当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。
Compute Engine 具有一组预定义 IAM 角色,本页对这些角色进行了说明。您还可以创建自定义角色,这些角色包含的权限子集直接对应于您的需要。
如需了解每种方法所需的权限,请参阅 Compute Engine API 参考文档:
如需了解如何授予访问权限,请参阅以下页面。
准备工作
什么是 IAM?
Google Cloud 提供 IAM,可让您授予对特定 Google Cloud 资源的更细化访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,您只需授予对您资源的必要访问权限。
IAM 允许您通过设置 IAM 政策来控制谁(身份)对哪些资源具有何种权限(角色)。IAM 政策可为项目成员授予一个或多个特定角色,进而授予相应身份特定权限。例如,您可以为 Google 帐号分配给定资源(如项目)的 roles/compute.networkAdmin 角色,此后该帐号便可控制项目中网络相关的资源,但无法管理实例和磁盘等其他资源。您还可以使用 IAM 来管理为项目团队成员授予的 Google Cloud 控制台旧版角色。
serviceAccountUser 角色
同时授予 roles/compute.instanceAdmin.v1 和 roles/iam.serviceAccountUser 角色时,后者会授予成员创建和管理使用服务帐号的实例的权限。具体而言,同时授予 roles/iam.serviceAccountUser 和 roles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限:
- 创建一个以服务帐号身份运行的实例。
- 将永久性磁盘附加到以服务帐号身份运行的实例上。
- 在以服务帐号身份运行的实例上设置实例元数据。
- 通过 SSH 连接到一个以服务帐号身份运行的实例。
- 将实例重新配置为以服务帐号身份运行。
您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser:
如果您对服务帐号不熟悉,请详细了解服务帐号。
Google Cloud Console 权限
如需使用 Google Cloud Console 访问 Compute Engine 资源,您必须拥有一个包含项目的以下权限的角色:
compute.projects.get
以 instanceAdmin 身份连接到实例
为项目成员授予 roles/compute.instanceAdmin.v1 角色后,该项目成员即可使用标准 Google Cloud 工具(例如 gcloud CLI 或在浏览器中使用 SSH)连接到虚拟机 (VM) 实例。
当成员使用 gcloud CLI 或 SSH-in-browser 时,该工具将自动生成公钥/私钥对,并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限,则该工具会将成员的公钥添加到实例元数据中。
如果成员已有想使用的现有密钥对,则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例。
IAM 与服务帐号
创建新的自定义服务帐号并将 IAM 角色授予服务帐号以限制访问实例的权限。将 IAM 角色与自定义服务帐号结合使用,您可以:
- 通过精细的 IAM 角色限制您的实例对 Google Cloud API 的访问权限。
- 为每个实例或每组实例授予唯一身份。
- 限制您的默认服务帐号的访问权限。
详细了解服务帐号。
托管实例组和 IAM
代管式实例组 (MIG) 是代表您执行操作的资源,无需直接的用户互动。例如,MIG 可以在实例组中添加和移除虚拟机。
由 Compute Engine 执行的属于 MIG 的所有操作都是使用您项目的 Google API 服务代理完成的,此服务代理具有如下所示的电子邮件地址:PROJECT_ID@cloudservices.gserviceaccount.com
默认情况下,Google API 服务代理会在项目级层被授予 Editor 角色 (roles/editor),从而获得足够的权限根据 MIG 的配置创建资源。如果您要为 Google API 服务代理自定义访问权限,请授予 Compute Instance Admin (v1) 角色 (roles/compute.instanceAdmin.v1) 和(可选)Service Account User 角色 (roles/iam.serviceAccountUser)。仅当 MIG 创建可以服务帐号身份运行的虚拟机时,才需要 Service Account User 角色。
请注意,Google API 服务代理也会被其他进程(包括 Deployment Manager)使用。
当您创建 MIG 或更新其实例模板时,Compute Engine 会验证 Google API 服务代理具有以下角色和权限:
- Service Account User 角色;如果您计划创建可以服务帐号身份运行的实例,则该角色很重要
- 针对通过实例模板引用的所有资源(例如映像、磁盘、VPC 网络和子网)的权限
预定义 Compute Engine IAM 角色
使用 IAM 时,Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员(用户、群组或服务帐号)授予角色,进而授予相应权限。
除了基本角色(Viewer、Editor、Owner)和自定义角色之外,您还可以为项目成员分配以下 Compute Engine 预定义角色。
您可以针对同一资源向某位成员授予多个角色。例如,如果您的网络团队还负责管理防火墙规则,您可以将 roles/compute.networkAdmin 和 roles/compute.securityAdmin 同时授予该网络团队的 Google 群组。
下表描述了预定义 Compute Engine IAM 角色,以及每个角色所包含的权限。每个角色包含一组适合特定任务的权限。例如,Instance Admin 角色授予管理实例的权限,与网络相关的角色具有管理网络相关资源的权限,而安全角色具有管理安全相关资源(如防火墙和 SSL 证书)的权限。
Compute Admin role
| Title and name |
Description |
Permissions |
Compute Admin
(roles/compute.admin)
|
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
-
Disk
-
Image
-
Instance
-
Instance template
-
Node group
-
Node template
-
Snapshot Beta
|
compute.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Image User role
| Title and name |
Description |
Permissions |
Compute Image User
(roles/compute.imageUser)
|
Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
|
compute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlyresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (beta) role
| Title and name |
Description |
Permissions |
Compute Instance Admin (beta)
(roles/compute.instanceAdmin)
|
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
-
Disk
-
Image
-
Instance
-
Instance template
-
Snapshot Beta
|
compute.acceleratorTypes.*compute.addresses.createInternalcompute.addresses.deleteInternalcompute.addresses.getcompute.addresses.listcompute.addresses.usecompute.addresses.useInternalcompute.autoscalers.*compute.diskTypes.*compute.disks.createcompute.disks.createSnapshotcompute.disks.deletecompute.disks.getcompute.disks.listcompute.disks.resizecompute.disks.setLabelscompute.disks.updatecompute.disks.usecompute.disks.useReadOnlycompute.globalAddresses.getcompute.globalAddresses.listcompute.globalAddresses.usecompute.globalNetworkEndpointGroups.*compute.globalOperations.getcompute.globalOperations.listcompute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlycompute.instanceGroupManagers.*compute.instanceGroups.*compute.instanceTemplates.*compute.instances.*compute.licenses.getcompute.licenses.listcompute.machineImages.*compute.machineTypes.*compute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regionNetworkEndpointGroups.*compute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.reservations.getcompute.reservations.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetPools.getcompute.targetPools.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (v1) role
Compute Load Balancer Admin role
| Title and name |
Description |
Permissions |
Compute Load Balancer Admin
(roles/compute.loadBalancerAdmin)
Beta
|
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
|
certificatemanager.certmaps.getcertificatemanager.certmaps.listcertificatemanager.certmaps.usecompute.addresses.*compute.backendBuckets.*compute.backendServices.*compute.disks.listEffectiveTagscompute.disks.listTagBindingscompute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.globalNetworkEndpointGroups.*compute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.images.listEffectiveTagscompute.images.listTagBindingscompute.instanceGroups.*compute.instances.getcompute.instances.listcompute.instances.listEffectiveTagscompute.instances.listTagBindingscompute.instances.usecompute.instances.useReadOnlycompute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.projects.getcompute.regionBackendServices.*compute.regionHealthCheckServices.*compute.regionHealthChecks.*compute.regionNetworkEndpointGroups.*compute.regionNotificationEndpoints.*compute.regionSslCertificates.*compute.regionTargetHttpProxies.*compute.regionTargetHttpsProxies.*compute.regionUrlMaps.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.snapshots.listEffectiveTagscompute.snapshots.listTagBindingscompute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.targetGrpcProxies.*compute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.urlMaps.*networksecurity.clientTlsPolicies.getnetworksecurity.clientTlsPolicies.listnetworksecurity.clientTlsPolicies.usenetworksecurity.serverTlsPolicies.getnetworksecurity.serverTlsPolicies.listnetworksecurity.serverTlsPolicies.useresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Load Balancer Services User role
| Title and name |
Description |
Permissions |
Compute Load Balancer Services User
(roles/compute.loadBalancerServiceUser)
Beta
|
Permissions to use services from a load balancer in other projects.
|
compute.backendServices.getcompute.backendServices.listcompute.backendServices.usecompute.projects.getcompute.regionBackendServices.getcompute.regionBackendServices.listcompute.regionBackendServices.useresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Admin role
| Title and name |
Description |
Permissions |
Compute Network Admin
(roles/compute.networkAdmin)
|
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
roles/compute.securityAdmin role to the combined team's group.
Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*compute.addresses.*compute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.*compute.backendServices.*compute.disks.listEffectiveTagscompute.disks.listTagBindingscompute.externalVpnGateways.*compute.firewallPolicies.getcompute.firewallPolicies.listcompute.firewallPolicies.usecompute.firewalls.getcompute.firewalls.listcompute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.globalNetworkEndpointGroups.getcompute.globalNetworkEndpointGroups.listcompute.globalNetworkEndpointGroups.usecompute.globalOperations.getcompute.globalOperations.listcompute.globalPublicDelegatedPrefixes.deletecompute.globalPublicDelegatedPrefixes.getcompute.globalPublicDelegatedPrefixes.listcompute.globalPublicDelegatedPrefixes.updatecompute.globalPublicDelegatedPrefixes.updatePolicycompute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.images.listEffectiveTagscompute.images.listTagBindingscompute.instanceGroupManagers.getcompute.instanceGroupManagers.listcompute.instanceGroupManagers.updatecompute.instanceGroupManagers.usecompute.instanceGroups.getcompute.instanceGroups.listcompute.instanceGroups.updatecompute.instanceGroups.usecompute.instances.getcompute.instances.getGuestAttributescompute.instances.getScreenshotcompute.instances.getSerialPortOutputcompute.instances.listcompute.instances.listEffectiveTagscompute.instances.listReferrerscompute.instances.listTagBindingscompute.instances.updateSecuritycompute.instances.usecompute.instances.useReadOnlycompute.interconnectAttachments.*compute.interconnectLocations.*compute.interconnects.*compute.machineTypes.*compute.networkEndpointGroups.getcompute.networkEndpointGroups.listcompute.networkEndpointGroups.usecompute.networks.*compute.packetMirrorings.getcompute.packetMirrorings.listcompute.projects.getcompute.publicDelegatedPrefixes.deletecompute.publicDelegatedPrefixes.getcompute.publicDelegatedPrefixes.listcompute.publicDelegatedPrefixes.updatecompute.publicDelegatedPrefixes.updatePolicycompute.regionBackendServices.*compute.regionFirewallPolicies.getcompute.regionFirewallPolicies.listcompute.regionFirewallPolicies.usecompute.regionHealthCheckServices.*compute.regionHealthChecks.*compute.regionNetworkEndpointGroups.getcompute.regionNetworkEndpointGroups.listcompute.regionNetworkEndpointGroups.usecompute.regionNotificationEndpoints.*compute.regionOperations.getcompute.regionOperations.listcompute.regionSslCertificates.getcompute.regionSslCertificates.listcompute.regionTargetHttpProxies.*compute.regionTargetHttpsProxies.*compute.regionUrlMaps.*compute.regions.*compute.routers.*compute.routes.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.serviceAttachments.*compute.snapshots.listEffectiveTagscompute.snapshots.listTagBindingscompute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.*compute.subnetworks.*compute.targetGrpcProxies.*compute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.targetVpnGateways.*compute.urlMaps.*compute.vpnGateways.*compute.vpnTunnels.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*networkconnectivity.locations.*networkconnectivity.operations.*networksecurity.*networkservices.*resourcemanager.projects.getresourcemanager.projects.listservicedirectory.namespaces.createservicedirectory.namespaces.deleteservicedirectory.services.createservicedirectory.services.deleteservicenetworking.operations.getservicenetworking.services.addPeeringservicenetworking.services.createPeeredDnsDomainservicenetworking.services.deletePeeredDnsDomainservicenetworking.services.getservicenetworking.services.listPeeredDnsDomainsserviceusage.quotas.getserviceusage.services.getserviceusage.services.listtrafficdirector.*
|
Compute Network User role
| Title and name |
Description |
Permissions |
Compute Network User
(roles/compute.networkUser)
|
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
|
compute.addresses.createInternalcompute.addresses.deleteInternalcompute.addresses.getcompute.addresses.listcompute.addresses.useInternalcompute.externalVpnGateways.getcompute.externalVpnGateways.listcompute.externalVpnGateways.usecompute.firewalls.getcompute.firewalls.listcompute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.interconnects.usecompute.networks.accesscompute.networks.getcompute.networks.getEffectiveFirewallscompute.networks.getRegionEffectiveFirewallscompute.networks.listcompute.networks.listPeeringRoutescompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regions.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.serviceAttachments.getcompute.serviceAttachments.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnGateways.usecompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zones.*networkconnectivity.locations.*networkconnectivity.operations.getnetworkconnectivity.operations.listnetworksecurity.authorizationPolicies.getnetworksecurity.authorizationPolicies.listnetworksecurity.authorizationPolicies.usenetworksecurity.clientTlsPolicies.getnetworksecurity.clientTlsPolicies.listnetworksecurity.clientTlsPolicies.usenetworksecurity.locations.*networksecurity.operations.getnetworksecurity.operations.listnetworksecurity.serverTlsPolicies.getnetworksecurity.serverTlsPolicies.listnetworksecurity.serverTlsPolicies.usenetworkservices.endpointConfigSelectors.getnetworkservices.endpointConfigSelectors.listnetworkservices.endpointConfigSelectors.usenetworkservices.endpointPolicies.getnetworkservices.endpointPolicies.listnetworkservices.endpointPolicies.usenetworkservices.gateways.getnetworkservices.gateways.listnetworkservices.gateways.usenetworkservices.grpcRoutes.getnetworkservices.grpcRoutes.listnetworkservices.grpcRoutes.usenetworkservices.httpFilters.getnetworkservices.httpFilters.listnetworkservices.httpFilters.usenetworkservices.httpRoutes.getnetworkservices.httpRoutes.listnetworkservices.httpRoutes.usenetworkservices.httpfilters.getnetworkservices.httpfilters.listnetworkservices.httpfilters.usenetworkservices.locations.*networkservices.meshes.getnetworkservices.meshes.listnetworkservices.meshes.usenetworkservices.operations.getnetworkservices.operations.listnetworkservices.serviceBindings.getnetworkservices.serviceBindings.listnetworkservices.tcpRoutes.getnetworkservices.tcpRoutes.listnetworkservices.tcpRoutes.usenetworkservices.tlsRoutes.getnetworkservices.tlsRoutes.listnetworkservices.tlsRoutes.useresourcemanager.projects.getresourcemanager.projects.listservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Viewer role
Compute Organization Firewall Policy Admin role
| Title and name |
Description |
Permissions |
Compute Organization Firewall Policy Admin
(roles/compute.orgFirewallPolicyAdmin)
|
Full control of Compute Engine Organization Firewall Policies.
|
compute.firewallPolicies.cloneRulescompute.firewallPolicies.createcompute.firewallPolicies.deletecompute.firewallPolicies.getcompute.firewallPolicies.getIamPolicycompute.firewallPolicies.listcompute.firewallPolicies.movecompute.firewallPolicies.setIamPolicycompute.firewallPolicies.updatecompute.firewallPolicies.usecompute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.regionFirewallPolicies.*compute.regionOperations.getcompute.regionOperations.getIamPolicycompute.regionOperations.listcompute.regionOperations.setIamPolicyresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Firewall Policy User role
| Title and name |
Description |
Permissions |
Compute Organization Firewall Policy User
(roles/compute.orgFirewallPolicyUser)
|
View or use Compute Engine Firewall Policies to associate with the organization or folders.
|
compute.firewallPolicies.getcompute.firewallPolicies.listcompute.firewallPolicies.usecompute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.projects.getcompute.regionFirewallPolicies.getcompute.regionFirewallPolicies.listcompute.regionFirewallPolicies.usecompute.regionOperations.getcompute.regionOperations.getIamPolicycompute.regionOperations.listresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy Admin role
| Title and name |
Description |
Permissions |
Compute Organization Security Policy Admin
(roles/compute.orgSecurityPolicyAdmin)
|
Full control of Compute Engine Organization Security Policies.
|
compute.firewallPolicies.*compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy User role
| Title and name |
Description |
Permissions |
Compute Organization Security Policy User
(roles/compute.orgSecurityPolicyUser)
|
View or use Compute Engine Security Policies to associate with the organization or folders.
|
compute.firewallPolicies.addAssociationcompute.firewallPolicies.getcompute.firewallPolicies.listcompute.firewallPolicies.removeAssociationcompute.firewallPolicies.usecompute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.addAssociationcompute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.removeAssociationcompute.securityPolicies.useresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Resource Admin role
| Title and name |
Description |
Permissions |
Compute Organization Resource Admin
(roles/compute.orgSecurityResourceAdmin)
|
Full control of Compute Engine Firewall Policy associations to the organization or folders.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.organizations.listAssociationscompute.organizations.setFirewallPolicycompute.organizations.setSecurityPolicycompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Admin Login role
| Title and name |
Description |
Permissions |
Compute OS Admin Login
(roles/compute.osAdminLogin)
|
Access to log in to a Compute Engine instance as an administrator
user.
Lowest-level resources where you can grant this role:
|
compute.disks.listEffectiveTagscompute.disks.listTagBindingscompute.images.listEffectiveTagscompute.images.listTagBindingscompute.instances.getcompute.instances.listcompute.instances.listEffectiveTagscompute.instances.listTagBindingscompute.instances.osAdminLogincompute.instances.osLogincompute.projects.getcompute.snapshots.listEffectiveTagscompute.snapshots.listTagBindingsresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login role
| Title and name |
Description |
Permissions |
Compute OS Login
(roles/compute.osLogin)
|
Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
|
compute.disks.listEffectiveTagscompute.disks.listTagBindingscompute.images.listEffectiveTagscompute.images.listTagBindingscompute.instances.getcompute.instances.listcompute.instances.listEffectiveTagscompute.instances.listTagBindingscompute.instances.osLogincompute.projects.getcompute.snapshots.listEffectiveTagscompute.snapshots.listTagBindingsresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login External User role
| Title and name |
Description |
Permissions |
Compute OS Login External User
(roles/compute.osLoginExternalUser)
|
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required
OS Login roles
in order to allow access to instances using SSH.
Lowest-level resources where you can grant this role:
|
compute.oslogin.updateExternalUser
|
Compute packet mirroring admin role
| Title and name |
Description |
Permissions |
Compute packet mirroring admin
(roles/compute.packetMirroringAdmin)
|
Specify resources to be mirrored.
|
compute.instances.updateSecuritycompute.networks.mirrorcompute.projects.getcompute.subnetworks.mirrorresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute packet mirroring user role
| Title and name |
Description |
Permissions |
Compute packet mirroring user
(roles/compute.packetMirroringUser)
|
Use Compute Engine packet mirrorings.
|
compute.packetMirrorings.*compute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Public IP Admin role
| Title and name |
Description |
Permissions |
Compute Public IP Admin
(roles/compute.publicIpAdmin)
|
Full control of public IP address management for Compute Engine.
|
compute.addresses.*compute.globalAddresses.*compute.globalPublicDelegatedPrefixes.*compute.publicAdvertisedPrefixes.*compute.publicDelegatedPrefixes.*resourcemanager.projects.getresourcemanager.projects.list
|
Compute Security Admin role
| Title and name |
Description |
Permissions |
Compute Security Admin
(roles/compute.securityAdmin)
|
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VM
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
|
compute.firewallPolicies.*compute.firewalls.*compute.globalOperations.getcompute.globalOperations.listcompute.instances.getEffectiveFirewallscompute.instances.setShieldedInstanceIntegrityPolicycompute.instances.setShieldedVmIntegrityPolicycompute.instances.updateSecuritycompute.instances.updateShieldedInstanceConfigcompute.instances.updateShieldedVmConfigcompute.networks.getcompute.networks.getEffectiveFirewallscompute.networks.getRegionEffectiveFirewallscompute.networks.listcompute.networks.updatePolicycompute.packetMirrorings.*compute.projects.getcompute.regionFirewallPolicies.*compute.regionOperations.getcompute.regionOperations.listcompute.regionSslCertificates.*compute.regions.*compute.routes.getcompute.routes.listcompute.securityPolicies.*compute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Sole Tenant Viewer role
| Title and name |
Description |
Permissions |
Compute Sole Tenant Viewer
(roles/compute.soleTenantViewer)
Beta
|
Permissions to view sole tenancy node groups
|
compute.nodeGroups.getcompute.nodeGroups.getIamPolicycompute.nodeGroups.listcompute.nodeTemplates.getcompute.nodeTemplates.getIamPolicycompute.nodeTemplates.listcompute.nodeTypes.*
|
Compute Storage Admin role
| Title and name |
Description |
Permissions |
Compute Storage Admin
(roles/compute.storageAdmin)
|
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
this role to their account on the project.
Lowest-level resources where you can grant this role:
|
compute.diskTypes.*compute.disks.*compute.globalOperations.getcompute.globalOperations.listcompute.images.*compute.licenseCodes.*compute.licenses.*compute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.resourcePolicies.*compute.snapshots.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Viewer role
Compute Shared VPC Admin role
| Title and name |
Description |
Permissions |
Compute Shared VPC Admin
(roles/compute.xpnAdmin)
|
Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
(roles/compute.networkUser) to service owners, and the shared VPC host project owner
controls the project itself. Managing the project is easier if a single principal (individual or
group) can fulfill both roles.
Lowest-level resources where you can grant this role:
|
compute.globalOperations.getcompute.globalOperations.listcompute.organizations.administerXpncompute.organizations.disableXpnHostcompute.organizations.disableXpnResourcecompute.organizations.enableXpnHostcompute.organizations.enableXpnResourcecompute.projects.getcompute.subnetworks.getIamPolicycompute.subnetworks.setIamPolicyresourcemanager.organizations.getresourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.list
|
GuestPolicy Admin role
| Title and name |
Description |
Permissions |
GuestPolicy Admin
(roles/osconfig.guestPolicyAdmin)
Beta
|
Full admin access to GuestPolicies
|
osconfig.guestPolicies.*resourcemanager.projects.getresourcemanager.projects.list
|
GuestPolicy Editor role
| Title and name |
Description |
Permissions |
GuestPolicy Editor
(roles/osconfig.guestPolicyEditor)
Beta
|
Editor of GuestPolicy resources
|
osconfig.guestPolicies.getosconfig.guestPolicies.listosconfig.guestPolicies.updateresourcemanager.projects.getresourcemanager.projects.list
|
GuestPolicy Viewer role
| Title and name |
Description |
Permissions |
GuestPolicy Viewer
(roles/osconfig.guestPolicyViewer)
Beta
|
Viewer of GuestPolicy resources
|
osconfig.guestPolicies.getosconfig.guestPolicies.listresourcemanager.projects.getresourcemanager.projects.list
|
InstanceOSPoliciesCompliance Viewer role
| Title and name |
Description |
Permissions |
InstanceOSPoliciesCompliance Viewer
(roles/osconfig.instanceOSPoliciesComplianceViewer)
Beta
|
Viewer of OS Policies Compliance of VM instances
|
osconfig.instanceOSPoliciesCompliances.*resourcemanager.projects.getresourcemanager.projects.list
|
OS Inventory Viewer role
| Title and name |
Description |
Permissions |
OS Inventory Viewer
(roles/osconfig.inventoryViewer)
|
Viewer of OS Inventories
|
osconfig.inventories.*resourcemanager.projects.getresourcemanager.projects.list
|
OSPolicyAssignment Admin role
| Title and name |
Description |
Permissions |
OSPolicyAssignment Admin
(roles/osconfig.osPolicyAssignmentAdmin)
|
Full admin access to OS Policy Assignments
|
osconfig.osPolicyAssignments.*resourcemanager.projects.getresourcemanager.projects.list
|
OSPolicyAssignment Editor role
| Title and name |
Description |
Permissions |
OSPolicyAssignment Editor
(roles/osconfig.osPolicyAssignmentEditor)
|
Editor of OS Policy Assignments
|
osconfig.osPolicyAssignments.getosconfig.osPolicyAssignments.listosconfig.osPolicyAssignments.updateresourcemanager.projects.getresourcemanager.projects.list
|
OSPolicyAssignmentReport Viewer role
| Title and name |
Description |
Permissions |
OSPolicyAssignmentReport Viewer
(roles/osconfig.osPolicyAssignmentReportViewer)
|
Viewer of OS policy assignment reports for VM instances
|
osconfig.osPolicyAssignmentReports.*resourcemanager.projects.getresourcemanager.projects.list
|
OSPolicyAssignment Viewer role
| Title and name |
Description |
Permissions |
OSPolicyAssignment Viewer
(roles/osconfig.osPolicyAssignmentViewer)
|
Viewer of OS Policy Assignments
|
osconfig.osPolicyAssignments.getosconfig.osPolicyAssignments.listresourcemanager.projects.getresourcemanager.projects.list
|
PatchDeployment Admin role
| Title and name |
Description |
Permissions |
PatchDeployment Admin
(roles/osconfig.patchDeploymentAdmin)
|
Full admin access to PatchDeployments
|
osconfig.patchDeployments.*resourcemanager.projects.getresourcemanager.projects.list
|
PatchDeployment Viewer role
| Title and name |
Description |
Permissions |
PatchDeployment Viewer
(roles/osconfig.patchDeploymentViewer)
|
Viewer of PatchDeployment resources
|
osconfig.patchDeployments.getosconfig.patchDeployments.listresourcemanager.projects.getresourcemanager.projects.list
|
Patch Job Executor role
| Title and name |
Description |
Permissions |
Patch Job Executor
(roles/osconfig.patchJobExecutor)
|
Access to execute Patch Jobs.
|
osconfig.patchJobs.*resourcemanager.projects.getresourcemanager.projects.list
|
Patch Job Viewer role
| Title and name |
Description |
Permissions |
Patch Job Viewer
(roles/osconfig.patchJobViewer)
|
Get and list Patch Jobs.
|
osconfig.patchJobs.getosconfig.patchJobs.listresourcemanager.projects.getresourcemanager.projects.list
|
OS VulnerabilityReport Viewer role
| Title and name |
Description |
Permissions |
OS VulnerabilityReport Viewer
(roles/osconfig.vulnerabilityReportViewer)
|
Viewer of OS VulnerabilityReports
|
osconfig.vulnerabilityReports.*resourcemanager.projects.getresourcemanager.projects.list
|
DNS Administrator role
| Title and name |
Description |
Permissions |
DNS Administrator
(roles/dns.admin)
|
Provides read-write access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
|
compute.networks.getcompute.networks.listdns.changes.*dns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.createdns.managedZones.deletedns.managedZones.getdns.managedZones.getIamPolicydns.managedZones.listdns.managedZones.updatedns.networks.*dns.policies.createdns.policies.deletedns.policies.getdns.policies.getIamPolicydns.policies.listdns.policies.updatedns.projects.getdns.resourceRecordSets.*dns.responsePolicies.*dns.responsePolicyRules.*resourcemanager.projects.getresourcemanager.projects.list
|
DNS Peer role
| Title and name |
Description |
Permissions |
DNS Peer
(roles/dns.peer)
|
Access to target networks with DNS peering zones
|
dns.networks.targetWithPeeringZone
|
DNS Reader role
| Title and name |
Description |
Permissions |
DNS Reader
(roles/dns.reader)
|
Provides read-only access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
|
compute.networks.getdns.changes.getdns.changes.listdns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.getdns.managedZones.listdns.policies.getdns.policies.listdns.projects.getdns.resourceRecordSets.getdns.resourceRecordSets.listdns.responsePolicies.getdns.responsePolicies.listdns.responsePolicyRules.getdns.responsePolicyRules.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Admin 角色
| 角色和名称 |
说明 |
权限 |
Service Account Admin
(roles/iam.serviceAccountAdmin)
|
可创建和管理服务帐号。
您可以授予此角色的最低级层资源:
|
iam.serviceAccounts.createiam.serviceAccounts.deleteiam.serviceAccounts.disableiam.serviceAccounts.enableiam.serviceAccounts.getiam.serviceAccounts.getIamPolicyiam.serviceAccounts.listiam.serviceAccounts.setIamPolicyiam.serviceAccounts.undeleteiam.serviceAccounts.updateresourcemanager.projects.getresourcemanager.projects.list
|
Create Service Accounts 角色
| 角色和名称 |
说明 |
权限 |
Create Service Accounts
(roles/iam.serviceAccountCreator)
|
拥有创建服务帐号的权限。
|
iam.serviceAccounts.createiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Delete Service Accounts 角色
| 角色和名称 |
说明 |
权限 |
Delete Service Accounts
(roles/iam.serviceAccountDeleter)
|
拥有删除服务帐号的权限。
|
iam.serviceAccounts.deleteiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Key Admin 角色
| 角色和名称 |
说明 |
权限 |
Service Account Key Admin
(roles/iam.serviceAccountKeyAdmin)
|
可创建和管理(及轮替)服务帐号密钥。
您可以授予此角色的最低级层资源:
|
iam.serviceAccountKeys.*iam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Token Creator 角色
| 角色和名称 |
说明 |
权限 |
Service Account Token Creator
(roles/iam.serviceAccountTokenCreator)
|
可以模拟服务帐号(创建 OAuth2 访问令牌、签署 Blob 或 JWT 等)。
您可以授予此角色的最低级层资源:
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.getOpenIdTokeniam.serviceAccounts.implicitDelegationiam.serviceAccounts.listiam.serviceAccounts.signBlobiam.serviceAccounts.signJwtresourcemanager.projects.getresourcemanager.projects.list
|
服务帐号用户角色
| 角色和名称 |
说明 |
权限 |
Service Account User
(roles/iam.serviceAccountUser)
|
可以服务帐号身份运行操作。
您可以授予此角色的最低级层资源:
|
iam.serviceAccounts.actAsiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
View Service Accounts 角色
| 角色和名称 |
说明 |
权限 |
View Service Accounts
(roles/iam.serviceAccountViewer)
|
拥有对服务帐号、元数据和密钥的读取权限。
|
iam.serviceAccountKeys.getiam.serviceAccountKeys.listiam.serviceAccounts.getiam.serviceAccounts.getIamPolicyiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Workload Identity User 角色
| 角色和名称 |
说明 |
权限 |
Workload Identity User
(roles/iam.workloadIdentityUser)
|
从 GKE 工作负载模拟服务帐号
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.getOpenIdTokeniam.serviceAccounts.list
|
后续步骤
