This page describes IAM roles and lists the predefined roles that you can grant to your principals.
A role contains a set of permissions that lets you perform specific actions on Google Cloud resources. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals.
Prerequisite for this guide
- Understand the basic concepts of Cloud IAM
Role types
There are three types of roles in IAM:
- Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
- Predefined roles, which provide granular access to a specific service and are managed by Google Cloud.
- Custom roles, which provide granular access according to a user-specified list of permissions.
To determine whether a permission is included in a basic, predefined, or custom role, you can use one of the following methods:
- Run the gcloud iam roles describe command to list the permissions in the role.
- Call the roles.get() REST API method to list the permissions in the role.
- For basic and predefined roles only: search the permissions reference documentation to see whether the permission is granted by the role.
- For predefined roles only: search the predefined role descriptions on this page to see which permissions the role includes.
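The check described in the list above, as an added example that is not part of the original page: it reads role objects in the JSON shape returned by gcloud iam roles describe ROLE --format=json or roles.get(), reports which roles include a permission, and goes one step further by picking the role that covers a required set with the fewest extra permissions. The sample data is constructed from the AI Platform tables on this page; the role IDs are supplied here because the tables show only titles, and the custom role and all function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: role objects in the shape returned by
# `gcloud iam roles describe ROLE --format=json` / roles.get().
# Permission lists are copied from the AI Platform tables on this page.
# Entries such as "ml.models.*" are the tables' shorthand (the API returns
# expanded names), and the Viewer's "ml.locations.*" row is left out.
SAMPLE_ROLES_JSON = """
[
  {"name": "roles/ml.modelUser", "title": "AI Platform Model User",
   "includedPermissions": ["ml.models.get", "ml.models.predict",
     "ml.versions.get", "ml.versions.list", "ml.versions.predict"]},
  {"name": "roles/ml.viewer", "title": "AI Platform Viewer",
   "includedPermissions": ["ml.jobs.get", "ml.jobs.list", "ml.models.get",
     "ml.models.list", "ml.operations.get", "ml.operations.list",
     "ml.projects.getConfig", "ml.studies.get", "ml.studies.getIamPolicy",
     "ml.studies.list", "ml.trials.get", "ml.trials.list",
     "ml.versions.get", "ml.versions.list", "resourcemanager.projects.get"]},
  {"name": "roles/ml.modelOwner", "title": "AI Platform Model Owner",
   "includedPermissions": ["ml.models.*", "ml.versions.*"]},
  {"name": "projects/example-project/roles/emptyCustomRole",
   "title": "Hypothetical custom role with no permissions yet"}
]
"""


def load_roles(text):
    """Map role name -> frozenset of its permission entries."""
    roles = {}
    for role in json.loads(text):
        # A role without permissions may omit includedPermissions entirely.
        roles[role["name"]] = frozenset(role.get("includedPermissions", []))
    return roles


def grants(entries, permission):
    """True if an entry equals the permission or is a '.*' shorthand covering it."""
    return any(fnmatchcase(permission, entry) for entry in entries)


def roles_granting(roles, permission):
    """Sorted names of every role that includes the permission."""
    return sorted(name for name, entries in roles.items()
                  if grants(entries, permission))


def has_wildcard(entries):
    return any("*" in entry for entry in entries)


def narrowest_role(roles, required):
    """Return (name, extras) for the role that covers every required
    permission with the fewest additional ones, or None if no single
    role covers the set.

    Roles that still contain wildcard shorthand are skipped: their real
    size is unknown until the list is expanded with roles.get().
    """
    required = set(required)
    best = None
    for name, entries in sorted(roles.items()):
        if has_wildcard(entries):
            continue
        if not all(grants(entries, p) for p in required):
            continue
        extras = sorted(entries - required)
        if best is None or len(extras) < len(best[1]):
            best = (name, extras)
    return best


if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_JSON)
    print("ml.models.predict is granted by:",
          roles_granting(roles, "ml.models.predict"))
    need = {"ml.models.get", "ml.versions.list"}
    print("narrowest role for", sorted(need), "->",
          narrowest_role(roles, need))
```

Against live data, replace the sample with the concatenated JSON output of gcloud iam roles describe for each candidate role; that output is already expanded, so no role is skipped for wildcards.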
The following sections describe each role type and give examples of how to use them.
Basic roles
The basic roles are three roles that existed prior to the launch of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role in turn includes the permissions in the Viewer role. They were originally known as "primitive roles".
The following table summarizes the permissions that the basic roles include across all Google Cloud services:
Basic role definitions
Name | Title | Permissions |
---|---|---|
roles/viewer | Viewer | Permissions for read-only actions that do not affect the state of the project, such as viewing (but not modifying) existing resources or data. |
roles/editor | Editor | All permissions granted to the Viewer role, plus permissions for actions that modify the state of the project, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. To learn how to check whether a role has the permissions you need, see the Role types section on this page. |
roles/owner | Owner | All permissions granted to the Editor role, plus permissions for the following actions: Note: |
You can grant basic roles with the Google Cloud console, the API, and the gcloud CLI. To grant basic roles on a project, folder, or organization, see Manage access to projects, folders, and organizations. To grant basic roles on other resources, see Manage access to other resources.
Predefined roles
In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, for example when Google Cloud adds new features or services.
The following tables list these roles, their descriptions, and the lowest-level resource type on which each role can be set. A particular role can be granted on that resource type or, in most cases, on any type above it in the Google Cloud resource hierarchy.
You can grant multiple roles to the same user, at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.
For help choosing the most appropriate predefined roles, see Choose predefined roles.
Access Approval roles
Role | Permissions |
---|---|
Access Approval Approver( Ability to view or act on access approval requests and view configuration. |
accessapproval.requests.*
accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Config Editor( Ability to update the Access Approval configuration |
accessapproval. accessapproval.settings.*
resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Invalidator( Ability to invalidate existing approved approval requests |
accessapproval. accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Viewer( Ability to view access approval requests and configuration |
accessapproval.requests.get accessapproval.requests.list accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager roles
Role | Permissions |
---|---|
Cloud Access Binding Admin( Create, edit, and change Cloud access bindings. |
accesscontextmanager.
|
Cloud Access Binding Reader( Read access to Cloud access bindings. |
accesscontextmanager. accesscontextmanager. |
Access Context Manager Admin( Full access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Editor( Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Reader( Read access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
VPC Service Controls Troubleshooter Viewer(
|
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Actions roles
Role | Permissions |
---|---|
Actions Admin( Access to edit and deploy an action |
actions.*
firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Actions Viewer( Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
AI Notebooks roles
Role | Permissions |
---|---|
Notebooks Admin( Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Admin( Full access to Notebooks all resources through compute API. |
compute.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Viewer( Read-only access to Notebooks all resources through compute API. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Runner( Restricted access for running scheduled Notebooks. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Viewer( Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
AI Platform roles
Role | Permissions |
---|---|
AI Platform Admin: Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role: | ml.* resourcemanager.projects.get |
AI Platform Developer: Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role: | ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
AI Platform Job Owner: Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role: | ml.jobs.* |
AI Platform Model Owner: Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role: | ml.models.* ml.versions.* |
AI Platform Model User: Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role: | ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
AI Platform Operation Owner: Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role: | ml.operations.* |
AI Platform Viewer: Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role: | ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get |
Analytics Hub roles
Role | Permissions |
---|---|
Analytics Hub Admin: Administer Data Exchanges and Listings | analyticshub. analyticshub. analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. analyticshub.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Listing Admin: Grants full control over the Listing, including updating, deleting and setting ACLs | analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Publisher: Can publish to Data Exchanges thus creating Listings | analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscriber: Can browse Data Exchanges and subscribe to Listings | analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscription Owner: Grants full control over the Subscription, including updating and deleting | analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Viewer: Can browse Data Exchanges and Listings | analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Android Management roles
Role | Permissions |
---|---|
Android Management User: Full access to manage devices. | androidmanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Anthos Multi-cloud roles
Role | Permissions |
---|---|
Anthos Multi-cloud Admin: Admin access to Anthos Multi-cloud resources. | gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list |
Anthos Multi-cloud Telemetry Writer: Grant access to write cluster telemetry data such as logs, metrics, and resource metadata. | logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create opsconfigmonitoring. |
Anthos Multi-cloud Viewer: Viewer access to Anthos Multi-cloud resources. | gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud. gkemulticloud. gkemulticloud.azureClients.get gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
API Gateway roles
Role | Permissions |
---|---|
ApiGateway Admin: Full access to ApiGateway and related resources. | apigateway.* monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
ApiGateway Viewer: Read-only access to ApiGateway and related resources. | apigateway.apiconfigs.get apigateway. apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway. apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
Apigee roles
Role | Permissions |
---|---|
Apigee Organization Admin: Full access to all apigee resource features | apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Analytics Agent: Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization | apigee.datalocation.get apigee. apigee.runtimeconfigs.get |
Apigee Analytics Editor: Analytics editor for an Apigee Organization | apigee.datacollectors.* apigee.datastores.* apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Analytics Viewer: Analytics viewer for an Apigee Organization | apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Admin: Full read/write access to all apigee API resources | apigee.apiproductattributes.* apigee.apiproducts.* apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Reader: Reader of apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list |