Comprendre les rôles

Un rôle contient un ensemble d'autorisations qui vous permet d'effectuer des actions spécifiques sur les ressources Google Cloud. Pour accorder des autorisations aux membres, y compris aux utilisateurs, aux groupes et aux comptes de service, vous leur attribuez des rôles.

Cette page décrit les rôles IAM que vous pouvez attribuer.

Condition préalable à l'utilisation de ce guide

Comprendre les concepts fondamentaux de Cloud IAM

Types de rôles

Il existe trois types de rôles dans IAM :

Les rôles de base qui comprennent les rôles "Propriétaire", "Éditeur" et "Lecteur" qui existaient avant la mise en place d'IAM.
Les rôles prédéfinis qui fournissent un accès précis à un service spécifique et sont gérés par Google Cloud.
Les rôles personnalisés qui fournissent un accès précis en fonction d'une liste d'autorisations spécifiée par l'utilisateur.

Pour déterminer si une autorisation est incluse dans un rôle de base, prédéfini ou personnalisé, vous pouvez employer l'une des méthodes suivantes :

Exécutez la commande gcloud iam roles describe pour répertorier les autorisations du rôle.
Appelez la méthode API REST roles.get() pour répertorier les autorisations du rôle.
Pour les rôles de base et prédéfinis seulement : recherchez dans la documentation de référence sur les autorisations pour savoir si l'autorisation est accordée par le rôle.
Pour les rôles prédéfinis seulement : recherchez dans les descriptions des rôles prédéfinis sur cette page pour connaître les autorisations associées au rôle.

Les sections ci-dessous décrivent chaque type de rôle et donnent des exemples d'utilisation.

Rôles de base

Les rôles de base incluent trois rôles qui existaient avant le lancement d'IAM : "Propriétaire", "Éditeur" et "Lecteur". Ces rôles sont concentriques, c'est-à-dire que le rôle "Propriétaire" inclut les autorisations comprises dans le rôle "Éditeur", qui inclut à son tour les autorisations du rôle "Lecteur". Ils étaient initialement appelés "rôles primitifs".

Le tableau suivant récapitule les autorisations que les rôles de base incluent sur tous les services Google Cloud :

Définition des rôles de base

Nom	Titre	Autorisations
`roles/viewer`	Lecteur	Autorisations permettant de réaliser des actions en lecture seule qui n'affectent pas l'état du projet, comme consulter (mais pas modifier) des ressources ou des données existantes.
`roles/editor`	Éditeur	Toutes les autorisations accordées au rôle "Lecteur" et les autorisations permettant de réaliser des actions qui modifient l'état du projet, comme modifier des ressources existantes. Remarque : Le rôle d'éditeur contient des autorisations permettant de créer et de supprimer des ressources pour la plupart des services Google Cloud. Toutefois, il ne contient pas les autorisations permettant d'effectuer toutes les actions pour tous les services. Pour savoir comment vérifier si un rôle dispose des autorisations dont vous avez besoin, consultez la section ci-dessus.
`roles/owner`	Propriétaire	Toutes les autorisations accordées au rôle d'éditeur et les autorisations permettant de réaliser les actions suivantes : Gérer les rôles et les autorisations d'un projet et de toutes ses ressources Configurer la facturation d'un projet Remarque : Si vous attribuez le rôle de propriétaire au niveau d'une ressource, telle qu'un sujet Pub/Sub, cette opération ne l'accorde pas sur le projet parent. L'attribution du rôle de propriétaire au niveau de l'organisation ne vous permet pas d'en mettre à jour les métadonnées. Toutefois, cela vous permet de modifier les projets et autres ressources sous cette organisation. Remarque : Pour accorder le rôle Propriétaire sur un projet à un utilisateur externe à votre organisation, vous devez utiliser Google Cloud Console, et non l'outil `gcloud`. Si votre projet ne fait pas partie d'une organisation, vous devez utiliser Cloud Console pour attribuer le rôle de propriétaire.

Vous pouvez appliquer des rôles de base au niveau des ressources du projet ou du service à l'aide de Cloud Console, de l'API et de l'outil gcloud. Pour savoir comment procéder, consultez la page Attribuer, modifier et révoquer les accès.

Pour savoir comment attribuer des rôles à l'aide de Cloud Console, consultez la page Accorder, modifier et révoquer des accès.

Rôles prédéfinis

Outre les rôles de base, IAM fournit des rôles prédéfinis supplémentaires qui accordent un accès précis à des ressources Google Cloud spécifiques et empêchent tout accès indésirable à d'autres ressources. Ces rôles sont créés et gérés par Google. Google met automatiquement à jour ses autorisations si nécessaire, par exemple lorsque Google Cloud ajoute de nouvelles fonctionnalités ou de nouveaux services.

Le tableau suivant répertorie ces rôles, leur description et le type de ressource le plus bas pour lequel les rôles peuvent être définis. Un rôle particulier peut être accordé à ce type de ressource ou, dans la plupart des cas, à tout type supérieur à celui-ci dans la hiérarchie Google Cloud. Vous pouvez attribuer plusieurs rôles au même utilisateur. Par exemple, celui-ci peut disposer des rôles d'administrateur réseau et de lecteur de journaux sur un projet, ainsi que d'un rôle d'éditeur pour un sujet Pub/Sub au sein de ce projet. Pour obtenir la liste des autorisations contenues dans un rôle, consultez la section Obtenir les métadonnées du rôle.

Rôles associés aux autorisations d'accès

Rôle	Titre	Description	Autorisations
`roles/accessapproval.approver`	Approbateur des autorisations d'accès^Bêta	Permet d'afficher ou de traiter les demandes d'autorisation d'accès, et d'afficher la configuration.	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Éditeur de configuration des autorisations d'accès^Bêta	Permet de mettre à jour la configuration des autorisations d'accès.	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Lecteur des autorisations d'accès^Bêta	Dispose des droits pour afficher les demandes d'autorisation d'accès et la configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Rôles Access Context Manager

Rôle	Titre	Description	Autorisations
`roles/accesscontextmanager.gcpAccessAdmin`	Administrateur de liaisons d'accès cloud	Création et modification des liaisons d'accès cloud.	accesscontextmanager.gcpUserAccessBindings.*
`roles/accesscontextmanager.gcpAccessReader`	Lecteur de liaisons d'accès cloud	Accès en lecture aux liaisons d'accès cloud.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
`roles/accesscontextmanager.policyAdmin`	Administrateur Access Context Manager	Accès complet aux stratégies, aux niveaux d'accès et aux zones d'accès.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Éditeur Access Context Manager	Accès en modification aux stratégies. Création et modification des niveaux et des zones d'accès.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Lecteur Access Context Manager	Accès en lecture aux stratégies, aux niveaux d'accès et aux zones d'accès.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	Lecteur de l'outil de dépannage de VPC Service Controls		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Rôles associés aux actions

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/actions.Admin`	Administrateur d'actions	Accès à la modification et au déploiement d'une action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/actions.Viewer`	Lecteur d'actions	Accès permettant de consulter une action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Rôles AI Notebooks

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/notebooks.admin`	Administrateur Notebooks	Accès complet à toutes les ressources Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getiamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getiamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getiamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getiamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getiamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getiamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getiamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getiamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getiamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getiamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance
`roles/notebooks.legacyAdmin`	Ancien administrateur des notebooks	Accès intégral à toutes les ressources des notebooks via l'API Compute.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.legacyViewer`	Ancien lecteur de notebooks	Accès en lecture seule à toutes les ressources Notebooks via l'API Compute.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getiamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getiamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getiamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getiamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getiamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getiamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getiamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getiamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getiamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getiamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.runner`	Exécuteur de notebooks	Accès limité pour exécuter des notebooks programmés.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getiamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getiamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getiamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getiamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getiamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getiamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getiamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getiamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getiamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getiamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.viewer`	Lecteur de Notebooks	Accès en lecture seule à toutes les ressources Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getiamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getiamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getiamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getiamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getiamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getiamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getiamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getiamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getiamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getiamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance

Rôles AI Platform

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/ml.admin`	Administrateur AI Platform	Fournit un accès complet aux ressources AI Platform ainsi qu'à ses tâches, opérations, modèles et versions.	ml.* resourcemanager.projects.get	Projet
`roles/ml.developer`	Développeur AI Platform	Permet d'utiliser les ressources AI Platform pour créer des modèles, des versions et des tâches à des fins d'entraînement et de prédiction, et pour envoyer des requêtes de prédiction en ligne.	ml.jobs.create ml.jobs.get ml.jobs.getiamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getiamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get	Projet
`roles/ml.jobOwner`	Propriétaire de tâche AI Platform	Fournit un accès complet à toutes les autorisations pour une ressource de tâche particulière. Ce rôle est automatiquement accordé à l'utilisateur qui crée la tâche.	ml.jobs.*	Tâche
`roles/ml.modelOwner`	Propriétaire de modèle AI Platform	Fournit un accès complet au modèle et à ses versions. Ce rôle est automatiquement accordé à l'utilisateur qui crée le modèle.	ml.models.* ml.versions.*	Model
`roles/ml.modelUser`	Utilisateur de modèle AI Platform	Fournit les autorisations permettant de lire le modèle et ses versions, et de les utiliser pour la prédiction.	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict	Model
`roles/ml.operationOwner`	Propriétaire d'opération AI Platform	Fournit un accès complet à toutes les autorisations pour une ressource d'opération particulière.	ml.operations.*	Opération
`roles/ml.viewer`	Lecteur AI Platform	Accès en lecture seule aux ressources AI Platform.	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get	Projet

Rôles Android Management

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/androidmanagement.user`	Utilisateur Android Management	Accès complet à la gestion des appareils.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Rôles multicloud Anthos

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/gkemulticloud.admin`	Administrateur multicloud Anthos^Bêta	Administrateur de ressources multicloud Anthos	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gkemulticloud.viewer`	Lecteur multicloud Anthos^Bêta	Lecteur de ressources multicloud Anthos	gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.* gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.* gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Rôles API Gateway

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/apigateway.admin`	administrateur ApiGateway	Accès complet à ApiGateway et aux ressources associées.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
`roles/apigateway.viewer`	lecteur ApiGateway	Accès en lecture seule à ApiGateway et aux ressources associées.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

Rôles Apigee

Rôle	Titre	Description	Autorisations
`roles/apigee.admin`	Administrateur de l'organisation Apigee	Accès complet à toutes les fonctionnalités des ressources Apigee	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Agent d'analyses Apigee	Ensemble d'autorisations soigneusement sélectionnées afin de permettre à Apigee Universal Data Collection Agent de gérer les analyses pour une organisation Apigee	apigee.environments.getDataLocation apigee.runtimeconfigs.*
`roles/apigee.analyticsEditor`	Éditeur d'analyses Apigee	Éditeur de données analytiques pour une organisation Apigee	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Lecteur d'analyses Apigee	Lecteur de données analytiques pour une organisation Apigee	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiAdmin`	Administrateur des API Apigee	Accès complet en lecture/écriture à toutes les ressources d'API Apigee	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiReader`	Lecteur d'API Apigee	Lecteur de ressources Apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.developerAdmin`	Administrateur développeur Apigee	Administrateur développeur des ressources Apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.environmentAdmin`	Administrateur de l'environnement Apigee	Accès complet en lecture/écriture aux ressources de l'environnement Apigee, y compris aux déploiements.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.monetizationAdmin`	Administrateur de la monétisation Apigee	Toutes les autorisations associées à la monétisation	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.portalAdmin`	Administrateur du portail Apigee	Administrateur de portail d'une organisation Apigee	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Administrateur Apigee en lecture seule	Lecteur de toutes les ressources Apigee	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.* apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.runtimeAgent`	Agent d'exécution Apigee	Ensemble organisé d'autorisations permettant à un agent d'exécution d'accéder aux ressources d'organisation Apigee.	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.*
`roles/apigee.synchronizerManager`	Gestionnaire de synchronisateur Apigee	Ensemble organisé d'autorisations permettant à un synchronisateur de gérer des environnements dans une organisation Apigee	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
`roles/apigeeconnect.Admin`	Administrateur Apigee Connect	Administrateur d'Apigee Connect	apigeeconnect.connections.*
`roles/apigeeconnect.Agent`	Agent Apigee Connect	Permet de configurer un agent Apigee Connect entre les clusters externes et Google.	apigeeconnect.endpoints.*

Rôles App Engine

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/appengine.appAdmin`	Administrateur App Engine	Accès en lecture/écriture/modification à l'ensemble de la configuration et des paramètres de l'application. Pour déployer de nouvelles versions, un membre doit disposer du rôle Utilisateur du compte de service (`roles/iam.serviceAccountUser`) sur le compte de service par défaut App Engine, ainsi que des rôles Éditeur Cloud Build (`roles/cloudbuild.builds.editor`) et Administrateur des objets Cloud Storage (`roles/storage.objectAdmin`) sur le projet.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/appengine.appCreator`	Créateur App Engine	Permet de créer une ressource App Engine pour le projet.	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/appengine.appViewer`	Lecteur App Engine	Accès en lecture seule à l'ensemble de la configuration et des paramètres de l'application.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/appengine.codeViewer`	Lecteur de codes App Engine	Accès en lecture seule à l'ensemble de la configuration, des paramètres et du code source déployé de l'application.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/appengine.deployer`	Utilisateur à l'origine du déploiement App Engine	Accès en lecture seule à l'ensemble de la configuration et des paramètres de l'application. Pour déployer de nouvelles versions, vous devez également disposer du rôle Utilisateur du compte de service (`roles/iam.serviceAccountUser`) sur le compte de service par défaut App Engine, ainsi que des rôles Éditeur Cloud Build (`roles/cloudbuild.builds.editor`) et Administrateur des objets Cloud Storage (`roles/storage.objectAdmin`) sur le projet. Ce rôle ne permet pas de modifier des versions existantes, sauf pour supprimer des versions ne recevant pas de trafic.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/appengine.serviceAdmin`	Administrateur de services App Engine	Accès en lecture seule à l'ensemble de la configuration et des paramètres de l'application. Accès en écriture aux paramètres au niveau du module et de la version. Ce rôle ne permet pas de déployer une nouvelle version.	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Projet

Rôles Artifact Registry

Role	Title	Description	Permissions
`roles/artifactregistry.admin`	Artifact Registry Administrator	Administrator access to create and manage repositories.	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader	Access to read repository items.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator	Access to manage artifacts in repositories.	artifactregistry.aptartifacts.* artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.*
`roles/artifactregistry.writer`	Artifact Registry Writer	Access to read and write repository items.	artifactregistry.aptartifacts.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.*

Rôles Assured Workloads

Role	Title	Description	Permissions
`roles/assuredworkloads.admin`	Assured Workloads Administrator	Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.editor`	Assured Workloads Editor	Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.reader`	Assured Workloads Reader	Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Rôles AutoML

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/automl.admin`	Administrateur AutoML ^Bêta	Accès complet à toutes les ressources AutoML	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Ensemble de données/modèle
`roles/automl.editor`	Éditeur AutoML ^Bêta	Éditeur de toutes les ressources AutoML	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Ensemble de données/modèle
`roles/automl.predictor`	Prédicteur AutoML ^Bêta	Prédiction à l'aide de modèles	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	Model
`roles/automl.viewer`	Lecteur AutoML ^Bêta	Accès en lecture à toutes les ressources AutoML	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Ensemble de données/modèle

Rôles BigQuery

Role	Title	Description	Permissions	Lowest resource
`roles/bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery Data Editor	When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.dataOwner`	BigQuery Data Owner	When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.dataViewer`	BigQuery Data Viewer	When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.filteredDataViewer`	BigQuery Filtered Data Viewer	Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
`roles/bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.readSessionUser`	BigQuery Read Session User	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin	Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceEditor`	BigQuery Resource Editor	Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceViewer`	BigQuery Resource Viewer	View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery User	When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Dataset

Rôles de facturation

Role	Title	Description	Permissions	Lowest resource
`roles/billing.admin`	Billing Account Administrator	Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Billing Account
`roles/billing.costsManager`	Billing Account Costs Manager	Can view and export cost information of billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list
`roles/billing.creator`	Billing Account Creator	Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get	Organization
`roles/billing.projectManager`	Project Billing Manager	Provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Project
`roles/billing.user`	Billing Account User	Provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	Billing Account
`roles/billing.viewer`	Billing Account Viewer	View billing account cost information and transactions.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list	Billing Account

Rôles d'autorisation binaire

Role	Title	Description	Permissions
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin	Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor	Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier	Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer	Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator	Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor	Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer	Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Rôles du service CA

Rôle	Titre	Description	Autorisations
`roles/privateca.admin`	Administrateur du service CA	Accès complet à toutes les ressources du service CA.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
`roles/privateca.auditor`	Auditeur du service CA	Accès en lecture seule à toutes les ressources du service CA.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
`roles/privateca.caManager`	Responsable des opérations du service CA	Permet de créer et gérer des autorités de certification, de révoquer des certificats et de créer des modèles de certificat. Accorde un accès en lecture seule aux ressources du service CA.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
`roles/privateca.certificateManager`	Gestionnaire de certificats du service CA	Permet de créer des certificats et de disposer d'un accès en lecture seule aux ressources du service CA.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
`roles/privateca.certificateRequester`	Demandeur de certificat du service CA	Permet de demander des certificats au service CA.	privateca.certificates.create
`roles/privateca.templateUser`	Utilisateur du modèle de certificat du service CA	Permet de lire, de répertorier et d'utiliser des modèles de certificat.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
`roles/privateca.workloadCertificateRequester`	Demandeur de certificat de charge de travail du service CA	Demander des certificats au service CA avec l'identité de l'appelant	privateca.certificates.createForSelf

Rôles Cloud Asset

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/cloudasset.owner`	Propriétaire d'éléments Cloud	Accès complet aux métadonnées des éléments Cloud	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
`roles/cloudasset.viewer`	Lecteur d'éléments Cloud	Accès en lecture seule aux métadonnées des éléments cloud.	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Rôles Cloud Bigtable

Role	Title	Description	Permissions	Lowest resource
`roles/bigtable.admin`	Bigtable Administrator	Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Table
`roles/bigtable.reader`	Bigtable Reader	Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Table
`roles/bigtable.user`	Bigtable User	Provides read-write access to the data stored within tables. Intended for application developers or service accounts.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Table
`roles/bigtable.viewer`	Bigtable Viewer	Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Table

Rôles Cloud Build

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/cloudbuild.builds.approver`	Validateur Cloud Build	Peut approuver ou rejeter les builds en attente.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.builds.builder`	Compte de service Cloud Build	Permet d'effectuer des compilations.	artifactregistry.aptartifacts.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Éditeur Cloud Build	Permet de créer et d'annuler des compilations.	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/cloudbuild.builds.viewer`	Lecteur Cloud Build	Permet d'afficher des compilations.	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Projet
`roles/cloudbuild.integrationsEditor`	Éditeur d'intégrations Cloud Build	Peut mettre à jour les intégrations	resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.integrationsOwner`	Propriétaire d'intégrations Cloud Build	Peut créer/supprimer des intégrations	compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.integrationsViewer`	Lecteur d'intégrations Cloud Build	Peut afficher les intégrations	resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.workerPoolEditor`	Éditeur de pools de nœuds de calcul Cloud Build	Peut mettre à jour et afficher les pools de nœuds de calcul	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.workerPoolOwner`	Propriétaire de pools de nœuds de calcul Cloud Build	Peut créer, supprimer, mettre à jour et afficher les pools de nœuds de calcul	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudbuild.workerPoolUser`	Utilisateur de pools de nœuds de calcul Cloud Build	Peut exécuter des builds dans le pool de nœuds de calcul	cloudbuild.workerpools.use
`roles/cloudbuild.workerPoolViewer`	Lecteur du pool de nœuds de calcul Cloud Build	Peut afficher des pools de nœuds de calcul	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud Composer

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/composer.ServiceAgentV2Ext`	Extension de l'agent de service de l'API Cloud Composer v2	L'extension de l'agent de service de l'API Cloud Composer v2 est un rôle complémentaire nécessaire pour gérer les environnements Composer v2.	iam.serviceAccounts.getiamPolicy iam.serviceAccounts.setIamPolicy
`roles/composer.admin`	Administrateur Composer	Permet un contrôle total des ressources Cloud Composer.	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Projet
`roles/composer.environmentAndStorageObjectAdmin`	Administrateur de l'environnement et des objets Storage	Permet un contrôle total des ressources Cloud Composer ainsi que des objets de tous les buckets du projet.	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	Projet
`roles/composer.environmentAndStorageObjectViewer`	Utilisateur de l'environnement et lecteur des objets Storage	Fournit les autorisations nécessaires pour répertorier et obtenir les environnements et les opérations Cloud Composer. Offre un accès en lecture seule aux objets de tous les buckets du projet.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	Projet
`roles/composer.sharedVpcAgent`	Agent Composer dans le VPC partagé	Rôle qui doit être attribué au compte de service de l'agent Composer dans le projet hôte VPC partagé	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
`roles/composer.user`	Utilisateur de Composer	Fournit les autorisations nécessaires pour répertorier et obtenir les environnements et les opérations Cloud Composer.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Projet
`roles/composer.worker`	Nœud de calcul Composer	Fournit les autorisations nécessaires pour exécuter une VM avec environnement Cloud Composer. Destiné aux comptes de service.	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	Projet

Rôles Cloud Data Fusion

Role	Title	Description	Permissions	Lowest resource
`roles/datafusion.admin`	Cloud Data Fusion Admin ^Beta	Full access to Cloud Data Fusion Instances, Namespaces and related resources.	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datafusion.runner`	Cloud Data Fusion Runner ^Beta	Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^Beta	Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project

Rôles Cloud Data Labeling

Rôle	Titre	Description	Autorisations
`roles/datalabeling.admin`	Administrateur du service Data Labeling^Bêta	Accès complet à toutes les ressources DataLabeling	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	Éditeur du service Data Labeling^Bêta	Éditeur de toutes les ressources DataLabeling	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	Lecteur du service Data Labeling^Bêta	Lecteur de toutes les ressources DataLabeling	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud Debugger

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/clouddebugger.agent`	Agent Cloud Debugger ^Bêta	Fournit les autorisations nécessaires pour enregistrer la cible de débogage, lire les points d'arrêt actifs et consigner les résultats des points d'arrêt.	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	Compte de service
`roles/clouddebugger.user`	Utilisateur Cloud Debugger ^Bêta	Fournit les autorisations nécessaires pour créer, afficher, répertorier et supprimer des points d'arrêt (instantanés et points de journalisation), ainsi que pour répertorier les cibles de débogage (éléments à déboguer).	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	Projet

Rôles Cloud Deploy

Rôle	Titre	Description	Autorisations
`roles/clouddeploy.admin`	Administrateur Cloud Deploy ^Bêta	Contrôle complet des ressources Cloud Deploy.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/clouddeploy.approver`	Approbateur Cloud Deploy ^Bêta	Permet d'approuver ou de refuser des déploiements.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/clouddeploy.developer`	Développeur Cloud Deploy ^Bêta	Permet de gérer la configuration du déploiement, mais pas d'accéder aux ressources opérationnelles telles que les cibles.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/clouddeploy.jobRunner`	Exécuteur Cloud Deploy ^Bêta	Autorisation d'exécuter des tâches Cloud Deploy sans l'autorisation de distribuer à une cible.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
`roles/clouddeploy.operator`	Opérateur Cloud Deploy ^Bêta	Permet de gérer la configuration du déploiement.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
`roles/clouddeploy.releaser`	Lanceur Cloud Deploy ^Bêta	Permet de créer des versions et des déploiements Cloud Deploy.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
`roles/clouddeploy.viewer`	Lecteur Cloud Deploy ^Bêta	Peut consulter les ressources Cloud Deploy.	clouddeploy.config.* clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud DLP

Role	Title	Description	Permissions
`roles/dlp.admin`	DLP Administrator	Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.columnDataProfilesReader`	DLP Column Data Profiles Reader	Read DLP column profiles.	dlp.columnDataProfiles.*
`roles/dlp.dataProfilesReader`	DLP Data Profiles Reader	Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
`roles/dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.estimatesAdmin`	DLP Cost Estimation	Manage DLP Cost Estimates.	dlp.estimates.*
`roles/dlp.inspectFindingsReader`	DLP Inspect Findings Reader	Read DLP stored findings.	dlp.inspectFindings.*
`roles/dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	Edit DLP inspect templates.	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP Job Triggers Editor	Edit job triggers configurations.	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP Job Triggers Reader	Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP Jobs Editor	Edit and create jobs	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP Jobs Reader	Read jobs	dlp.jobs.get dlp.jobs.list
`roles/dlp.orgdriver`	DLP Organization Data Profiles Driver	Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/dlp.projectDataProfilesReader`	DLP Project Data Profiles Reader	Read DLP project profiles.	dlp.projectDataProfiles.*
`roles/dlp.projectdriver`	DLP Project Data Profiles Driver	Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/dlp.reader`	DLP Reader	Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	Edit DLP stored info types.	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.tableDataProfilesReader`	DLP Table Data Profiles Reader	Read DLP table profiles.	dlp.tableDataProfiles.*
`roles/dlp.user`	DLP User	Inspect, Redact, and De-identify Content	dlp.kms.* serviceusage.services.use

Rôles Cloud DocumentAI

Role	Title	Description	Permissions
`roles/documentai.admin`	Cloud DocumentAI Administrator. ^Beta	Grants full access to all resources in Cloud DocumentAI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
`roles/documentai.apiUser`	Cloud DocumentAI API User ^Beta	Grants access to process documents in Cloud DocumentAI	documentai.humanReviewConfigs.review documentai.operations.* documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.processBatch documentai.processors.processOnline
`roles/documentai.editor`	Cloud DocumentAI Editor ^Beta	Grants access to use all resources in Cloud DocumentAI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
`roles/documentai.viewer`	Cloud DocumentAI Viewer ^Beta	Grants access to view all resources and process documents in Cloud DocumentAI	documentai.evaluations.get documentai.evaluations.list documentai.humanReviewConfigs.get documentai.humanReviewConfigs.review documentai.labelerPools.get documentai.labelerPools.list documentai.locations.* documentai.operations.* documentai.processorTypes.* documentai.processorVersions.get documentai.processorVersions.list documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.fetchHumanReviewDetails documentai.processors.get documentai.processors.list documentai.processors.processBatch documentai.processors.processOnline resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud Domains

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/domains.admin`	Administrateur Cloud Domains^Bêta	Accès complet à Cloud Domains Registrations et aux ressources associées.	domains.* resourcemanager.projects.get resourcemanager.projects.list
`roles/domains.viewer`	Lecteur Cloud Domains^Bêta	Accès en lecture seule à Cloud Domains Registrations et aux ressources associées.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud Filestore

Role	Title	Description	Permissions	Lowest resource
`roles/file.editor`	Cloud Filestore Editor ^Beta	Read-write access to Filestore instances and related resources.	file.*
`roles/file.viewer`	Cloud Filestore Viewer ^Beta	Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list

Rôles Cloud Functions

Rôle	Titre	Description	Autorisations
`roles/cloudfunctions.admin`	Administrateur Cloud Functions	Accès complet aux fonctions, aux opérations et aux emplacements.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Développeur Cloud Functions	Accès en lecture et en écriture à toutes les ressources liées aux fonctions.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Demandeur Cloud Functions	Peut appeler des fonctions HTTP avec un accès limité.	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Lecteur Cloud Functions	Accès en lecture seule aux fonctions et aux emplacements.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Rôles Cloud Game Services

Role	Title	Description	Permissions	Lowest resource
`roles/gameservices.admin`	Game Services API Admin	Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gameservices.viewer`	Game Services API Viewer	Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud Healthcare

Role	Title	Description	Permissions
`roles/healthcare.annotationEditor`	Healthcare Annotation Editor	Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationReader`	Healthcare Annotation Reader	Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator	Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer	List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.attributeDefinitionEditor`	Healthcare Attribute Definition Editor	Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.attributeDefinitionReader`	Healthcare Attribute Definition Reader	Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactAdmin`	Healthcare Consent Artifact Administrator	Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactEditor`	Healthcare Consent Artifact Editor	Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactReader`	Healthcare Consent Artifact Reader	Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentEditor`	Healthcare Consent Editor	Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentReader`	Healthcare Consent Reader	Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentStoreAdmin`	Healthcare Consent Store Administrator	Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentStoreViewer`	Healthcare Consent Store Viewer	List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetAdmin`	Healthcare Dataset Administrator	Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetViewer`	Healthcare Dataset Viewer	List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomEditor`	Healthcare DICOM Editor	Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreAdmin`	Healthcare DICOM Store Administrator	Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer	List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomViewer`	Healthcare DICOM Viewer	Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor	Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader	Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreAdmin`	Healthcare FHIR Store Administrator	Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.configureSearch healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer	List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer	List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor	Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest	Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator	Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer	View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.nlpServiceViewer`	Healthcare NLP Service Viewer ^Beta	Extract and analyze medical entities from a given text.	healthcare.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.userDataMappingEditor`	Healthcare User Data Mapping Editor	Edit UserDataMapping objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.userDataMappingReader`	Healthcare User Data Mapping Reader	Read UserDataMapping objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.get healthcare.userDataMappings.list resourcemanager.projects.get resourcemanager.projects.list

Rôles Cloud IAP

Role	Title	Description	Permissions	Lowest resource
`roles/iap.admin`	IAP Policy Admin	Provides full access to Identity-Aware Proxy resources.	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	Project
`roles/iap.httpsResourceAccessor`	IAP-secured Web App User	Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP
`roles/iap.settingsAdmin`	IAP Settings Admin	Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	IAP-secured Tunnel User	Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP

Rôles Cloud IoT

Role	Title	Description	Permissions	Lowest resource
`roles/cloudiot.admin`	Cloud IoT Admin	Full control of all Cloud IoT resources and permissions.	cloudiot.* cloudiottoken.*	Device
`roles/cloudiot.deviceController`	Cloud IoT Device Controller	Access to update the device configuration, but not to create or delete devices.	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.editor`	Cloud IoT Editor	Read-write access to all Cloud IoT resources.	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	Device
`roles/cloudiot.provisioner`	Cloud IoT Provisioner	Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.viewer`	Cloud IoT Viewer	Read-only access to all Cloud IoT resources.	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device

Rôles Cloud KMS

Rôle	Titre	Description	Autorisations	Ressource la plus basse
`roles/cloudkms.admin`	Administrateur Cloud KMS	Fournit un accès complet aux ressources Cloud KMS, à l'exception des opérations de chiffrement et de déchiffrement.	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get	Clé de chiffrement
`roles/cloudkms.cryptoKeyDecrypter`	Déchiffreur de clé de chiffrement Cloud KMS	Permet d'utiliser les ressources Cloud KMS pour les opérations de déchiffrement seulement.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get	Clé de chiffrement
`roles/cloudkms.cryptoKeyEncrypter`	Chiffreur de clé de chiffrement Cloud KMS	Permet d'utiliser les ressources Cloud KMS pour les opérations de chiffrement seulement.	cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get	Clé de chiffrement
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Chiffreur/Déchiffreur de clés cryptographiques Cloud KMS	Permet d'utiliser les ressources Cloud KMS pour les opérations de chiffrement et de déchiffrement seulement.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoOperator`	Opérateur du chiffrement Cloud KMS	Permet d'effectuer toutes les opérations de chiffrement.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.* resourcemanager.projects.get
`roles/cloudkms.importer`	Importateur Cloud KMS	Permet d'effectuer les opérations "ImportCryptoKeyVersion", "CreateImportJob", "ListImportJobs" et "GetImportJob"	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Lecteur de clés publiques de CryptoKeys Cloud KMS	Active les opérations GetPublicKey	cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
`roles/cloudkms.signer`	Signataire de CryptoKeys Cloud KMS	Permet d'effectuer des opérations Sign	cloudkms.cryptoKeyVersions.useToSign cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Signataire/Validateur de CryptoKeys Cloud KMS	Permet d'effectuer des opérations Sign, Verify et GetPublicKey	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
`roles/cloudkms.verifier`	Validateur de CryptoKey Cloud KMS	Permet d'effectuer des opérations Verify et GetPublicKey	cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get

Rôles Cloud Life Sciences

Rôle	Titre	Description	Autorisations
`roles/lifesciences.admin`	Administrateur Cloud Life Sciences ^Bêta	Contrôle complet des ressources Cloud Life Sciences	lifesciences.*
`roles/lifesciences.editor`	Éditeur Cloud Life Sciences ^Bêta	Autorisation de consulter et de modifier des ressources Cloud Life Sciences.	lifesciences.*
`roles/lifesciences.viewer`	Lecteur Cloud Life Sciences ^Bêta	Accès en lecture aux ressources Cloud Life Sciences.	lifesciences.operations.get lifesciences.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/lifesciences.workflowsRunner`	Exécuteur de workflows Cloud Life Sciences ^Bêta	Accès complet pour opérer sur les workflows Cloud Life Sciences.	lifesciences.*

Rôles Cloud Managed Identities

Role	Title	Description	Permissions	Lowest resource