名称
gdcloud iam roles - 管理项目或组织的自定义角色。
摘要
gdcloud iam roles COMMAND [flags]
说明
管理项目或组织的自定义角色。此命令提供了一种统一的方式来操作自定义角色,让您可以定义具有自定义访问权限级别的角色。
示例
To create an organization-level custom role with specific permissions, run:
gdcloud iam roles create org-viewer --scope=organization --title="Organization Viewer" --description="Grants read-only access to storage buckets and compute instances at the organization level" --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list --stage=<BETA|GA|ALPHA>
To create a project-level custom role for deploying resources in specific project namespaces, run:
gdcloud iam roles create project-resource-manager --scope=project --title="Project Resource Manager" --description="Allows managing compute instances and disks within specific projects" --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --stage=<BETA|GA|ALPHA> --projects=project-id-1,project-id-2...
To create a project-level custom role applicable to all projects, run:
gdcloud iam roles create project-instance-operator --scope=project --title="Project Instance Operator" --description=""Grants permissions to start and stop compute instances across all projects" --permissions=admin:compute:instances.start,admin:compute:instances.stop --stage=<BETA|GA|ALPHA>
To create a custom role in a specific system namespace, run:
gdcloud iam roles create iam-role-manager --scope=organization --title="IAM Role Manager" --description="Allows creating and updating IAM roles" --permissions=iamAdmin:iam:roles:create,iamAdmin:iam:roles:update --stage=<BETA|GA|ALPHA> --namespace=<namespace-name>
To create a custom role from a YAML configuration file, run:
gdcloud iam roles create my_role --file=ROLE_FILE
To describe a role at organization scope, run:
gdcloud iam roles describe org-role
To describe a role at project scope, run:
gdcloud iam roles describe project-role --project my-project
To delete a custom role at organization scope, run:
gdcloud iam roles delete org-role
To delete a custom role at project scope, run:
gdcloud iam roles delete project-role --project my-project
To update an organization-level custom role with specific permissions, run:
gdcloud iam roles update org-viewer --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list
To update a project-level custom role for deploying resources in specific project namespaces, run:
gdcloud iam roles update project-resource-manager --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --projects=project-id-1,project-id-2
To update a project-level custom role applicable to all projects, run:
gdcloud iam roles update project-instance-operator --permissions=admin:compute:instances.start,admin:compute:instances.stop
To update title and description of a custom role, run:
gdcloud iam roles update org-viewer --title="Organization Viewer v2" --description="Grants read-only access to storage buckets and compute instances at the organization level v2"
To add additional projects to an existing project-level custom role, run:
gdcloud iam roles update project-resource-manager --projects=project-id-3,project-id-4
To update a custom role from a YAML configuration file, run:
gdcloud iam roles update my_role --file=ROLE_FILE
To list all roles, run:
gdcloud iam roles list
To list predefined roles, run:
gdcloud iam roles list --type=predefined
To list custom roles, run:
gdcloud iam roles list --type=custom
To list all roles for a specific project, run:
gdcloud iam roles list --project=my-project
To list predefined roles for a specific project, run:
gdcloud iam roles list --type=predefined --project=my-project
To list custom roles for a specific project, run:
gdcloud iam roles list --type=custom --project=my-project
GDCLOUD 全局标志
以下标志适用于所有命令:--help。
如需了解详情,请参阅 gdcloud CLI 参考概览页面。
命令
COMMAND 是以下值之一:
create
Create a custom role.
delete
Delete a custom role.
describe
Describe a role[custom/predefined].
list
List roles[custom/predefined/all].
update
Update a custom role.