Permissions that principal access boundary policies block

When a principal tries to access a resource that they aren't eligible to access, a principal access boundary policy blocks them from using certain, but not all, Identity and Access Management (IAM) permissions to access that resource.

If a principal access boundary policy blocks a permission, IAM enforces the policy for that permission. In other words, it prevents any principal who isn't eligible to access a resource from using that permission to access the resource.

If a principal access boundary policy doesn't block a permission, the policy has no effect on whether a principal can use that permission.

IAM periodically adds new principal access boundary enforcement versions that block additional permissions. Each new version also blocks all of the permissions that the previous version blocks.

This page lists the permissions that each enforcement version can block.

For more information about principal access boundary policy version numbers, see the principal access boundary policies overview.

Enforcement version 3

Policies with enforcement version 3 can block all of the permissions listed for the following enforcement versions:

  • Enforcement version 2
  • Enforcement version 1

In addition, policies with enforcement version 3 can block all of the permissions listed in the following table.

Each row contains the following information:

  • The name of the service that has permissions that principal access boundary policies can block.
  • The permissions for that service that principal access boundary policies can block.

    In some cases, part of the permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match the pattern.

  • Exceptions: permissions for the service that principal access boundary policies can't block, even if they match one of the listed permission patterns.

Service, permissions, and exceptions:

Essential Contacts
  • essentialcontacts.googleapis.com/contacts.*

Identity and Access Management
  • iam.googleapis.com/serviceAccounts.*
  • iam.googleapis.com/serviceAccountKeys.*
  • iam.googleapis.com/roles.*
  • iam.googleapis.com/denypolicies.*
  Exceptions:
    • iam.googleapis.com/serviceAccounts.createTagBinding
    • iam.googleapis.com/serviceAccounts.deleteTagBinding
    • iam.googleapis.com/serviceAccounts.listTagBindings
    • iam.googleapis.com/serviceAccounts.listEffectiveTags
    • iam.googleapis.com/serviceAccounts.getCertificateAs

Dataproc
  • dataproc.googleapis.com/autoscalingPolicies.*
  • dataproc.googleapis.com/batches.*
  • dataproc.googleapis.com/operations.*
  • dataproc.googleapis.com/sessionTemplates.*
  • dataproc.googleapis.com/sessions.*
  • dataproc.googleapis.com/workflowTemplates.*
  • dataproc.googleapis.com/clusters.*
  • dataproc.googleapis.com/jobs.*

Service Management
  • servicemanagement.googleapis.com/services.check
  • servicemanagement.googleapis.com/services.report

Bigtable
  • bigtable.googleapis.com/*.*

Cloud Bigtable Admin API
  • bigtableadmin.googleapis.com/*.*

Cloud SQL
  • cloudsql.googleapis.com/*.*

Network Services
  • networkservices.googleapis.com/endpointPolicies.*
  • networkservices.googleapis.com/gateways.*
  • networkservices.googleapis.com/grpcRoutes.*
  • networkservices.googleapis.com/httpfilters.*
  • networkservices.googleapis.com/httpRoutes.*
  • networkservices.googleapis.com/meshes.*
  • networkservices.googleapis.com/route_views.*
  • networkservices.googleapis.com/serviceBindings.*
  • networkservices.googleapis.com/tcpRoutes.*
  • networkservices.googleapis.com/tlsRoutes.*
  • networkservices.googleapis.com/serviceLbPolicies.*

Cloud Service Mesh
  • trafficdirector.googleapis.com/*.*

Network Management API
  • networkmanagement.googleapis.com/*.*

Compute Engine
  • compute.googleapis.com/healthChecks.*
  • compute.googleapis.com/regionHealthChecks.*
  • compute.googleapis.com/httpHealthChecks.*
  • compute.googleapis.com/httpsHealthChecks.*
  • compute.googleapis.com/forwardingRules.*
  • compute.googleapis.com/globalForwardingRules.*
  • compute.googleapis.com/regionBackendServices.*
  • compute.googleapis.com/targetInstances.*
  • compute.googleapis.com/targetPools.*
  • compute.googleapis.com/firewallPolicies.*
  • compute.googleapis.com/firewalls.*
  • compute.googleapis.com/regionFirewallPolicies.*
  • compute.googleapis.com/backendBuckets.*
  • compute.googleapis.com/backendServices.*
  • compute.googleapis.com/regionSslPolicies.*
  • compute.googleapis.com/regionTargetHttpProxies.*
  • compute.googleapis.com/regionTargetTcpProxies.*
  • compute.googleapis.com/regionUrlMaps.*
  • compute.googleapis.com/sslPolicies.*
  • compute.googleapis.com/targetGrpcProxies.*
  • compute.googleapis.com/targetHttpProxies.*
  • compute.googleapis.com/targetHttpsProxies.*
  • compute.googleapis.com/targetSslProxies.*
  • compute.googleapis.com/targetTcpProxies.*
  • compute.googleapis.com/urlMaps.*
  • compute.googleapis.com/addresses.*
  • compute.googleapis.com/globalAddresses.*
  • compute.googleapis.com/networks.*
  • compute.googleapis.com/packetMirrorings.*
  • compute.googleapis.com/publicAdvertisedPrefixes.*
  • compute.googleapis.com/publicDelegatedPrefixes.*
  • compute.googleapis.com/routes.*
  • compute.googleapis.com/subnetworks.*
  • compute.googleapis.com/externalVpnGateways.*
  • compute.googleapis.com/targetVpnGateways.*
  • compute.googleapis.com/vpnGateways.*
  • compute.googleapis.com/interconnectAttachments.*
  • compute.googleapis.com/interconnectLocations.*
  • compute.googleapis.com/interconnectRemoteLocations.*
  • compute.googleapis.com/interconnects.*

Artifact Registry
  • artifactregistry.googleapis.com/*.*

Pub/Sub
  • pubsub.googleapis.com/*.*

Workflows
  • workflows.googleapis.com/*.*

Google Distributed Cloud
  • gkeonprem.googleapis.com/*.*

API Keys
  • apikeys.googleapis.com/apikeys.*
  • apikeys.googleapis.com/keys.*

Cloud DNS
  • dns.googleapis.com/*.*

Datastore
  • datastore.googleapis.com/backupSchedules.*
  • datastore.googleapis.com/databases.*
  • datastore.googleapis.com/indexes.*
  • datastore.googleapis.com/entities.*
  • datastore.googleapis.com/operations.*
  • datastore.googleapis.com/userCreds.*
  • datastore.googleapis.com/backups.get
  • datastore.googleapis.com/backups.list
  • datastore.googleapis.com/backups.delete
  • datastore.googleapis.com/locations.*

Cloud Key Management Service
  • cloudkms.googleapis.com/ekmConfigs.*
  • cloudkms.googleapis.com/keyRings.*
  • cloudkms.googleapis.com/importJobs.*
  • cloudkms.googleapis.com/cryptoKeyVersions.create
  • cloudkms.googleapis.com/cryptoKeyVersions.get
  • cloudkms.googleapis.com/cryptoKeyVersions.list
  • cloudkms.googleapis.com/cryptoKeyVersions.update
  • cloudkms.googleapis.com/cryptoKeyVersions.restore
  • cloudkms.googleapis.com/cryptoKeyVersions.useToEncrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToDecrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToSign
  • cloudkms.googleapis.com/cryptoKeyVersions.useToVerify
  • cloudkms.googleapis.com/cryptoKeyVersions.viewPublicKey
  • cloudkms.googleapis.com/cryptoKeyVersions.destroy
  • cloudkms.googleapis.com/keyHandles.*
  • cloudkms.googleapis.com/autokeyConfigs.*
  Exceptions:
    • cloudkms.googleapis.com/importJobs.useToImport

Organization Policy Service
  • orgpolicy.googleapis.com/*.*

Dataplex Universal Catalog
  • dataplex.googleapis.com/aspectTypes.*
  • dataplex.googleapis.com/datascans.*
  • dataplex.googleapis.com/entries.*
  • dataplex.googleapis.com/entryTypes.*
  • dataplex.googleapis.com/metadataJobs.*
  • dataplex.googleapis.com/entryGroups.import
  • dataplex.googleapis.com/entryGroups.getIamPolicy
  • dataplex.googleapis.com/entryGroups.setIamPolicy
  • dataplex.googleapis.com/entryGroups.create
  • dataplex.googleapis.com/entryGroups.get
  • dataplex.googleapis.com/entryGroups.update
  • dataplex.googleapis.com/entryGroups.delete
  • dataplex.googleapis.com/entryGroups.list
  • dataplex.googleapis.com/entryGroups.useGenericAspect
  • dataplex.googleapis.com/entryGroups.useContactsAspect
  • dataplex.googleapis.com/entryGroups.useOverviewAspect
  • dataplex.googleapis.com/entryGroups.useSchemaAspect
  • dataplex.googleapis.com/entryGroups.useGenericEntry

Data Lineage API
  • datalineage.googleapis.com/locations.*
  • datalineage.googleapis.com/operations.*
  • datalineage.googleapis.com/processes.*
  • datalineage.googleapis.com/runs.*
  • datalineage.googleapis.com/events.*

GKE Hub
  • gkehub.googleapis.com/fleets.*

Cloud Run functions
  • cloudfunctions.googleapis.com/*.*

Spanner
  • spanner.googleapis.com/*.*

Google Kubernetes Engine
  • container.googleapis.com/*.*
Enforcement version 2

Policies with enforcement version 2 can block all of the permissions listed for enforcement version 1. In addition, policies with enforcement version 2 can block all of the permissions listed in the following table.

Each row contains the following information:

  • The name of the service that has permissions that principal access boundary policies can block.
  • The permissions for that service that principal access boundary policies can block.

    In some cases, part of the permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match the pattern.

  • Exceptions: permissions for the service that principal access boundary policies can't block, even if they match one of the listed permission patterns.

Service, permissions, and exceptions:
Access Context Manager
  • accesscontextmanager.googleapis.com/*

Artifact Analysis
  • containeranalysis.googleapis.com/*

BigQuery
  • bigquery.googleapis.com/datasets.*
  • bigquery.googleapis.com/jobs.*
  • bigquery.googleapis.com/models.*
  • bigquery.googleapis.com/routines.*
  • bigquery.googleapis.com/rowAccessPolicies.*
  • bigquery.googleapis.com/tables.*

BigQuery Data Policy
  • bigquerydatapolicy.googleapis.com/*

BigQuery Data Transfer Service
  • bigquerydatatransfer.googleapis.com/transfers.*

Chrome Enterprise Premium
  • beyondcorp.googleapis.com/*

Cloud Asset Inventory
  • cloudasset.googleapis.com/*

Cloud Billing
  • billing.googleapis.com/budgets.*

Cloud Build
  • cloudbuild.googleapis.com/*

Cloud Monitoring
  • monitoring.googleapis.com/*
  Exceptions:
    • monitoring.googleapis.com/timeSeries.list
    • monitoring.googleapis.com/metricsScopes.link

Cloud Service Mesh
  • meshconfig.googleapis.com/*

Cloud Storage
  • storage.googleapis.com/bucketOperations.*
  • storage.googleapis.com/buckets.*
  • storage.googleapis.com/folders.*
  • storage.googleapis.com/hmacKeys.*
  • storage.googleapis.com/managedFolders.*
  • storage.googleapis.com/multipartUploads.*
  • storage.googleapis.com/objects.*

Cloud Trace
  • cloudtrace.googleapis.com/*

Compute Engine
  • compute.googleapis.com/networkAttachments.*
  • compute.googleapis.com/networkEdgeSecurityServices.*
  • compute.googleapis.com/regionSecurityPolicies.*
  • compute.googleapis.com/routers.*
  • compute.googleapis.com/serviceAttachments.*
  • compute.googleapis.com/securityPolicies.*

Firebase Rules
  • firebaserules.googleapis.com/*

GKE Multi-cloud
  • gkemulticloud.googleapis.com/*

Identity-Aware Proxy
  • iap.googleapis.com/*

Memorystore for Redis
  • redis.googleapis.com/*

Network Management API
  • networkmanagement.googleapis.com/*

Network Services API
  • networkservices.googleapis.com/edgeCacheOrigins.*
  • networkservices.googleapis.com/edgeCacheKeysets.*
  • networkservices.googleapis.com/edgeCacheServices.*

reCAPTCHA
  • recaptchaenterprise.googleapis.com/*

Resource Manager
  • cloudresourcemanager.googleapis.com/*
  Exceptions:
    • cloudresourcemanager.googleapis.com/*.createPolicyBinding
    • cloudresourcemanager.googleapis.com/*.updatePolicyBinding
    • cloudresourcemanager.googleapis.com/*.deletePolicyBinding
    • cloudresourcemanager.googleapis.com/*.searchPolicyBindings

Video Stitcher API
  • videostitcher.googleapis.com/*

Enforcement version 1

The following table lists the permissions that principal access boundary policies with enforcement version 1 can block.

Each row contains the following information:

  • The name of the service that has permissions that principal access boundary policies can block.
  • The permissions for that service that principal access boundary policies can block.

    In some cases, part of the permission name is replaced with a wildcard character (*). This format indicates that principal access boundary policies can block all permissions that match the pattern.

  • Exceptions: permissions for the service that principal access boundary policies can't block, even if they match one of the listed permission patterns.

Service, permissions, and exceptions:
Access Approval
  • accessapproval.googleapis.com/serviceaccounts.get
  • accessapproval.googleapis.com/settings.*
  • accessapproval.googleapis.com/requests.list

Access Context Manager
  • accesscontextmanager.googleapis.com/*
  Exceptions:
    • accesscontextmanager.googleapis.com/gcpUserAccessBindings.*

BigQuery
  • bigquery.googleapis.com/datasets.create
  • bigquery.googleapis.com/datasets.delete
  • bigquery.googleapis.com/datasets.get
  • bigquery.googleapis.com/datasets.update
  • bigquery.googleapis.com/datasets.setIamPolicy
  • bigquery.googleapis.com/jobs.get
  • bigquery.googleapis.com/jobs.create
  • bigquery.googleapis.com/jobs.delete
  • bigquery.googleapis.com/jobs.list
  • bigquery.googleapis.com/models.create
  • bigquery.googleapis.com/models.delete
  • bigquery.googleapis.com/models.list
  • bigquery.googleapis.com/models.updateMetadata
  • bigquery.googleapis.com/routines.create
  • bigquery.googleapis.com/routines.delete
  • bigquery.googleapis.com/routines.list
  • bigquery.googleapis.com/routines.update

Binary Authorization
  • binaryauthorization.googleapis.com/*

Cloud Logging
  • logging.googleapis.com/logEntries.create
  • logging.googleapis.com/logMetrics.*

Cloud Run
  • run.googleapis.com/authorizeddomains.*
  • run.googleapis.com/configurations.get
  • run.googleapis.com/configurations.list
  • run.googleapis.com/domainmappings.*
  • run.googleapis.com/executions.*
  • run.googleapis.com/jobs.create
  • run.googleapis.com/jobs.delete
  • run.googleapis.com/jobs.get
  • run.googleapis.com/jobs.list
  • run.googleapis.com/jobs.run
  • run.googleapis.com/revisions.*
  • run.googleapis.com/routes.get
  • run.googleapis.com/routes.list
  • run.googleapis.com/services.create
  • run.googleapis.com/services.delete
  • run.googleapis.com/services.get
  • run.googleapis.com/services.list
  • run.googleapis.com/services.update
  • run.googleapis.com/tasks.*

Cloud Storage
  • storage.googleapis.com/buckets.get
  • storage.googleapis.com/buckets.update
  • storage.googleapis.com/buckets.list
  • storage.googleapis.com/buckets.getIamPolicy
  • storage.googleapis.com/buckets.setIamPolicy
  • storage.googleapis.com/hmacKeys.update
  • storage.googleapis.com/objects.get
  • storage.googleapis.com/objects.setRetention
  • storage.googleapis.com/objects.delete

Dataflow
  • dataflow.googleapis.com/jobs.*
  • dataflow.googleapis.com/metrics.get
  • dataflow.googleapis.com/workItems.*
  • dataflow.googleapis.com/messages.list
  • dataflow.googleapis.com/snapshots.list
  Exceptions:
    • dataflow.googleapis.com/jobs.snapshot

Datastore
  • datastore.googleapis.com/databases.get
  • datastore.googleapis.com/databases.getMetadata
  • datastore.googleapis.com/databases.create
  • datastore.googleapis.com/databases.delete
  • datastore.googleapis.com/databases.list

Firebase Security Rules
  • firebaserules.googleapis.com/*

GKE Hub
  • gkehub.googleapis.com/features.*
  • gkehub.googleapis.com/fleet.create
  • gkehub.googleapis.com/fleet.get
  • gkehub.googleapis.com/fleet.patch
  • gkehub.googleapis.com/locations.*
  • gkehub.googleapis.com/membershipbindings.*
  • gkehub.googleapis.com/memberships.*
  • gkehub.googleapis.com/rbacrolebindings.*
  • gkehub.googleapis.com/scopes.*
  Exceptions:
    • gkehub.googleapis.com/*.createTagBinding
    • gkehub.googleapis.com/*.deleteTagBinding
    • gkehub.googleapis.com/*.listEffectiveTags
    • gkehub.googleapis.com/*.listTagBindings

Pub/Sub
  • pubsub.googleapis.com/*
  Exceptions:
    • pubsub.googleapis.com/schemas.delete
    • pubsub.googleapis.com/schemas.validate
    • pubsub.googleapis.com/subscriptions.consume
    • pubsub.googleapis.com/*.getIamPolicy
    • pubsub.googleapis.com/*.setIamPolicy

Memorystore for Redis
  • redis.googleapis.com/instances.create
  • redis.googleapis.com/instances.delete
  • redis.googleapis.com/instances.get
  • redis.googleapis.com/instances.failover
  • redis.googleapis.com/instances.getAuthString
  • redis.googleapis.com/instances.list
  • redis.googleapis.com/instances.upgrade
  • redis.googleapis.com/instances.update

Vertex AI
  • aiplatform.googleapis.com/*
  Exceptions:
    • aiplatform.googleapis.com/operations.*
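The three rules this page states (each enforcement version is cumulative over the previous ones, a `*` in a pattern stands for part of the permission name, and an exception is never blocked even when it matches a pattern) can be applied mechanically to answer "does a policy at version N fence off permission X, and which version do I need for it to do so?". The following Python evaluator is an added example and not code from the Google Cloud documentation or from IAM itself. The table it consults is a small, hand-picked subset of the rows above, constructed for the example, and it assumes that an exception is scoped to the row it is listed with; the page does not say whether a broader pattern in a later version overrides an earlier version's exception, so that scoping is an assumption, not a documented rule.

```python
"""Evaluate the "permissions blocked per enforcement version" semantics.

Added example; not part of the Google Cloud documentation. The table below
is a constructed subset of the page's rows, chosen to exercise cumulative
versions, wildcard patterns and exceptions.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, NamedTuple, Optional


class Row(NamedTuple):
    """One table row: a service, the patterns it blocks, and the exceptions
    that those patterns never block."""
    service: str
    patterns: List[str]
    exceptions: List[str]


# Constructed subset of the page's tables: enforcement version -> rows.
BLOCK_TABLE: Dict[int, List[Row]] = {
    1: [
        Row("Access Context Manager",
            ["accesscontextmanager.googleapis.com/*"],
            ["accesscontextmanager.googleapis.com/gcpUserAccessBindings.*"]),
        Row("Cloud Storage",
            ["storage.googleapis.com/objects.get",
             "storage.googleapis.com/objects.delete"],
            []),
    ],
    2: [
        Row("Cloud Storage",
            ["storage.googleapis.com/objects.*",
             "storage.googleapis.com/buckets.*"],
            []),
        Row("Cloud Monitoring",
            ["monitoring.googleapis.com/*"],
            ["monitoring.googleapis.com/timeSeries.list",
             "monitoring.googleapis.com/metricsScopes.link"]),
    ],
    3: [
        Row("Identity and Access Management",
            ["iam.googleapis.com/serviceAccounts.*",
             "iam.googleapis.com/serviceAccountKeys.*"],
            ["iam.googleapis.com/serviceAccounts.createTagBinding",
             "iam.googleapis.com/serviceAccounts.deleteTagBinding",
             "iam.googleapis.com/serviceAccounts.listTagBindings",
             "iam.googleapis.com/serviceAccounts.listEffectiveTags"]),
        Row("Cloud Key Management Service",
            ["cloudkms.googleapis.com/importJobs.*"],
            ["cloudkms.googleapis.com/importJobs.useToImport"]),
    ],
}


def _matches(pattern: str, permission: str) -> bool:
    """A '*' in a pattern stands for any run of characters in the name;
    every other character must match literally (fnmatch treats '.' literally)."""
    return fnmatchcase(permission, pattern)


class Verdict(NamedTuple):
    blocked: bool
    version: Optional[int]   # version whose row blocks it, None if not blocked
    pattern: Optional[str]   # the pattern that matched, None if not blocked


def evaluate(permission: str, enforcement_version: int) -> Verdict:
    """Decide whether a policy at `enforcement_version` blocks `permission`.

    Versions are cumulative, so every row from version 1 up to the requested
    version is consulted, lowest version first. An exception is scoped to the
    row it is listed with (assumption, see the lead-in): a row whose
    exceptions match the permission can never be the row that blocks it."""
    for version in sorted(v for v in BLOCK_TABLE if v <= enforcement_version):
        for row in BLOCK_TABLE[version]:
            if any(_matches(exc, permission) for exc in row.exceptions):
                continue
            for pattern in row.patterns:
                if _matches(pattern, permission):
                    return Verdict(True, version, pattern)
    return Verdict(False, None, None)


def is_blocked(permission: str, enforcement_version: int) -> bool:
    return evaluate(permission, enforcement_version).blocked


def minimum_blocking_version(permission: str) -> Optional[int]:
    """Lowest enforcement version at which `permission` is blocked, or None
    if no listed version blocks it. This is the question to ask before
    relying on a principal access boundary policy to fence off a permission."""
    for version in sorted(BLOCK_TABLE):
        if is_blocked(permission, version):
            return version
    return None


if __name__ == "__main__":
    for perm in ("storage.googleapis.com/objects.create",
                 "iam.googleapis.com/serviceAccounts.actAs",
                 "monitoring.googleapis.com/timeSeries.list",
                 "compute.googleapis.com/instances.get"):
        print(f"{perm}: minimum blocking version = {minimum_blocking_version(perm)}")
```

The practical lesson the evaluator makes visible is that a policy at version 1 does nothing for a permission that only appears in a later version's table (objects.create is blocked at version 2 but not at version 1), and that an exception such as timeSeries.list stays usable at every version, so a boundary policy must not be the only control relied on for those permissions.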