Auf dieser Seite werden IAM-Rollen beschrieben und die vordefinierten Rollen aufgelistet, die Sie Ihren Hauptkonten zuweisen können.
Eine Rolle enthält eine Reihe von Berechtigungen, mit denen Sie bestimmte Aktionen für Google Cloud-Ressourcen vornehmen können. Wenn Sie Hauptkonten Berechtigungen erteilen möchten, einschließlich Nutzern, Gruppen und Dienstkonten, weisen Sie den Hauptkonten Rollen zu.
Voraussetzungen für diese Anleitung
- Machen Sie sich mit den grundlegenden Konzepten von IAM vertraut
Rollentypen
Es gibt drei Arten von Rollen in IAM:
- Einfache Rollen, zu denen die Rollen "Inhaber", "Bearbeiter" und "Betrachter" gehören und die es schon vor der Einführung von IAM gab.
- Vordefinierte Rollen, die detaillierten Zugriff auf einen bestimmten Dienst bieten und von Google Cloud verwaltet werden.
- Benutzerdefinierte Rollen, die detaillierten Zugriff gemäß einer vom Nutzer angegebenen Liste von Berechtigungen bieten.
Mit einer der folgenden Methoden können Sie ermitteln, ob eine Berechtigung in einer einfachen, vordefinierten oder benutzerdefinierten Rolle enthalten ist:
- Führen Sie den Befehl
gcloud iam roles describe
aus, um die Berechtigungen der Rolle aufzulisten: - Rufen Sie die REST API-Methode
roles.get()
auf, um die Berechtigungen in der Rolle aufzulisten. - Nur für einfache und vordefinierte Rollen: Suchen Sie in der Berechtigungsreferenz, ob die Berechtigung von der Rolle gewährt wird.
- Nur für vordefinierte Rollen: Suchen Sie auf dieser Seite in den vordefinierten Rollenbeschreibungen, um zu sehen, welche Berechtigungen die Rolle enthält.
In den folgenden Abschnitten werden die einzelnen Rollentypen beschrieben und Beispiele für deren Verwendung gegeben.
Einfache Rollen
Vor der Einführung von IAM gab es mehrere einfache Rollen: "Inhaber", "Bearbeiter" und "Betrachter". Diese Rollen sind konzentrisch, was bedeutet, dass die Inhaberrolle die Berechtigungen der Bearbeiterrolle und die Bearbeiterrolle die Berechtigungen der Betrachterrolle beinhaltet. Sie wurden ursprünglich als „einfache Rollen“ bezeichnet.
In der folgenden Tabelle sind die Berechtigungen zusammengefasst, die die einfachen Rollen in allen Google Cloud-Diensten enthalten:
Definitionen für einfache Rollen
Name | Titel | Berechtigungen |
---|---|---|
roles/viewer |
Betrachter | Berechtigungen für schreibgeschützte Aktionen, die sich nicht auf den Status auswirken, z. B. Anzeigen (aber nicht Ändern) vorhandener Ressourcen oder Daten |
roles/editor |
Bearbeiter | Alle Berechtigungen des Betrachters sowie Berechtigungen für Aktionen, durch die der Status geändert wird, z. B. das Ändern vorhandener Ressourcen Hinweis: Die Bearbeiterrolle enthält Berechtigungen zum Erstellen und Löschen von Ressourcen für die meisten Google Cloud-Dienste. Es enthält jedoch nicht die Berechtigung, sämtliche Aktionen für alle Dienste auszuführen. Weitere Informationen dazu, wie Sie prüfen können, ob eine Rolle die erforderlichen Berechtigungen hat, finden Sie auf dieser Seite unter Rollentypen.
|
roles/owner |
Inhaber | Alle Berechtigungen des Bearbeiters und Berechtigungen für die folgenden Aktionen:
Hinweis:
|
Sie können einfache Rollen mit der Google Cloud Console, der API und der gcloud-Befehlszeile zuweisen. Informationen zum Zuweisen einfacher Rollen für ein Projekt, einen Ordner oder eine Organisation finden Sie unter Zugriff auf Projekte, Ordner und Organisationen verwalten. Informationen zum Zuweisen einfacher Rollen für andere Ressourcen finden Sie unter Zugriff auf andere Ressourcen verwalten.
Vordefinierte Rollen
Zusätzlich zu den einfachen Rollen bietet IAM weitere vordefinierte Rollen, die detaillierten Zugriff auf bestimmte Ressourcen von Google Cloud ermöglichen und unerwünschten Zugriff auf andere Ressourcen verhindern. Vordefinierte Rollen werden von Google erstellt und verwaltet. Google aktualisiert seine Berechtigungen bei Bedarf automatisch, z. B. wenn Google Cloud neue Features oder Dienste hinzufügt.
Die folgende Tabelle enthält diese Rollen, ihre Beschreibung und den Ressourcentyp der untersten Ebene, für den Rollen festgelegt werden. Eine bestimmte Rolle kann diesem Ressourcentyp oder in den meisten Fällen einem übergeordneten Typ in der Google Cloud-Ressourcen-Hierarchie zugewiesen werden.
Sie können demselben Nutzer auf jeder Ebene der Ressourcenhierarchie mehrere Rollen zuweisen. Zum Beispiel kann ein Nutzer die Rollen "Compute-Netzwerkadministrator" und "Logbetrachter" für ein Projekt und auch die Rolle "Pub/Sub-Publisher" für ein Pub/Sub-Thema in diesem Projekt haben. Informationen zum Auflisten der in einer Rolle enthaltenen Berechtigungen finden Sie unter Rollenmetadaten abrufen.
Informationen zur Auswahl der am besten geeigneten vordefinierten Rollen finden Sie unter Vordefinierte Rollen auswählen.
Rollen zur Zugriffsgenehmigung
Rolle | Berechtigungen |
---|---|
Genehmiger für Zugriffsgenehmigungen( Kann Anfragen für Zugriffsgenehmigungen ansehen und bearbeiten sowie Konfigurationen ansehen |
accessapproval.requests.*
accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Bearbeiter der Zugriffsgenehmigungskonfiguration( Kann die Zugriffsgenehmigungskonfiguration aktualisieren |
accessapproval. accessapproval.settings.*
resourcemanager.projects.get resourcemanager.projects.list |
Annullierfunktion für die Zugriffsgenehmigung( Funktion zur Annullierung bereits genehmigter Genehmigungsanfragen |
accessapproval. accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Zugriffsgenehmigungsbetrachter( Kann Anfragen für Zugriffsgenehmigungen und Konfigurationen ansehen |
accessapproval.requests.get accessapproval.requests.list accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager-Rollen
Role | Permissions |
---|---|
Cloud Access Binding Admin( Create, edit, and change Cloud access bindings. |
accesscontextmanager.
|
Cloud Access Binding Reader( Read access to Cloud access bindings. |
accesscontextmanager. accesscontextmanager. |
Access Context Manager Admin( Full access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Editor( Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Reader( Read access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
VPC Service Controls Troubleshooter Viewer(
|
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Actions-Rollen
Role | Permissions |
---|---|
Actions Admin( Access to edit and deploy an action |
actions.*
firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Actions Viewer( Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
AI Notebooks-Rollen
Role | Permissions |
---|---|
Notebooks Admin( Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Admin( Full access to Notebooks all resources through compute API. |
compute.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Viewer( Read-only access to Notebooks all resources through compute API. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Runner( Restricted access for running scheduled Notebooks. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Viewer( Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
AI Platform-Rollen
Role | Permissions |
---|---|
AI Platform Admin( Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role:
|
ml.*
resourcemanager.projects.get |
AI Platform Developer( Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role:
|
ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.*
ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.*
ml.trials.*
ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
AI Platform Job Owner( Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role:
|
ml.jobs.*
|
AI Platform Model Owner( Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role:
|
ml.models.*
ml.versions.*
|
AI Platform Model User( Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role:
|
ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
AI Platform Operation Owner( Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role:
|
ml.operations.*
|
AI Platform Viewer( Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role:
|
ml.jobs.get ml.jobs.list ml.locations.*
ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get |
Analytics Hub-Rollen
Role | Permissions |
---|---|
Analytics Hub Admin( Administer Data Exchanges and Listings |
analyticshub. analyticshub. analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. analyticshub.subscriptions.*
resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Listing Admin( Grants full control over the Listing, including updating, deleting and setting ACLs |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Publisher( Can publish to Data Exchanges thus creating Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscriber( Can browse Data Exchanges and subscribe to Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscription Owner( Grants full control over the Subscription, including updating and deleting |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub.subscriptions.*
resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Viewer( Can browse Data Exchanges and Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Android Management-Rollen
Role | Permissions |
---|---|
Android Management User( Full access to manage devices. |
androidmanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Anthos Multi-Cloud-Rollen
Role | Permissions |
---|---|
Anthos Multi-cloud Admin( Admin access to Anthos Multi-cloud resources. |
gkemulticloud.*
resourcemanager.projects.get resourcemanager.projects.list |
Anthos Multi-cloud Telemetry Writer( Grant access to write cluster telemetry data such as logs, metrics, and resource metadata. |
logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring.
monitoring.
monitoring.timeSeries.create opsconfigmonitoring. |
Anthos Multi-cloud Viewer( Viewer access to Anthos Multi-cloud resources. |
gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud. gkemulticloud. gkemulticloud.azureClients.get gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
API-Gateway-Rollen
Role | Permissions |
---|---|
ApiGateway Admin( Full access to ApiGateway and related resources. |
apigateway.*
monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
ApiGateway Viewer( Read-only access to ApiGateway and related resources. |
apigateway.apiconfigs.get apigateway. apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway. apigateway.gateways.list apigateway.locations.*
apigateway.operations.get apigateway.operations.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
Apigee-Rollen
Role | Permissions |
---|---|
Apigee Organization Admin( Full access to all apigee resource features |
apigee.*
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Analytics Agent( Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
apigee.datalocation.get apigee. apigee.runtimeconfigs.get |
Apigee Analytics Editor( Analytics editor for an Apigee Organization |
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.*
apigee.reports.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee Analytics Viewer( Analytics viewer for an Apigee Organization |
apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Admin( Full read/write access to all apigee API resources |
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Reader( Reader of apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee. apigee.sharedflowrevisions.get apigee. apigee. apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Developer Admin( Developer admin of apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.
apigee.developers.*
apigee.
apigee.entitlements.get apigee.environments.get |