Compute Engine IAM 角色和权限

使用集合让一切井井有条 根据您的偏好保存内容并对其进行分类。

当您在项目中添加新成员时,可以使用 Identity and Access Management (IAM) 政策为该成员授予一个或多个 IAM 角色。每个 IAM 角色都包含授予成员访问特定资源的权限。

Compute Engine 具有一组预定义 IAM 角色,本页对这些角色进行了说明。您还可以创建自定义角色,这些角色包含的权限子集直接对应于您的需要。

如需了解每种方法所需的权限,请参阅 Compute Engine API 参考文档:

如需了解如何授予访问权限,请参阅以下页面。

准备工作

  • 阅读 IAM 文档。

什么是 IAM?

Google Cloud 提供 IAM,可让您授予对特定 Google Cloud 资源的更细化访问权限,并防止对其他资源进行不必要的访问。IAM 允许您采用最小权限安全原则,您只需授予对您资源的必要访问权限。

IAM 允许您通过设置 IAM 政策来控制谁(身份)对哪些资源具有何种权限(角色)。IAM 政策可为项目成员授予一个或多个特定角色,进而授予相应身份特定权限。例如,您可以为 Google 帐号分配给定资源(如项目)的 roles/compute.networkAdmin 角色,此后该帐号便可控制项目中网络相关的资源,但无法管理实例和磁盘等其他资源。您还可以使用 IAM 来管理为项目团队成员授予的 Google Cloud 控制台旧版角色

serviceAccountUser 角色

同时授予 roles/compute.instanceAdmin.v1roles/iam.serviceAccountUser 角色时,后者会授予成员创建和管理使用服务帐号的实例的权限。具体而言,同时授予 roles/iam.serviceAccountUserroles/compute.instanceAdmin.v1 角色可让成员拥有执行以下操作的权限:

  • 创建一个以服务帐号身份运行的实例。
  • 将永久性磁盘附加到以服务帐号身份运行的实例上。
  • 在以服务帐号身份运行的实例上设置实例元数据。
  • 通过 SSH 连接到一个以服务帐号身份运行的实例。
  • 将实例重新配置为以服务帐号身份运行。

您可以通过以下两种方式之一授予 roles/iam.serviceAccountUser

  • 推荐。将该角色授予特定服务帐号中的成员。这会使得该成员有权访问具有 iam.serviceAccountUser 角色的服务帐号,但不允许其访问不具有 iam.serviceAccountUser 角色的其他服务帐号。

  • 项目级层为成员授予该角色。该成员有权访问项目中的所有服务帐号,包括将来创建的服务帐号。

如果您对服务帐号不熟悉,请详细了解服务帐号

Google Cloud Console 权限

如需使用 Google Cloud Console 访问 Compute Engine 资源,您必须拥有一个包含项目的以下权限的角色:

compute.projects.get

以 instanceAdmin 身份连接到实例

为项目成员授予 roles/compute.instanceAdmin.v1 角色后,该项目成员即可使用标准 Google Cloud 工具(例如 gcloud CLI在浏览器中使用 SSH)连接到虚拟机 (VM) 实例。

当成员使用 gcloud CLI 或 SSH-in-browser 时,该工具将自动生成公钥/私钥对,并将公钥添加到项目元数据中。如果成员没有修改项目元数据的权限,则该工具会将成员的公钥添加到实例元数据中。

如果成员已有想使用的现有密钥对,则可以手动将其公钥添加到实例元数据中。详细了解如何将 SSH 密钥添加到实例

IAM 与服务帐号

创建新的自定义服务帐号并将 IAM 角色授予服务帐号以限制访问实例的权限。将 IAM 角色与自定义服务帐号结合使用,您可以:

  • 通过精细的 IAM 角色限制您的实例对 Google Cloud API 的访问权限。
  • 为每个实例或每组实例授予唯一身份。
  • 限制您的默认服务帐号的访问权限。

详细了解服务帐号

托管实例组和 IAM

代管式实例组 (MIG) 是代表您执行操作的资源,无需直接的用户互动。例如,MIG 可以在实例组中添加和移除虚拟机。

由 Compute Engine 执行的属于 MIG 的所有操作都是使用您项目的 Google API 服务代理完成的,此服务代理具有如下所示的电子邮件地址:PROJECT_ID@cloudservices.gserviceaccount.com

默认情况下,Google API 服务代理会在项目级层被授予 Editor 角色 (roles/editor),从而获得足够的权限根据 MIG 的配置创建资源。如果您要为 Google API 服务代理自定义访问权限,请授予 Compute Instance Admin (v1) 角色 (roles/compute.instanceAdmin.v1) 和(可选)Service Account User 角色 (roles/iam.serviceAccountUser)。仅当 MIG 创建可以服务帐号身份运行的虚拟机时,才需要 Service Account User 角色。

请注意,Google API 服务代理也会被其他进程(包括 Deployment Manager)使用。

当您创建 MIG 或更新其实例模板时,Compute Engine 会验证 Google API 服务代理具有以下角色和权限:

  • Service Account User 角色;如果您计划创建可以服务帐号身份运行的实例,则该角色很重要
  • 针对通过实例模板引用的所有资源(例如映像、磁盘、VPC 网络和子网)的权限

预定义 Compute Engine IAM 角色

使用 IAM 时,Compute Engine API 中的每个 API 方法都要求发出 API 请求的身份具有使用相应资源的适当权限。您可以通过设置政策为项目成员(用户、群组或服务帐号)授予角色,进而授予相应权限。

除了基本角色(Viewer、Editor、Owner)和自定义角色之外,您还可以为项目成员分配以下 Compute Engine 预定义角色。

您可以针对同一资源向某位成员授予多个角色。例如,如果您的网络团队还负责管理防火墙规则,您可以将 roles/compute.networkAdminroles/compute.securityAdmin 同时授予该网络团队的 Google 群组

下表描述了预定义 Compute Engine IAM 角色,以及每个角色所包含的权限。每个角色包含一组适合特定任务的权限。例如,Instance Admin 角色授予管理实例的权限,与网络相关的角色具有管理网络相关资源的权限,而安全角色具有管理安全相关资源(如防火墙和 SSL 证书)的权限。

某些权限通过 标记为所有者权限如果满足以下任一条件,则权限为所有者权限:

  • 该权限包含在 Owner 基本角色中,但未包含在 Viewer 或 Editor 基本角色中。
  • 该权限未包含在任何基本角色中,但允许主帐号执行帐号所有者可能执行的任务,例如管理结算。

Compute Admin 角色

角色和名称 说明 权限
Compute Admin
(roles/compute.admin)

拥有所有 Compute Engine 资源的完全控制权。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 roles/iam.serviceAccountUser 角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 节点组
  • 节点模板
  • 快照Beta 版
  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Image User 角色

角色和名称 说明 权限
Compute Image User
(roles/compute.imageUser)

可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后,获授此角色的用户可以列出项目中的所有映像,并根据项目中的映像创建实例和永久性磁盘等资源。

您可以授予此角色的最低级层资源:

  • 映像测试版
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin(Beta 版)角色

角色和名称 说明 权限
Compute Instance Admin (beta)
(roles/compute.instanceAdmin)

拥有创建、修改和删除虚拟机实例的权限。 这包括创建、修改和删除磁盘的权限,以及配置安全强化型虚拟机设置的权限。

如果用户要管理配置为以服务帐号身份运行的虚拟机实例,您还必须授予 roles/iam.serviceAccountUser 角色。

例如,如果贵公司的某位员工负责管理多组虚拟机实例,但不负责管理网络或安全设置,也不负责管理以服务帐号身份运行的实例,则您可以在这些实例所属的组织、文件夹或项目级层授予此角色,也可以在个别实例级层授予此角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 快照Beta 版
  • compute.acceleratorTypes.*
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (v1) 角色

角色和名称 说明 权限
Compute Instance Admin (v1)
(roles/compute.instanceAdmin.v1)

拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权, 拥有所有 Compute Engine 网络资源的读取权限。

如果仅在实例级层向用户授予此角色,则该用户无法创建新实例。

  • compute.acceleratorTypes.*
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkAttachments.get
  • compute.networkAttachments.list
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Admin 角色

角色和名称 说明 权限
Compute Load Balancer Admin
(roles/compute.loadBalancerAdmin) Beta 版

拥有创建、修改和删除负载均衡器及相关资源的权限。

例如,如果您公司的负载均衡团队负责管理负载均衡器、负载均衡器的 SSL 证书、SSL 政策和其他负载均衡资源,而另一个网络团队负责管理其余网络资源,则向负载均衡团队群组授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.use
  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.*
  • compute.regionSslPolicies.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionTargetTcpProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Services User 角色

角色和名称 说明 权限
Compute Load Balancer Services User
(roles/compute.loadBalancerServiceUser) Beta 版
拥有使用其他项目中的负载均衡器的服务的权限。
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.use
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionBackendServices.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Admin 角色

角色和名称 说明 权限
Compute Network Admin
(roles/compute.networkAdmin)

拥有创建、修改和删除网络资源(不包括防火墙规则和 SSL 证书)的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例(以查看其临时 IP 地址),但无法让用户创建、启动、停止或删除实例。

例如,如果您公司的安全团队负责管理防火墙和 SSL 证书,而网络团队负责管理其余网络资源,则向网络团队群组授予此角色。 或者,如果您有一个负责管理安全和网络的组合团队,则向组合团队的群组授予此角色以及 roles/compute.securityAdmin 角色。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.updateSecurity
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkAttachments.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslPolicies.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionTargetTcpProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networkconnectivity.policyBasedRoutes.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.createPeeredDnsDomain
  • servicenetworking.services.deleteConnection
  • servicenetworking.services.deletePeeredDnsDomain
  • servicenetworking.services.disableVpcServiceControls
  • servicenetworking.services.enableVpcServiceControls
  • servicenetworking.services.get
  • servicenetworking.services.listPeeredDnsDomains
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Network User 角色

角色和名称 说明 权限
Compute Network User
(roles/compute.networkUser)

提供共享 VPC 网络的访问权限

获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如,网络用户可以创建属于宿主项目网络的虚拟机实例,但不能在宿主项目中删除网络或者创建新网络。

您可以授予此角色的最低级层资源:

  • 项目
  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networkAttachments.get
  • compute.networkAttachments.list
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networkconnectivity.policyBasedRoutes.get
  • networkconnectivity.policyBasedRoutes.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.use
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.gateways.use
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.list
  • networkservices.grpcRoutes.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.list
  • networkservices.httpRoutes.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.meshes.get
  • networkservices.meshes.list
  • networkservices.meshes.use
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.list
  • networkservices.tcpRoutes.use
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • networkservices.tlsRoutes.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Viewer 角色

角色和名称 说明 权限
Compute Network Viewer
(roles/compute.networkViewer)

提供所有网络资源的只读权限

例如,如果您有用于检查网络配置的软件,则可以向该软件的服务帐号授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networkAttachments.get
  • compute.networkAttachments.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networkconnectivity.policyBasedRoutes.get
  • networkconnectivity.policyBasedRoutes.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.meshes.get
  • networkservices.meshes.list
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.list
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Organization Firewall Policy Admin 角色

角色和名称 说明 权限
Compute Organization Firewall Policy Admin
(roles/compute.orgFirewallPolicyAdmin)
拥有对 Compute Engine 组织防火墙政策的完全控制权。
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.regionFirewallPolicies.*
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Firewall Policy User 角色

角色和名称 说明 权限
Compute Organization Firewall Policy User
(roles/compute.orgFirewallPolicyUser)
可以查看或使用 Compute Engine 防火墙政策,以便与组织或文件夹相关联。
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.projects.get
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.use
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy Admin 角色

角色和名称 说明 权限
Compute Organization Security Policy Admin
(roles/compute.orgSecurityPolicyAdmin)
拥有对 Compute Engine 组织安全政策的完整控制权。
  • compute.firewallPolicies.*
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.delete
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setIamPolicy
  • compute.securityPolicies.update
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy User 角色

角色和名称 说明 权限
Compute Organization Security Policy User
(roles/compute.orgSecurityPolicyUser)
可以查看或使用 Compute Engine 安全政策,以便与组织或文件夹相关联。
  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Resource Admin 角色

角色和名称 说明 权限
Compute Organization Resource Admin
(roles/compute.orgSecurityResourceAdmin)
拥有与组织或文件夹关联的 Compute Engine 防火墙政策的完全控制权。
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Admin Login 角色

角色和名称 说明 权限
Compute OS Admin Login
(roles/compute.osAdminLogin)

拥有以管理员用户身份登录 Compute Engine 实例的权限。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login 角色

角色和名称 说明 权限
Compute OS Login
(roles/compute.osLogin)

拥有以标准用户身份登录 Compute Engine 实例的权限。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instances.get
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listTagBindings
  • compute.instances.osLogin
  • compute.projects.get
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login External User 角色

角色和名称 说明 权限
Compute OS Login External User
(roles/compute.osLoginExternalUser)

此角色仅在组织级层提供。

此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限,但不授予对实例的访问权限。外部用户必须获授必要的 OS Login 角色之一,才能使用 SSH 访问实例。

您可以授予此角色的最低级层资源:

  • 组织
  • compute.oslogin.updateExternalUser

Compute Packet Mirroring Admin 角色

角色和名称 说明 权限
Compute packet mirroring admin
(roles/compute.packetMirroringAdmin)
指定要生成镜像的资源。
  • compute.instances.updateSecurity
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Packet Mirroring User 角色

角色和名称 说明 权限
Compute packet mirroring user
(roles/compute.packetMirroringUser)
可使用 Compute Engine 数据包镜像。
  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Public IP Admin 角色

角色和名称 说明 权限
Compute Public IP Admin
(roles/compute.publicIpAdmin)
拥有对 Compute Engine 公共 IP 地址管理的完整控制权。
  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Security Admin 角色

角色和名称 说明 权限
Compute Security Admin
(roles/compute.securityAdmin)

拥有创建、修改和删除防火墙规则和 SSL 证书的权限,以及配置安全强化型虚拟机设置的权限。

例如,如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队,则向安全团队群组授予此角色。

您可以授予此角色的最低级层资源:

  • 实例测试版
  • compute.backendBuckets.list
  • compute.backendServices.list
  • compute.firewallPolicies.*
  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.list
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.*
  • compute.regionSslCertificates.*
  • compute.regionSslPolicies.*
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Sole Tenant Viewer 角色

角色和名称 说明 权限
Compute Sole Tenant Viewer
(roles/compute.soleTenantViewer)
查看单租户节点组所需的权限
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*

Compute Storage Admin 角色

角色和名称 说明 权限
Compute Storage Admin
(roles/compute.storageAdmin)

拥有创建、修改和删除磁盘、映像及快照的权限。

例如,如果您公司的某位员工负责管理项目映像,但您不希望该员工拥有项目的 Editor 角色,则向其帐号授予项目的此角色。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 快照Beta 版
  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Viewer 角色

角色和名称 说明 权限
Compute Viewer
(roles/compute.viewer)

拥有以只读方式获取和列出 Compute Engine 资源的权限,但无权读取这些资源中存储的数据。

例如,获授此角色的帐号可以清点项目中的所有磁盘,但无法读取这些磁盘上的任何数据。

您可以授予此角色的最低级层资源:

  • 磁盘
  • 映像
  • 实例
  • 实例模板
  • 节点组
  • 节点模板
  • 快照Beta 版
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkAttachments.get
  • compute.networkAttachments.list
  • compute.networkEdgeSecurityServices.get
  • compute.networkEdgeSecurityServices.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Shared VPC Admin 角色

角色和名称 说明 权限
Compute Shared VPC Admin
(roles/compute.xpnAdmin)

拥有管理共享 VPC 宿主项目的权限,具体来说,就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。

在组织层级,此角色只能由组织管理员授予。

Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (roles/compute.networkUser),共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体(个人或群组)可以同时担任这两个角色,则项目管理会变得更加容易。

您可以授予此角色的最低级层资源:

  • 文件夹
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

GuestPolicy Admin 角色

角色和名称 说明 权限
GuestPolicy Admin
(roles/osconfig.guestPolicyAdmin) Beta 版
拥有对 GuestPolicy 的完整管理员权限
  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Editor 角色

角色和名称 说明 权限
GuestPolicy Editor
(roles/osconfig.guestPolicyEditor) Beta 版
可以修改 GuestPolicy 资源
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Viewer 角色

角色和名称 说明 权限
GuestPolicy Viewer
(roles/osconfig.guestPolicyViewer) Beta 版
可以查看 GuestPolicy 资源
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer 角色

角色和名称 说明 权限
InstanceOSPoliciesCompliance Viewer
(roles/osconfig.instanceOSPoliciesComplianceViewer) Beta 版
虚拟机实例的操作系统政策合规情况的查看者
  • osconfig.instanceOSPoliciesCompliances.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS Inventory Viewer 角色

角色和名称 说明 权限
OS Inventory Viewer
(roles/osconfig.inventoryViewer)
操作系统清单的查看者
  • osconfig.inventories.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Admin 角色

角色和名称 说明 权限
OSPolicyAssignment Admin
(roles/osconfig.osPolicyAssignmentAdmin)
对操作系统政策分配具有完整管理员访问权限
  • osconfig.osPolicyAssignments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Editor 角色

角色和名称 说明 权限
OSPolicyAssignment Editor
(roles/osconfig.osPolicyAssignmentEditor)
操作系统政策分配的编辑者
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignmentReport Viewer 角色

角色和名称 说明 权限
OSPolicyAssignmentReport Viewer
(roles/osconfig.osPolicyAssignmentReportViewer)
可以查看虚拟机实例的操作系统政策分配报告
  • osconfig.osPolicyAssignmentReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Viewer 角色

角色和名称 说明 权限
OSPolicyAssignment Viewer
(roles/osconfig.osPolicyAssignmentViewer)
操作系统政策分配的查看者
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Admin 角色

角色和名称 说明 权限
PatchDeployment Admin
(roles/osconfig.patchDeploymentAdmin)
拥有对 PatchDeployment 的完整管理员权限
  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Viewer 角色

角色和名称 说明 权限
PatchDeployment Viewer
(roles/osconfig.patchDeploymentViewer)
可以查看 PatchDeployment 资源
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Executor 角色

角色和名称 说明 权限
Patch Job Executor
(roles/osconfig.patchJobExecutor)
有权执行修补作业。
  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Viewer 角色

角色和名称 说明 权限
Patch Job Viewer
(roles/osconfig.patchJobViewer)
获取并列出修补作业。
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS VulnerabilityReport Viewer 角色

角色和名称 说明 权限
OS VulnerabilityReport Viewer
(roles/osconfig.vulnerabilityReportViewer)
操作系统漏洞报告的查看者
  • osconfig.vulnerabilityReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS Administrator role

Details Permissions

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Project

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer role

Details Permissions

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader role

Details Permissions

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Project

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Admin role

Details Permissions

(roles/iam.serviceAccountAdmin)

Create and manage service accounts.

Lowest-level resources where you can grant this role:

  • Service Account

Contains 2 owner permissions

iam.serviceAccounts.create

iam.serviceAccounts.delete

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.setIamPolicy

iam.serviceAccounts.undelete

iam.serviceAccounts.update

resourcemanager.projects.get

resourcemanager.projects.list

Create Service Accounts role

Details Permissions

(roles/iam.serviceAccountCreator)

Access to create service accounts.

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Delete Service Accounts role

Details Permissions

(roles/iam.serviceAccountDeleter)

Access to delete service accounts.

iam.serviceAccounts.delete

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Key Admin role

Details Permissions

(roles/iam.serviceAccountKeyAdmin)

Create and manage (and rotate) service account keys.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccountKeys.*

  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccountKeys.disable
  • iam.serviceAccountKeys.enable
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account OpenID Connect Identity Token Creator role

Details Permissions

(roles/iam.serviceAccountOpenIdTokenCreator)

Create OpenID Connect (OIDC) identity tokens

Contains 1 owner permission

iam.serviceAccounts.getOpenIdToken

Service Account Token Creator role

Details Permissions

(roles/iam.serviceAccountTokenCreator)

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

Lowest-level resources where you can grant this role:

  • Service Account

Contains 5 owner permissions

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

Service Account User role

Details Permissions

(roles/iam.serviceAccountUser)

Run operations as the service account.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

View Service Accounts role

Details Permissions

(roles/iam.serviceAccountViewer)

Read access to service accounts, metadata, and keys.

iam.serviceAccountKeys.get

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Workload Identity User role

Details Permissions

(roles/iam.workloadIdentityUser)

Impersonate service accounts from GKE Workloads

Contains 2 owner permissions

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.list

后续步骤