包括将来创建的服务账号。
如果您对服务账号不熟悉,请详细了解服务账号。
Google Cloud Console 权限
如需使用 Google Cloud Console 访问 Compute Engine 资源,您必须拥有一个包含项目的以下权限的角色:
compute.projects.get
以 instanceAdmin 身份连接到实例
为项目成员授予 roles/compute.instanceAdmin.v1 角色后,该项目成员即可使用标准 Google Cloud 工具(例如 gcloud CLI 或在浏览器中使用 SSH)连接到虚拟机 (VM) 实例。
当成员使用 gcloud CLI 或 SSH-in-browser 时,该工具将自动生成公钥/私钥对,并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限,则该工具会将成员的公钥添加到实例元数据中。
如果成员已有想使用的现有密钥对,则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例。
IAM 与服务账号
创建新的自定义服务账号并将 IAM 角色授予服务账号以限制访问实例的权限。将 IAM 角色与自定义服务账号结合使用,您可以:
- 通过精细的 IAM 角色限制您的实例对 Google Cloud API 的访问权限。
- 为每个实例或每组实例授予唯一身份。
- 限制您的默认服务账号的访问权限。
托管实例组和 IAM
代管式实例组 (MIG) 是代表您执行操作的资源,无需直接的用户互动。例如,MIG 可以在实例组中添加和移除虚拟机。
由 Compute Engine 执行的属于 MIG 的所有操作都是使用您项目的 Google API 服务代理完成的,此服务代理具有如下所示的电子邮件地址:PROJECT_ID@cloudservices.gserviceaccount.com
默认情况下,Google API 服务代理会在项目级层被授予 Editor 角色 (roles/editor),从而获得足够的权限根据 MIG 的配置创建资源。如果您要为 Google API 服务代理自定义访问权限,请授予 Compute Instance Admin (v1) 角色 (roles/compute.instanceAdmin.v1) 和(可选)Service Account User 角色 (roles/iam.serviceAccountUser)。仅当 MIG 创建可以服务账号身份运行的虚拟机时,才需要 Service Account User 角色。
请注意,Google API 服务代理也会被其他进程(包括 Deployment Manager)使用。
当您创建 MIG 或更新其实例模板时,Compute Engine 会验证 Google API 服务代理具有以下角色和权限:
- Service Account User 角色;如果您计划创建可以服务账号身份运行的实例,则该角色很重要
- 针对通过实例模板引用的所有资源(例如映像、磁盘、VPC 网络和子网)的权限
预定义 Compute Engine IAM 角色
使用 IAM 时,Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员(用户、群组或服务账号)授予角色,进而授予相应权限。
除了基本角色(Viewer、Editor、Owner)和自定义角色之外,您还可以为项目成员分配以下 Compute Engine 预定义角色。
您可以针对同一资源向某位成员授予多个角色。例如,如果您的网络团队还负责管理防火墙规则,您可以将 roles/compute.networkAdmin 和 roles/compute.securityAdmin 同时授予该网络团队的 Google 群组。
下表描述了预定义 Compute Engine IAM 角色,以及每个角色所包含的权限。每个角色包含一组适合特定任务的权限。例如,Instance Admin 角色授予管理实例的权限,与网络相关的角色具有管理网络相关资源的权限,而安全角色具有管理安全相关资源(如防火墙和 SSL 证书)的权限。
Compute Admin 角色
| 详情 | 权限 |
|---|---|
Compute Admin( 拥有所有 Compute Engine 资源的完全控制权。
如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 您可以授予此角色的最低级层资源:
|
compute.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Image User 角色
| 详情 | 权限 |
|---|---|
Compute Image User( 可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后,获授此角色的用户可以列出项目中的所有映像,并根据项目中的映像创建实例和永久性磁盘等资源。 您可以授予此角色的最低级层资源:
|
compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Instance Admin(Beta 版)角色
| 详情 | 权限 |
|---|---|
Compute Instance Admin(Beta 版)( 拥有创建、修改和删除虚拟机实例的权限。 这包括创建、修改和删除磁盘的权限,以及配置安全强化型虚拟机设置的权限。
如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 例如,如果贵公司的某位员工负责管理多组虚拟机实例,但不负责管理网络或安全设置,也不负责管理以服务帐号身份运行的实例,则您可以在这些实例所属的组织、文件夹或项目级层授予此角色,也可以在个别实例级层授予此角色。 您可以授予此角色的最低级层资源:
|
compute.acceleratorTypes.*
compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.*
compute.diskTypes.*
compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute. compute. compute. compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use
compute.
compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get compute.licenses.list compute.machineImages.*
compute.machineTypes.*
compute.
compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get
compute.
compute.regionOperations.get compute.regionOperations.list compute.regions.*
compute.reservations.get compute.reservations.list compute. compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Instance Admin (v1) 角色
| 详情 | 权限 |
|---|---|
计算实例管理员 (v1)( 拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权, 拥有所有 Compute Engine 网络资源的读取权限。 如果仅在实例级层向用户授予此角色,则该用户无法创建新实例。 |
compute.acceleratorTypes.*
compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.*
compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.*
compute.disks.*
compute. compute. compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute.
compute.
compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.*
compute.
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkAttachments.get compute.
compute.
compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute.
compute.
compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.*
compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute. compute.snapshots.*
compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Load Balancer Admin 角色
| 详情 | 权限 |
|---|---|
Compute Load Balancer Admin( 拥有创建、修改和删除负载均衡器及相关资源的权限。 例如,如果您公司的负载均衡团队负责管理负载均衡器、负载均衡器的 SSL 证书、SSL 政策和其他负载均衡资源,而另一个网络团队负责管理其余网络资源,则向负载均衡团队群组授予此角色。 您可以授予此角色的最低级层资源:
|
certificatemanager. certificatemanager. certificatemanager. compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute. compute.disks.listTagBindings compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute. compute.images.listTagBindings compute.instanceGroups.*
compute.instances.get compute.instances.list compute. compute. compute.instances.use compute.instances.useReadOnly
compute.
compute.networks.get compute.networks.list compute.networks.use compute.projects.get
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute. compute. compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute. compute. compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Load Balancer Services User 角色
| 详情 | 权限 |
|---|---|
Compute Load Balancer Services User( 拥有使用其他项目中的负载均衡器的服务的权限。 |
compute.backendServices.get compute.backendServices.list compute.backendServices.use compute.projects.get compute. compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Network Admin 角色
| 详情 | 权限 |
|---|---|
Compute Network Admin( 拥有创建、修改和删除网络资源(不包括防火墙规则和 SSL 证书)的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例(以查看其临时 IP 地址),但无法让用户创建、启动、停止或删除实例。
例如,如果您公司的安全团队负责管理防火墙和 SSL 证书,而网络团队负责管理其余网络资源,则向网络团队群组授予此角色。
或者,如果您有一个负责管理安全和网络的组合团队,则向组合团队的群组授予此角色以及
您可以授予此角色的最低级层资源:
|
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.*
compute.backendServices.*
compute. compute.disks.listTagBindings compute.externalVpnGateways.*
compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.instances.use compute.instances.useReadOnly
compute.
compute.
compute.
compute.interconnects.*
compute.machineTypes.*
compute.networkAttachments.*
compute. compute. compute. compute.networks.*
compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute.
compute.
compute. compute. compute.
compute.
compute.regionHealthChecks.*
compute. compute. compute.
compute.
compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.*
compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get compute.zoneOperations.list compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networksecurity.*
networkservices.*
resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
|
Compute Network User 角色
| 详情 | 权限 |
|---|---|
Compute Network User( 提供共享 VPC 网络的访问权限 获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如,网络用户可以创建属于宿主项目网络的虚拟机实例,但不能在宿主项目中删除网络或者创建新网络。 您可以授予此角色的最低级层资源:
|
compute. compute. compute.addresses.get compute.addresses.list compute.addresses.useInternal compute. compute. compute. compute.firewalls.get compute.firewalls.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networkAttachments.get compute. compute.networks.access compute.networks.get compute. compute. compute.networks.list compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.*
compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute. compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.*
networkconnectivity. networkconnectivity.
networkconnectivity.
networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.*
networksecurity.operations.get networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.get networksecurity.urlLists.list networksecurity.urlLists.use networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.gateways.get networkservices.gateways.list networkservices.gateways.use networkservices.grpcRoutes.get networkservices. networkservices.grpcRoutes.use networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices.httpRoutes.use networkservices. networkservices. networkservices. networkservices.locations.*
networkservices.meshes.get networkservices.meshes.list networkservices.meshes.use networkservices.operations.get networkservices. networkservices. networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tcpRoutes.use networkservices.tlsRoutes.get networkservices.tlsRoutes.list networkservices.tlsRoutes.use resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Network Viewer 角色
| 详情 | 权限 |
|---|---|
Compute Network Viewer( 提供所有网络资源的只读权限 例如,如果您有用于检查网络配置的软件,则可以向该软件的服务帐号授予此角色。 您可以授予此角色的最低级层资源:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute. compute.disks.listTagBindings compute. compute. compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.machineTypes.*
compute.networkAttachments.get compute. compute.networks.get compute. compute. compute.networks.list compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.*
compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute. compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.*
networkconnectivity. networkconnectivity.
networkconnectivity.
networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.*
networksecurity.operations.get networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.get networksecurity.urlLists.list networkservices. networkservices. networkservices. networkservices. networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices. networkservices. networkservices.locations.*
networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices. networkservices. networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tlsRoutes.get networkservices.tlsRoutes.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
|
Compute Organization Firewall Policy Admin 角色
| 详情 | 权限 |
|---|---|
Compute Organization Firewall Policy Admin( 拥有对 Compute Engine 组织防火墙政策的完全控制权。 |
compute. compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewallPolicies.move compute. compute. compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get
compute.
compute.regionOperations.get compute. compute.regionOperations.list compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Firewall Policy User 角色
| 详情 | 权限 |
|---|---|
Compute Organization Firewall Policy User( 可以查看或使用 Compute Engine 防火墙政策,以便与组织或文件夹相关联。 |
compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute.projects.get compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Security Policy Admin 角色
| 详情 | 权限 |
|---|---|
Compute Organization Security Policy Admin( 拥有对 Compute Engine 组织安全政策的完整控制权。 |
compute.firewallPolicies.*
compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get compute. compute. compute. compute. compute.securityPolicies.get compute. compute.securityPolicies.list compute.securityPolicies.move compute. compute. compute. compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Security Policy User 角色
| 详情 | 权限 |
|---|---|
Compute Organization Security Policy User( 可以查看或使用 Compute Engine 安全政策,以便与组织或文件夹相关联。 |
compute. compute.firewallPolicies.get compute.firewallPolicies.list compute. compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get compute. compute.securityPolicies.get compute.securityPolicies.list compute. compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Resource Admin 角色
| 详情 | 权限 |
|---|---|
Compute Organization Resource Admin( 拥有与组织或文件夹关联的 Compute Engine 防火墙政策的完全控制权。 |
compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute. compute. compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Admin Login 角色
| 详情 | 权限 |
|---|---|
Compute OS Admin Login( 拥有以管理员用户身份登录 Compute Engine 实例的权限。 您可以授予此角色的最低级层资源:
|
compute. compute.disks.listTagBindings compute. compute.images.listTagBindings compute.instances.get compute.instances.list compute. compute. compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Login 角色
| 详情 | 权限 |
|---|---|
Compute OS Login( 拥有以标准用户身份登录 Compute Engine 实例的权限。 您可以授予此角色的最低级层资源:
|
compute. compute.disks.listTagBindings compute. compute.images.listTagBindings compute.instances.get compute.instances.list compute. compute. compute.instances.osLogin compute.projects.get compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Login External User 角色
| 详情 | 权限 |
|---|---|
Compute OS Login External User( 此角色仅在组织级层提供。 此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限,但不授予对实例的访问权限。外部用户必须获授必要的 OS Login 角色之一,才能使用 SSH 访问实例。 您可以授予此角色的最低级层资源:
|
compute. |
Compute Packet Mirroring Admin 角色
| 详情 | 权限 |
|---|---|
Compute Packet Mirroring Admin( 指定要生成镜像的资源。 |
compute. compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Packet Mirroring User 角色
| 详情 | 权限 |
|---|---|
Compute Packet Mirroring User( 可使用 Compute Engine 数据包镜像。 |
compute.packetMirrorings.*
compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Public IP Admin 角色
| 详情 | 权限 |
|---|---|
Compute Public IP Admin( 拥有对 Compute Engine 公共 IP 地址管理的完整控制权。 |
compute.addresses.*
compute.globalAddresses.*
compute.
compute.
compute.
resourcemanager.projects.get resourcemanager.projects.list |
Compute Security Admin 角色
| 详情 | 权限 |
|---|---|
计算安全管理员( 拥有创建、修改和删除防火墙规则和 SSL 证书的权限,以及配置安全强化型虚拟机设置的权限。 例如,如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队,则向安全团队群组授予此角色。 您可以授予此角色的最低级层资源:
|
compute.backendBuckets.list compute.backendServices.list compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get compute.globalOperations.list compute. compute.instances.list compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.*
compute.projects.get compute.
compute.
compute.regionOperations.get compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.*
compute.regions.*
compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get compute.subnetworks.list compute.targetInstances.list compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Sole Tenant Viewer 角色
| 详情 | 权限 |
|---|---|
Compute Sole Tenant Viewer( 查看单租户节点组所需的权限 |
compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
|
Compute Storage Admin 角色
| 详情 | 权限 |
|---|---|
计算存储管理员( 拥有创建、修改和删除磁盘、映像及快照的权限。 例如,如果您公司的某位员工负责管理项目映像,但您不希望该员工拥有项目的 Editor 角色,则向其帐号授予项目的此角色。 您可以授予此角色的最低级层资源:
|
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get compute.globalOperations.list compute.images.*
compute.instantSnapshots.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get compute.zoneOperations.list compute.zones.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Viewer 角色
| 详情 | 权限 |
|---|---|
Compute Viewer( 拥有以只读方式获取和列出 Compute Engine 资源的权限,但无权读取这些资源中存储的数据。 例如,获授此角色的帐号可以清点项目中的所有磁盘,但无法读取这些磁盘上的任何数据。 您可以授予此角色的最低级层资源:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute.backendServices.get compute. compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute. compute.securityPolicies.list compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute. compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Shared VPC Admin 角色
| 详情 | 权限 |
|---|---|
Compute Shared VPC Admin( 拥有管理共享 VPC 宿主项目的权限,具体来说,就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。 在组织层级,此角色只能由组织管理员授予。
Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 ( 您可以授予此角色的最低级层资源:
|
compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.projects.get compute. compute. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
GuestPolicy Admin 角色
| 详情 | 权限 |
|---|---|
GuestPolicy Admin Beta 版( 拥有对 GuestPolicy 的完整管理员权限 |
osconfig.guestPolicies.*
resourcemanager.projects.get resourcemanager.projects.list |
GuestPolicy Editor 角色
| 详情 | 权限 |
|---|---|
GuestPolicy Editor Beta 版( 可以修改 GuestPolicy 资源 |
osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list |
GuestPolicy Viewer 角色
| 详情 | 权限 |
|---|---|
GuestPolicy Viewer Beta 版( 可以查看 GuestPolicy 资源 |
osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list |
InstanceOSPoliciesCompliance Viewer 角色
| 详情 | 权限 |
|---|---|
InstanceOSPoliciesCompliance Viewer Beta 版( 虚拟机实例的操作系统政策合规情况的查看者 |
osconfig.
resourcemanager.projects.get resourcemanager.projects.list |
OS Inventory Viewer 角色
| 详情 | 权限 |
|---|---|
OS Inventory Viewer( 操作系统清单的查看者 |
osconfig.inventories.*
resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Admin 角色
| 详情 | 权限 |
|---|---|
OSPolicyAssignment Admin( 对操作系统政策分配具有完整管理员访问权限 |
osconfig.osPolicyAssignments.*
resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Editor 角色
| 详情 | 权限 |
|---|---|
OSPolicyAssignment Editor( 操作系统政策分配的编辑者 |
osconfig. osconfig. osconfig. resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignmentReport Viewer 角色
| 详情 | 权限 |
|---|---|
OSPolicyAssignmentReport Viewer( 可以查看虚拟机实例的操作系统政策分配报告 |
osconfig.
resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Viewer 角色
| 详情 | 权限 |
|---|---|
OSPolicyAssignment Viewer( 操作系统政策分配的查看者 |
osconfig. osconfig. resourcemanager.projects.get resourcemanager.projects.list |
PatchDeployment Admin 角色
| 详情 | 权限 |
|---|---|
PatchDeployment Admin( 拥有对 PatchDeployment 的完整管理员权限 |
osconfig.patchDeployments.*
resourcemanager.projects.get resourcemanager.projects.list |
PatchDeployment Viewer 角色
| 详情 | 权限 |
|---|---|
PatchDeployment Viewer( 可以查看 PatchDeployment 资源 |
osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list |
Patch Job Executor 角色
| 详情 | 权限 |
|---|---|
Patch Job Executor( 有权执行修补作业。 |
osconfig.patchJobs.*
resourcemanager.projects.get resourcemanager.projects.list |
Patch Job Viewer 角色
| 详情 | 权限 |
|---|---|
Patch Job Viewer( 获取并列出修补作业。 |
osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list |
OS VulnerabilityReport Viewer 角色
| 详情 | 权限 |
|---|---|
OS VulnerabilityReport Viewer( 操作系统漏洞报告的查看者 |
osconfig.
resourcemanager.projects.get resourcemanager.projects.list |
DNS Administrator role
| Details | Permissions |
|---|---|
DNS Administrator( Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
|
DNS Peer role
| Details | Permissions |
|---|---|
DNS Peer( Access to target networks with DNS peering zones |
|
DNS Reader role
| Details | Permissions |
|---|---|
DNS Reader( Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
|
Service Account Admin role
| Details | Permissions |
|---|---|
Service Account Admin( Create and manage service accounts. Lowest-level resources where you can grant this role:
|
|
Create Service Accounts role
| Details | Permissions |
|---|---|
Create Service Accounts( Access to create service accounts. |
|
Delete Service Accounts role
| Details | Permissions |
|---|---|
Delete Service Accounts( Access to delete service accounts. |
|
Service Account Key Admin role
| Details | Permissions |
|---|---|
Service Account Key Admin( Create and manage (and rotate) service account keys. Lowest-level resources where you can grant this role:
|
|
Service Account OpenID Connect Identity Token Creator role
| Details | Permissions |
|---|---|
Service Account OpenID Connect Identity Token Creator( Create OpenID Connect (OIDC) identity tokens |
|
Service Account Token Creator role
| Details | Permissions |
|---|---|
Service Account Token Creator( Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). Lowest-level resources where you can grant this role:
|
|
Service Account User role
| Details | Permissions |
|---|---|
Service Account User( Run operations as the service account. Lowest-level resources where you can grant this role:
|
|
View Service Accounts role
| Details | Permissions |
|---|---|
View Service Accounts( Read access to service accounts, metadata, and keys. |
|
Workload Identity User role
| Details | Permissions |
|---|---|
Workload Identity User( Impersonate service accounts from federated workloads. |
|