役割について

Cloud Identity and Access Management では、ある ID が Google Cloud Platform API を呼び出す場合、その ID はリソースを使用するための適切な権限を保持している必要があります。権限を付与するには、ユーザー、グループ、またはサービス アカウントに役割を付与します。

このページでは、Cloud Platform リソースにアクセスするために ID に付与することができる Cloud IAM の役割について説明します。

このガイドの前提条件

役割のタイプ

Cloud IAM では、次の 3 つのタイプの役割があります。

  • 基本の役割: Cloud IAM の導入前に存在していたオーナー、編集者、閲覧者の役割が含まれます
  • 事前定義された役割: 特定のサービスの詳細なアクセス権を提供し、GCP によって管理されます
  • カスタムの役割: ユーザー指定の権限のリストに従って、詳細なアクセス権を提供します

基本の役割、事前定義された役割、カスタムの役割に 1 つ以上の権限が含まれているかどうかを確認するには、次のいずれかの方法を使用します。

次のセクションでは、各役割のタイプについて説明し、それらの使用方法の例を示します。

基本の役割

Cloud IAM の導入前に存在していたオーナー、編集者、閲覧者の 3 つの役割があります。オーナー、編集者、閲覧者の各役割は入れ子構造になっています。つまり、オーナーの役割には編集者の役割の権限が含まれており、編集者の役割には閲覧者の役割の権限が含まれています。

次の表に、GCP のすべてのサービスで、基本の役割に含まれている権限を要約します。

基本の役割の定義

氏名 役職 権限
roles/viewer 閲覧者 既存のリソースやデータの表示(ただし変更は不可能)など、状態に影響しない読み取り専用アクションに必要な権限。
roles/editor 編集者 すべての閲覧者権限に加えて状態を変更するアクション(既存のリソースの変更など)に必要な権限。
注: roles/editor の役割には、ほとんどの GCP サービスでリソースを作成および削除する権限が含まれますが、一部のサービス(Cloud Source Repositories や Stackdriver など)ではそれらの権限が含まれません。必要な権限が役割に含まれているかどうかを確認する方法については、上記のセクションをご覧ください。
roles/owner オーナー すべての編集者権限、および以下のアクションを実行するために必要な権限。
  • プロジェクトおよびプロジェクト内のすべてのリソースの権限と役割を管理する。
  • プロジェクトの課金情報を設定する。
注:
  • リソースレベル(Pub/Sub トピックなど)でオーナーの役割を付与しても、その親プロジェクトにオーナーの役割が付与されることはありません。
  • オーナーの役割には、組織リソースに対する権限は一切含まれていません。したがって、組織レベルでオーナーの役割を付与しても、その組織のメタデータを更新することはできません。ただし、その組織の下にあるプロジェクトを変更することはできます。

GCP ConsoleAPIgcloud コマンドライン ツールを使用して、プロジェクトまたはサービスのリソースレベルで基本の役割を適用できます。

招待フロー

Cloud IAM API または gcloud コマンドライン ツールを使用して、プロジェクトのメンバーにオーナー役割を付与することはできません。オーナーは、GCP Console を使用することによってのみプロジェクトに追加できます。招待はメールでメンバーに送信されます。そのメンバーがプロジェクトのオーナーになるには、その招待を受け入れる必要があります。

以下の場合、招待メールは送信されないことに注意してください。

  • オーナー以外の役割を付与している場合。
  • 組織のメンバーが、組織内のプロジェクトのオーナーとして組織の別のメンバーを追加した場合。

事前定義された役割

基本の役割に加えて、Cloud IAM は、特定の Google Cloud Platform リソースに対して、よりきめ細やかなアクセス権を付与し、他のリソースへの望ましくないアクセスを防ぐことができる事前定義済みの役割を提供します。

次の表に、定義された役割とその説明、およびそれらの役割を設定できる最低レベルのリソースタイプを示します。このリソースタイプまたはほとんどの場合に GCP 階層のそれ以上の任意のタイプに特定の役割を付与できます。1 人のユーザーに複数の役割を付与できます。たとえば、特定のユーザーに、あるプロジェクトにおけるネットワーク管理者およびログ閲覧者の役割を付与し、なおかつ、そのプロジェクト内の Pub/Sub トピックに対するパブリッシャーの役割を付与できます。役割に含まれる権限のリストについては、役割メタデータの取得をご覧ください。

Android Management の役割

roles/
androidmanagement.user
Android Management User Full access to manage devices. androidmanagement.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

App Engine の役割

roles/
appengine.appAdmin
App Engine 管理者 すべてのアプリケーションの構成と設定に対する読み取り / 書き込み / 変更アクセス権。 appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
appengine.appViewer
App Engine Viewer Read-only access to all application configuration and settings. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
appengine.codeViewer
App Engine コード閲覧者 すべてのアプリケーションの構成、設定、デプロイされたソースコードに対する読み取り専用アクセス権。 appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
appengine.deployer
App Engine Deployer Read-only access to all application configuration and settings.

Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic.

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
appengine.serviceAdmin
App Engine Service 管理者 すべてのアプリケーションの構成と設定への読み取り専用アクセス権。
モジュール レベルおよびバージョン レベルの設定に対する書き込みアクセス権。新しいバージョンをデプロイすることはできません。 appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

AutoML の役割

roles/
automl.admin
AutoML 管理者 ベータ版 すべての AutoML リソースに対する完全アクセス件 automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.editor
AutoML Editor Beta Editor of all AutoML resources automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.predictor
AutoML Predictor Beta Predict using models automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
roles/
automl.viewer
AutoML 閲覧者 ベータ版 すべての AutoML リソースの閲覧者 automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

BigQuery の役割

roles/
bigquery.admin
BigQuery 管理者 プロジェクト内のすべてのリソースを管理する権限を提供します。プロジェクト内のすべてのデータを管理でき、プロジェクト内で実行されている他のユーザーのジョブもキャンセルできます。 bigquery.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
bigquery.connectionAdmin
BigQuery Connection 管理者 ベータ版 bigquery.connections.*
roles/
bigquery.connectionUser
BigQuery Connection User Beta bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
roles/
bigquery.dataEditor
BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataset roles/
bigquery.dataOwner
BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataset roles/
bigquery.dataViewer
BigQuery データ閲覧者

データセットに適用した場合、dataViewer には次の権限が与えられます。

  • データセットのメタデータを読み取り、データセット内のテーブルを一覧表示する。
  • データセットのテーブルからデータとメタデータを読み取る。

プロジェクトまたは組織レベルで適用した場合、この役割はプロジェクト内のすべてのデータセットを列挙することもできます。ただし、ジョブを実行するためには追加の役割が必要です。

bigquery.datasets.get
bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list データセット roles/
bigquery.jobUser
BigQuery Job User Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs. bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
bigquery.metadataViewer
BigQuery メタデータ閲覧者

プロジェクト レベルまたは組織レベルで適用した場合、metadataViewer で次の権限が付与されます。

  • プロジェクト内のすべてのデータセットを一覧表示し、すべてのデータセットのメタデータを読み込む。
  • プロジェクト内のすべてのテーブルとビューを一覧表示し、すべてのテーブルとビューのメタデータを読み込みます。

ジョブを実行する場合は追加の役割が必要です。

bigquery.datasets.get
bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list プロジェクト roles/
bigquery.readSessionUser
BigQuery Read Session User Beta Access to create and use read sessions bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
bigquery.user
BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
Project
役割 タイトル 説明 権限 最下位のリソース

Cloud Bigtable の役割

roles/
bigtable.admin
Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance roles/
bigtable.reader
Bigtable 読み取り テーブル内に保存されたデータに対する読み取り権限を付与します。データ サイエンティスト、ダッシュボード生成ツール、その他のデータ分析シナリオ向け。 bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
インスタンス roles/
bigtable.user
Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance roles/
bigtable.viewer
Bigtable 閲覧者 データへのアクセス権は許可されません。Cloud Bigtable の GCP Console にアクセスするための最小権限セットとして使用されます。 bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
インスタンス
役割 タイトル 説明 権限 最下位のリソース

請求の役割

roles/
billing.admin
Billing Account Administrator Provides access to see and manage all aspects of billing accounts. billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account roles/
billing.creator
Billing Account Creator Provides access to create billing accounts. billing.accounts.create
resourcemanager.organizations.get
Project roles/
billing.projectManager
Project Billing Manager Provides access to assign a project's billing account or disable its billing. resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Project roles/
billing.user
請求先アカウント ユーザー プロジェクトに請求先アカウントを関連付けるための権限を付与します。 billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create
請求先アカウント roles/
billing.viewer
請求先アカウント閲覧者 請求先アカウントのコスト情報とトランザクションを閲覧するためのアクセス権を付与します。 billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
組織
請求先アカウント
役割 タイトル 説明 権限 最下位のリソース

Binary Authorization の役割

roles/
binaryauthorization.attestorsAdmin
Binary Authorization Attestor Admin Beta Adminstrator of Binary Authorization Attestors binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsEditor
Binary Authorization 認証者編集者 ベータ版 Binary Authorization 認証者の編集者です。 binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsVerifier
Binary Authorization Attestor Image Verifier Beta Caller of Binary Authorization Attestors VerifyImageAttested binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsViewer
Binary Authorization 認証者閲覧者 ベータ版 Binary Authorization 認証者の閲覧者 binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyAdmin
Binary Authorization Policy Administrator Beta Administrator of Binary Authorization Policy binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyEditor
Binary Authorization ポリシー編集者 ベータ版 Binary Authorization ポリシーの編集者です binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyViewer
Binary Authorization Policy Viewer Beta Viewer of Binary Authorization Policy binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

クラウド アセットの役割

roles/
cloudasset.viewer
Cloud Asset Viewer Read only access to cloud assets metadata cloudasset.*
役割 タイトル 説明 権限 最下位のリソース

Cloud Build の役割

roles/
cloudbuild.builds.builder
Cloud Build サービス アカウント ビルドを実行できます。 cloudbuild.*
logging.logEntries.create
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
roles/
cloudbuild.builds.editor
Cloud Build 編集者 ビルドを作成、キャンセルするためのアクセス権を付与します。 cloudbuild.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
cloudbuild.builds.viewer
Cloud Build 閲覧者 ビルドの表示権限を付与します。 cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Cloud Data Fusion の役割

roles/
datafusion.admin
Cloud Data Fusion Admin Beta Full access to Cloud Data Fusion Instances and related resources. datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datafusion.viewer
Cloud Data Fusion Viewer Beta Read-only access to Cloud Data Fusion Instances and related resources. datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Stackdriver Debugger の役割

roles/
clouddebugger.agent
Stackdriver Debugger Agent Beta Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Service Account roles/
clouddebugger.user
Stackdriver Debugger ユーザー ベータ版 ブレークポイント(スナップショットとログポイント)の作成、表示、一覧表示、削除に加え、デバッグ ターゲット(デバッグ対象)の一覧表示を行う権限を付与します。 clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Cloud Functions の役割

roles/
cloudfunctions.developer
Cloud Functions Developer Beta Read and write access to all functions-related resources. cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
cloudfunctions.viewer
Cloud Functions Viewer Beta Read-only access to functions and locations. cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

Cloud IAP の役割

roles/
iap.admin
IAP Policy Admin Provides full access to Cloud Identity-Aware Proxy resources. iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.*
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.*
iap.webTypes.*
Project roles/
iap.httpsResourceAccessor
IAP-secured Web App User Provides permission to access HTTPS resources which use Cloud Identity-Aware Proxy. iap.webServiceVersions.accessViaIAP
Project roles/
iap.tunnelResourceAccessor
IAP-secured Tunnel User Beta Access Tunnel resources which use Identity-Aware Proxy iap.tunnelInstances.accessViaIAP
役割 タイトル 説明 権限 最下位のリソース

Cloud IoT の役割

roles/
cloudiot.admin
Cloud IoT 管理者 すべての Cloud IoT リソースと権限に対するフル コントロール。 cloudiot.*
cloudiottoken.*
デバイス roles/
cloudiot.deviceController
Cloud IoT Device Controller Access to update the configuration of devices, but not to create or delete devices. cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.updateConfig
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Device roles/
cloudiot.editor
Cloud IoT Editor Read-write access to all Cloud IoT resources. cloudiot.devices.*
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.list
cloudiot.registries.update
cloudiottoken.*
Device roles/
cloudiot.provisioner
Cloud IoT プロビジョナー レジストリに対してデバイスの作成と削除を行う権限(レジストリの変更権限は除く)。 cloudiot.devices.*
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
デバイス roles/
cloudiot.viewer
Cloud IoT 閲覧者 すべての Cloud IoT リソースへの読み取り専用アクセス権。 cloudiot.devices.get
cloudiot.devices.list
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
デバイス
役割 タイトル 説明 権限 最下位のリソース

Cloud Talent Solution の役割

roles/
cloudjobdiscovery.admin
Admin Access to Cloud Job Discovery Self-Service Tools cloudjobdiscovery.tools.*
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.jobsEditor
ジョブ編集者 すべての Cloud Job Discovery データに対する書き込み権限。 cloudjobdiscovery.companies.*
cloudjobdiscovery.events.*
cloudjobdiscovery.jobs.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.jobsViewer
ジョブ閲覧者 すべての Cloud Job Discovery データに対する読み取り権限。 cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.profilesEditor
プロファイル閲覧者 Cloud Talent Solution のすべてのプロファイル データに対する書き込みアクセス権。 cloudjobdiscovery.events.*
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.profilesViewer
Profile Viewer Read access to all profile data in Cloud Talent Solution. cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Cloud KMS の役割

roles/
cloudkms.admin
Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations. cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeys.*
cloudkms.keyRings.*
resourcemanager.projects.get
CryptoKey roles/
cloudkms.cryptoKeyDecrypter
Cloud KMS CryptoKey Decrypter Provides ability to use Cloud KMS resources for decrypt operations only. cloudkms.cryptoKeyVersions.useToDecrypt
resourcemanager.projects.get
CryptoKey roles/
cloudkms.cryptoKeyEncrypter
Cloud KMS 暗号鍵の暗号化 暗号化の場合にのみ、Cloud KMS リソースの使用を許可します。 cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
暗号鍵 roles/
cloudkms.cryptoKeyEncrypterDecrypter
Cloud KMS 暗号鍵の暗号化 / 復号 暗号化および復号オペレーションに限り、Cloud KMS リソースを使用する権限を付与します。 cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
暗号鍵 roles/
cloudkms.publicKeyViewer
Cloud KMS CryptoKey Public Key Viewer Beta Enables GetPublicKey operations cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get
roles/
cloudkms.signer
Cloud KMS 暗号鍵の署名者 ベータ版 AsymmetricSign オペレーションを有効にします。 cloudkms.cryptoKeyVersions.useToSign
resourcemanager.projects.get
roles/
cloudkms.signerVerifier
Cloud KMS CryptoKey Signer/Verifier Beta Enables AsymmetricSign, and GetPublicKey operations cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get
役割 タイトル 説明 権限 最下位のリソース

Cloud プライベート カタログの役割

roles/
cloudprivatecatalog.consumer
Catalog Consumer Beta Can browse catalogs in the target resource context. cloudprivatecatalog.*
roles/
cloudprivatecatalogproducer.admin
カタログ管理者 ベータ版 カタログを管理し、カタログの関連付けを表示できます。 cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
roles/
cloudprivatecatalogproducer.manager
カタログ マネージャー ベータ版 カタログとターゲット リソース間の関連付けを管理できます。 cloudprivatecatalog.*
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
役割 タイトル 説明 権限 最下位のリソース

Stackdriver Profiler の役割

roles/
cloudprofiler.agent
Stackdriver Profiler Agent Beta Stackdriver Profiler agents are allowed to register and provide the profiling data. cloudprofiler.profiles.create
cloudprofiler.profiles.update
roles/
cloudprofiler.user
Stackdriver Profiler ユーザー ベータ版 Stackdriver Profiler ユーザーは、プロファイリング データのクエリと表示を実行できます。 cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Scheduler の役割

roles/
cloudscheduler.admin
Cloud Scheduler Admin Beta Full access to jobs and executions. cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudscheduler.viewer
Cloud Scheduler 閲覧者 ベータ版 ジョブ、実行、ロケーションの取得と一覧表示に必要な権限。 cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Security Scanner の役割

roles/
cloudsecurityscanner.editor
Cloud Security Scanner 編集者 すべての Cloud Security Scanner リソースに対する完全アクセス権 appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
cloudsecurityscanner.runner
Cloud Security Scanner Runner Read access to Scan and ScanRun, plus the ability to start scans cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
roles/
cloudsecurityscanner.viewer
Cloud Security Scanner Viewer Read access to all Cloud Security Scanner resources cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Services の役割

roles/
servicebroker.admin
Service Broker Admin Beta Full access to ServiceBroker resources. servicebroker.*
roles/
servicebroker.operator
Service Broker Operator Beta Operational access to the ServiceBroker resources. servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update
役割 タイトル 説明 権限 最下位のリソース

Cloud SQL の役割

roles/
cloudsql.admin
Cloud SQL Admin Provides full control of Cloud SQL resources. cloudsql.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
cloudsql.client
Cloud SQL Client Provides connectivity access to Cloud SQL instances. cloudsql.instances.connect
cloudsql.instances.get
Project roles/
cloudsql.editor
Cloud SQL 編集者 ユーザー、SSL 証明書の変更、またはリソースの削除を除いて、既存の Cloud SQL インスタンスのすべてを管理できます。 cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.restart
cloudsql.instances.rotateServerCa
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
プロジェクト roles/
cloudsql.viewer
Cloud SQL 閲覧者 Cloud SQL のリソースに対する読み取り専用権限を付与します。 cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Cloud Tasks の役割

roles/
cloudtasks.admin
Cloud Tasks 管理者 ベータ版 キューとタスクへの完全アクセス権。 cloudtasks.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.enqueuer
Cloud Tasks へのデータ追加 ベータ版 タスクを作成するためのアクセス権。 cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.queueAdmin
Cloud Tasks Queue Admin Beta Admin access to queues. cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.taskDeleter
Cloud Tasks Task Deleter Beta Access to delete tasks. cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.taskRunner
Cloud Tasks Task Runner Beta Access to run tasks. cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.viewer
Cloud Tasks Viewer Beta Get and list access to tasks, queues, and locations. cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Trace の役割

roles/
cloudtrace.admin
Cloud Trace Admin Provides full access to the Trace console and read-write access to traces. cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
cloudtrace.agent
Cloud Trace Agent For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. cloudtrace.traces.patch
Project roles/
cloudtrace.user
Cloud Trace ユーザー Trace コンソールへの完全アクセス権とトレースへの読み取り権限を付与します。 cloudtrace.insights.*
cloudtrace.stats.*
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Cloud Translation の役割

roles/
cloudtranslate.admin
Cloud Translation API 管理者 ベータ版 Cloud Translation リソースに対する完全アクセス権 automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.editor
Cloud Translation API Editor Editor of all Cloud Translation resources automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.user
Cloud Translation API User User of Cloud Translation and AutoML models automl.models.get
automl.models.predict
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.languageDetectionModels.*
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.viewer
Cloud Translation API Viewer Viewer of all Translation resources automl.models.get
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Codelab API キーの役割

roles/
codelabapikeys.admin
Codelab ApiKeys Admin Beta Full access to API keys resourcemanager.projects.get
resourcemanager.projects.list
roles/
codelabapikeys.editor
Codelab API Keys Editor Beta This role can view and edit all properties of API keys. resourcemanager.projects.get
resourcemanager.projects.list
roles/
codelabapikeys.viewer
Codelab API Keys Viewer Beta This role can view all properties except change history of API keys. resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Composer の役割

roles/
composer.admin
Composer Administrator Provides full control of Cloud Composer resources. composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
composer.environmentAndStorageObjectAdmin
Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets. composer.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.*
Project roles/
composer.environmentAndStorageObjectViewer
Environment User and Storage Object Viewer Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
Project roles/
composer.user
Composer ユーザー Cloud Composer の環境とオペレーションを一覧表示して取得するために必要な権限を付与します。 composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
プロジェクト roles/
composer.worker
Composer ワーカー Cloud Composer 環境 VM の実行に必要な権限を付与します。サービス アカウント向けです。 cloudbuild.*
container.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.*
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Compute Engine の役割

roles/
compute.admin
Compute 管理者

Compute Engine リソースのすべてを管理できる権限。

ユーザーがサービス アカウントとして実行するように構成されている仮想マシン インスタンスを管理する場合は、roles/iam.serviceAccountUser の役割も付与する必要があります。

compute.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list ディスク、イメージ、インスタンス、インスタンス テンプレート、ノードグループ、ノード テンプレート、スナップショットベータ版 roles/
compute.imageUser
Compute Image User

Permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
ImageBeta roles/
compute.instanceAdmin
Compute インスタンス管理者(ベータ版)

仮想マシン インスタンスを作成、変更、削除するための権限。 ディスクの作成、変更、削除を行う権限が含まれます。Shielded VMベータ版の設定を構成する権限も含まれます。

ユーザーがサービス アカウントとして実行するように構成されている仮想マシン インスタンスを管理する場合は、roles/iam.serviceAccountUser の役割も付与する必要があります。

たとえば、仮想マシン インスタンスのグループは管理しているが、ネットワークやセキュリティの設定の管理や、サービス アカウントとして実行するインスタンスの管理は行っていないというユーザーが社内にいる場合は、この役割をインスタンスが含まれている組織、フォルダ、プロジェクトあるいは個々のインスタンスに付与できます。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list ディスク、イメージ、インスタンス、インスタンス テンプレート、スナップショットベータ版 roles/
compute.instanceAdmin.v1
Compute インスタンス管理者(v1) Compute Engine インスタンス、インスタンス グループ、ディスク、スナップショット、イメージのすべてを管理できる権限。 すべての Compute Engine ネットワーキング リソースへの読み取り専用権権限。

この役割をユーザーにインスタンス レベルでのみ付与した場合、そのユーザーは新しいインスタンスを作成できません。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list roles/
compute.loadBalancerAdmin
Compute ロードバランサ管理者 ベータ版

ロードバランサを作成、変更、削除し、リソースを関連付ける権限。

たとえば、社内にロードバランサ、ロードバランサの SSL 証明書、SSL ポリシー、その他のロード バランシング リソースを管理するロード バランシング チームと、その他のネットワーク リソースを管理するネットワーク チームがある場合は、ロード バランシング チームのグループに loadBalancerAdmin の役割を付与します。

compute.addresses.*
compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list インスタンスベータ版 roles/
compute.networkAdmin
Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team's group the networkAdmin role.

compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.externalVpnGateways.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.projects.get
compute.regionBackendServices.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta roles/
compute.networkUser
Compute Network User

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
compute.networkViewer
Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software's service account the networkViewer role.

compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta roles/
compute.osAdminLogin
Compute OS Admin Login

Access to log in to a Compute Engine instance as an administrator user.

compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta roles/
compute.osLogin
Compute OS Login

Access to log in to a Compute Engine instance as a standard user.

compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta roles/
compute.osLoginExternalUser
Compute OS Login External User

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

compute.oslogin.*
Organization roles/
compute.securityAdmin
Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team's group the securityAdmin role.

compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta roles/
compute.storageAdmin
Compute ストレージ管理者

ディスク、イメージ、スナップショットを作成、変更、削除するための権限。

たとえば、自社のプロジェクト イメージ管理者にプロジェクトの編集者の役割を付与しない場合は、そのアカウントにプロジェクト レベルで storageAdmin 役割を付与します。

compute.diskTypes.*
compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list ディスク、イメージ、スナップショットベータ版 roles/
compute.viewer
Compute 閲覧者

Compute Engine リソースを取得して表示するための読み取り専用アクセス権。そこに格納されたデータを読み取ることはできません。

たとえば、この役割を持つアカウントはプロジェクトのすべてのディスクの一覧を作成できますが、それらのディスク内のデータは読み取ることができません。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list ディスク、イメージ、インスタンス、インスタンス テンプレート、ノードグループ、ノード テンプレート、スナップショットベータ版 roles/
compute.xpnAdmin
Compute Shared VPC 管理者

共有 VPC ホスト プロジェクトを管理する権限。特にホスト プロジェクトを有効にし、共有 VPC サービス プロジェクトをホスト プロジェクトのネットワークに関連付ける権限。

この役割を組織に付与できるのは、組織管理者だけです。

Google Cloud Platform では、共有 VPC ホスト プロジェクトのオーナーを共有 VPC 管理者にすることを推奨しています。共有 VPC 管理者はサービス オーナーに compute.networkUser 役割を付与し、共有 VPC ホスト プロジェクトのオーナーはプロジェクト自体を制御します。単一のプリンシパル(個人やグループ)が両方の役割を果たすことができれば、プロジェクトの管理が容易になります。

compute.globalOperations.get
compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list 組織
役割 タイトル 説明 権限 最下位のリソース

Kubernetes Engine の役割

roles/
container.admin
Kubernetes Engine Admin Provides access to full management of Container Clusters and their Kubernetes API objects. container.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
container.clusterAdmin
Kubernetes Engine Cluster Admin Provides access to management of Container Clusters. container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
container.clusterViewer
Kubernetes Engine Cluster Viewer Read-only access to Kubernetes Clusters. container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
container.developer
Kubernetes Engine デベロッパー コンテナ クラスタ内の Kubernetes API オブジェクトに対する完全アクセス権を付与します。 container.apiServices.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpoints.*
container.events.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
container.hostServiceAgentUser
Kubernetes Engine Host Service Agent User Use access of the Kubernetes Engine Host Service Agent. compute.firewalls.get
container.hostServiceAgent.*
roles/
container.viewer
Kubernetes Engine 閲覧者 GKE のリソースに対する読み取り専用権限を付与します。 container.apiServices.get
container.apiServices.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getStatus
container.deployments.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.limitRanges.get
container.limitRanges.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Container Analysis の役割

roles/
containeranalysis.admin
Container Analysis Admin Alpha Access to all resources. resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.notes.attacher
Container Analysis Notes Attacher Alpha Can attach occurrences to notes
roles/
containeranalysis.notes.editor
Container Analysis Notes Editor Alpha Can edit container analysis notes resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.notes.viewer
Container Analysis Notes Viewer Alpha Can view container analysis notes resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.occurrences.editor
Container Analysis Occurrences Editor Alpha Can edit container analysis occurrences resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.occurrences.viewer
Container Analysis Occurrences Viewer Alpha Can view container analysis occurrences resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Dataflow の役割

roles/
dataflow.admin
Dataflow 管理者 Dataflow ジョブを作成し、管理するための最低限の役割。 compute.machineTypes.get
dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
roles/
dataflow.developer
Dataflow Developer Provides the permissions necessary to execute and manipulate Cloud Dataflow jobs. dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
dataflow.viewer
Dataflow 閲覧者 すべての Cloud Dataflow 関連リソースに対する読み取り専用アクセス権を付与します。 dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.*
dataflow.metrics.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
dataflow.worker
Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline. compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
logging.logEntries.create
storage.objects.create
storage.objects.get
Project
役割 タイトル 説明 権限 最下位のリソース

Cloud Data Labeling の役割

roles/
datalabeling.admin
DataLabeling Service Admin Beta Full access to all DataLabeling resources datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datalabeling.editor
DataLabeling サービス編集者 ベータ版 すべての DataLabeling リソースの編集者 datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datalabeling.viewer
DataLabeling Service Viewer Beta Viewer of all DataLabeling resources datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Dataprep の役割

roles/
dataprep.projects.user
Dataprep User Beta Use of Dataprep. dataprep.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

Dataproc の役割

roles/
dataproc.admin
Dataproc 管理者 Dataproc リソースのすべてを管理できる権限。 compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
dataproc.editor
Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Cloud Dataproc, including machine types, networks, projects and zones. compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
dataproc.viewer
Dataproc 閲覧者 Cloud Dataproc リソースに対する読み取り専用アクセス権を付与します。 compute.machineTypes.get
compute.regions.*
compute.zones.get
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
dataproc.worker
Dataproc ワーカー Dataproc に対するワーカー アクセス。サービス アカウント向けです。 dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.objects.*
役割 タイトル 説明 権限 最下位のリソース

Datastore の役割

roles/
datastore.importExportAdmin
Cloud Datastore Import Export Admin Provides full access to manage imports and exports. appengine.applications.get
datastore.databases.export
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
datastore.indexAdmin
Cloud Datastore Index Admin Provides full access to manage index definitions. appengine.applications.get
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
datastore.owner
Cloud Datastore オーナー Cloud Datastore リソースに対する完全アクセス権を付与します。 appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
datastore.user
Cloud Datastore User Provides read/write access to data in a Cloud Datastore database. appengine.applications.get
datastore.databases.get
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
datastore.viewer
Cloud Datastore Viewer Provides read access to Cloud Datastore resources. appengine.applications.get
datastore.databases.get
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
役割 タイトル 説明 権限 最下位のリソース

Deployment Manager の役割

roles/
deploymentmanager.editor
Deployment Manager Editor Provides the permissions necessary to create and manage deployments. deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
deploymentmanager.typeEditor
Deployment Manager タイプ編集者 すべてのタイプ レジストリ リソースに対する読み取り / 書き込みアクセス権を付与します。 deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
プロジェクト roles/
deploymentmanager.typeViewer
Deployment Manager タイプ閲覧者 すべてのタイプ レジストリ リソースに対する読み取り専用アクセス権を付与します。 deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
プロジェクト roles/
deploymentmanager.viewer
Deployment Manager 閲覧者 すべての Cloud Deployment Manager 関連リソースに対する読み取り専用アクセス権を付与します。 deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Dialogflow の役割

roles/
dialogflow.admin
Dialogflow API Admin Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console). dialogflow.*
resourcemanager.projects.get
Project roles/
dialogflow.client
Dialogflow API Client Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.). dialogflow.contexts.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
Project roles/
dialogflow.consoleAgentEditor
Dialogflow Console Agent Editor Can edit agent in Dialogflow Console dialogflow.*
resourcemanager.projects.get
roles/
dialogflow.reader
Dialogflow API Reader Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both API and Dialogflow console. dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.search
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.operations.*
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
resourcemanager.projects.get
Project
役割 タイトル 説明 権限 最下位のリソース

Cloud DLP の役割

roles/
dlp.admin
DLP Administrator Administer DLP including jobs and templates. dlp.*
serviceusage.services.use
roles/
dlp.analyzeRiskTemplatesEditor
DLP Analyze Risk Templates Editor Edit DLP analyze risk templates. dlp.analyzeRiskTemplates.*
roles/
dlp.analyzeRiskTemplatesReader
DLP リスク分析テンプレート読み取り DLP リスク分析テンプレートを読み取ります。 dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
roles/
dlp.deidentifyTemplatesEditor
DLP De-identify Templates Editor Edit DLP de-identify templates. dlp.deidentifyTemplates.*
roles/
dlp.deidentifyTemplatesReader
DLP 匿名化テンプレート読み取り DLP 匿名化テンプレートを読み取ります。 dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
roles/
dlp.inspectTemplatesEditor
DLP 検査テンプレート編集者 DLP 検査テンプレートを編集します。 dlp.inspectTemplates.*
roles/
dlp.inspectTemplatesReader
DLP Inspect Templates Reader Read DLP inspect templates. dlp.inspectTemplates.get
dlp.inspectTemplates.list
roles/
dlp.jobTriggersEditor
DLP ジョブトリガー編集者 ジョブトリガーの構成を編集します。 dlp.jobTriggers.*
roles/
dlp.jobTriggersReader
DLP ジョブトリガー読み取り ジョブトリガーの読み取り。 dlp.jobTriggers.get
dlp.jobTriggers.list
roles/
dlp.jobsEditor
DLP Jobs Editor Edit and create jobs dlp.jobs.*
dlp.kms.*
roles/
dlp.jobsReader
DLP Jobs Reader Read jobs dlp.jobs.get
dlp.jobs.list
roles/
dlp.reader
DLP Reader Read DLP entities, such as jobs and templates. dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.storedInfoTypesEditor
DLP Stored InfoTypes 編集者 DLP に格納された情報タイプを編集します。 dlp.storedInfoTypes.*
roles/
dlp.storedInfoTypesReader
DLP Stored InfoTypes Reader Read DLP stored info types. dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.user
DLP ユーザー コンテンツの検査、削除、匿名化 dlp.kms.*
serviceusage.services.use
役割 タイトル 説明 権限 最下位のリソース

DNS の役割

roles/
dns.admin
DNS Administrator Provides read-write access to all Cloud DNS resources. compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
dns.peer
DNS ピア ベータ版 DNS ピアリング ゾーンを持つターゲット ネットワークへのアクセス権 dns.networks.targetWithPeeringZone
roles/
dns.reader
DNS Reader Provides read-only access to all Cloud DNS resources. compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.*
dns.resourceRecordSets.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
役割 タイトル 説明 権限 最下位のリソース

Endpoints の役割

roles/
endpoints.portalAdmin
Endpoints Portal Admin Beta Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page. endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
Project
役割 タイトル 説明 権限 最下位のリソース

Error Reporting の役割

roles/
errorreporting.admin
Error Reporting Admin Beta Provides full access to Error Reporting data. cloudnotifications.*
errorreporting.*
Project roles/
errorreporting.user
Error Reporting ユーザー ベータ版 Error Reporting データへの読み取り / 書き込み権限(新しいエラーイベントの送信を除く)を付与します。 cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.*
プロジェクト roles/
errorreporting.viewer
Error Reporting Viewer Beta Provides read-only access to Error Reporting data. cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.*
Project roles/
errorreporting.writer
エラー書き込み ベータ版 Error Reporting にエラーイベントを送信する権限を付与します。 errorreporting.errorEvents.create
サービス アカウント
役割 タイトル 説明 権限 最下位のリソース

Cloud Filestore の役割

roles/
file.editor
Cloud Filestore 編集者 ベータ版 Filestore インスタンスと関連リソースに対する読み取り / 書き込み権限。 file.*
roles/
file.viewer
Cloud Filestore Viewer Beta Read-only access to Filestore instances and related resources. file.instances.get
file.instances.list
file.locations.*
file.operations.get
file.operations.list
file.snapshots.get
file.snapshots.list
役割 タイトル 説明 権限 最下位のリソース

Firebase の役割

roles/
cloudtestservice.testAdmin
Firebase Test Lab 管理者 すべての Test Lab 機能に対する完全アクセス権 cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
roles/
cloudtestservice.testViewer
Firebase Test Lab Viewer Read access to Test Lab features cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
roles/
firebase.admin
Firebase Admin Beta Full access to Firebase products. appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudconfig.*
cloudfunctions.*
cloudmessaging.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*
roles/
firebase.analyticsAdmin
Firebase Analytics Admin Beta Full access to Google Analytics for Firebase. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.analyticsViewer
Firebase 向け Google アナリティクス閲覧者 ベータ版 Firebase 向け Google アナリティクスに対する読み取りアクセス権。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.developAdmin
Firebase Develop 管理者 ベータ版 Firebase Develop プロダクトとアナリティクスに対する完全アクセス権。 appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.*
roles/
firebase.developViewer
Firebase Develop Viewer Beta Read access to Firebase Develop products and Analytics. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
roles/
firebase.growthAdmin
Firebase Grow Admin Beta Full access to Firebase Grow products and Analytics. clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.*
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.growthViewer
Firebase Grow Viewer Beta Read access to Firebase Grow products and Analytics. cloudconfig.configs.get
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityAdmin
Firebase Quality 管理者 ベータ版 Firebase Quality プロダクトとアナリティクスに対する完全アクセス権。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityViewer
Firebase Quality 閲覧者 ベータ版 Firebase Quality プロダクトとアナリティクスに対する読み取りアクセス権。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.viewer
Firebase Viewer Beta Read-only access to Firebase products. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
役割 タイトル 説明 権限 最下位のリソース

Firebase Crash Reporting の役割

roles/
firebasecrash.symbolMappingsAdmin
Firebase Crash Symbol アップローダー Firebase Crash Reporting のシンボル マッピング ファイル リソースに対する完全な読み取りアクセス権と書き込みアクセス権。 firebase.clients.get
resourcemanager.projects.get
役割 タイトル 説明 権限 最下位のリソース

Genomics の役割

roles/
genomics.admin
Genomics Admin Full access to genomics datasets and operations. genomics.*
roles/
genomics.editor
Genomics Editor Access to read and edit genomics datasets and operations. genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*
roles/
genomics.pipelinesRunner
Genomics パイプライン実行者 Genomics パイプラインの操作に対する完全アクセス権。 genomics.operations.*
roles/
genomics.viewer
Genomics Viewer Access to view genomics datasets and operations. genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list
役割 タイトル 説明 権限 最下位のリソース

Cloud Healthcare の役割

roles/
healthcare.annotationEditor
Healthcare Annotation 編集者 ベータ版 アノテーションの作成、削除、更新、読み取り、一覧表示を行います。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationReader
Healthcare Annotation Reader Beta Read and list annotations in an Annotation store. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationStoreAdmin
Healthcare Annotation Administrator Beta Administer Annotation stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationStoreViewer
Healthcare Annotation ストア閲覧者 ベータ版 データセット内の Annotation ストアを一覧表示します。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.datasetAdmin
Healthcare Dataset Administrator Beta Administer Healthcare Datasets. healthcare.datasets.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.datasetViewer
Healthcare Dataset Viewer Beta List the Healthcare Datasets in a project. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomEditor
Healthcare DICOM Editor Beta Edit DICOM images individually and in bulk. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomStoreAdmin
Healthcare DICOM Store Administrator Beta Administer DICOM stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomStoreViewer
Healthcare DICOM ストア閲覧者 ベータ版 データセット内の DICOM ストアの一覧を取得するための権限。 healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomViewer
Healthcare DICOM Viewer Beta Retrieve DICOM images from a DICOM store. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirResourceEditor
Healthcare FHIR リソース編集者 ベータ版 FHIR リソースの作成、削除、更新、読み取り、検索を行います。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.update
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirResourceReader
Healthcare FHIR Resource Reader Beta Read and search FHIR resources. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirStoreAdmin
Healthcare FHIR 管理者 Beta FHIR リソースストアを管理します。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.create
healthcare.fhirStores.delete
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirStoreViewer
Healthcare FHIR Store Viewer Beta List FHIR Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Consumer
Healthcare HL7v2 メッセージ コンシューマ ベータ版 HL7v2 メッセージの一覧表示と読み取り、メッセージ ラベルの更新、新しいメッセージの公開を行う権限です。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Editor
Healthcare HL7v2 Message Editor Beta Read, write, and delete access to HL7v2 messages. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Ingest
Healthcare HL7v2 メッセージ取り込み ベータ版 ソース ネットワークから受信した HL7v2 メッセージを取り込みます。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2StoreAdmin
Healthcare HL7v2 Store Administrator Beta Administer HL7v2 Stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2StoreViewer
Healthcare HL7v2 Store Viewer Beta View HL7v2 Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

IAM の役割

roles/
iam.securityReviewer
Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them. accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.entries.getIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.tagTemplates.getIamPolicy
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.featurecontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
役割 タイトル 説明 権限 最下位のリソース

役割に関する役割

roles/
iam.organizationRoleAdmin
組織の役割の管理者 組織とその下のプロジェクト内のすべてのカスタム役割を管理するためのアクセス権を付与します。 iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
組織 roles/
iam.organizationRoleViewer
Organization Role Viewer Provides read access to all custom roles in the organization and the projects below it. iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Project roles/
iam.roleAdmin
役割の管理者 プロジェクト内のすべてのカスタム役割へのアクセスを許可します。 iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
プロジェクト roles/
iam.roleViewer
役割の閲覧者 プロジェクト内のすべてのカスタム役割に対する読み取り権限を付与します。 iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

サービス アカウントの役割

roles/
iam.serviceAccountAdmin
Service Account Admin Create and manage service accounts. iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Service Account roles/
iam.serviceAccountCreator
サービス アカウントの作成 サービス アカウントを作成するためのアクセス権。 iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountDeleter
サービス アカウントの削除 サービス アカウントを削除するためのアクセス権。 iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountKeyAdmin
Service Account Key Admin Create and manage (and rotate) service account keys. iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account roles/
iam.serviceAccountTokenCreator
サービス アカウント トークン作成者 サービス アカウント権限を使用できます(OAuth2 アクセス トークンを作成し、blob または JWT などに署名します)。 iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
サービス アカウント roles/
iam.serviceAccountUser
Service Account User Run operations as the service account. iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account
役割 タイトル 説明 権限 最下位のリソース

Logging の役割

roles/
logging.admin
Logging 管理者 Stackdriver Logging のすべての機能を使用するために必要なすべての権限を付与します。 logging.*
resourcemanager.projects.get
resourcemanager.projects.list
プロジェクト roles/
logging.configWriter
Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. logging.exclusions.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Project roles/
logging.logWriter
Logs Writer Provides the permissions to write log entries. logging.logEntries.create
Project roles/
logging.privateLogViewer
Private Logs Viewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
Project roles/
logging.viewer
ログ閲覧者 ログを閲覧するためのアクセス権を付与します。 logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Machine Learning Engine の役割

roles/
ml.admin
ML Engine Admin Provides full access to AI Platform resources, and its jobs, operations, models, and versions. ml.*
resourcemanager.projects.get
Project roles/
ml.developer
ML Engine Developer Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
Project roles/
ml.jobOwner
ML Engine ジョブオーナー 特定のジョブリソースに対する完全アクセス権を付与します。この役割はジョブを作成したユーザーに自動的に付与されます。 ml.jobs.*
ジョブ roles/
ml.modelOwner
ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. ml.models.*
ml.versions.*
Model roles/
ml.modelUser
ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction. ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
Model roles/
ml.operationOwner
ML Engine オペレーション オーナー 特定のオペレーション リソースに対する完全アクセス権を付与します。 ml.operations.*
オペレーション roles/
ml.viewer
ML Engine 閲覧者 AI Platform のリソースに対する読み取り専用権限を付与します。 ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
resourcemanager.projects.get
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Monitoring の役割

roles/
monitoring.admin
モニタリング管理者 roles/monitoring.editor と同じアクセス権を付与します。 cloudnotifications.*
monitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
プロジェクト roles/
monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor Beta Read/write access to alerting policies. monitoring.alertPolicies.*
roles/
monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer Beta Read-only access to alerting policies. monitoring.alertPolicies.get
monitoring.alertPolicies.list
roles/
monitoring.editor
モニタリング編集者 モニタリング データと構成に関する情報に対する完全アクセス権を付与します。 cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
プロジェクト roles/
monitoring.metricWriter
Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
Project roles/
monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor Beta Read/write access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
roles/
monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer Beta Read-only access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
roles/
monitoring.uptimeCheckConfigEditor
稼働時間チェックのモニタリング構成の編集者 Beta 稼働時間チェック構成への読み取り / 書き込みアクセス権。 monitoring.uptimeCheckConfigs.*
roles/
monitoring.uptimeCheckConfigViewer
Monitoring Uptime Check Configuration Viewer Beta Read-only access to uptime check configurations. monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
roles/
monitoring.viewer
モニタリング閲覧者 すべてのモニタリング データや構成に関する情報を取得して一覧表示するための読み取り専用アクセス権を付与します。 cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

組織ポリシーの役割

roles/
axt.admin
Access Transparency Admin Enable Access Transparency for Organization axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
orgpolicy.policyAdmin
組織のポリシー管理者 組織のポリシーでクラウド リソースの構成に制限を定義する権限を付与します。 orgpolicy.*
組織 roles/
orgpolicy.policyViewer
Organization Policy Viewer Provides access to view Organization Policies on resources. orgpolicy.policy.get
Organization
役割 タイトル 説明 権限 最下位のリソース

その他の役割

roles/
accesscontextmanager.policyAdmin
Access Context Manager 管理者 ポリシー、アクセスレベル、アクセスゾーンへの完全アクセス権 accesscontextmanager.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyEditor
Access Context Manager Editor Edit access to policies. Create, edit, and change access levels and access zones. accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyReader
Access Context Manager Reader Read access to policies, access levels, and access zones. accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
dlpscanner.serviceAgent
DLP Scanner Service Agent Alpha Allows DLP API access for DLP Scanner.
roles/
indexstore.serviceAgent
Cloud Indexstore API Service Agent Alpha Grants Cloud Indexstore access to services and APIs in the user project
roles/
mobilecrashreporting.symbolMappingsAdmin
Firebase Crash Symbol Uploader (Deprecated) Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin firebase.clients.get
resourcemanager.projects.get
roles/
resourcemanager.organizationCreator
組織作成者 組織を作成し、一覧を表示できるアクセス権です。
roles/
runtimeconfig.admin
Cloud RuntimeConfig 管理者 RuntimeConfig リソースへの完全アクセス権。 runtimeconfig.*
roles/
subscribewithgoogledeveloper.developer
Subscribe with Google Developer Beta Access DevTools for Subscribe with Google resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*
役割 タイトル 説明 権限 最下位のリソース

プロジェクトの役割

roles/
browser
参照者 フォルダ、組織、Cloud IAM ポリシーなど、プロジェクトの階層を参照するための読み取りアクセス権。この役割には、プロジェクトのリソースを表示する権限は含まれていません。 resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
プロジェクト
役割 タイトル 説明 権限 最下位のリソース

Proximity Beacon の役割

roles/
proximitybeacon.attachmentEditor
ビーコン添付ファイル編集者 添付ファイルの作成と削除、プロジェクトのビーコンの一覧表示と取得、プロジェクトの名前空間の一覧表示ができます。 proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.attachmentPublisher
Beacon Attachment Publisher Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project. proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.attachmentViewer
ビーコン添付ファイル閲覧者 名前空間内のすべての添付ファイルを表示できます(ビーコンや名前空間に対する権限はありません)。 proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.beaconEditor
ビーコン編集者 ビーコンの登録、変更、表示に必要なアクセス権(添付ファイルや名前空間に対する権限はありません)。 proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list
役割 タイトル 説明 権限 最下位のリソース

Pub/Sub の役割

roles/
pubsub.admin
Pub/Sub 管理者 トピックとサブスクリプションに対する完全アクセス権を付与します。 pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
トピック roles/
pubsub.editor
Pub/Sub 編集者 トピックとサブスクリプションを変更するためのアクセスと、メッセージを送信および受信するためのアクセスを付与します。 pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
トピック roles/
pubsub.publisher
Pub/Sub Publisher Provides access to publish messages to a topic. pubsub.topics.publish
Topic roles/
pubsub.subscriber
Pub/Sub サブスクライバー サブスクリプションからメッセージを受信し、トピックにサブスクリプションを添付するための権限を付与します。 pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
トピック roles/
pubsub.viewer
Pub/Sub Viewer Provides access to view topics and subscriptions. pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Topic
役割 タイトル 説明 権限 最下位のリソース

Memorystore Redis の役割

roles/
redis.admin
Cloud Memorystore Redis Admin Beta Full control for all Cloud Memorystore resources. compute.networks.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Instance roles/
redis.editor
Cloud Memorystore Redis 編集者 ベータ版 Cloud Memorystore インスタンスを管理します。インスタンスの作成や削除はできません。 compute.networks.list
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
インスタンス roles/
redis.viewer
Cloud Memorystore Redis Viewer Beta Read-only access to all Cloud Memorystore resources. redis.instances.get
redis.instances.list
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Instance
役割 タイトル 説明 権限 最下位のリソース

Resource Manager の役割

roles/
resourcemanager.folderAdmin
フォルダ管理者 フォルダの操作に使用できるすべての権限を付与します。 orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
フォルダ roles/
resourcemanager.folderCreator
Folder Creator Provides permissions needed to browse the hierarchy and create folders. orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder roles/
resourcemanager.folderEditor
Folder Editor Provides permission to modify folders as well as to view a folder's Cloud IAM policy. orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Folder roles/
resourcemanager.folderIamAdmin
フォルダ IAM 管理者 フォルダの Cloud IAM ポリシーを管理する権限を付与します。 resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
フォルダ roles/
resourcemanager.folderMover
フォルダ移動 親の組織またはフォルダとの間でフォルダを移動する権限を付与します。 resourcemanager.folders.move
resourcemanager.projects.move
フォルダ roles/
resourcemanager.folderViewer
フォルダ閲覧者 フォルダを取得、およびリソース内のフォルダとプロジェクトを一覧表示する権限を付与します。 orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
フォルダ roles/
resourcemanager.lienModifier
Project Lien Modifier Provides access to modify Liens on projects. resourcemanager.projects.updateLiens
Project roles/
resourcemanager.organizationAdmin
Organization Administrator Access to administer all resources belonging to the organization. orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
roles/
resourcemanager.organizationViewer
Organization Viewer Provides access to view an organization. resourcemanager.organizations.get
Organization roles/
resourcemanager.projectCreator
Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. resourcemanager.organizations.get
resourcemanager.projects.create
Folder roles/
resourcemanager.projectDeleter
Project Deleter Provides access to delete GCP projects. resourcemanager.projects.delete
Folder roles/
resourcemanager.projectIamAdmin
プロジェクト IAM 管理者 プロジェクトの Cloud IAM ポリシーを管理する権限を付与します。 resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
プロジェクト roles/
resourcemanager.projectMover
Project Mover Provides access to update and move projects. resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update
Project
役割 タイトル 説明 権限 最下位のリソース

Cloud Run の役割

roles/
run.admin
Cloud Run 管理者 ベータ版 すべての Cloud Run のリソースに対する完全アクセス権。 resourcemanager.projects.get
resourcemanager.projects.list
run.*
roles/
run.invoker
Cloud Run Invoker Beta Can invoke a Cloud Run service. run.routes.invoke
roles/
run.viewer
Cloud Run Viewer Beta Can view the state of all Cloud Run resources, including IAM policies. resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
役割 タイトル 説明 権限 最下位のリソース

セキュリティ センターの役割

roles/
securitycenter.admin
Security Center Admin Admin(super user) access to security center resourcemanager.organizations.get
securitycenter.*
Organization roles/
securitycenter.adminEditor
Security Center Admin Editor Admin Read-write access to security center resourcemanager.organizations.get
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
Organization roles/
securitycenter.adminViewer
Security Center Admin Viewer Admin Read access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
Organization roles/
securitycenter.assetSecurityMarksWriter
セキュリティ センターのアセット セキュリティ マーク編集者 アセット セキュリティ マークに対する書き込みアクセス権 securitycenter.assetsecuritymarks.*
組織 roles/
securitycenter.assetsDiscoveryRunner
Security Center Assets Discovery Runner Run asset discovery access to assets securitycenter.assets.runDiscovery
Organization roles/
securitycenter.assetsViewer
Security Center Assets Viewer Read access to assets resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
Organization roles/
securitycenter.editor
セキュリティ センター編集者 アセット、構成、通知ストリーム、マークに対する読み取り / 書き込み権限と、スキャンに対する読み取り専用権限 resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.assets.triggerDiscovery
securitycenter.assets.update
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.configs.update
securitycenter.scans.*
組織 roles/
securitycenter.findingSecurityMarksWriter
Security Center Finding Security Marks Writer Write access to finding security marks securitycenter.findingsecuritymarks.*
Organization roles/
securitycenter.findingsEditor
Security Center Findings Editor Read-write access to findings resourcemanager.organizations.get
securitycenter.findings.*
securitycenter.sources.get
securitycenter.sources.list
Organization roles/
securitycenter.findingsStateSetter
Security Center Findings State Setter Set state access to findings securitycenter.findings.setState
Organization roles/
securitycenter.findingsViewer
Security Center Findings Viewer Read access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
Organization roles/
securitycenter.sourcesAdmin
Security Center Sources Admin Admin access to sources resourcemanager.organizations.get
securitycenter.sources.*
Organization roles/
securitycenter.sourcesEditor
セキュリティ センターのソース編集者 ソースに対する読み取り / 書き込みアクセス権 resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
組織 roles/
securitycenter.sourcesViewer
セキュリティ センターのソース閲覧者 ソースに対する読み取りアクセス権 resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
組織 roles/
securitycenter.viewer
Security Center Viewer Read access to assets, configs, notification streams, scans, and marks resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.scans.*
Organization
役割 タイトル 説明 権限 最下位のリソース

Service Consumer Management の役割

roles/
serviceconsumermanagement.tenancyUnitsAdmin
Admin of Tenancy Units Beta Administrate tenancy units serviceconsumermanagement.tenancyu.*
roles/
serviceconsumermanagement.tenancyUnitsViewer
テナンシー ユニットの閲覧者 ベータ版 テナンシー ユニットを閲覧します。 serviceconsumermanagement.tenancyu.list
役割 タイトル 説明 権限 最下位のリソース

Service Management の役割

roles/
servicemanagement.admin
Service Management 管理者 Google Service Management リソースのすべてを管理できる権限。 monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.services.*
serviceusage.quotas.get
serviceusage.services.get
roles/
servicemanagement.configEditor
Service Config 編集者 サービス構成を更新してロールアウトを作成するためのアクセス権。 servicemanagement.services.get
servicemanagement.services.update
roles/
servicemanagement.quotaAdmin
割り当て管理者 ベータ版 サービス割り当てを管理するためのアクセス権を付与します。 monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.consumerSettings.*
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
プロジェクト roles/
servicemanagement.quotaViewer
Quota Viewer Beta Provides access to view service quotas. monitoring.timeSeries.list
servicemanagement.consumerSettings.get
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
servicemanagement.serviceConsumer
サービス ユーザー サービスを有効にできます。 servicemanagement.services.bind
roles/
servicemanagement.serviceController
Service Controller Runtime control of checking and reporting usage of a service. servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Project
役割 タイトル 説明 権限 最下位のリソース

サービス ネットワーキングの役割

roles/
servicenetworking.networksAdmin
Service Networking Admin Beta Full control of service networking with projects. servicenetworking.*
役割 タイトル 説明 権限 最下位のリソース

Service Usage の役割

roles/
serviceusage.apiKeysAdmin
API キー管理者 ベータ版 プロジェクトの API キーを作成、削除、更新、取得、一覧表示する権限。 serviceusage.apiKeys.*
serviceusage.operations.get
roles/
serviceusage.apiKeysViewer
API Keys Viewer Beta Ability to get and list API keys for a project. serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
roles/
serviceusage.serviceUsageAdmin
Service Usage Admin Beta Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. monitoring.timeSeries.list
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*
roles/
serviceusage.serviceUsageConsumer
Service Usage Consumer Beta Ability to inspect service states and operations, and consume quota and billing for a consumer project. monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
roles/
serviceusage.serviceUsageViewer
Service Usage 閲覧者 ベータ版 ユーザー プロジェクトのサービス状態とオペレーションを検査できます。 monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
役割 タイトル 説明 権限 最下位のリソース

ソースの役割

roles/
source.admin
Source Repository Administrator Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. source.*
Project roles/
source.reader
Source Repository Reader Provides permissions to list, clone, fetch, and browse repositories. source.repos.get
source.repos.list
Project roles/
source.writer
Source Repository Writer Provides permissions to list, clone, fetch, browse, and update repositories. source.repos.get
source.repos.list
source.repos.update
Project
役割 タイトル 説明 権限 最下位のリソース

Cloud Spanner の役割

roles/
spanner.admin
Cloud Spanner Admin Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Project roles/
spanner.databaseAdmin
Cloud Spanner Database Admin Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databases.*
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.*
Project roles/
spanner.databaseReader
Cloud Spanner Database Reader Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema. spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.sessions.*
Database roles/
spanner.databaseUser
Cloud Spanner Database User Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema. spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.sessions.*
Database roles/
spanner.viewer
Cloud Spanner Viewer Permission to view all Cloud Spanner instances and databases, but not modify or read from them. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
Project
役割 タイトル 説明 権限 最下位のリソース

Stackdriver の役割

roles/
stackdriver.accounts.editor
Stackdriver Accounts Editor Read/write access to manage Stackdriver account structure. resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.projects.*
roles/
stackdriver.accounts.viewer
Stackdriver Accounts Viewer Read-only access to get and list information about Stackdriver account structure. resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
roles/
stackdriver.resourceMaintenanceWindow.editor
Stackdriver リソース メンテナンス時間枠の編集者 Stackdriver リソースのメンテナンス時間枠を管理するための読み取り / 書き込み権限。
roles/
stackdriver.resourceMaintenanceWindow.viewer
Stackdriver Resource Maintenance Window Viewer Read-only access to information about Stackdriver resource maintenance windows.
roles/
stackdriver.resourceMetadata.writer
Stackdriver リソース メタデータ書き込み ベータ版 リソース メタデータへの書き込み専用アクセス権。Stackdriver メタデータ エージェントやメタデータを送信するその他のシステムが必要とする権限を厳密に付与します。 stackdriver.resourceMetadata.*
役割 タイトル 説明 権限 最下位のリソース

ストレージの役割

roles/
storage.admin
Storage Admin Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.objects.*
Bucket roles/
storage.objectAdmin
ストレージ オブジェクト管理者 オブジェクトの一覧表示、作成、表示、削除など、オブジェクトのすべてを管理できる権限を付与します。 resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.*
バケット roles/
storage.objectCreator
Storage Object Creator Allows users to create objects. Does not give permission to view, delete, or overwrite objects. resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
Bucket roles/
storage.objectViewer
ストレージ オブジェクト閲覧者 オブジェクトとそのメタデータ(ACL を除く)を閲覧するためのアクセス権を付与します。バケット内のオブジェクトを一覧表示することもできます。 resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
バケット roles/
storagetransfer.admin
Storage Transfer 管理者 転送のジョブとオペレーションの作成、更新、管理を行います。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
roles/
storagetransfer.user
Storage Transfer ユーザー ストレージ転送のジョブとオペレーションを作成および更新します。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.*
roles/
storagetransfer.viewer
Storage Transfer 閲覧者 ストレージ転送のジョブとオペレーションへの読み取りアクセス。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.*
役割 タイトル 説明 権限 最下位のリソース

ストレージのレガシーの役割

roles/
storage.legacyBucketOwner
Storage Legacy Bucket Owner Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.list
Bucket roles/
storage.legacyBucketReader
Storage Legacy Bucket Reader Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.objects.list
Bucket roles/
storage.legacyBucketWriter
ストレージのレガシー バケット書き込み オブジェクトを作成、上書き、削除するためのアクセス権、バケット内のオブジェクトを一覧表示し、一覧表示するときに、オブジェクトのメタデータ(Cloud IAM ポリシーを除く)を読み取るためのアクセス権、バケットのメタデータ(Cloud IAM ポリシーを除く)を読み取るためのアクセス権を付与します。

この役割の使用はバケットの ACL にも反映されます。詳細については、Cloud IAM と ACL の関係をご覧ください。

storage.buckets.get
storage.objects.create storage.objects.delete storage.objects.list バケット roles/
storage.legacyObjectOwner
Storage のレガシー オブジェクト オーナー オブジェクトとそのメタデータ(ACL を含む)を閲覧し、編集する権限を付与します。 storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
バケット roles/
storage.legacyObjectReader
Storage Legacy Object Reader Grants permission to view objects and their metadata, excluding ACLs. storage.objects.get
Bucket
役割 タイトル 説明 権限 最下位のリソース

サポートの役割

roles/
cloudsupport.admin
Support Account Administrator Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. cloudsupport.*
Organization roles/
cloudsupport.viewer
Support Account Viewer Read-only access to details of a support account. This does not allow viewing cases. cloudsupport.accounts.get
cloudsupport.accounts.getUserRoles
cloudsupport.accounts.list
Organization
役割 タイトル 説明 権限 最下位のリソース

クラウド脅威検出の役割

roles/
threatdetection.editor
Threat Detection Settings Editor Beta Read-write access to all Threat Detection settings threatdetection.*
roles/
threatdetection.viewer
脅威の検出設定編集者 ベータ版 すべての脅威検出設定に対する読み取りアクセス権。 threatdetection.detectorSettings.get
threatdetection.sinkSettings.get
threatdetection.sourceSettings.get
役割 タイトル 説明 権限 最下位のリソース

Cloud TPU の役割

roles/
tpu.admin
TPU Admin Full access to TPU nodes and related resources. resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
roles/
tpu.viewer
TPU Viewer Read-only access to TPU nodes and related resources. resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.tensorflowversions.*
役割 タイトル 説明 権限 最下位のリソース

カスタムの役割

事前定義済みの役割に加えて、Cloud IAM はカスタマイズされた Cloud IAM の役割を作成する機能も提供します。1 つ以上の権限を持つカスタムの Cloud IAM の役割を作成し、組織の一員であるユーザーにそのカスタムの役割を付与できます。詳細については、カスタムの役割についてカスタムの役割の作成と管理をご覧ください。

プロダクト固有の Cloud IAM ドキュメント

プロダクト固有の Cloud IAM ドキュメントは、各プロダクトが提供する事前定義済みの役割の詳細について説明しています。事前定義済みの役割の詳細については、以下のページをご覧ください。

ドキュメント 説明
App Engine 用 Cloud IAM App Engine 用 Cloud IAM の役割について説明します
BigQuery 用 Cloud IAM BigQuery 用 Cloud IAM の役割について説明します
Cloud Bigtable 用 Cloud IAM Cloud Bigtable 用 Cloud IAM の役割について説明します
Cloud Billing API 用 Cloud IAM Cloud Billing API 用 Cloud IAM の役割と権限について説明します
Cloud Dataflow 用 Cloud IAM Cloud Dataflow 用 Cloud IAM の役割と権限について説明します
Cloud Dataproc 用 Cloud IAM Cloud Dataproc 用 Cloud IAM の役割と権限について説明します
Cloud Datastore 用 Cloud IAM Cloud Datastore 用 Cloud IAM の役割と権限について説明します
Cloud DNS 用 Cloud IAM Cloud DNS 用 Cloud IAM の役割と権限について説明します
Cloud KMS 用 Cloud IAM Cloud KMS 用 Cloud IAM の役割と権限について説明します
Cloud ML Engine 用 Cloud IAM Cloud ML Engine 用 Cloud IAM の役割と権限について説明します
Cloud Pub/Sub 用 Cloud IAM Cloud Pub/Sub 用 Cloud IAM の役割について説明します
Cloud Spanner 用 Cloud IAM Cloud Spanner 用 Cloud IAM の役割と権限について説明します
Cloud SQL 用 Cloud IAM Cloud SQL 用 Cloud IAM の役割について説明します
Cloud Storage 用 Cloud IAM Cloud Storage 用 Cloud IAM の役割と権限について説明します
Compute Engine 用 Cloud IAM Compute Engine 用 Cloud IAM の役割について説明します
GKE 用 Cloud IAM GKE 用 Cloud IAM の役割と権限について説明します
Cloud Deployment Manager 用 Cloud IAM Cloud Deployment Manager 用 Cloud IAM の役割と権限について説明します。
組織用 Cloud IAM 組織用 Cloud IAM の役割について説明します。
フォルダ用 Cloud IAM フォルダ用 Cloud IAM の役割について説明します。
プロジェクト用 Cloud IAM プロジェクト用 Cloud IAM の役割について説明します。
サービス管理用 Cloud IAM サービス管理用 Cloud IAM の役割と権限について説明します
Stackdriver Debugger 用 Cloud IAM Debugger 用 Cloud IAM の役割について説明します
Stackdriver Logging 用 Cloud IAM Logging 用 Cloud IAM の役割について説明します
Stackdriver Monitoring 用 Cloud IAM Monitoring 用 Cloud IAM の役割と権限について説明します
Stackdriver Trace 用 Cloud IAM Trace 用 Cloud IAM の役割と権限について説明します

次のステップ

このページは役立ちましたか?評価をお願いいたします。

フィードバックを送信...

Cloud Identity and Access Management のドキュメント