Compute Engine IAM 角色和权限


当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。

Compute Engine 具有一组预定义 IAM 角色,本页对这些角色进行了说明。您还可以创建自定义角色,这些角色包含的权限子集直接对应于您的需要。

如需了解每种方法所需的权限,请参阅 Compute Engine API 参考文档:

如需了解如何授予访问权限,请参阅以下页面。

什么是 IAM?

Google Cloud 提供 IAM,可让您授予对特定 Google Cloud 资源的更细化访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,您只需授予对您资源的必要访问权限。

IAM 允许您通过设置 IAM 政策来控制谁(身份)对哪些资源具有何种权限(角色)。IAM 政策可为项目成员授予一个或多个特定角色,进而授予相应身份特定权限。例如,您可以为 Google 账号分配给定资源(如项目)的 roles/compute.networkAdmin 角色,此后该账号便可控制项目中网络相关的资源,但无法管理实例和磁盘等其他资源。您还可以使用 IAM 来管理为项目团队成员授予的 Google Cloud 控制台旧版角色

serviceAccountUser 角色

同时授予 roles/compute.instanceAdmin.v1roles/iam.serviceAccountUser 角色时,后者会授予成员创建和管理使用服务账号的实例的权限。具体而言,同时授予 roles/iam.serviceAccountUserroles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限:

  • 创建一个以服务账号身份运行的实例。
  • 将永久性磁盘附加到以服务账号身份运行的实例上。
  • 在以服务账号身份运行的实例上设置实例元数据。
  • 通过 SSH 连接到一个以服务账号身份运行的实例。
  • 将实例重新配置为以服务账号身份运行。

您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser

  • 推荐。将该角色授予特定服务账号中的成员。这会使得该成员有权访问具有 iam.serviceAccountUser 角色的服务账号,但不允许其访问不具有 iam.serviceAccountUser 角色的其他服务账号。

  • 项目级层为成员授予该角色。该成员有权访问项目中的所有服务账号,包括将来创建的服务账号。

如果您对服务账号不熟悉,请详细了解服务账号

Google Cloud Console 权限

如需使用 Google Cloud Console 访问 Compute Engine 资源,您必须拥有一个包含项目的以下权限的角色:

compute.projects.get

以 instanceAdmin 身份连接到实例

为项目成员授予 roles/compute.instanceAdmin.v1 角色后,该项目成员即可使用标准 Google Cloud 工具(例如 gcloud CLI在浏览器中使用 SSH)连接到虚拟机 (VM) 实例。

当成员使用 gcloud CLI 或 SSH-in-browser 时,该工具将自动生成公钥/私钥对,并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限,则该工具会将成员的公钥添加到实例元数据中。

如果成员已有想使用的现有密钥对,则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例

IAM 与服务账号

创建新的自定义服务账号并将 IAM 角色授予服务账号以限制访问实例的权限。将 IAM 角色与自定义服务账号结合使用,您可以:

  • 通过精细的 IAM 角色限制您的实例对 Google Cloud API 的访问权限。
  • 为每个实例或每组实例授予唯一身份。
  • 限制您的默认服务账号的访问权限。

详细了解服务账号

托管实例组和 IAM

代管式实例组 (MIG) 是代表您执行操作的资源,无需直接的用户互动。例如,MIG 可以在实例组中添加和移除虚拟机。

由 Compute Engine 执行的属于 MIG 的所有操作都是使用您项目的 Google API 服务代理完成的,此服务代理具有如下所示的电子邮件地址:PROJECT_ID@cloudservices.gserviceaccount.com

默认情况下,Google API 服务代理会在项目级层被授予 Editor 角色 (roles/editor),从而获得足够的权限根据 MIG 的配置创建资源。如果您要为 Google API 服务代理自定义访问权限,请授予 Compute Instance Admin (v1) 角色 (roles/compute.instanceAdmin.v1) 和(可选)Service Account User 角色 (roles/iam.serviceAccountUser)。仅当 MIG 创建可以服务账号身份运行的虚拟机时,才需要 Service Account User 角色。

请注意,Google API 服务代理也会被其他进程(包括 Deployment Manager)使用。

当您创建 MIG 或更新其实例模板时,Compute Engine 会验证 Google API 服务代理具有以下角色和权限:

  • Service Account User 角色;如果您计划创建可以服务账号身份运行的实例,则该角色很重要
  • 针对通过实例模板引用的所有资源(例如映像、磁盘、VPC 网络和子网)的权限

预定义 Compute Engine IAM 角色

使用 IAM 时,Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员(用户、群组或服务账号)授予角色,进而授予相应权限。

除了基本角色(Viewer、Editor、Owner)和自定义角色之外,您还可以为项目成员分配以下 Compute Engine 预定义角色。

您可以针对同一资源向某位成员授予多个角色。例如,如果您的网络团队还负责管理防火墙规则,您可以将 roles/compute.networkAdminroles/compute.securityAdmin 同时授予该网络团队的 Google 群组

下表描述了预定义 Compute Engine IAM 角色,以及每个角色所包含的权限。每个角色包含一组适合特定任务的权限。例如,Instance Admin 角色授予管理实例的权限,与网络相关的角色具有管理网络相关资源的权限,而安全角色具有管理安全相关资源(如防火墙和 SSL 证书)的权限。

Compute Admin 角色

详情 权限

(roles/compute.admin)

拥有所有 Compute Engine 资源的完全控制权。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 roles/iam.serviceAccountUser 角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 节点组
  • 节点模板
  • 快照Beta 版

compute.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list
  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update
  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use
  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations
  • compute.diskTypes.get
  • compute.diskTypes.list
  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use
  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.firewalls.create
  • compute.firewalls.delete
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.firewalls.update
  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use
  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update
  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.delete
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.globalPublicDelegatedPrefixes.create
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.globalPublicDelegatedPrefixes.use
  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly
  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly
  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use
  • compute.interconnectLocations.get
  • compute.interconnectLocations.list
  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list
  • compute.interconnects.create
  • compute.interconnects.delete
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenseCodes.use
  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy
  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly
  • compute.machineTypes.get
  • compute.machineTypes.list
  • compute.maintenancePolicies.create
  • compute.maintenancePolicies.delete
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.maintenancePolicies.setIamPolicy
  • compute.maintenancePolicies.use
  • compute.networkAttachments.create
  • compute.networkAttachments.delete
  • compute.networkAttachments.get
  • compute.networkAttachments.list
  • compute.networkEdgeSecurityServices.create
  • compute.networkEdgeSecurityServices.delete
  • compute.networkEdgeSecurityServices.get
  • compute.networkEdgeSecurityServices.list
  • compute.networkEdgeSecurityServices.update
  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use
  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.addNodes
  • compute.nodeGroups.create
  • compute.nodeGroups.delete
  • compute.nodeGroups.deleteNodes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeGroups.setIamPolicy
  • compute.nodeGroups.setNodeTemplate
  • compute.nodeGroups.simulateMaintenanceEvent
  • compute.nodeGroups.update
  • compute.nodeTemplates.create
  • compute.nodeTemplates.delete
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTemplates.setIamPolicy
  • compute.nodeTypes.get
  • compute.nodeTypes.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.oslogin.updateExternalUser
  • compute.packetMirrorings.create
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.update
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.projects.setDefaultNetworkTier
  • compute.projects.setDefaultServiceAccount
  • compute.projects.setUsageExportBucket
  • compute.publicAdvertisedPrefixes.create
  • compute.publicAdvertisedPrefixes.delete
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicAdvertisedPrefixes.update
  • compute.publicAdvertisedPrefixes.updatePolicy
  • compute.publicAdvertisedPrefixes.use
  • compute.publicDelegatedPrefixes.create
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.use
  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use
  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use
  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly
  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use
  • compute.regionOperations.delete
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • compute.regionSecurityPolicies.create
  • compute.regionSecurityPolicies.delete
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.update
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use
  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.update
  • compute.regionTargetHttpProxies.use
  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use
  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.use
  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate
  • compute.regions.get
  • compute.regions.list
  • compute.reservations.create
  • compute.reservations.delete
  • compute.reservations.get
  • compute.reservations.list
  • compute.reservations.resize
  • compute.reservations.update
  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly
  • compute.routers.create
  • compute.routers.delete
  • compute.routers.get
  • compute.routers.list
  • compute.routers.update
  • compute.routers.use
  • compute.routes.create
  • compute.routes.delete
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.delete
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setIamPolicy
  • compute.securityPolicies.setLabels
  • compute.securityPolicies.update
  • compute.securityPolicies.use
  • compute.serviceAttachments.create
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use
  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.sslCertificates.create
  • compute.sslCertificates.delete
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.create
  • compute.sslPolicies.delete
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.update
  • compute.sslPolicies.use
  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use
  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use
  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use
  • compute.targetInstances.create
  • compute.targetInstances.delete
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use
  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.delete
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use
  • compute.targetSslProxies.create
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use
  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use
  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use
  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate
  • compute.vpnGateways.create
  • compute.vpnGateways.delete
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use
  • compute.vpnTunnels.create
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.setLabels
  • compute.zoneOperations.delete
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zoneOperations.setIamPolicy
  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Image User 角色

详情 权限

(roles/compute.imageUser)

可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后,获授此角色的用户可以列出项目中的所有映像,并根据项目中的映像创建实例和永久性磁盘等资源。

您可以授予此角色的最低级层资源:

  • 映像测试版

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin(Beta 版)角色

详情 权限

(roles/compute.instanceAdmin)

拥有创建、修改和删除虚拟机实例的权限。 这包括创建、修改和删除磁盘的权限,以及配置安全强化型虚拟机设置的权限。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 roles/iam.serviceAccountUser 角色。

例如,如果贵公司的某位员工负责管理多组虚拟机实例,但不负责管理网络或安全设置,也不负责管理以服务帐号身份运行的实例,则您可以在这些实例所属的组织、文件夹或项目级层授予此角色,也可以在个别实例级层授予此角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 快照Beta 版

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*

  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (v1) 角色

详情 权限

(roles/compute.instanceAdmin.v1)

拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权, 拥有所有 Compute Engine 网络资源的读取权限。

如果仅在实例级层向用户授予此角色,则该用户无法创建新实例。

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.list

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.*

  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.*

  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*

  • compute.instances.addAccessConfig
  • compute.instances.addMaintenancePolicies
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.removeMaintenancePolicies
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.instantSnapshots.*

  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenseCodes.use

compute.licenses.*

  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Admin 角色

详情 权限

(roles/compute.loadBalancerAdmin)

拥有创建、修改和删除负载均衡器及相关资源的权限。

例如,如果您公司的负载均衡团队负责管理负载均衡器、负载均衡器的 SSL 证书、SSL 政策和其他负载均衡资源,而另一个网络团队负责管理其余网络资源,则向负载均衡团队群组授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.use

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.backendBuckets.*

  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use

compute.backendServices.*

  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.forwardingRules.*

  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalForwardingRules.*

  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use

compute.healthChecks.*

  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.use

compute.instances.useReadOnly

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.projects.get

compute.regionBackendServices.*

  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use

compute.regionHealthCheckServices.*

  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.update
  • compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.*

  • compute.sslCertificates.create
  • compute.sslCertificates.delete
  • compute.sslCertificates.get
  • compute.sslCertificates.list

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.delete
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.targetGrpcProxies.*

  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use

compute.targetHttpProxies.*

  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use

compute.targetHttpsProxies.*

  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use

compute.targetInstances.*

  • compute.targetInstances.create
  • compute.targetInstances.delete
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use

compute.targetPools.*

  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.delete
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use

compute.targetSslProxies.*

  • compute.targetSslProxies.create
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use

compute.targetTcpProxies.*

  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use

compute.urlMaps.*

  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Services User 角色

详情 权限

(roles/compute.loadBalancerServiceUser)

拥有使用其他项目中的负载均衡器的服务的权限。

compute.backendServices.get

compute.backendServices.list

compute.backendServices.use

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Admin 角色

详情 权限

roles/compute.networkAdmin

拥有创建、修改和删除网络资源(不包括防火墙规则和 SSL 证书)的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例(以查看其临时 IP 地址),但无法让用户创建、启动、停止或删除实例。

例如,如果您公司的安全团队负责管理防火墙和 SSL 证书,而网络团队负责管理其余网络资源,则向网络团队群组授予此角色。 或者,如果您有一个负责管理安全和网络的组合团队,则向组合团队的群组授予此角色以及 roles/compute.securityAdmin 角色。

您可以授予此角色的最低级层资源:

  • 实例测试版

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.*

  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use

compute.backendServices.*

  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.*

  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.*

  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalForwardingRules.*

  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.update

compute.instanceGroups.use

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.updateSecurity

compute.instances.use

compute.instances.useReadOnly

compute.interconnectAttachments.*

  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.*

  • compute.interconnects.create
  • compute.interconnects.delete
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.*

  • compute.networkAttachments.create
  • compute.networkAttachments.delete
  • compute.networkAttachments.get
  • compute.networkAttachments.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.use

compute.networks.*

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.update
  • compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.*

  • compute.routers.create
  • compute.routers.delete
  • compute.routers.get
  • compute.routers.list
  • compute.routers.update
  • compute.routers.use

compute.routes.*

  • compute.routes.create
  • compute.routes.delete
  • compute.routes.get
  • compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.use

compute.serviceAttachments.*

  • compute.serviceAttachments.create
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.delete
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.*

  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp

compute.targetGrpcProxies.*

  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use

compute.targetHttpProxies.*

  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use

compute.targetHttpsProxies.*

  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use

compute.targetInstances.*

  • compute.targetInstances.create
  • compute.targetInstances.delete
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use

compute.targetPools.*

  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.delete
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use

compute.targetSslProxies.*

  • compute.targetSslProxies.create
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use

compute.targetTcpProxies.*

  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use

compute.targetVpnGateways.*

  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use

compute.urlMaps.*

  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate

compute.vpnGateways.*

  • compute.vpnGateways.create
  • compute.vpnGateways.delete
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use

compute.vpnTunnels.*

  • compute.vpnTunnels.create
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.setLabels

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.*

  • networkconnectivity.internalRanges.create
  • networkconnectivity.internalRanges.delete
  • networkconnectivity.internalRanges.get
  • networkconnectivity.internalRanges.getIamPolicy
  • networkconnectivity.internalRanges.list
  • networkconnectivity.internalRanges.setIamPolicy
  • networkconnectivity.internalRanges.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.*

  • networkconnectivity.policyBasedRoutes.create
  • networkconnectivity.policyBasedRoutes.delete
  • networkconnectivity.policyBasedRoutes.get
  • networkconnectivity.policyBasedRoutes.getIamPolicy
  • networkconnectivity.policyBasedRoutes.list
  • networkconnectivity.policyBasedRoutes.setIamPolicy

networksecurity.*

  • networksecurity.authorizationPolicies.create
  • networksecurity.authorizationPolicies.delete
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.setIamPolicy
  • networksecurity.authorizationPolicies.update
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.create
  • networksecurity.clientTlsPolicies.delete
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.setIamPolicy
  • networksecurity.clientTlsPolicies.update
  • networksecurity.clientTlsPolicies.use
  • networksecurity.gatewaySecurityPolicies.create
  • networksecurity.gatewaySecurityPolicies.delete
  • networksecurity.gatewaySecurityPolicies.get
  • networksecurity.gatewaySecurityPolicies.list
  • networksecurity.gatewaySecurityPolicies.update
  • networksecurity.gatewaySecurityPolicies.use
  • networksecurity.gatewaySecurityPolicyRules.create
  • networksecurity.gatewaySecurityPolicyRules.delete
  • networksecurity.gatewaySecurityPolicyRules.get
  • networksecurity.gatewaySecurityPolicyRules.list
  • networksecurity.gatewaySecurityPolicyRules.update
  • networksecurity.gatewaySecurityPolicyRules.use
  • networksecurity.locations.get
  • networksecurity.locations.list
  • networksecurity.operations.cancel
  • networksecurity.operations.delete
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.create
  • networksecurity.serverTlsPolicies.delete
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.setIamPolicy
  • networksecurity.serverTlsPolicies.update
  • networksecurity.serverTlsPolicies.use
  • networksecurity.tlsInspectionPolicies.create
  • networksecurity.tlsInspectionPolicies.delete
  • networksecurity.tlsInspectionPolicies.get
  • networksecurity.tlsInspectionPolicies.list
  • networksecurity.tlsInspectionPolicies.update
  • networksecurity.tlsInspectionPolicies.use
  • networksecurity.urlLists.create
  • networksecurity.urlLists.delete
  • networksecurity.urlLists.get
  • networksecurity.urlLists.list
  • networksecurity.urlLists.update
  • networksecurity.urlLists.use

networkservices.*

  • networkservices.endpointConfigSelectors.create
  • networkservices.endpointConfigSelectors.delete
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.setIamPolicy
  • networkservices.endpointConfigSelectors.update
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.create
  • networkservices.endpointPolicies.delete
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.getIamPolicy
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.setIamPolicy
  • networkservices.endpointPolicies.update
  • networkservices.endpointPolicies.use
  • networkservices.gateways.create
  • networkservices.gateways.delete
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.gateways.update
  • networkservices.gateways.use
  • networkservices.grpcRoutes.create
  • networkservices.grpcRoutes.delete
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.getIamPolicy
  • networkservices.grpcRoutes.list
  • networkservices.grpcRoutes.setIamPolicy
  • networkservices.grpcRoutes.update
  • networkservices.grpcRoutes.use
  • networkservices.httpFilters.create
  • networkservices.httpFilters.delete
  • networkservices.httpFilters.get
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpFilters.setIamPolicy
  • networkservices.httpFilters.update
  • networkservices.httpFilters.use
  • networkservices.httpRoutes.create
  • networkservices.httpRoutes.delete
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.getIamPolicy
  • networkservices.httpRoutes.list
  • networkservices.httpRoutes.setIamPolicy
  • networkservices.httpRoutes.update
  • networkservices.httpRoutes.use
  • networkservices.httpfilters.create
  • networkservices.httpfilters.delete
  • networkservices.httpfilters.get
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.httpfilters.setIamPolicy
  • networkservices.httpfilters.update
  • networkservices.httpfilters.use
  • networkservices.locations.get
  • networkservices.locations.list
  • networkservices.meshes.create
  • networkservices.meshes.delete
  • networkservices.meshes.get
  • networkservices.meshes.getIamPolicy
  • networkservices.meshes.list
  • networkservices.meshes.setIamPolicy
  • networkservices.meshes.update
  • networkservices.meshes.use
  • networkservices.operations.cancel
  • networkservices.operations.delete
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.create
  • networkservices.serviceBindings.delete
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.serviceBindings.update
  • networkservices.tcpRoutes.create
  • networkservices.tcpRoutes.delete
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.getIamPolicy
  • networkservices.tcpRoutes.list
  • networkservices.tcpRoutes.setIamPolicy
  • networkservices.tcpRoutes.update
  • networkservices.tcpRoutes.use
  • networkservices.tlsRoutes.create
  • networkservices.tlsRoutes.delete
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • networkservices.tlsRoutes.update
  • networkservices.tlsRoutes.use

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

  • trafficdirector.networks.getConfigs
  • trafficdirector.networks.reportMetrics

Compute Network User 角色

详情 权限

roles/compute.networkUser

提供共享 VPC 网络的访问权限

获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如,网络用户可以创建属于宿主项目网络的虚拟机实例,但不能在宿主项目中删除网络或者创建新网络。

您可以授予此角色的最低级层资源:

  • 项目

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.useInternal

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.use

compute.firewalls.get

compute.firewalls.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.use

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.access

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.use

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.use

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicies.use

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.gatewaySecurityPolicyRules.use

networksecurity.locations.*

  • networksecurity.locations.get
  • networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.tlsInspectionPolicies.use

networksecurity.urlLists.get

networksecurity.urlLists.list

networksecurity.urlLists.use

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.use

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.endpointPolicies.use

networkservices.gateways.get

networkservices.gateways.list

networkservices.gateways.use

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.grpcRoutes.use

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpFilters.use

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpRoutes.use

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.httpfilters.use

networkservices.locations.*

  • networkservices.locations.get
  • networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.meshes.use

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tcpRoutes.use

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

networkservices.tlsRoutes.use

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Viewer 角色

详情 权限

roles/compute.networkViewer

提供所有网络资源的只读权限

例如,如果您有用于检查网络配置的软件,则可以向该软件的服务帐号授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.*

  • networksecurity.locations.get
  • networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.get

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.locations.*

  • networkservices.locations.get
  • networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

  • trafficdirector.networks.getConfigs
  • trafficdirector.networks.reportMetrics

Compute Organization Firewall Policy Admin 角色

详情 权限

roles/compute.orgFirewallPolicyAdmin

拥有对 Compute Engine 组织防火墙政策的完全控制权。

compute.firewallPolicies.cloneRules

compute.firewallPolicies.create

compute.firewallPolicies.delete

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.move

compute.firewallPolicies.setIamPolicy

compute.firewallPolicies.update

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.regionFirewallPolicies.*

  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Firewall Policy User 角色

详情 权限

roles/compute.orgFirewallPolicyUser

可以查看或使用 Compute Engine 防火墙政策,以便与组织或文件夹相关联。

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.projects.get

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy Admin 角色

详情 权限

roles/compute.orgSecurityPolicyAdmin

拥有对 Compute Engine 组织安全政策的完整控制权。

compute.firewallPolicies.*

  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.copyRules

compute.securityPolicies.create

compute.securityPolicies.delete

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.move

compute.securityPolicies.removeAssociation

compute.securityPolicies.setIamPolicy

compute.securityPolicies.update

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy User 角色

详情 权限

roles/compute.orgSecurityPolicyUser

可以查看或使用 Compute Engine 安全政策,以便与组织或文件夹相关联。

compute.firewallPolicies.addAssociation

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.removeAssociation

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.removeAssociation

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Resource Admin 角色

详情 权限

roles/compute.orgSecurityResourceAdmin

拥有与组织或文件夹关联的 Compute Engine 防火墙政策的完全控制权。

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.organizations.listAssociations

compute.organizations.setFirewallPolicy

compute.organizations.setSecurityPolicy

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Admin Login 角色

详情 权限

roles/compute.osAdminLogin

拥有以管理员用户身份登录 Compute Engine 实例的权限。

您可以授予此角色的最低级层资源:

  • 实例测试版

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login 角色

详情 权限

roles/compute.osLogin

拥有以标准用户身份登录 Compute Engine 实例的权限。

您可以授予此角色的最低级层资源:

  • 实例测试版

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login External User 角色

详情 权限

roles/compute.osLoginExternalUser

此角色仅在组织级层提供。

此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限,但不授予对实例的访问权限。外部用户必须获授必要的 OS Login 角色之一,才能使用 SSH 访问实例。

您可以授予此角色的最低级层资源:

  • 组织

compute.oslogin.updateExternalUser

Compute Packet Mirroring Admin 角色

详情 权限

roles/compute.packetMirroringAdmin

指定要生成镜像的资源。

compute.instances.updateSecurity

compute.networks.mirror

compute.projects.get

compute.subnetworks.mirror

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Packet Mirroring User 角色

详情 权限

roles/compute.packetMirroringUser

可使用 Compute Engine 数据包镜像。

compute.packetMirrorings.*

  • compute.packetMirrorings.create
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.update

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Public IP Admin 角色

详情 权限

roles/compute.publicIpAdmin

拥有对 Compute Engine 公共 IP 地址管理的完整控制权。

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalPublicDelegatedPrefixes.*

  • compute.globalPublicDelegatedPrefixes.create
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.globalPublicDelegatedPrefixes.use

compute.publicAdvertisedPrefixes.*

  • compute.publicAdvertisedPrefixes.create
  • compute.publicAdvertisedPrefixes.delete
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicAdvertisedPrefixes.update
  • compute.publicAdvertisedPrefixes.updatePolicy
  • compute.publicAdvertisedPrefixes.use

compute.publicDelegatedPrefixes.*

  • compute.publicDelegatedPrefixes.create
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.use

resourcemanager.projects.get

resourcemanager.projects.list

Compute Security Admin 角色

详情 权限

roles/compute.securityAdmin

拥有创建、修改和删除防火墙规则和 SSL 证书的权限,以及配置安全强化型虚拟机设置的权限。

例如,如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队,则向安全团队群组授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版

compute.backendBuckets.list

compute.backendServices.list

compute.firewallPolicies.*

  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use

compute.firewalls.*

  • compute.firewalls.create
  • compute.firewalls.delete
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.firewalls.update

compute.globalOperations.get

compute.globalOperations.list

compute.instances.getEffectiveFirewalls

compute.instances.list

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.updatePolicy

compute.packetMirrorings.*

  • compute.packetMirrorings.create
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.update

compute.projects.get

compute.regionBackendServices.list

compute.regionFirewallPolicies.*

  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.*

  • compute.regionSecurityPolicies.create
  • compute.regionSecurityPolicies.delete
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.update
  • compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.*

  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.delete
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setIamPolicy
  • compute.securityPolicies.setLabels
  • compute.securityPolicies.update
  • compute.securityPolicies.use

compute.sslCertificates.*

  • compute.sslCertificates.create
  • compute.sslCertificates.delete
  • compute.sslCertificates.get
  • compute.sslCertificates.list

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.delete
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.targetInstances.list

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Sole Tenant Viewer 角色

详情 权限

(roles/compute.soleTenantViewer)

查看单租户节点组所需的权限

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

  • compute.nodeTypes.get
  • compute.nodeTypes.list

Compute Storage Admin 角色

详情 权限

roles/compute.storageAdmin

拥有创建、修改和删除磁盘、映像及快照的权限。

例如,如果您公司的某位员工负责管理项目映像,但您不希望该员工拥有项目的 Editor 角色,则向其帐号授予项目的此角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 快照Beta 版

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.*

  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly

compute.globalOperations.get

compute.globalOperations.list

compute.images.*

  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly

compute.instantSnapshots.*

  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly

compute.licenseCodes.*

  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenseCodes.use

compute.licenses.*

  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy

compute.projects.get

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.resourcePolicies.*

  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly

compute.snapshots.*

  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Viewer 角色

详情 权限

roles/compute.viewer

拥有以只读方式获取和列出 Compute Engine 资源的权限,但无权读取这些资源中存储的数据。

例如,获授此角色的帐号可以清点项目中的所有磁盘,但无法读取这些磁盘上的任何数据。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 节点组
  • 节点模板
  • 快照Beta 版

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

  • compute.nodeTypes.get
  • compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Shared VPC Admin 角色

详情 权限

roles/compute.xpnAdmin

拥有管理共享 VPC 宿主项目的权限,具体来说,就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。

在组织层级,此角色只能由组织管理员授予。

Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (roles/compute.networkUser),共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体(个人或群组)可以同时担任这两个角色,则项目管理会变得更加容易。

您可以授予此角色的最低级层资源:

  • 文件夹

compute.globalOperations.get

compute.globalOperations.list

compute.organizations.administerXpn

compute.organizations.disableXpnHost

compute.organizations.disableXpnResource

compute.organizations.enableXpnHost

compute.organizations.enableXpnResource

compute.projects.get

compute.subnetworks.getIamPolicy

compute.subnetworks.setIamPolicy

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

GuestPolicy Admin 角色

详情 权限

roles/osconfig.guestPolicyAdmin

拥有对 GuestPolicy 的完整管理员权限

osconfig.guestPolicies.*

  • osconfig.guestPolicies.create
  • osconfig.guestPolicies.delete
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Editor 角色

详情 权限

roles/osconfig.guestPolicyEditor

可以修改 GuestPolicy 资源

osconfig.guestPolicies.get

osconfig.guestPolicies.list

osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Viewer 角色

详情 权限

roles/osconfig.guestPolicyViewer

可以查看 GuestPolicy 资源

osconfig.guestPolicies.get

osconfig.guestPolicies.list

resourcemanager.projects.get

resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer 角色

详情 权限

roles/osconfig.instanceOSPoliciesComplianceViewer

虚拟机实例的操作系统政策合规情况的查看者

osconfig.instanceOSPoliciesCompliances.*

  • osconfig.instanceOSPoliciesCompliances.get
  • osconfig.instanceOSPoliciesCompliances.list

resourcemanager.projects.get

resourcemanager.projects.list

OS Inventory Viewer 角色

详情 权限

roles/osconfig.inventoryViewer

操作系统清单的查看者

osconfig.inventories.*

  • osconfig.inventories.get
  • osconfig.inventories.list

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Admin 角色

详情 权限

roles/osconfig.osPolicyAssignmentAdmin

对操作系统政策分配具有完整管理员访问权限

osconfig.osPolicyAssignments.*

  • osconfig.osPolicyAssignments.create
  • osconfig.osPolicyAssignments.delete
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Editor 角色

详情 权限

roles/osconfig.osPolicyAssignmentEditor

操作系统政策分配的编辑者

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignmentReport Viewer 角色

详情 权限

roles/osconfig.osPolicyAssignmentReportViewer

可以查看虚拟机实例的操作系统政策分配报告

osconfig.osPolicyAssignmentReports.*

  • osconfig.osPolicyAssignmentReports.get
  • osconfig.osPolicyAssignmentReports.list

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Viewer 角色

详情 权限

roles/osconfig.osPolicyAssignmentViewer

操作系统政策分配的查看者

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Admin 角色

详情 权限

roles/osconfig.patchDeploymentAdmin

拥有对 PatchDeployment 的完整管理员权限

osconfig.patchDeployments.*

  • osconfig.patchDeployments.create
  • osconfig.patchDeployments.delete
  • osconfig.patchDeployments.execute
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • osconfig.patchDeployments.pause
  • osconfig.patchDeployments.resume
  • osconfig.patchDeployments.update

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Viewer 角色

详情 权限

roles/osconfig.patchDeploymentViewer

可以查看 PatchDeployment 资源

osconfig.patchDeployments.get

osconfig.patchDeployments.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Executor 角色

详情 权限

roles/osconfig.patchJobExecutor

有权执行修补作业。

osconfig.patchJobs.*

  • osconfig.patchJobs.exec
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Viewer 角色

详情 权限

roles/osconfig.patchJobViewer

获取并列出修补作业。

osconfig.patchJobs.get

osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

OS VulnerabilityReport Viewer 角色

详情 权限

roles/osconfig.vulnerabilityReportViewer

操作系统漏洞报告的查看者

osconfig.vulnerabilityReports.*

  • osconfig.vulnerabilityReports.get
  • osconfig.vulnerabilityReports.list

resourcemanager.projects.get

resourcemanager.projects.list

DNS Administrator role

Details Permissions

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.gkeClusters.*

  • dns.gkeClusters.bindDNSResponsePolicy
  • dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
  • dns.networks.useHealthSignals

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer role

Details Permissions

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader role

Details Permissions

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Admin role

Details Permissions

(roles/iam.serviceAccountAdmin)

Create and manage service accounts.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.create

iam.serviceAccounts.createTagBinding

iam.serviceAccounts.delete

iam.serviceAccounts.deleteTagBinding

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.listEffectiveTags

iam.serviceAccounts.listTagBindings

iam.serviceAccounts.setIamPolicy

iam.serviceAccounts.undelete

iam.serviceAccounts.update

resourcemanager.projects.get

resourcemanager.projects.list

Create Service Accounts role

Details Permissions

(roles/iam.serviceAccountCreator)

Access to create service accounts.

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Delete Service Accounts role

Details Permissions

(roles/iam.serviceAccountDeleter)

Access to delete service accounts.

iam.serviceAccounts.delete

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Key Admin role

Details Permissions

(roles/iam.serviceAccountKeyAdmin)

Create and manage (and rotate) service account keys.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccountKeys.*

  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccountKeys.disable
  • iam.serviceAccountKeys.enable
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account OpenID Connect Identity Token Creator role

Details Permissions

(roles/iam.serviceAccountOpenIdTokenCreator)

Create OpenID Connect (OIDC) identity tokens

iam.serviceAccounts.getOpenIdToken

Service Account Token Creator role

Details Permissions

(roles/iam.serviceAccountTokenCreator)

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

Service Account User role

Details Permissions

(roles/iam.serviceAccountUser)

Run operations as the service account.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

View Service Accounts role

Details Permissions

(roles/iam.serviceAccountViewer)

Read access to service accounts, metadata, and keys.

iam.serviceAccountKeys.get

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.listEffectiveTags

iam.serviceAccounts.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Workload Identity User role

Details Permissions

(roles/iam.workloadIdentityUser)

Impersonate service accounts from federated workloads.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.list

后续步骤