This page describes IAM roles and lists
the predefined roles that you can grant to principals.
A role contains a set of permissions that allows you to perform specific actions on
Google Cloud resources.
To make permissions available to principals, including
users, groups, and service accounts, you grant roles to the principals.
Call the roles.get() REST API method
to list the permissions in the role.
For basic and predefined roles only: search the permissions
reference to see whether the permission is granted by the role.
For predefined roles only: search the predefined role descriptions
on this page to see which permissions
the role includes.
The sections below describe each role type and provide examples of how to use them.
Basic roles
There are several basic roles that existed prior to the introduction of
IAM: Owner, Editor, and Viewer. These roles are concentric;
that is, the Owner role includes the permissions in the Editor role, and the Editor role
includes the permissions in the Viewer role. These roles were
formerly known as "primitive roles".
The following table summarizes the permissions that the basic roles have
across all Google Cloud services:
Basic role definitions
Name
Title
Permissions
roles/viewer
Viewer
Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
roles/editor
Editor
All Viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Note:
The Editor role contains permissions to create and delete resources
for most Google Cloud services. However, it does not contain
permissions to perform all actions for all services. For more information about how to check whether a role has the permissions you need, see Role types on this page.
roles/owner
Owner
All Editor permissions, plus permissions for the following actions:
Manage roles and permissions for a project and all resources within the project.
Set up billing for a project.
Note:
Granting the Owner role at a resource level, such as a
Pub/Sub topic, does not grant the Owner role on the
parent project.
Granting the Owner role at the organization level does not allow you to
update the organization's metadata. However, it does allow you to modify projects and other resources under that organization.
To grant the Owner role on a project to a user outside of the
organization, you must use the Google Cloud Console, not the
gcloud CLI. If the project is not part of an organization,
you must use the Console to grant the Owner role.
In addition to the basic roles, IAM provides additional
predefined roles that give granular access to specific Google
Cloud resources and prevent unwanted access to other resources. These roles are
created and maintained by Google. Google automatically updates their permissions
as necessary, such as when Google Cloud adds new features or services.
The following table lists these roles, their descriptions, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type or, in most cases, to any type above it in the Google Cloud resource hierarchy.
You can grant multiple roles to the same user, at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.
For help choosing the most appropriate predefined roles, see
Choose predefined roles.
Access Approval roles
Role
Permissions
Access Approval Approver Beta
(roles/accessapproval.approver)
Ability to view or act on access approval requests and view configuration
accessapproval.requests.*
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Config Editor Beta
(roles/accessapproval.configEditor)
Ability to update the Access Approval configuration
accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Invalidator Beta
(roles/accessapproval.invalidator)
Ability to invalidate existing approved approval requests
accessapproval.requests.invalidate
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Viewer Beta
(roles/accessapproval.viewer)
Ability to view access approval requests and configuration
accessapproval.requests.get
accessapproval.requests.list
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager roles
Role
Permissions
Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)
Create, edit, and change Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)
Read access to Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)
Full access to policies, access levels, and access zones
accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.*
accesscontextmanager.accessZones.*
accesscontextmanager.policies.*
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)
Edit access to policies. Create, edit, and change access levels and access zones.
accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Reader
(roles/accesscontextmanager.policyReader)
Read access to policies, access levels, and access zones.
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.get
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Actions roles
Role
Permissions
Actions Admin
(roles/actions.Admin)
Access to edit and deploy an action
actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Actions Viewer
(roles/actions.Viewer)
Access to view an action
actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
AI Notebooks roles
Role
Permissions
Notebooks Admin
(roles/notebooks.admin)
Full access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
Read-only access to Notebooks all resources through compute API.
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Runner
(roles/notebooks.runner)
Restricted access for running scheduled Notebooks.
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.create
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.create
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Viewer
(roles/notebooks.viewer)
Read-only access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
Instance
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.validate
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.instances.checkUpgradability
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
AI Platform roles
Role
Permissions
AI Platform Admin
(roles/ml.admin)
Provides full access to AI Platform resources, jobs, operations, models, and versions.
Lowest-level resources where you can grant this role:
Project
ml.*
resourcemanager.projects.get
AI Platform Developer
(roles/ml.developer)
Provides the ability to use AI Platform resources to create models, versions, and jobs for training and prediction, and to send online prediction requests.
Lowest-level resources where you can grant this role:
Project
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
AI Platform Job Owner
(roles/ml.jobOwner)
Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
Job
ml.jobs.*
AI Platform Model Owner
(roles/ml.modelOwner)
Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
Model
ml.models.*
ml.versions.*
AI Platform Model User
(roles/ml.modelUser)
Provides permissions to read the model and its versions, and to use them for prediction.
Lowest-level resources where you can grant this role:
Model
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
AI Platform Operation Owner
(roles/ml.operationOwner)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
Operation
ml.operations.*
AI Platform Viewer
(roles/ml.viewer)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
Project
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Analytics Hub roles
Role
Permissions
Analytics Hub Admin Beta
(roles/analyticshub.admin)
Administer data exchanges and listings
analyticshub.dataExchanges.*
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Listing Admin Beta
(roles/analyticshub.listingAdmin)
Grants full control over the listing, including updating, deleting, and setting ACLs.
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Publisher Beta
(roles/analyticshub.publisher)
Can publish to data exchanges, thereby creating listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.create
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscriber Beta
(roles/analyticshub.subscriber)
Can browse data exchanges and subscribe to listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.subscribe
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Viewer Beta
(roles/analyticshub.viewer)
Can browse data exchanges and listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Android Management roles
Role
Permissions
Android Management User
(roles/androidmanagement.user)
Full access to manage devices.
androidmanagement.enterprises.manage
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Anthos Multi-cloud roles
Role
Permissions
Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)
Admin access to Anthos Multi-cloud resources.
gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)
Grants access to write cluster telemetry data such as logs, metrics, and resource metadata.
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)
Viewer access to Anthos Multi-cloud resources.
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsServerConfigs.get
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureServerConfigs.get
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
API Gateway roles
Role
Permissions
ApiGateway Admin
(roles/apigateway.admin)
Full access to ApiGateway and related resources.
apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list
ApiGateway Viewer
(roles/apigateway.viewer)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list
Apigee roles
Role
Permissions
Apigee Organization Admin
(roles/apigee.admin)
Full access to all Apigee resource features
apigee.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Analytics Agent
(roles/apigee.analyticsAgent)
Curated set of permissions for the Apigee Universal Data Collection Agent to manage analytics for an Apigee organization
apigee.datalocation.get
apigee.environments.getDataLocation
apigee.runtimeconfigs.get
Apigee Analytics Editor
(roles/apigee.analyticsEditor)
Analytics editor for an Apigee organization
apigee.datacollectors.*
apigee.datastores.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Analytics Viewer
(roles/apigee.analyticsViewer)
Analytics viewer for an Apigee organization
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Admin
(roles/apigee.apiAdminV2)
Full read/write access to all Apigee API resources
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Reader
(roles/apigee.apiReaderV2)
Reader of Apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Developer Admin
(roles/apigee.developerAdmin)
Developer admin of Apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.developerappattributes.*
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developers.*
apigee.developersubscriptions.*
apigee.environments.get
apigee.environments.getStats
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Environment Admin
(roles/apigee.environmentAdmin)
Full read/write access to Apigee environment resources, including deployments.
apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.setIamPolicy
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.get
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Monetization Admin
(roles/apigee.monetizationAdmin)
All permissions related to monetization
apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developersubscriptions.*
apigee.organizations.get
apigee.organizations.list
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Portal Admin
(roles/apigee.portalAdmin)
Portal admin for an Apigee organization
apigee.organizations.get
apigee.organizations.list
apigee.portals.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Read-only Admin
(roles/apigee.readOnlyAdmin)
Viewer of all Apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.get
apigee.apps.*
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datalocation.get
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerbalances.get
apigee.developermonetizationconfigs.get
apigee.developers.get
apigee.developers.list
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.get
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.*
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Runtime Agent
(roles/apigee.runtimeAgent)
Curated set of permissions for a runtime agent to access Apigee organization resources
apigee.canaryevaluations.*
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.runtimeconfigs.get
Apigee Security Admin
(roles/apigee.securityAdmin)
Security admin for an Apigee organization
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.securityProfileEnvironments.*
apigee.securityProfiles.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Security Viewer
(roles/apigee.securityViewer)
Security viewer for an Apigee organization
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.organizations.get
apigee.organizations.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.*
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Synchronizer Manager
(roles/apigee.synchronizerManager)
Curated set of permissions for a synchronizer to manage environments in an Apigee organization
apigee.environments.get
apigee.environments.manageRuntime
apigee.ingressconfigs.get
Apigee Connect Admin
(roles/apigeeconnect.Admin)
Admin of Apigee Connect
apigeeconnect.connections.list
Apigee Connect Agent
(roles/apigeeconnect.Agent)
Ability to set up the Apigee Connect agent between external clusters and Google.
apigeeconnect.endpoints.connect
Apigee Registry roles
Role
Permissions
Cloud Apigee Registry Admin Beta
(roles/apigeeregistry.admin)
Full access to Cloud Apigee registry and runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor Beta
(roles/apigeeregistry.editor)
Edit access to Cloud Apigee registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer Beta
(roles/apigeeregistry.viewer)
Read-only access to Cloud Apigee registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker Beta
(roles/apigeeregistry.worker)
The role used by Apigee registry application workers to read and update Apigee registry artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Role
Permissions
App Engine Admin
(roles/appengine.appAdmin)
Read/write/modify access to all application configuration and settings.
To deploy new versions, the principal must have the
Service Account User role
(roles/iam.serviceAccountUser) on the App Engine default
service account, as well as the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration and settings, and to the deployed source code.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User role
(roles/iam.serviceAccountUser) on the App Engine default
service account, and the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions, other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy new versions.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Role
Permissions
Artifact Registry Administrator
(roles/artifactregistry.admin)
Administrator access to create and manage repositories.
artifactregistry.*
Artifact Registry Reader
(roles/artifactregistry.reader)
Access to read repository items.
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)
Access to manage artifacts in repositories.
artifactregistry.aptartifacts.create
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.pythonpackages.*
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.create
Artifact Registry Writer
(roles/artifactregistry.writer)
Access to read and write repository items.
Read-only access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.locations.*
beyondcorp.operations.get
beyondcorp.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Role
Permissions
BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
BigQuery Connection User
(roles/bigquery.connectionUser)
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/bigquery.dataEditor)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
Table
View
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy
bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
View all BigQuery resources but cannot make changes or purchasing decisions.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
Billing Account Costs Manager
(roles/billing.costsManager)
Manage budgets for a billing account, and view, analyze, and export cost information of a
billing account.
Lowest-level resources where you can grant this role:
Billing Account
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.resourceAssociations.list
recommender.costInsights.*
Billing Account Creator
(roles/billing.creator)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
Organization
billing.accounts.create
resourcemanager.organizations.get
Project Billing Manager
(roles/billing.projectManager)
When granted together with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
Project
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account User
(roles/billing.user)
When granted together with the Owner role or the Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
Billing Account
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.list
billing.resourceAssociations.create
Billing Account Viewer
(roles/billing.viewer)
View billing account cost and pricing information, transactions, and billing and commitment recommendations.
Lowest-level resources where you can grant this role:
CA Service Operation Manager
(roles/privateca.caManager)
Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Certificate Manager
(roles/privateca.certificateManager)
Create certificates and read-only access for CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Certificate Requester
(roles/privateca.certificateRequester)
Request certificates from CA Service.
privateca.certificates.create
CA Service Certificate Template User
(roles/privateca.templateUser)
Read, list and use certificate templates.
privateca.certificateTemplates.get
privateca.certificateTemplates.list
privateca.certificateTemplates.use
CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)
Request certificates from CA Service with caller's identity.
privateca.certificates.createForSelf
Certificate Manager roles
Role
Permissions
Certificate Manager Editor
(roles/certificatemanager.editor)
Edit access to all Certificate Manager resources.
certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Owner
(roles/certificatemanager.owner)
Full access to all Certificate Manager resources.
certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Viewer
(roles/certificatemanager.viewer)
Read-only access to all Certificate Manager resources.
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB roles
Role
Permissions
Cloud AlloyDB Admin (Beta)
(roles/alloydb.admin)
Full access to all Cloud AlloyDB resources.
alloydb.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Client (Beta)
(roles/alloydb.client)
Connectivity access to Cloud AlloyDB instances.
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Viewer (Beta)
(roles/alloydb.viewer)
Read-only access to all Cloud AlloyDB resources.
alloydb.backups.get
alloydb.backups.list
alloydb.clusters.get
alloydb.clusters.list
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Role
Permissions
Cloud Asset Owner
(roles/cloudasset.owner)
Full access to cloud assets metadata
cloudasset.*
recommender.cloudAssetInsights.*
recommender.locations.*
Cloud Asset Viewer
(roles/cloudasset.viewer)
Read-only access to cloud assets metadata
cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
Cloud Bigtable roles
Role
Permissions
Bigtable Administrator
(roles/bigtable.admin)
Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
Table
bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Reader
(roles/bigtable.reader)
Provides read-only access to the data stored within Bigtable tables. Intended for data analysts, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable User
(roles/bigtable.user)
Provides read-write access to the data stored within Bigtable tables. Intended for service accounts or application developers.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Viewer
(roles/bigtable.viewer)
Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Cloud Build roles
Role
Permissions
Cloud Build Approver
(roles/cloudbuild.builds.approver)
Can approve or reject pending builds.
cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Service Account
(roles/cloudbuild.builds.builder)
Provides access to perform builds.
artifactregistry.aptartifacts.create
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.mavenartifacts.*
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.pythonpackages.*
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.list
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Build Editor
(roles/cloudbuild.builds.editor)
Provides access to create and cancel builds.
Lowest-level resources where you can grant this role:
Project
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Viewer
(roles/cloudbuild.builds.viewer)
Provides access to view builds.
Lowest-level resources where you can grant this role:
Project
cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)
Can update integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)
Can create/delete integrations
cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)
Can view integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)
Can update and view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)
Can create, delete, update, and view WorkerPools
cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)
Can run builds in the WorkerPool
cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)
Can view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Composer roles
Role
Permissions
Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
Composer Administrator
(roles/composer.admin)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
Project
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
Project
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.multipartUploads.*
storage.objects.*
Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
Cloud Data Fusion Admin (Beta)
(roles/datafusion.admin)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
Project
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner (Beta)
(roles/datafusion.runner)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer (Beta)
(roles/datafusion.viewer)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
Project
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Role
Permissions
Data Labeling Service Admin (Beta)
(roles/datalabeling.admin)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor (Beta)
(roles/datalabeling.editor)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer (Beta)
(roles/datalabeling.viewer)
Viewer of all Data Labeling resources
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Role
Permissions
Dataplex Administrator
(roles/dataplex.admin)
Full access to all Dataplex resources.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.entities.*
dataplex.environments.*
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.locations.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.list
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/dataplex.dataOwner)
Owner access to data. Granted only on Dataplex lake, zone, or asset resources.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/dataplex.dataReader)
Read-only access to data. Granted only on Dataplex lake, zone, or asset resources.
dataplex.assets.readData
Dataplex Data Writer
(roles/dataplex.dataWriter)
Write access to data. Granted only on Dataplex lake, zone, or asset resources.
dataplex.assets.writeData
Dataplex Developer
(roles/dataplex.developer)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.update
Dataplex Editor
(roles/dataplex.editor)
Write access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Metadata Reader
(roles/dataplex.metadataReader)
Read-only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
Dataplex Metadata Writer
(roles/dataplex.metadataWriter)
Read and write access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list
Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)
Owner access to data. Cannot be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets, BigQuery datasets, etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)
Read-only access to data. Cannot be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets, BigQuery datasets, etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)
Write access to data. Cannot be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets, BigQuery datasets, etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Viewer
(roles/dataplex.viewer)
Read access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
Cloud Debugger roles
Role
Permissions
Cloud Debugger Agent (Beta)
(roles/clouddebugger.agent)
Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.
Lowest-level resources where you can grant this role:
Service account
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Cloud Debugger User (Beta)
(roles/clouddebugger.user)
Provides permissions to create, view, list, and delete breakpoints (snapshots and logpoints), as well as list debug targets (debuggees).
Lowest-level resources where you can grant this role:
Project
clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Role
Permissions
Cloud Deploy Admin (Beta)
(roles/clouddeploy.admin)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver (Beta)
(roles/clouddeploy.approver)
Permission to approve or reject rollouts.
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer (Beta)
(roles/clouddeploy.developer)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner (Beta)
(roles/clouddeploy.jobRunner)
Permission to execute Cloud Deploy work without permission to deliver to a target.
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator (Beta)
(roles/clouddeploy.operator)
Permission to manage deployment configuration.
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser (Beta)
(roles/clouddeploy.releaser)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.deliveryPipelines.get
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer (Beta)
(roles/clouddeploy.viewer)