当主账号尝试访问其无权访问的资源时,主账号访问权限边界政策会阻止其使用某些(但不是所有)Identity and Access Management (IAM) 权限来访问该资源。
如果主账号访问边界政策阻止某项权限,IAM 会针对该权限强制执行主账号访问边界政策。换言之,它会阻止任何不符合访问资源条件的主账号使用该权限访问资源。
如果主账号访问权限边界政策不会阻止某项权限,则主账号访问权限边界政策对主账号能否使用该权限没有任何影响。
IAM 会定期添加新的主账号访问边界强制执行版本,以阻止额外的权限。每个新版本还可以屏蔽上一个版本中的所有权限。
本页面列出了每个强制执行版本可以屏蔽的权限。
如需详细了解主账号访问权限边界政策版本号,请参阅主账号访问权限边界政策概览。
强制执行版本 1
下表列出了具有强制执行版本 1
的主账号访问边界政策可以阻止的权限。
每行都包含以下信息:
服务 |
权限 |
异常 |
Access Approval |
- accessapproval.googleapis.com/serviceaccounts.get
- accessapproval.googleapis.com/settings.*
- accessapproval.googleapis.com/requests.list
|
无
|
Access Context Manager |
- accesscontextmanager.googleapis.com/*
|
- accesscontextmanager.googleapis.com/gcpUserAccessBindings.*
|
Vertex AI |
- aiplatform.googleapis.com/*
|
- aiplatform.googleapis.com/operations.*
|
BigQuery |
- bigquery.googleapis.com/datasets.create
- bigquery.googleapis.com/datasets.delete
- bigquery.googleapis.com/datasets.get
- bigquery.googleapis.com/datasets.update
- bigquery.googleapis.com/datasets.setIamPolicy
- bigquery.googleapis.com/jobs.get
- bigquery.googleapis.com/jobs.create
- bigquery.googleapis.com/jobs.delete
- bigquery.googleapis.com/jobs.list
- bigquery.googleapis.com/models.create
- bigquery.googleapis.com/models.delete
- bigquery.googleapis.com/models.list
- bigquery.googleapis.com/models.updateMetadata
- bigquery.googleapis.com/routines.create
- bigquery.googleapis.com/routines.delete
- bigquery.googleapis.com/routines.list
- bigquery.googleapis.com/routines.update
|
无 |
Binary Authorization |
- binaryauthorization.googleapis.com/*
|
无 |
Dataflow |
- dataflow.googleapis.com/jobs.*
- dataflow.googleapis.com/metrics.get
- dataflow.googleapis.com/workItems.*
- dataflow.googleapis.com/messages.list
- dataflow.googleapis.com/snapshots.list
|
- dataflow.googleapis.com/jobs.snapshot
|
Datastore |
- datastore.googleapis.com/databases.get
- datastore.googleapis.com/databases.getMetadata
- datastore.googleapis.com/databases.create
- datastore.googleapis.com/databases.delete
- datastore.googleapis.com/databases.list
|
无 |
Firebase 安全规则 |
- firebaserules.googleapis.com/*
|
无 |
GKE Hub |
- gkehub.googleapis.com/features.*
- gkehub.googleapis.com/fleet.create
- gkehub.googleapis.com/fleet.get
- gkehub.googleapis.com/fleet.patch
- gkehub.googleapis.com/locations.*
- gkehub.googleapis.com/membershipbindings.*
- gkehub.googleapis.com/memberships.*
- gkehub.googleapis.com/rbacrolebindings.*
- gkehub.googleapis.com/scopes.*
|
- 以
createTagBinding 结尾的权限
- 以
deleteTagBinding 结尾的权限
- 以
listEffectiveTags 结尾的权限
- 以
listTagBindings 结尾的权限
|
Cloud Logging |
- logging.googleapis.com/logEntries.create
- logging.googleapis.com/logMetrics.*
|
无 |
Pub/Sub |
|
- pubsub.googleapis.com/schemas.delete
- pubsub.googleapis.com/schemas.validate
- pubsub.googleapis.com/subscriptions.consume
- 以
getIamPolicy 结尾的权限
- 以
setIamPolicy 结尾的权限
|
Memorystore for Redis |
- redis.googleapis.com/instances.create
- redis.googleapis.com/instances.delete
- redis.googleapis.com/instances.get
- redis.googleapis.com/instances.failover
- redis.googleapis.com/instances.getAuthString
- redis.googleapis.com/instances.list
- redis.googleapis.com/instances.upgrade
- redis.googleapis.com/instances.update
|
无 |
Cloud Run |
- run.googleapis.com/authorizeddomains.*
- run.googleapis.com/configurations.get
- run.googleapis.com/configurations.list
- run.googleapis.com/domainmappings.*
- run.googleapis.com/executions.*
- run.googleapis.com/jobs.create
- run.googleapis.com/jobs.delete
- run.googleapis.com/jobs.get
- run.googleapis.com/jobs.list
- run.googleapis.com/jobs.run
- run.googleapis.com/revisions.*
- run.googleapis.com/routes.get
- run.googleapis.com/routes.list
- run.googleapis.com/services.create
- run.googleapis.com/services.delete
- run.googleapis.com/services.get
- run.googleapis.com/services.list
- run.googleapis.com/services.update
- run.googleapis.com/tasks.*
|
无 |
Cloud Storage |
- storage.googleapis.com/buckets.get
- storage.googleapis.com/buckets.update
- storage.googleapis.com/buckets.list
- storage.googleapis.com/buckets.getIamPolicy
- storage.googleapis.com/buckets.setIamPolicy
- storage.googleapis.com/hmacKeys.update
- storage.googleapis.com/objects.get
- storage.googleapis.com/objects.setRetention
- storage.googleapis.com/objects.delete
|
无 |