Compute Engine IAM 角色和权限


当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。

Compute Engine 具有一组预定义 IAM 角色,本页对这些角色进行了说明。您还可以创建自定义角色,这些角色包含的权限子集直接对应于您的需要。

如需了解每种方法所需的权限,请参阅 Compute Engine API 参考文档:

如需了解如何授予访问权限,请参阅以下页面。

什么是 IAM?

Google Cloud 提供 IAM,可让您授予对特定 Google Cloud 资源的更细化访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,您只需授予对您资源的必要访问权限。

IAM 允许您通过设置 IAM 政策来控制谁(身份)对哪些资源具有何种权限(角色)。IAM 政策可为项目成员授予一个或多个特定角色,进而授予相应身份特定权限。例如,您可以为 Google 账号分配给定资源(如项目)的 roles/compute.networkAdmin 角色,此后该账号便可控制项目中网络相关的资源,但无法管理实例和磁盘等其他资源。您还可以使用 IAM 来管理为项目团队成员授予的 Google Cloud 控制台旧版角色

serviceAccountUser 角色

同时授予 roles/compute.instanceAdmin.v1roles/iam.serviceAccountUser 角色时,后者会授予成员创建和管理使用服务账号的实例的权限。具体而言,同时授予 roles/iam.serviceAccountUserroles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限:

  • 创建一个以服务账号身份运行的实例。
  • 将永久性磁盘附加到以服务账号身份运行的实例上。
  • 在以服务账号身份运行的实例上设置实例元数据。
  • 通过 SSH 连接到一个以服务账号身份运行的实例。
  • 将实例重新配置为以服务账号身份运行。

您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser

  • 推荐。将该角色授予特定服务账号中的成员。这会使得该成员有权访问具有 iam.serviceAccountUser 角色的服务账号,但不允许其访问不具有 iam.serviceAccountUser 角色的其他服务账号。

  • 项目级层为成员授予该角色。该成员有权访问项目中的所有服务账号,包括将来创建的服务账号。

如果您对服务账号不熟悉,请详细了解服务账号

Google Cloud Console 权限

如需使用 Google Cloud Console 访问 Compute Engine 资源,您必须拥有一个包含项目的以下权限的角色:

compute.projects.get

以 instanceAdmin 身份连接到实例

为项目成员授予 roles/compute.instanceAdmin.v1 角色后,该项目成员即可使用标准 Google Cloud 工具(例如 gcloud CLI在浏览器中使用 SSH)连接到虚拟机 (VM) 实例。

当成员使用 gcloud CLI 或 SSH-in-browser 时,该工具将自动生成公钥/私钥对,并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限,则该工具会将成员的公钥添加到实例元数据中。

如果成员已有想使用的现有密钥对,则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例

IAM 与服务账号

创建新的自定义服务账号并将 IAM 角色授予服务账号以限制访问实例的权限。将 IAM 角色与自定义服务账号结合使用,您可以:

  • 通过精细的 IAM 角色限制您的实例对 Google Cloud API 的访问权限。
  • 为每个实例或每组实例授予唯一身份。
  • 限制您的默认服务账号的访问权限。

详细了解服务账号

托管实例组和 IAM

代管式实例组 (MIG) 是代表您执行操作的资源,无需直接的用户互动。例如,MIG 可以在实例组中添加和移除虚拟机。

由 Compute Engine 执行的属于 MIG 的所有操作都是使用您项目的 Google API 服务代理完成的,此服务代理具有如下所示的电子邮件地址:PROJECT_ID@cloudservices.gserviceaccount.com

默认情况下,Google API 服务代理会在项目级层被授予 Editor 角色 (roles/editor),从而获得足够的权限根据 MIG 的配置创建资源。如果您要为 Google API 服务代理自定义访问权限,请授予 Compute Instance Admin (v1) 角色 (roles/compute.instanceAdmin.v1) 和(可选)Service Account User 角色 (roles/iam.serviceAccountUser)。仅当 MIG 创建可以服务账号身份运行的虚拟机时,才需要 Service Account User 角色。

请注意,Google API 服务代理也会被其他进程(包括 Deployment Manager)使用。

当您创建 MIG 或更新其实例模板时,Compute Engine 会验证 Google API 服务代理具有以下角色和权限:

  • Service Account User 角色;如果您计划创建可以服务账号身份运行的实例,则该角色很重要
  • 针对通过实例模板引用的所有资源(例如映像、磁盘、VPC 网络和子网)的权限

预定义 Compute Engine IAM 角色

使用 IAM 时,Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员(用户、群组或服务账号)授予角色,进而授予相应权限。

除了基本角色(Viewer、Editor、Owner)和自定义角色之外,您还可以为项目成员分配以下 Compute Engine 预定义角色。

您可以针对同一资源向某位成员授予多个角色。例如,如果您的网络团队还负责管理防火墙规则,您可以将 roles/compute.networkAdminroles/compute.securityAdmin 同时授予该网络团队的 Google 群组

下表描述了预定义 Compute Engine IAM 角色,以及每个角色所包含的权限。每个角色包含一组适合特定任务的权限。例如,Instance Admin 角色授予管理实例的权限,与网络相关的角色具有管理网络相关资源的权限,而安全角色具有管理安全相关资源(如防火墙和 SSL 证书)的权限。

Compute Admin role

Details Permissions

(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot Beta

compute.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list
  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update
  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.createTagBinding
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.deleteTagBinding
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.listEffectiveTags
  • compute.backendBuckets.listTagBindings
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use
  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.createTagBinding
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.deleteTagBinding
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.listEffectiveTags
  • compute.backendServices.listTagBindings
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations
  • compute.diskTypes.get
  • compute.diskTypes.list
  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use
  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.createTagBinding
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.deleteTagBinding
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.listEffectiveTags
  • compute.firewallPolicies.listTagBindings
  • compute.firewallPolicies.move
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.firewalls.create
  • compute.firewalls.createTagBinding
  • compute.firewalls.delete
  • compute.firewalls.deleteTagBinding
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.firewalls.listEffectiveTags
  • compute.firewalls.listTagBindings
  • compute.firewalls.update
  • compute.forwardingRules.create
  • compute.forwardingRules.createTagBinding
  • compute.forwardingRules.delete
  • compute.forwardingRules.deleteTagBinding
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.listEffectiveTags
  • compute.forwardingRules.listTagBindings
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use
  • compute.futureReservations.cancel
  • compute.futureReservations.create
  • compute.futureReservations.delete
  • compute.futureReservations.get
  • compute.futureReservations.getIamPolicy
  • compute.futureReservations.list
  • compute.futureReservations.setIamPolicy
  • compute.futureReservations.update
  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.createTagBinding
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.deleteTagBinding
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.listEffectiveTags
  • compute.globalForwardingRules.listTagBindings
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update
  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.delete
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.globalPublicDelegatedPrefixes.create
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.globalPublicDelegatedPrefixes.use
  • compute.healthChecks.create
  • compute.healthChecks.createTagBinding
  • compute.healthChecks.delete
  • compute.healthChecks.deleteTagBinding
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.listEffectiveTags
  • compute.healthChecks.listTagBindings
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.createTagBinding
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.deleteTagBinding
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.listEffectiveTags
  • compute.httpHealthChecks.listTagBindings
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.createTagBinding
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.deleteTagBinding
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.listEffectiveTags
  • compute.httpsHealthChecks.listTagBindings
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instanceSettings.get
  • compute.instanceSettings.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly
  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.pscInterfaceCreate
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly
  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use
  • compute.interconnectLocations.get
  • compute.interconnectLocations.list
  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list
  • compute.interconnects.create
  • compute.interconnects.delete
  • compute.interconnects.get
  • compute.interconnects.getMacsecConfig
  • compute.interconnects.list
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenseCodes.use
  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy
  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly
  • compute.machineTypes.get
  • compute.machineTypes.list
  • compute.maintenancePolicies.create
  • compute.maintenancePolicies.delete
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.maintenancePolicies.setIamPolicy
  • compute.maintenancePolicies.use
  • compute.networkAttachments.create
  • compute.networkAttachments.delete
  • compute.networkAttachments.get
  • compute.networkAttachments.getIamPolicy
  • compute.networkAttachments.list
  • compute.networkAttachments.setIamPolicy
  • compute.networkAttachments.update
  • compute.networkEdgeSecurityServices.create
  • compute.networkEdgeSecurityServices.delete
  • compute.networkEdgeSecurityServices.get
  • compute.networkEdgeSecurityServices.list
  • compute.networkEdgeSecurityServices.update
  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use
  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.createTagBinding
  • compute.networks.delete
  • compute.networks.deleteTagBinding
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listEffectiveTags
  • compute.networks.listPeeringRoutes
  • compute.networks.listTagBindings
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.addNodes
  • compute.nodeGroups.create
  • compute.nodeGroups.delete
  • compute.nodeGroups.deleteNodes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeGroups.performMaintenance
  • compute.nodeGroups.setIamPolicy
  • compute.nodeGroups.setNodeTemplate
  • compute.nodeGroups.simulateMaintenanceEvent
  • compute.nodeGroups.update
  • compute.nodeTemplates.create
  • compute.nodeTemplates.delete
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTemplates.setIamPolicy
  • compute.nodeTypes.get
  • compute.nodeTypes.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.oslogin.updateExternalUser
  • compute.packetMirrorings.create
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.update
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.projects.setDefaultNetworkTier
  • compute.projects.setDefaultServiceAccount
  • compute.projects.setManagedProtectionTier
  • compute.projects.setUsageExportBucket
  • compute.publicAdvertisedPrefixes.create
  • compute.publicAdvertisedPrefixes.delete
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicAdvertisedPrefixes.update
  • compute.publicAdvertisedPrefixes.updatePolicy
  • compute.publicAdvertisedPrefixes.use
  • compute.publicDelegatedPrefixes.create
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.use
  • compute.regionBackendServices.create
  • compute.regionBackendServices.createTagBinding
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.deleteTagBinding
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.listEffectiveTags
  • compute.regionBackendServices.listTagBindings
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use
  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.createTagBinding
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.deleteTagBinding
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.listEffectiveTags
  • compute.regionFirewallPolicies.listTagBindings
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use
  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.createTagBinding
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.deleteTagBinding
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.listEffectiveTags
  • compute.regionHealthChecks.listTagBindings
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly
  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use
  • compute.regionOperations.delete
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • compute.regionSecurityPolicies.create
  • compute.regionSecurityPolicies.createTagBinding
  • compute.regionSecurityPolicies.delete
  • compute.regionSecurityPolicies.deleteTagBinding
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.listEffectiveTags
  • compute.regionSecurityPolicies.listTagBindings
  • compute.regionSecurityPolicies.update
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.createTagBinding
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.deleteTagBinding
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslCertificates.listEffectiveTags
  • compute.regionSslCertificates.listTagBindings
  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use
  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.createTagBinding
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.deleteTagBinding
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.listEffectiveTags
  • compute.regionTargetHttpProxies.listTagBindings
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.update
  • compute.regionTargetHttpProxies.use
  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.createTagBinding
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.deleteTagBinding
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.listEffectiveTags
  • compute.regionTargetHttpsProxies.listTagBindings
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use
  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.use
  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.createTagBinding
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.deleteTagBinding
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.listEffectiveTags
  • compute.regionUrlMaps.listTagBindings
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate
  • compute.regions.get
  • compute.regions.list
  • compute.reservations.create
  • compute.reservations.delete
  • compute.reservations.get
  • compute.reservations.list
  • compute.reservations.resize
  • compute.reservations.update
  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly
  • compute.routers.create
  • compute.routers.delete
  • compute.routers.get
  • compute.routers.list
  • compute.routers.update
  • compute.routers.use
  • compute.routes.create
  • compute.routes.createTagBinding
  • compute.routes.delete
  • compute.routes.deleteTagBinding
  • compute.routes.get
  • compute.routes.list
  • compute.routes.listEffectiveTags
  • compute.routes.listTagBindings
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.createTagBinding
  • compute.securityPolicies.delete
  • compute.securityPolicies.deleteTagBinding
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.listEffectiveTags
  • compute.securityPolicies.listTagBindings
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setIamPolicy
  • compute.securityPolicies.setLabels
  • compute.securityPolicies.update
  • compute.securityPolicies.use
  • compute.serviceAttachments.create
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use
  • compute.snapshotSettings.get
  • compute.snapshotSettings.update
  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.sslCertificates.create
  • compute.sslCertificates.createTagBinding
  • compute.sslCertificates.delete
  • compute.sslCertificates.deleteTagBinding
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslCertificates.listEffectiveTags
  • compute.sslCertificates.listTagBindings
  • compute.sslPolicies.create
  • compute.sslPolicies.createTagBinding
  • compute.sslPolicies.delete
  • compute.sslPolicies.deleteTagBinding
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.listEffectiveTags
  • compute.sslPolicies.listTagBindings
  • compute.sslPolicies.update
  • compute.sslPolicies.use
  • compute.subnetworks.create
  • compute.subnetworks.createTagBinding
  • compute.subnetworks.delete
  • compute.subnetworks.deleteTagBinding
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.listEffectiveTags
  • compute.subnetworks.listTagBindings
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use
  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.createTagBinding
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.deleteTagBinding
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.listEffectiveTags
  • compute.targetHttpProxies.listTagBindings
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use
  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.createTagBinding
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.deleteTagBinding
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.listEffectiveTags
  • compute.targetHttpsProxies.listTagBindings
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use
  • compute.targetInstances.create
  • compute.targetInstances.createTagBinding
  • compute.targetInstances.delete
  • compute.targetInstances.deleteTagBinding
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.listEffectiveTags
  • compute.targetInstances.listTagBindings
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use
  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.createTagBinding
  • compute.targetPools.delete
  • compute.targetPools.deleteTagBinding
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.listEffectiveTags
  • compute.targetPools.listTagBindings
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use
  • compute.targetSslProxies.create
  • compute.targetSslProxies.createTagBinding
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.deleteTagBinding
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.listEffectiveTags
  • compute.targetSslProxies.listTagBindings
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use
  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.createTagBinding
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.deleteTagBinding
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.listEffectiveTags
  • compute.targetTcpProxies.listTagBindings
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use
  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use
  • compute.urlMaps.create
  • compute.urlMaps.createTagBinding
  • compute.urlMaps.delete
  • compute.urlMaps.deleteTagBinding
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.listEffectiveTags
  • compute.urlMaps.listTagBindings
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate
  • compute.vpnGateways.create
  • compute.vpnGateways.delete
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use
  • compute.vpnTunnels.create
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.setLabels
  • compute.zoneOperations.delete
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zoneOperations.setIamPolicy
  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Future Reservation Admin role

Details Permissions

(roles/compute.futureReservationAdmin)

compute.acceleratorTypes.list

compute.futureReservations.cancel

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

Compute Future Reservation User role

Details Permissions

(roles/compute.futureReservationUser)

compute.acceleratorTypes.list

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

Compute Future Reservation Viewer role

Details Permissions

(roles/compute.futureReservationViewer)

compute.acceleratorTypes.list

compute.futureReservations.get

compute.futureReservations.list

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.zones.list

Compute Image User role

Details Permissions

(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

  • ImageBeta

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (beta) role

Details Permissions

(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Snapshot Beta

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*

  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.pscInterfaceCreate
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list