Compute Engine IAM 角色

Compute Engine 具有一组特定的 Identity and Access Management (IAM) 角色。每个预定义角色都包含一组权限。

当您在项目中添加新成员时，可以使用 IAM 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。

如需了解如何在项目级层设置政策，请参阅 IAM 文档中的授予、更改和撤消对资源的访问权限。如需了解如何设置对 Compute Engine 资源的政策，请参阅授予对 Compute Engine 资源的访问权限。如需了解如何为 Compute Engine 服务帐号分配角色，请参阅为实例创建和启用服务帐号。如需了解如何创建包含任何权限子集的自定义角色，请参阅创建和管理自定义角色。

准备工作

阅读 Google Cloud IAM 文档。

什么是 IAM？

Google Cloud 提供 Cloud Identity and Access Management (IAM) 功能，可让您以更精细的方式授予对特定 Google Cloud 资源的访问权限，并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则，因此您只需授予对您的资源的必要访问权限即可。

IAM 允许您通过设置 IAM 政策来控制谁（身份）对哪些资源具有何种权限（角色）。IAM 政策可为项目成员授予一个或多个特定角色，进而授予相应身份特定权限。例如，您可以为 Google 帐号分配给定资源（如项目）的 roles/compute.networkAdmin 角色，此后该帐号便可控制项目中网络相关的资源，但无法管理实例和磁盘等其他资源。您还可以使用 Cloud IAM 来管理为项目团队成员授予的 Cloud Console 旧版角色。

预定义的 Compute Engine Cloud IAM 角色

使用 Cloud IAM 时，Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员（用户、群组或服务帐号）授予角色，进而授予相应权限。

除了旧版角色（Viewer、Editor、Owner）和自定义角色之外，您还可以为项目成员分配以下 Compute Engine 预定义角色。

您可以针对同一资源向某位项目成员授予多个角色。例如，如果您的网络团队还负责管理防火墙规则，您可以将 roles/compute.networkAdmin 和 roles/compute.securityAdmin 同时授予该网络团队的 Google 群组。

下表描述了预定义的 Compute Engine Cloud IAM 角色，以及每个角色所包含的权限。每个角色均包含一组适用于特定任务的权限。例如，前两个角色授予管理实例的权限，与网络相关的角色具有管理网络相关资源的权限，而安全角色具有管理安全相关资源（如防火墙和 SSL 证书）的权限。

Compute Admin 角色

名称说明权限

名称	说明	权限
`roles/compute.admin`	拥有所有 Compute Engine 资源的完全控制权。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。	`compute.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.admin

拥有所有 Compute Engine 资源的完全控制权。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 roles/iam.serviceAccountUser 角色。

compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Image User 角色

名称	说明	权限
`roles/compute.imageUser`	可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后，获授此角色的用户可以列出项目中的所有映像，并根据项目中的映像创建实例和永久性磁盘等资源。	`compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Instance Admin（Beta 版）角色

名称说明权限

名称	说明	权限
`roles/compute.instanceAdmin`	拥有创建、修改和删除虚拟机实例的权限。这包括创建、修改和删除磁盘的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。例如，如果贵公司的某位员工负责管理多组虚拟机实例，但不负责管理网络或安全设置，也不负责管理以服务帐号身份运行的实例，则您可以在这些实例所属的组织、文件夹或项目级层授予此角色，也可以在个别实例级层授予此角色。	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.addresses.use` `compute.autoscalers.` `compute.diskTypes.` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.update` `compute.disks.use` `compute.disks.useReadOnly` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroups.` `compute.instanceTemplates.` `compute.instances.` `compute.licenses.get` `compute.licenses.list` `compute.machineTypes.` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.instanceAdmin

拥有创建、修改和删除虚拟机实例的权限。这包括创建、修改和删除磁盘的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 roles/iam.serviceAccountUser 角色。

例如，如果贵公司的某位员工负责管理多组虚拟机实例，但不负责管理网络或安全设置，也不负责管理以服务帐号身份运行的实例，则您可以在这些实例所属的组织、文件夹或项目级层授予此角色，也可以在个别实例级层授予此角色。

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Instance Admin (v1) 角色

名称说明权限

名称	说明	权限
`roles/compute.instanceAdmin.v1`	拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权，拥有所有 Compute Engine 网络资源的读取权限。如果仅在实例级层向用户授予此角色，则该用户无法创建新实例。	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.addresses.use` `compute.autoscalers.` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.diskTypes.` `compute.disks.` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.globalOperations.get` `compute.globalOperations.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.images.` `compute.instanceGroupManagers.` `compute.instanceGroups.` `compute.instanceTemplates.` `compute.instances.` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.licenseCodes.` `compute.licenses.` `compute.machineTypes.` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.projects.setCommonInstanceMetadata` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.resourcePolicies.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.snapshots.` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.instanceAdmin.v1

拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权，拥有所有 Compute Engine 网络资源的读取权限。

如果仅在实例级层向用户授予此角色，则该用户无法创建新实例。

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

计算负载平衡器管理员角色

名称说明权限

名称	说明	权限
`roles/compute.loadBalancerAdmin` ^{Beta 版}	拥有创建、修改和删除负载平衡器及相关资源的权限。例如，如果您公司的负载平衡团队负责管理负载平衡器、负载平衡器的 SSL 证书、SSL 政策和其他负载平衡资源，而另一个网络团队负责管理其余网络资源，则向负载平衡团队群组授予此角色。	`compute.addresses.` `compute.backendBuckets.` `compute.backendServices.` `compute.forwardingRules.` `compute.globalAddresses.` `compute.globalForwardingRules.` `compute.healthChecks.` `compute.httpHealthChecks.` `compute.httpsHealthChecks.` `compute.instanceGroups.` `compute.instances.get` `compute.instances.list` `compute.instances.use` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.projects.get` `compute.regionBackendServices.` `compute.regionHealthCheckServices.` `compute.regionNotificationEndpoints.` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.use` `compute.sslCertificates.` `compute.sslPolicies.` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.targetHttpProxies.` `compute.targetHttpsProxies.` `compute.targetInstances.` `compute.targetPools.` `compute.targetSslProxies.` `compute.targetTcpProxies.` `compute.urlMaps.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.loadBalancerAdmin ^{Beta 版}

拥有创建、修改和删除负载平衡器及相关资源的权限。

例如，如果您公司的负载平衡团队负责管理负载平衡器、负载平衡器的 SSL 证书、SSL 政策和其他负载平衡资源，而另一个网络团队负责管理其余网络资源，则向负载平衡团队群组授予此角色。

compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionNotificationEndpoints.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Admin 角色

名称说明权限

名称	说明	权限
`roles/compute.networkAdmin`	拥有创建、修改和删除网络资源（不包括防火墙规则和 SSL 证书）的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例（以查看其临时 IP 地址），但无法让用户创建、启动、停止或删除实例。例如，如果您公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，则向网络团队群组授予此角色。	`compute.acceleratorTypes.` `compute.addresses.` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.` `compute.backendServices.` `compute.externalVpnGateways.` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.` `compute.globalAddresses.` `compute.globalForwardingRules.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.globalPublicDelegatedPrefixes.delete` `compute.globalPublicDelegatedPrefixes.get` `compute.globalPublicDelegatedPrefixes.list` `compute.globalPublicDelegatedPrefixes.update` `compute.globalPublicDelegatedPrefixes.updatePolicy` `compute.healthChecks.` `compute.httpHealthChecks.` `compute.httpsHealthChecks.` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instances.get` `compute.instances.getGuestAttributes` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.list` `compute.instances.listReferrers` `compute.instances.use` `compute.interconnectAttachments.` `compute.interconnectLocations.` `compute.interconnects.` `compute.machineTypes.` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.use` `compute.networks.` `compute.projects.get` `compute.publicDelegatedPrefixes.delete` `compute.publicDelegatedPrefixes.get` `compute.publicDelegatedPrefixes.list` `compute.publicDelegatedPrefixes.update` `compute.publicDelegatedPrefixes.updatePolicy` `compute.regionBackendServices.` `compute.regionHealthCheckServices.` `compute.regionNotificationEndpoints.` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.routers.` `compute.routes.` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.use` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.` `compute.subnetworks.` `compute.targetHttpProxies.` `compute.targetHttpsProxies.` `compute.targetInstances.` `compute.targetPools.` `compute.targetSslProxies.` `compute.targetTcpProxies.` `compute.targetVpnGateways.` `compute.urlMaps.` `compute.vpnGateways.` `compute.vpnTunnels.` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.operations.get` `servicenetworking.services.addPeering` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkAdmin

拥有创建、修改和删除网络资源（不包括防火墙规则和 SSL 证书）的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例（以查看其临时 IP 地址），但无法让用户创建、启动、停止或删除实例。

例如，如果您公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，则向网络团队群组授予此角色。

compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.externalVpnGateways.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.machineTypes.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network User 角色

名称说明权限

名称	说明	权限
`roles/compute.networkUser`	提供共享 VPC 网络的访问权限获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如，网络用户可以创建属于宿主项目网络的虚拟机实例，但不能在宿主项目中删除网络或者创建新网络。	`compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.useInternal` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.externalVpnGateways.use` `compute.firewalls.get` `compute.firewalls.list` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.interconnects.use` `compute.networks.access` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.regions.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnGateways.use` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkUser

提供共享 VPC 网络的访问权限

获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如，网络用户可以创建属于宿主项目网络的虚拟机实例，但不能在宿主项目中删除网络或者创建新网络。

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Viewer 角色

名称说明权限

名称	说明	权限
`roles/compute.networkViewer`	提供所有网络资源的只读权限例如，如果您有用于检查网络配置的软件，则可以向该软件的服务帐号授予此角色。	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instances.get` `compute.instances.getGuestAttributes` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.list` `compute.instances.listReferrers` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.machineTypes.` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.projects.get` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regions.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.list` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkViewer

提供所有网络资源的只读权限

例如，如果您有用于检查网络配置的软件，则可以向该软件的服务帐号授予此角色。

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Security Policy Admin 角色

名称	说明	权限
`roles/compute.orgSecurityPolicyAdmin` ^{Beta 版}	拥有对 Compute Engine 组织安全政策的完全控制权。	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.projects.get` `compute.securityPolicies.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Organization Security Policy User 角色

名称	说明	权限
`roles/compute.orgSecurityPolicyUser` ^{Beta 版}	可以查看或使用 Compute Engine 安全政策，以便与组织或文件夹相关联。	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.projects.get` `compute.securityPolicies.addAssociation` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.removeAssociation` `compute.securityPolicies.use` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Organization Resource Admin 角色

名称	说明	权限
`roles/compute.orgSecurityResourceAdmin` ^{Beta 版}	拥有与组织或文件夹关联的 Compute Engine 安全政策的完全控制权。	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.organizations.listAssociations` `compute.organizations.setSecurityPolicy` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Admin Login 角色

名称	说明	权限
`roles/compute.osAdminLogin`	拥有以管理员用户身份登录 Compute Engine 实例的权限。	`compute.instances.get` `compute.instances.list` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Login 角色

名称	说明	权限
`roles/compute.osLogin`	拥有以标准用户身份登录 Compute Engine 实例的权限。	`compute.instances.get` `compute.instances.list` `compute.instances.osLogin` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Login External User 角色

名称说明权限

名称	说明	权限
`roles/compute.osLoginExternalUser`	此角色仅在组织级层提供。此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限，但不授予对实例的访问权限。外部用户必须获授必要的 OS Login 角色之一，才能使用 SSH 访问实例。	`compute.oslogin.*`

roles/compute.osLoginExternalUser

此角色仅在组织级层提供。

此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限，但不授予对实例的访问权限。外部用户必须获授必要的 OS Login 角色之一，才能使用 SSH 访问实例。

compute.oslogin.*

Compute Packet Mirroring Admin 角色

名称	说明	权限
`roles/compute.packetMirroringAdmin`	指定要生成镜像的资源。	`compute.networks.mirror` `compute.projects.get` `compute.subnetworks.mirror` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Packet Mirroring User 角色

名称	说明	权限
`roles/compute.packetMirroringUser`	可使用 Compute Engine 数据包镜像。	`compute.packetMirrorings.*` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Public IP Admin 角色

名称	说明	权限
`roles/compute.publicIpAdmin` ^{Alpha 版}	拥有对 Compute Engine 公共 IP 地址管理的完整控制权。	`compute.addresses.` `compute.globalAddresses.` `compute.globalPublicDelegatedPrefixes.` `compute.publicAdvertisedPrefixes.` `compute.publicDelegatedPrefixes.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

Compute Security Admin 角色

名称说明权限

名称	说明	权限
`roles/compute.securityAdmin`	拥有创建、修改和删除防火墙规则和 SSL 证书的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。例如，如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队，则向安全团队群组授予此角色。	`compute.firewalls.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.instances.getEffectiveFirewalls` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.updatePolicy` `compute.packetMirrorings.` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.routes.get` `compute.routes.list` `compute.securityPolicies.` `compute.sslCertificates.` `compute.sslPolicies.` `compute.subnetworks.get` `compute.subnetworks.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.securityAdmin

拥有创建、修改和删除防火墙规则和 SSL 证书的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。

例如，如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队，则向安全团队群组授予此角色。

compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.getEffectiveFirewalls
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Storage Admin 角色

名称说明权限

名称	说明	权限
`roles/compute.storageAdmin`	拥有创建、修改和删除磁盘、映像及快照的权限。例如，如果您公司的某位员工负责管理项目映像，但您不希望该员工拥有项目的 Editor 角色，则向其帐号授予项目的此角色。	`compute.diskTypes.` `compute.disks.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.` `compute.licenseCodes.` `compute.licenses.` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.resourcePolicies.` `compute.snapshots.` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.storageAdmin

拥有创建、修改和删除磁盘、映像及快照的权限。

例如，如果您公司的某位员工负责管理项目映像，但您不希望该员工拥有项目的 Editor 角色，则向其帐号授予项目的此角色。

compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Viewer 角色

名称说明权限

名称	说明	权限
`roles/compute.viewer`	拥有以只读方式获取和列出 Compute Engine 资源的权限，但无权读取这些资源中存储的数据。例如，获授此角色的帐号可以清点项目中的所有磁盘，但无法读取这些磁盘上的任何数据。	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.commitments.get` `compute.commitments.list` `compute.diskTypes.` `compute.disks.get` `compute.disks.getIamPolicy` `compute.disks.list` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalPublicDelegatedPrefixes.get` `compute.globalPublicDelegatedPrefixes.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.getIamPolicy` `compute.images.list` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listReferrers` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.licenseCodes.get` `compute.licenseCodes.getIamPolicy` `compute.licenseCodes.list` `compute.licenses.get` `compute.licenses.getIamPolicy` `compute.licenses.list` `compute.machineTypes.` `compute.maintenancePolicies.get` `compute.maintenancePolicies.getIamPolicy` `compute.maintenancePolicies.list` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.getIamPolicy` `compute.networkEndpointGroups.list` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.nodeGroups.get` `compute.nodeGroups.getIamPolicy` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.nodeTemplates.getIamPolicy` `compute.nodeTemplates.list` `compute.nodeTypes.` `compute.organizations.listAssociations` `compute.projects.get` `compute.publicAdvertisedPrefixes.get` `compute.publicAdvertisedPrefixes.list` `compute.publicDelegatedPrefixes.get` `compute.publicDelegatedPrefixes.list` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regionOperations.get` `compute.regionOperations.getIamPolicy` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.resourcePolicies.get` `compute.resourcePolicies.list` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.securityPolicies.get` `compute.securityPolicies.getIamPolicy` `compute.securityPolicies.list` `compute.snapshots.get` `compute.snapshots.getIamPolicy` `compute.snapshots.list` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.urlMaps.validate` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zoneOperations.get` `compute.zoneOperations.getIamPolicy` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.viewer

拥有以只读方式获取和列出 Compute Engine 资源的权限，但无权读取这些资源中存储的数据。

例如，获授此角色的帐号可以清点项目中的所有磁盘，但无法读取这些磁盘上的任何数据。

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Shared VPC Admin 角色

名称说明权限

名称	说明	权限
`roles/compute.xpnAdmin`	拥有管理共享 VPC 宿主项目的权限，具体来说，就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。在组织层级，此角色只能由组织管理员授予。 Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (`roles/compute.networkUser`)，共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体（个人或群组）可以同时担任这两个角色，则项目管理会变得更加容易。	`compute.globalOperations.get` `compute.globalOperations.list` `compute.organizations.administerXpn` `compute.organizations.disableXpnHost` `compute.organizations.disableXpnResource` `compute.organizations.enableXpnHost` `compute.organizations.enableXpnResource` `compute.projects.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.setIamPolicy` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.list`

roles/compute.xpnAdmin

拥有管理共享 VPC 宿主项目的权限，具体来说，就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。

在组织层级，此角色只能由组织管理员授予。

Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (roles/compute.networkUser)，共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体（个人或群组）可以同时担任这两个角色，则项目管理会变得更加容易。

compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Assignment Admin 角色

名称	说明	权限
`roles/osconfig.assignmentAdmin` ^{Beta 版}	拥有对 Assignment 的完整管理员权限	`resourcemanager.projects.get` `resourcemanager.projects.list`

Assignment Editor 角色

名称	说明	权限
`roles/osconfig.assignmentEditor` ^{Beta 版}	可以修改 Assignment 资源	`resourcemanager.projects.get` `resourcemanager.projects.list`

Assignment Viewer 角色

名称	说明	权限
`roles/osconfig.assignmentViewer` ^{Beta 版}	可以查看 Assignment 资源	`resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Admin 角色

名称	说明	权限
`roles/osconfig.guestPolicyAdmin` ^{Beta 版}	拥有对 GuestPolicy 的完整管理员权限	`osconfig.guestPolicies.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Editor 角色

名称	说明	权限
`roles/osconfig.guestPolicyEditor` ^{Beta 版}	可以修改 GuestPolicy 资源	`osconfig.guestPolicies.get` `osconfig.guestPolicies.list` `osconfig.guestPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Viewer 角色

名称	说明	权限
`roles/osconfig.guestPolicyViewer` ^{Beta 版}	可以查看 GuestPolicy 资源	`osconfig.guestPolicies.get` `osconfig.guestPolicies.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Admin 角色

名称	说明	权限
`roles/osconfig.osConfigAdmin` ^{Beta 版}	拥有对 OsConfig 的完整管理员权限	`resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Editor 角色

名称	说明	权限
`roles/osconfig.osConfigEditor` ^{Beta 版}	可以修改 OsConfig 资源	`resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Viewer 角色

名称	说明	权限
`roles/osconfig.osConfigViewer` ^{Beta 版}	可以查看 OsConfig 资源	`resourcemanager.projects.get` `resourcemanager.projects.list`

PatchDeployment Admin 角色

名称	说明	权限
`roles/osconfig.patchDeploymentAdmin` ^{Beta 版}	拥有对 PatchDeployment 的完整管理员权限	`osconfig.patchDeployments.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

PatchDeployment Viewer 角色

名称	说明	权限
`roles/osconfig.patchDeploymentViewer` ^{Beta 版}	可以查看 PatchDeployment 资源	`osconfig.patchDeployments.get` `osconfig.patchDeployments.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Patch Job Executor 角色

名称	说明	权限
`roles/osconfig.patchJobExecutor` ^{Beta 版}	有权执行修补作业。	`osconfig.patchJobs.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

Patch Job Viewer 角色

名称	说明	权限
`roles/osconfig.patchJobViewer` ^{Beta 版}	获取并列出修补作业。	`osconfig.patchJobs.get` `osconfig.patchJobs.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

DNS Administrator 角色

名称	说明	权限
`roles/dns.admin`	提供对所有 Cloud DNS 资源的读写权限。	`compute.networks.get` `compute.networks.list` `dns.changes.` `dns.dnsKeys.` `dns.managedZoneOperations.` `dns.managedZones.` `dns.networks.` `dns.policies.create` `dns.policies.delete` `dns.policies.get` `dns.policies.list` `dns.policies.update` `dns.projects.` `dns.resourceRecordSets.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

DNS Peer 角色

名称	说明	权限
`roles/dns.peer`	拥有访问具有 DNS 对等互连地区的目标网络的权限	`dns.networks.targetWithPeeringZone`

DNS Reader 角色

名称	说明	权限
`roles/dns.reader`	提供对所有 Cloud DNS 资源的只读权限。	`compute.networks.get` `dns.changes.get` `dns.changes.list` `dns.dnsKeys.` `dns.managedZoneOperations.` `dns.managedZones.get` `dns.managedZones.list` `dns.policies.get` `dns.policies.list` `dns.projects.*` `dns.resourceRecordSets.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Admin 角色

名称	说明	权限
`roles/iam.serviceAccountAdmin`	可创建和管理服务帐号。	`iam.serviceAccounts.create` `iam.serviceAccounts.delete` `iam.serviceAccounts.get` `iam.serviceAccounts.getIamPolicy` `iam.serviceAccounts.list` `iam.serviceAccounts.setIamPolicy` `iam.serviceAccounts.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Create Service Accounts 角色

名称	说明	权限
`roles/iam.serviceAccountCreator`	拥有创建服务帐号的权限。	`iam.serviceAccounts.create` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Delete Service Accounts 角色

名称	说明	权限
`roles/iam.serviceAccountDeleter`	拥有删除服务帐号的权限。	`iam.serviceAccounts.delete` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Key Admin 角色

名称	说明	权限
`roles/iam.serviceAccountKeyAdmin`	可创建和管理（及轮替）服务帐号密钥。	`iam.serviceAccountKeys.*` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Token Creator 角色

名称	说明	权限
`roles/iam.serviceAccountTokenCreator`	可以模拟服务帐号（创建 OAuth2 访问令牌、签署 Blob 或 JWT 等）。	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.implicitDelegation` `iam.serviceAccounts.list` `iam.serviceAccounts.signBlob` `iam.serviceAccounts.signJwt` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account User 角色

名称	说明	权限
`roles/iam.serviceAccountUser`	可以服务帐号身份运行操作。	`iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Workload Identity User 角色

名称	说明	权限
`roles/iam.workloadIdentityUser`	从 GKE 工作负载模拟服务帐号	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.list`

serviceAccountUser 角色

同时授予 roles/compute.instanceAdmin.v1 和 roles/iam.serviceAccountUser 角色时，后者会授予成员创建和管理使用服务帐号的实例的权限。具体而言，同时授予 roles/iam.serviceAccountUser 和 roles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限：

创建一个以服务帐号身份运行的实例。
将永久性磁盘挂接到以服务帐号身份运行的实例上。
在以服务帐号身份运行的实例上设置实例元数据。
通过 SSH 连接到一个以服务帐号身份运行的实例。
将实例重新配置为以服务帐号身份运行。

您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser：

推荐。将该角色授予特定服务帐号中的成员。这让成员有权访问其作为 iam.serviceAccountUser 的服务帐号，但对于其他服务帐号，如果该成员不是 iam.serviceAccountUser，则无法访问。
在项目级层为成员授予该角色。该成员将有权访问项目中的所有服务帐号，包括将来创建的服务帐号。

如果您对服务帐号不熟悉，请详细了解服务帐号。

以 instanceAdmin 身份连接到实例

为项目成员授予 roles/compute.instanceAdmin.v1 角色后，该项目成员即可使用标准 Google Cloud 工具（例如 gcloud 工具）或通过浏览器发起 SSH 连接，连接到虚拟机 (VM) 实例。

当成员使用 gcloud 命令行工具或通过浏览器发起 SSH 连接时，该工具将自动生成公钥/私钥对，并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限，则该工具会将成员的公钥添加到实例元数据中。

如果成员已有想使用的现有密钥对，则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例或从中移除。

IAM 与服务帐号

创建新的自定义服务帐号并为服务帐号授予 Cloud IAM 角色，以限制其访问您的实例的权限。将 Cloud IAM 角色与自定义服务帐号结合使用，您可以：

通过精细的 Cloud IAM 角色限制您的实例对 Google Cloud API 的访问权限。
为每个实例或每组实例授予唯一身份。
限制您的默认服务帐号的访问权限。

详细了解服务帐号。

托管实例组和 Cloud IAM

托管实例组（尤其当配置为自动扩缩时）是可代表您执行操作的资源，无需直接的用户互动。托管实例组通过服务帐号身份来创建、删除和管理实例组中的实例。如需了解详情，请参阅托管实例组和 Cloud IAM 文档。

不支持的操作

您无法使用 Cloud IAM 角色授予在实例组上执行滚动更新的权限。

如需授予执行这些操作的权限，请使用权限更大的所有者、修改者或查看者角色。

Compute Engine IAM 角色

准备工作

什么是 IAM？

预定义的 Compute Engine Cloud IAM 角色

Compute Admin 角色

Compute Image User 角色

Compute Instance Admin（Beta 版）角色

Compute Instance Admin (v1) 角色

计算负载平衡器管理员角色

Compute Network Admin 角色

Compute Network User 角色

Compute Network Viewer 角色

Compute Organization Security Policy Admin 角色

Compute Organization Security Policy User 角色

Compute Organization Resource Admin 角色

Compute OS Admin Login 角色

Compute OS Login 角色

Compute OS Login External User 角色

Compute Packet Mirroring Admin 角色

Compute Packet Mirroring User 角色

Compute Public IP Admin 角色

Compute Security Admin 角色

Compute Storage Admin 角色

Compute Viewer 角色

Compute Shared VPC Admin 角色

Assignment Admin 角色

Assignment Editor 角色

Assignment Viewer 角色

GuestPolicy Admin 角色

GuestPolicy Editor 角色

GuestPolicy Viewer 角色

OsConfig Admin 角色

OsConfig Editor 角色

OsConfig Viewer 角色

PatchDeployment Admin 角色

PatchDeployment Viewer 角色

Patch Job Executor 角色

Patch Job Viewer 角色

DNS Administrator 角色

DNS Peer 角色

DNS Reader 角色

Service Account Admin 角色

Create Service Accounts 角色

Delete Service Accounts 角色

Service Account Key Admin 角色

Service Account Token Creator 角色

Service Account User 角色

Workload Identity User 角色

serviceAccountUser 角色

以 instanceAdmin 身份连接到实例

IAM 与服务帐号

托管实例组和 Cloud IAM

不支持的操作

后续步骤