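This page describes IAM roles and lists the predefined roles that you can grant to principals.
A role contains a set of permissions that lets you perform specific actions on Google Cloud resources. To give permissions to principals, including users, groups, and service accounts, you grant roles to the principals.
Prerequisites for this guide
- Understand the basic concepts of IAM
Role types
There are three types of roles in IAM:
- Basic roles: the Owner, Editor, and Viewer roles that existed before IAM was introduced.
- Predefined roles: provide granular access for a specific service and are managed by Google Cloud.
- Custom roles: provide granular access according to a user-specified list of permissions.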
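To determine whether a permission is included in a basic, predefined, or custom role, you can use one of the following methods:
- Run the gcloud iam roles describe command to list the permissions in the role.
- Call the roles.get() REST API method to list the permissions in the role.
- For basic and predefined roles only: search the permissions reference to see whether the role grants the permission.
- For predefined roles only: search the predefined role descriptions on this page to see which permissions the role includes.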
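The check described above, generalized into an added example (not code from this page or from Google): it takes permission lists in the notation of this page's AI Platform table, treats `prefix.*` as shorthand for every permission under that prefix, and ranks the roles that cover a workload's needs from narrowest to widest. It also audits a constructed sample of `gcloud iam roles describe --format=json` output; the project name, role name, and required-permission sets are hypothetical.

```python
import json

# Entries copied from the AI Platform table on this page, in the page's notation.
# Assumption: "prefix.*" stands for every permission under that prefix.
AI_PLATFORM_ROLES = {
    "AI Platform Admin": ["ml.*", "resourcemanager.projects.get"],
    "AI Platform Model Owner": ["ml.models.*", "ml.versions.*"],
    "AI Platform Model User": [
        "ml.models.get", "ml.models.predict",
        "ml.versions.get", "ml.versions.list", "ml.versions.predict",
    ],
    "AI Platform Operation Owner": ["ml.operations.*"],
}

# Constructed sample of `gcloud iam roles describe ... --format=json` output
# for a hypothetical custom role. The real output lists every permission
# individually under includedPermissions, without wildcards.
SAMPLE_DESCRIBE_JSON = """
{
  "name": "projects/example-project/roles/examplePredictor",
  "title": "Example Predictor",
  "stage": "GA",
  "includedPermissions": [
    "ml.models.get",
    "ml.models.predict",
    "ml.versions.predict",
    "ml.jobs.create"
  ]
}
"""


def grants(entries, permission):
    """True if an entry equals the permission or is a 'prefix.*' entry covering it."""
    for entry in entries:
        if entry.endswith(".*"):
            # Keep the trailing dot so "ml.*" cannot match another service
            # whose name merely starts with "ml".
            if permission.startswith(entry[:-1]):
                return True
        elif entry == permission:
            return True
    return False


def missing(entries, required):
    """Required permissions that the entries do not grant."""
    return sorted(p for p in required if not grants(entries, p))


def covering_roles(roles, required):
    """Names of roles that grant every required permission, narrowest first."""
    def breadth(name):
        entries = roles[name]
        wildcards = [e for e in entries if e.endswith(".*")]
        # Fewer dots in a wildcard means a wider grant: "ml.*" > "ml.models.*".
        shallowest = min((e.count(".") for e in wildcards), default=99)
        return (bool(wildcards), -shallowest, len(entries))

    hits = [n for n, entries in roles.items() if not missing(entries, required)]
    return sorted(hits, key=breadth)


def audit_described_role(describe_json, required):
    """Compare a described role with what a workload needs."""
    role = json.loads(describe_json)
    # A role with no permissions may omit the key entirely.
    included = role.get("includedPermissions", [])
    return {
        "role": role["name"],
        "missing": missing(included, required),
        "unused": sorted(set(included) - set(required)),
    }


if __name__ == "__main__":
    needs = {"ml.models.predict", "ml.versions.predict"}
    print("candidates:", covering_roles(AI_PLATFORM_ROLES, needs))
    print(audit_described_role(SAMPLE_DESCRIBE_JSON, needs | {"ml.versions.get"}))
```

The first name returned by `covering_roles` is the least broad role that still works; entries under `unused` in the audit are candidates for removal from a custom role.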
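The following sections describe each role type and give examples of how to use them.
Basic roles
Several basic roles existed before IAM was introduced: Owner, Editor, and Viewer. These roles are nested; that is, the Owner role includes the permissions of the Editor role, and the Editor role includes the permissions of the Viewer role. They were originally called "primitive roles."
The following table summarizes the permissions that the basic roles include across all Google Cloud services:
Basic role definitions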
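Name | Title | Permissions |
---|---|---|
roles/viewer | Viewer | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
roles/editor | Editor | All Viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. For details on how to check whether a role has the permissions that you need, see Role types on this page. |
roles/owner | Owner | All Editor permissions, plus permission to perform the following actions: Note: |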
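You can grant basic roles by using the Google Cloud console, the API, and the gcloud CLI. To grant basic roles on a project, folder, or organization, see Manage access to projects, folders, and organizations. To grant basic roles on other resources, see Manage access to other resources.
Predefined roles
In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources while preventing unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following table lists these roles, their descriptions, and the lowest-level resource type where each role can be set. You can grant a particular role at this resource type or, in most cases, at any type above it in the Google Cloud resource hierarchy.
You can grant multiple roles to the same user at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.
For help choosing the most appropriate predefined roles, see Choose predefined roles.
Access Approval roles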
Role | Permissions |
---|---|
Access Approval Approver Beta( Ability to view or act on access approval requests and view configuration Contains 3 owner permissions |
accessapproval.requests.*
accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Config Editor Beta( Ability to update the Access Approval configuration Contains 2 owner permissions |
accessapproval. accessapproval.settings.*
resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Invalidator Beta( Ability to invalidate existing approved approval requests Contains 1 owner permission |
accessapproval. accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Viewer Beta( Ability to view access approval requests and configuration |
accessapproval.requests.get accessapproval.requests.list accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager roles
Role | Permissions |
---|---|
Cloud Access Binding Admin( Create, edit, and change Cloud access bindings. |
accesscontextmanager.
|
Cloud Access Binding Reader( Read access to Cloud access bindings. |
accesscontextmanager. accesscontextmanager. |
Access Context Manager Admin( Full access to policies, access levels, access zones and authorized orgs descs. Contains 2 owner permissions |
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Editor( Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Reader( Read access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
VPC Service Controls Troubleshooter Viewer(
|
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Actions roles
Role | Permissions |
---|---|
Actions Admin( Access to edit and deploy an action |
actions.*
firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Actions Viewer( Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
AI Notebooks roles
Role | Permissions |
---|---|
Notebooks Admin( Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
Contains 5 owner permissions |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute.backendServices.get compute. compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute. compute.securityPolicies.list compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute. compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Admin( Full access to Notebooks all resources through compute API. Contains 38 owner permissions |
compute.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Viewer( Read-only access to Notebooks all resources through compute API. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute.backendServices.get compute. compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute. compute.securityPolicies.list compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute. compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Runner( Restricted access for running scheduled Notebooks. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute.backendServices.get compute. compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute. compute.securityPolicies.list compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute. compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Viewer( Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute.backendServices.get compute. compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute. compute.securityPolicies.list compute.serviceAttachments.get compute. compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute. compute.subnetworks.get compute. compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
AI Platform roles
Role | Permissions |
---|---|
AI Platform Admin( Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role:
Contains 3 owner permissions |
ml.*
resourcemanager.projects.get |
AI Platform Developer( Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role:
Contains 1 owner permission |
ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.*
ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.*
ml.trials.*
ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
AI Platform Job Owner( Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role:
Contains 1 owner permission |
ml.jobs.*
|
AI Platform Model Owner( Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role:
Contains 1 owner permission |
ml.models.*
ml.versions.*
|
AI Platform Model User( Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role:
|
ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
AI Platform Operation Owner( Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role:
|
ml.operations.*
|
AI Platform Viewer( Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role:
|
ml.jobs.get ml.jobs.list ml.locations.*
ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get |
Analytics Hub roles
Role | Permissions |
---|---|
Analytics Hub Admin( Can manage data exchanges and listings Contains 2 owner permissions |
analyticshub.dataExchanges.*
analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list
analyticshub. analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Listing Admin( Grants full control over the listing, including updating, deleting, and setting ACLs Contains 1 owner permission |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list
analyticshub. analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Publisher( Can publish to data exchanges, thereby creating listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscriber( Can browse data exchanges and subscribe to listings Contains 1 owner permission |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list
analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Viewer( Can browse data exchanges and listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Android Management roles
Role | Permissions |
---|---|
Android Management User( Full access to manage devices. |
androidmanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Anthos Multi-cloud roles
Role | Permissions |
---|---|
Anthos Multi-cloud Admin( Admin access to Anthos Multi-cloud resources. Contains 2 owner permissions |
gkemulticloud.*
resourcemanager.projects.get resourcemanager.projects.list |
Anthos Multi-cloud Telemetry Writer( Grant access to write cluster telemetry data such as logs, metrics, and resource metadata. |
logging.logEntries.create monitoring. monitoring. monitoring.
monitoring.
monitoring.timeSeries.create opsconfigmonitoring. |
Anthos Multi-cloud Viewer( Viewer access to Anthos Multi-cloud resources. |
gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud. gkemulticloud. gkemulticloud.azureClients.get gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
API Gateway roles
Role | Permissions |
---|---|
ApiGateway Admin( Full access to ApiGateway and related resources. Contains 3 owner permissions |
apigateway.*
monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
ApiGateway Viewer( Read-only access to ApiGateway and related resources. |
apigateway.apiconfigs.get apigateway. apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway. apigateway.gateways.list apigateway.locations.*
apigateway.operations.get apigateway.operations.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
Apigee roles
Role | Permissions |
---|---|
Apigee Organization Admin( Full access to all Apigee resource features Contains 1 owner permission |
apigee.*
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Analytics Agent( Provides a curated set of permissions that let the Apigee Universal Data Collection Agent manage analytics data for an Apigee organization |
apigee.datalocation.get apigee. apigee.runtimeconfigs.get |
Apigee Analytics Editor( Can modify analytics data for an Apigee organization |
apigee.datacollectors.*
apigee.datastores.*
apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.*
apigee.reports.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee Analytics Viewer( Can view analytics data for an Apigee organization |
apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Admin( Full read and write access to all Apigee API resources |
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get apigee.organizations.list apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Reader( Can read Apigee resources |
apigee. apigee. apigee.apiproducts.get |