Como entender os papéis

Nesta página, descrevemos os papéis do IAM e listamos os papéis predefinidos que você pode conceder aos principais.

Um papel contém um conjunto de permissões que permitem realizar ações específicas nos recursos do Google Cloud. Para disponibilizar as permissões aos principais, incluindo usuários, grupos e contas de serviço, conceda papéis aos principais.

Pré-requisito para este guia

Tipos de papel

Existem três tipos de papéis no IAM:

  • Papéis básicos, que incluem os de proprietário, editor e visualizador que existiam antes da introdução do IAM.
  • Papéis predefinidos, que fornecem acesso granular a um serviço específico e são gerenciados pelo Google Cloud.
  • Papéis personalizados, que fornecem acesso granular de acordo com uma lista de permissões especificada pelo usuário.

Para determinar se uma permissão está incluída em um papel básico, predefinido ou personalizado, use um dos métodos a seguir:

As seções abaixo descrevem cada tipo de papel e fornecem exemplos de como usá-los.

Papéis básicos

Há vários papéis básicos que existiam antes da introdução do IAM: proprietário, editor e visualizador. Esses papéis são concêntricos, isto é, o de Proprietário inclui as permissões no papel de Editor, e este no de Leitor. Esses papéis eram conhecidos anteriormente como "papéis primários".

A tabela a seguir resume as permissões que os papéis básicos têm em todos os serviços do Google Cloud:

Definições dos papéis básicos

Nome Título Permissões
roles/viewer Leitor Permissões para ações somente leitura que não afetam o estado, como ver (mas não modificar) recursos ou dados existentes.
roles/editor Editor Todas as permissões do leitor e as permissões para ações que modificam o estado, como a alteração de recursos atuais.
Observação: o papel de editor contém permissões para criar e excluir recursos para a maioria dos serviços do Google Cloud. No entanto, ele não contém permissões para executar todas as ações de todos os serviços. Para mais informações sobre como verificar se um papel tem as permissões necessárias, consulte Tipos de papel nesta página.
roles/owner Proprietário Todas as permissões de editor e também para as seguintes ações:
  • Gerenciar papéis e permissões para um projeto e todos os recursos dentro do projeto.
  • Configurar o faturamento de um projeto
Observação:
  • A concessão do papel de proprietário em nível de recurso, como um tópico do Pub/Sub, não concede o papel de proprietário no projeto pai.
  • A concessão do papel de proprietário no nível da organização não permite que você atualize os metadados da organização. No entanto, ele permite que você modifique projetos e outros recursos nessa organização.
  • Para conceder o papel de proprietário em um projeto a um usuário fora da organização, você precisa usar o Console do Google Cloud, não a CLI gcloud. Se o projeto não fizer parte de uma organização, use o Console para conceder o papel de Proprietário.

É possível conceder papéis básicos com o console, a API e a CLI gcloud. Para conceder papéis básicos em um projeto, pasta ou organização, consulte Gerenciar o acesso a projetos, pastas e organizações. Para conceder papéis básicos em outros recursos, consulte Gerenciar o acesso a outros recursos.

Papéis predefinidos

Além dos papéis básicos, o IAM fornece outros papéis predefinidos que dão acesso granular a recursos específicos do Google Cloud e impedem o acesso indesejado a outros recursos. Esses papéis são criados e mantidos pelo Google. O Google atualiza automaticamente as permissões conforme necessário, como quando o Google Cloud adiciona novos recursos ou serviços.

A tabela a seguir lista esses papéis, as respectivas descrições e o tipo de recurso de menor nível em que os papéis podem ser configurados. Um papel específico pode ser concedido a esse tipo de recurso ou, na maioria dos casos, a qualquer tipo acima dele na hierarquia de recursos do Google Cloud.

É possível conceder vários papéis ao mesmo usuário, em qualquer nível da hierarquia de recursos. Por exemplo: é possível que o mesmo usuário tenha os papéis de administrador de rede do Compute e de visualizador de registros em um projeto, além do papel de editor do Pub/Sub em um tópico do Pub/Sub nesse projeto. Para listar as permissões contidas em um papel, consulte Como obter os metadados do papel.

Para receber ajuda para escolher os papéis predefinidos mais apropriados, consulte Escolher papéis predefinidos.

Papéis do Access Approval

Papel Permissões

Aprovador do Access Approval Beta
(roles/accessapproval.approver)

Capacidade de visualizar ou agir em solicitações de aprovação de acesso e ver as configurações

  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de configuração do Access Approval Beta
(roles/accessapproval.configEditor)

Capacidade de atualizar a configuração de aprovação de acesso

  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Invalidador de aprovação de acesso Beta
(roles/accessapproval.invalidator)

Poder para invalidar atuais solicitações de aprovação confirmadas

  • accessapproval.requests.invalidate
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Access Approval Beta
(roles/accessapproval.viewer)

Capacidade de visualizar solicitações de aprovação de acesso e a configuração

  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Access Context Manager

Papel Permissões

Administrador de vinculação de acesso à nuvem
(roles/accesscontextmanager.gcpAccessAdmin)

Criar, editar e alterar vinculações de acesso à nuvem.

  • accesscontextmanager.gcpUserAccessBindings.*

Leitor de vinculação de acesso à nuvem
(roles/accesscontextmanager.gcpAccessReader)

Acesso de leitura às vinculações de acesso da nuvem.

  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list

Administrador do Access Context Manager
(roles/accesscontextmanager.policyAdmin)

Acesso total a políticas, níveis e zonas de acesso

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do Access Context Manager
(roles/accesscontextmanager.policyEditor)

Acesso de edição a políticas. Cria, edita e altera níveis e zonas de acesso.

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Access Context Manager
(roles/accesscontextmanager.policyReader)

Acesso de leitura a políticas, níveis e zonas de acesso.

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do solucionador de problemas do VPC Service Controls
(roles/accesscontextmanager.vpcScTroubleshooterViewer)

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.list
  • logging.logServices.list
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis de ações

Role Permissions

Actions Admin
(roles/actions.Admin)

Access to edit and deploy an action

  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Actions Viewer
(roles/actions.Viewer)

Access to view an action

  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Papéis dos notebooks de IA

Role Permissions

Notebooks Admin
(roles/notebooks.admin)

Full access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Admin
(roles/notebooks.legacyAdmin)

Full access to Notebooks all resources through compute API.

  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Viewer
(roles/notebooks.legacyViewer)

Read-only access to Notebooks all resources through compute API.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Runner
(roles/notebooks.runner)

Restricted access for running scheduled Notebooks.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.create
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.create
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.create
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Viewer
(roles/notebooks.viewer)

Read-only access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Papéis do AI Platform

Papel Permissões

Administrador da AI Platform
(roles/ml.admin)

Fornece acesso total aos recursos, jobs, operações, modelos e versões do AI Platform.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • ml.*
  • resourcemanager.projects.get

Desenvolvedor da AI Platform
(roles/ml.developer)

Permite usar os recursos do AI Platform para criar modelos, versões e jobs de treinamento e de predição, além de enviar solicitações de predição on-line.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.getConfig
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get

Proprietário de jobs da AI Platform
(roles/ml.jobOwner)

Dá acesso total a todas as permissões para um determinado recurso de job. Esse papel é automaticamente concedido ao usuário que cria o job.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Job
  • ml.jobs.*

Proprietário de modelos da AI Platform
(roles/ml.modelOwner)

Dá acesso total ao modelo e às versões dele. Esse papel é automaticamente concedido ao usuário que cria o modelo.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Modelo
  • ml.models.*
  • ml.versions.*

Usuário de modelos da AI Platform
(roles/ml.modelUser)

Concede permissões para ler o modelo e as versões dele e usá-los para predição.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Modelo
  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict

Proprietário de operações da AI Platform
(roles/ml.operationOwner)

Dá acesso total a todas as permissões para um determinado recurso de operação.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Operação
  • ml.operations.*

Leitor da AI Platform
(roles/ml.viewer)

Fornece acesso somente leitura aos recursos da AI Platform.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.getConfig
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get

Papéis do Analytics Hub

Papel Permissões

Administrador do Analytics Hub Beta
(roles/analyticshub.admin)

Administrar trocas de dados e listagens

  • analyticshub.dataExchanges.*
  • analyticshub.listings.create
  • analyticshub.listings.delete
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.setIamPolicy
  • analyticshub.listings.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de listagens do Analytics Hub Beta
(roles/analyticshub.listingAdmin)

Concede controle total da lista de permissões, incluindo atualização, exclusão e configuração de ACLs.

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.delete
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.setIamPolicy
  • analyticshub.listings.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do Analytics Hub Beta
(roles/analyticshub.publisher)

Pode publicar em trocas de dados, criando assim listas

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.create
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assinante do Analytics Hub Beta
(roles/analyticshub.subscriber)

Pode procurar por trocas de dados e se inscrever em listagens

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.subscribe
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Analytics Hub Beta
(roles/analyticshub.viewer)

Pode procurar por trocas de dados e listagens

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis de gerenciamento do Android

Role Permissions

Android Management User
(roles/androidmanagement.user)

Full access to manage devices.

  • androidmanagement.enterprises.manage
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Papéis do Anthos para várias nuvens

Papel Permissões

Administrador do Anthos em várias nuvens
(roles/gkemulticloud.admin)

Acesso de administrador aos recursos de várias nuvens do Anthos.

  • gkemulticloud.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Gravador de telemetria de várias nuvens do Anthos
(roles/gkemulticloud.telemetryWriter)

Conceder acesso para gravar dados de telemetria do cluster como registros, métricas e metadados de recursos.

  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • opsconfigmonitoring.resourceMetadata.write

Visualizador de várias nuvens do Anthos
(roles/gkemulticloud.viewer)

Acessar os recursos de várias nuvens do Anthos como leitor.

  • gkemulticloud.awsClusters.generateAccessToken
  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsServerConfigs.get
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.generateAccessToken
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureServerConfigs.get
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis da API Gateway

Role Permissions

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

  • apigateway.*
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

Papéis do Apigee

Papel Permissões

Administrador da organização da Apigee
(roles/apigee.admin)

Acesso total a todas as funcionalidades de recursos da Apigee

  • apigee.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Agente de análise da Apigee
(roles/apigee.analyticsAgent)

Conjunto de permissões selecionado para que a Apigee Universal Data Collection Agent gerencie análises para uma organização da Apigee

  • apigee.datalocation.get
  • apigee.environments.getDataLocation
  • apigee.runtimeconfigs.get

Editor de análise da Apigee
(roles/apigee.analyticsEditor)

Editor do Analytics para uma organização da Apigee

  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.get
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador de análise da Apigee
(roles/apigee.analyticsViewer)

Visualizador do Analytics para uma organização da Apigee

  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.get
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de APIs da Apigee
(roles/apigee.apiAdminV2)

Acesso total de leitura/gravação a todos os recursos de APIs da Apigee

  • apigee.apiproductattributes.*
  • apigee.apiproducts.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemapentries.*
  • apigee.keyvaluemaps.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de API da Apigee
(roles/apigee.apiReaderV2)

Visualizador de recursos da Apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemapentries.get
  • apigee.keyvaluemapentries.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador desenvolvedor da Apigee
(roles/apigee.developerAdmin)

Administrador desenvolvedor de recursos da apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.apps.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developers.*
  • apigee.developersubscriptions.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.get
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Admin do ambiente Apigee
(roles/apigee.environmentAdmin)

Acesso total de leitura/gravação aos recursos do ambiente Apigee, incluindo implantações.

  • apigee.archivedeployments.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.environments.update
  • apigee.flowhooks.*
  • apigee.ingressconfigs.get
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Administrador de monetização da Apigee
(roles/apigee.monetizationAdmin)

Todas as permissões relacionadas à monetização

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developersubscriptions.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador do portal da Apigee
(roles/apigee.portalAdmin)

Administrador do portal para uma organização Apigee

  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador somente leitura da Apigee
(roles/apigee.readOnlyAdmin)

Visualizador de todos os recursos da apigee

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.archivedeployments.download
  • apigee.archivedeployments.get
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datalocation.get
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerappattributes.get
  • apigee.developerappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developerbalances.get
  • apigee.developermonetizationconfigs.get
  • apigee.developers.get
  • apigee.developers.list
  • apigee.developersubscriptions.get
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.hoststats.get
  • apigee.ingressconfigs.get
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemapentries.get
  • apigee.keyvaluemapentries.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.get
  • apigee.portals.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.runtimeconfigs.get
  • apigee.securityProfileEnvironments.computeScore
  • apigee.securityProfiles.*
  • apigee.securityStats.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Agente do ambiente de execução da Apigee
(roles/apigee.runtimeAgent)

Conjunto de permissões selecionadas para que um agente de ambiente de execução acesse os recursos da organização da Apigee

  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.get
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.runtimeconfigs.get

Administrador de segurança da Apigee
(roles/apigee.securityAdmin)

Administrador de segurança para uma organização da Apigee

  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.list
  • apigee.hostsecurityreports.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.securityProfileEnvironments.*
  • apigee.securityProfiles.*
  • apigee.securityStats.*
  • apigee.securityreports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de segurança da Apigee
(roles/apigee.securityViewer)

Leitor de segurança para uma organização da Apigee

  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.securityProfileEnvironments.computeScore
  • apigee.securityProfiles.*
  • apigee.securityStats.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Gerenciador de sincronização da Apigee
(roles/apigee.synchronizerManager)

Conjunto selecionado de permissões para um sincronizador gerenciar ambientes em uma organização Apigee

  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.get

Administrador do Apigee Connect
(roles/apigeeconnect.Admin)

Administrador do Apigee Connect

  • apigeeconnect.connections.list

Agente do Apigee Connect
(roles/apigeeconnect.Agent)

Capacidade de configurar o agente do Apigee Connect entre clusters externos e o Google.

  • apigeeconnect.endpoints.connect

Papéis do Apigee Registry

Papel Permissões

Administrador do Cloud Apigee Registry Beta
(roles/apigeeregistry.admin)

Acesso total aos recursos de registro e ambiente de execução do Cloud Apigee.

  • apigeeregistry.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do registro do Cloud Apigee Beta
(roles/apigeeregistry.editor)

Acesso para edição aos recursos de registro do Cloud Apigee.

  • apigeeregistry.apis.create
  • apigeeregistry.apis.delete
  • apigeeregistry.apis.get
  • apigeeregistry.apis.getIamPolicy
  • apigeeregistry.apis.list
  • apigeeregistry.apis.update
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.delete
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.getIamPolicy
  • apigeeregistry.artifacts.list
  • apigeeregistry.artifacts.update
  • apigeeregistry.deployments.*
  • apigeeregistry.specs.create
  • apigeeregistry.specs.delete
  • apigeeregistry.specs.get
  • apigeeregistry.specs.getIamPolicy
  • apigeeregistry.specs.list
  • apigeeregistry.specs.update
  • apigeeregistry.versions.create
  • apigeeregistry.versions.delete
  • apigeeregistry.versions.get
  • apigeeregistry.versions.getIamPolicy
  • apigeeregistry.versions.list
  • apigeeregistry.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Registro do Cloud Apigee Beta
(roles/apigeeregistry.viewer)

Acesso somente leitura aos recursos de registro do Cloud Apigee.

  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Worker do registro do Cloud Apigee Beta
(roles/apigeeregistry.worker)

O papel usado pelos workers dos aplicativos de registro da Apigee para ler e atualizar os artefatos do registro da Apigee.

  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.apis.update
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.delete
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • apigeeregistry.artifacts.update
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.deployments.update
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.specs.update
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • apigeeregistry.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do App Engine

Papel Permissões

Administrador do App Engine
(roles/appengine.appAdmin)

Acesso de leitura/gravação/modificação a todas as configurações do aplicativo.

Para implantar novas versões, o principal precisa ter o papel de Usuário da conta de serviço (roles/iam.serviceAccountUser) na conta de serviço padrão do App Engine, bem como os papéis de Editor do Cloud Build (roles/cloudbuild.builds.editor) e Administrador de objeto do Cloud Storage (roles/storage.objectAdmin) no projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.memcache.addKey
  • appengine.memcache.flush
  • appengine.memcache.get
  • appengine.memcache.update
  • appengine.operations.*
  • appengine.runtimes.actAsAdmin
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Criador do App Engine
(roles/appengine.appCreator)

Capacidade para criar o recurso do App Engine para o projeto.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do App Engine
(roles/appengine.appViewer)

Acesso somente de leitura a todas as configurações do aplicativo.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de código do App Engine
(roles/appengine.codeViewer)

Acesso somente leitura a todas as configurações e ao código-fonte implantado do aplicativo.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Implantador do App Engine
(roles/appengine.deployer)

Acesso somente de leitura a todas as configurações do aplicativo.

Para implantar novas versões, você também precisa ter o papel de usuário da conta de serviço (roles/iam.serviceAccountUser) na conta de serviço padrão do App Engine e o papel de editor do Cloud Build (roles/cloudbuild.builds.editor) e de administrador de objeto do Cloud Storage (roles/storage.objectAdmin) no projeto.

Não é possível modificar versões existentes, a não ser para excluir versões que não estejam recebendo tráfego.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador de serviço do App Engine
(roles/appengine.serviceAdmin)

Acesso somente de leitura a todas as configurações do aplicativo.

Acesso de gravação a configurações de módulo e versão. Não permite implantar versões novas.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Artifact Registry

Papel Permissões

Administrador do Artifact Registry
(roles/artifactregistry.admin)

Acesso de administrador para a criação e o gerenciamento de repositórios.

  • artifactregistry.*

Leitor do Artifact Registry
(roles/artifactregistry.reader)

Acesso para leitura de itens do repositório.

  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.mavenartifacts.*
  • artifactregistry.npmpackages.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.pythonpackages.*
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Administrador do repositório do Artifact Registry
(roles/artifactregistry.repoAdmin)

Acesso para gerenciar artefatos em repositórios.

  • artifactregistry.aptartifacts.create
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.mavenartifacts.*
  • artifactregistry.npmpackages.*
  • artifactregistry.packages.*
  • artifactregistry.pythonpackages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
  • artifactregistry.yumartifacts.create

Gravador do Artifact Registry
(roles/artifactregistry.writer)

Acesso para leitura e gravação de itens do repositório.

  • artifactregistry.aptartifacts.create
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.mavenartifacts.*
  • artifactregistry.npmpackages.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.pythonpackages.*
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.create

Papéis do Assured Workloads

Role Permissions

Assured Workloads Administrator
(roles/assuredworkloads.admin)

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

  • assuredworkloads.*
  • logging.cmekSettings.update
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Editor
(roles/assuredworkloads.editor)

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Reader
(roles/assuredworkloads.reader)

Grants read access to all Assured Workloads resources and CRM resources - project/folder

  • assuredworkloads.operations.*
  • assuredworkloads.violations.get
  • assuredworkloads.violations.list
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do AutoML

Papel Permissões

Administrador do AutoML Beta
(roles/automl.admin)

Acesso total a todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Editor do AutoML Beta
(roles/automl.editor)

Editor de todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.files.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Preditor do AutoML Beta
(roles/automl.predictor)

Prever com modelos

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Modelo
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do AutoML Beta
(roles/automl.viewer)

Acesso de leitura a todos os recursos do AutoML

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conjunto de dados
  • Modelo
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.files.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Backup para papéis do GKE

Role Permissions

Backup for GKE Admin Beta
(roles/gkebackup.admin)

Full access to all Backup for GKE resources.

  • gkebackup.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Backup Admin Beta
(roles/gkebackup.backupAdmin)

Allows administrators to manage all BackupPlan and Backup resources.

  • gkebackup.backupPlans.*
  • gkebackup.backups.*
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.volumeBackups.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Delegated Backup Admin Beta
(roles/gkebackup.delegatedBackupAdmin)

Allows administrators to manage Backup resources for specific BackupPlans

  • gkebackup.backupPlans.get
  • gkebackup.backups.*
  • gkebackup.volumeBackups.*

Backup for GKE Delegated Restore Admin Beta
(roles/gkebackup.delegatedRestoreAdmin)

Allows administrators to manage Restore resources for specific RestorePlans

  • gkebackup.restorePlans.get
  • gkebackup.restores.*
  • gkebackup.volumeRestores.*

Backup for GKE Restore Admin Beta
(roles/gkebackup.restoreAdmin)

Allows administrators to manage all RestorePlan and Restore resources.

  • gkebackup.backupPlans.get
  • gkebackup.backupPlans.list
  • gkebackup.backups.get
  • gkebackup.backups.list
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.restorePlans.*
  • gkebackup.restores.*
  • gkebackup.volumeBackups.*
  • gkebackup.volumeRestores.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Viewer Beta
(roles/gkebackup.viewer)

Read-only access to all Backup for GKE resources.

  • gkebackup.backupPlans.get
  • gkebackup.backupPlans.getIamPolicy
  • gkebackup.backupPlans.list
  • gkebackup.backups.get
  • gkebackup.backups.list
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.restorePlans.get
  • gkebackup.restorePlans.getIamPolicy
  • gkebackup.restorePlans.list
  • gkebackup.restores.get
  • gkebackup.restores.list
  • gkebackup.volumeBackups.*
  • gkebackup.volumeRestores.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do BeyondCorp

Role Permissions

Cloud BeyondCorp Admin Beta
(roles/beyondcorp.admin)

Full access to all Cloud BeyondCorp resources.

  • beyondcorp.appConnections.*
  • beyondcorp.appConnectors.*
  • beyondcorp.appGateways.*
  • beyondcorp.clientConnectorServices.create
  • beyondcorp.clientConnectorServices.delete
  • beyondcorp.clientConnectorServices.get
  • beyondcorp.clientConnectorServices.getIamPolicy
  • beyondcorp.clientConnectorServices.list
  • beyondcorp.clientConnectorServices.setIamPolicy
  • beyondcorp.clientConnectorServices.update
  • beyondcorp.clientGateways.*
  • beyondcorp.locations.*
  • beyondcorp.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud BeyondCorp Client Connector Admin Beta
(roles/beyondcorp.clientConnectorAdmin)

Full access to all BeyondCorp Client Connector resources.

  • beyondcorp.clientConnectorServices.create
  • beyondcorp.clientConnectorServices.delete
  • beyondcorp.clientConnectorServices.get
  • beyondcorp.clientConnectorServices.getIamPolicy
  • beyondcorp.clientConnectorServices.list
  • beyondcorp.clientConnectorServices.setIamPolicy
  • beyondcorp.clientConnectorServices.update
  • beyondcorp.clientGateways.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud BeyondCorp Client Connector Service User Beta
(roles/beyondcorp.clientConnectorServiceUser)

Access Client Connector Service

  • beyondcorp.clientConnectorServices.access

Cloud BeyondCorp Client Connector Viewer Beta
(roles/beyondcorp.clientConnectorViewer)

Read-only access to all BeyondCorp Client Connector resources.

  • beyondcorp.clientConnectorServices.get
  • beyondcorp.clientConnectorServices.getIamPolicy
  • beyondcorp.clientConnectorServices.list
  • beyondcorp.clientGateways.get
  • beyondcorp.clientGateways.getIamPolicy
  • beyondcorp.clientGateways.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud BeyondCorp Viewer Beta
(roles/beyondcorp.viewer)

Read-only access to all Cloud BeyondCorp resources.

  • beyondcorp.appConnections.get
  • beyondcorp.appConnections.getIamPolicy
  • beyondcorp.appConnections.list
  • beyondcorp.appConnectors.get
  • beyondcorp.appConnectors.getIamPolicy
  • beyondcorp.appConnectors.list
  • beyondcorp.appGateways.get
  • beyondcorp.appGateways.getIamPolicy
  • beyondcorp.appGateways.list
  • beyondcorp.clientConnectorServices.get
  • beyondcorp.clientConnectorServices.getIamPolicy
  • beyondcorp.clientConnectorServices.list
  • beyondcorp.clientGateways.get
  • beyondcorp.clientGateways.getIamPolicy
  • beyondcorp.clientGateways.list
  • beyondcorp.locations.*
  • beyondcorp.operations.get
  • beyondcorp.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do BigQuery

Role Permissions

BigQuery Admin
(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

  • Datasets
  • Row access policies
  • Tables
  • Views
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • bigquerymigration.translation.translate
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Connection Admin
(roles/bigquery.connectionAdmin)

  • bigquery.connections.*

BigQuery Connection User
(roles/bigquery.connectionUser)

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

BigQuery Data Editor
(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Owner
(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.config.get
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Viewer
(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

  • bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User
(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

  • Project
  • bigquery.config.get
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Read Session User
(roles/bigquery.readSessionUser)

Access to create and use read sessions

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Admin
(roles/bigquery.resourceAdmin)

Administer all BigQuery resources.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Editor
(roles/bigquery.resourceEditor)

Manage all BigQuery resources, but cannot make purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Viewer
(roles/bigquery.resourceViewer)

View all BigQuery resources but cannot make changes or purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery User
(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • bigquerymigration.translation.translate
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Masked Reader Beta
(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

  • bigquery.dataPolicies.maskedGet

Papéis de faturamento

Papel Permissões

Administrador da conta de faturamento
(roles/billing.admin)

Dá acesso para visualizar e gerenciar todos os aspectos das contas de faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de faturamento
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getCarbonInformation
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.list
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.activities.list
  • cloudsupport.properties.get
  • cloudsupport.techCases.*
  • commerceoffercatalog.offers.get
  • consumerprocurement.accounts.*
  • consumerprocurement.orderAttributions.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.list
  • logging.logServices.list
  • logging.logs.list
  • logging.privateLogEntries.list
  • recommender.commitmentUtilizationInsights.*
  • recommender.costInsights.*
  • recomendador.spendBasedCommitInsights.*
  • recomendador.spendBasedCommitmentRecommendations.**
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Gerente de custos da conta de faturamento
(roles/billing.costsManager)

Gerenciar orçamentos de uma conta de faturamento e visualizar, analisar e exportar informações de custo de uma conta de faturamento.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Conta de faturamento
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list
  • recommender.costInsights.*

Criador da conta de faturamento
(roles/billing.creator)

Dá acesso para criar contas de faturamento.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Organização
  • billing.accounts.create
  • resourcemanager.organizations.get

Gerente de faturamento do projeto
(roles/billing.projectManager)

Quando concedido com o papel de usuário da conta de faturamento, fornece acesso para atribuir a conta de faturamento de um projeto ou desativar o faturamento.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Projeto
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Usuário da conta de faturamento
(roles/billing.user)

Quando concedido com o papel de proprietário ou gerente de projeto do faturamento, fornece acesso para associar projetos a contas de faturamento.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Conta de faturamento
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.list
  • billing.resourceAssociations.create

Leitor da conta de faturamento
(roles/billing.viewer)

Veja informações sobre custos e preços das contas de faturamento, transações e recomendações de faturamento e compromisso.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Conta de faturamento
  • billing.accounts.get
  • billing.accounts.getCarbonInformation
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.list
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.offers.get
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recomendador.spendBasedCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Papéis de autorização binária

Papel Permissões

Administrador do atestador de autorização binária
(roles/binaryauthorization.attestorsAdmin)

Administrador de atestadores de autorização binária

  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do atestador de autorização binária
(roles/binaryauthorization.attestorsEditor)

Editor de atestadores de autorização binária

  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Verificador de imagens do atestador de autorização binária
(roles/binaryauthorization.attestorsVerifier)

Autor de chamadas do "VerifyImageAttested" de atestadores de autorização binária

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador do atestador de autorização binária
(roles/binaryauthorization.attestorsViewer)

Leitor de certificações de autorização binárias

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Administrador da política de autorização binária
(roles/binaryauthorization.policyAdmin)

Administrador da política de autorização binária

  • binaryauthorization.continuousValidationConfig.*
  • binaryauthorization.platformPolicies.*
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor da política de autorização binária
(roles/binaryauthorization.policyEditor)

Editor da política de autorização binária

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.continuousValidationConfig.update
  • binaryauthorization.platformPolicies.*
  • binaryauthorization.policy.evaluatePolicy
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Avaliador da política de autorização binária Beta
(roles/binaryauthorization.policyEvaluator)

Avaliador da política de autorização binária

  • binaryauthorization.platformPolicies.evaluatePolicy
  • binaryauthorization.platformPolicies.get
  • binaryauthorization.platformPolicies.list
  • binaryauthorization.policy.evaluatePolicy
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador da política de autorização binária
(roles/binaryauthorization.policyViewer)

Visualizador da política de autorização binária

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.platformPolicies.get
  • binaryauthorization.platformPolicies.list
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do serviço de CA

Role Permissions

CA Service Admin
(roles/privateca.admin)

Full access to all CA Service resources.

  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Auditor
(roles/privateca.auditor)

Read-only access to all CA Service resources.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Operation Manager
(roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.

  • privateca.caPools.create
  • privateca.caPools.delete
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Certificate Manager
(roles/privateca.certificateManager)

Create certificates and read-only access for CA Service resources.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Certificate Requester
(roles/privateca.certificateRequester)

Request certificates from CA Service.

  • privateca.certificates.create

CA Service Certificate Template User
(roles/privateca.templateUser)

Read, list and use certificate templates.

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)

Request certificates from CA Service with caller's identity.

  • privateca.certificates.createForSelf

Papéis do gerenciador de certificados

Papel Permissões

Editor do Gerenciador de certificados
(roles/certificatemanager.editor)

Acesso para edição de todos os recursos do Gerenciador de certificados.

  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.getIamPolicy
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.getIamPolicy
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.get
  • certificatemanager.certs.getIamPolicy
  • certificatemanager.certs.list
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.getIamPolicy
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.*
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Proprietário do Gerenciador de certificados
(roles/certificatemanager.owner)

Acesso total ao todos os recursos do Gerenciador de certificados.

  • certificatemanager.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Visualizador do Gerenciador de certificados
(roles/certificatemanager.viewer)

Acesso somente leitura a todos os recursos do Gerenciador de certificados.

  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.getIamPolicy
  • certificatemanager.certmapentries.list
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.getIamPolicy
  • certificatemanager.certmaps.list
  • certificatemanager.certs.get
  • certificatemanager.certs.getIamPolicy
  • certificatemanager.certs.list
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.getIamPolicy
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.locations.*
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud AlloyDB

Papel Permissões

Administrador do Cloud AlloyDB Beta
(roles/alloydb.admin)

Acesso total a todos os recursos do Cloud AlloyDB.

  • alloydb.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cliente do Cloud AlloyDB Beta
(roles/alloydb.client)

Acesso de conectividade a instâncias do Cloud AlloyDB.

  • alloydb.clusters.generateClientCertificate
  • alloydb.clusters.get
  • alloydb.instances.connect
  • alloydb.instances.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Cloud AlloyDB Beta
(roles/alloydb.viewer)

Acesso somente leitura a todos os recursos do Cloud AlloyDB.

  • alloydb.backups.get
  • alloydb.backups.list
  • alloydb.clusters.get
  • alloydb.clusters.list
  • alloydb.instances.get
  • alloydb.instances.list
  • alloydb.locations.*
  • alloydb.operations.get
  • alloydb.operations.list
  • alloydb.supportedDatabaseFlags.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis de recursos do Cloud

Papel Permissões

Proprietário de recursos do Cloud
(roles/cloudasset.owner)

Acesso total aos metadados de recursos do Cloud

  • cloudasset.*
  • recommender.cloudAssetInsights.*
  • recommender.locations.*

Leitor de recursos do Cloud
(roles/cloudasset.viewer)

Acesso somente leitura aos metadados de recursos do cloud

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*

Papéis do Cloud Bigtable

Papel Permissões

Administrador do Bigtable
(roles/bigtable.admin)

Administra todas as instâncias do Bigtable em um projeto, incluindo os dados armazenados nas tabelas. Pode criar novas instâncias. Destinado a administradores de projeto.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Leitor do Bigtable
(roles/bigtable.reader)

Concede acesso somente leitura aos dados armazenados em tabelas do Bigtable. Destinado a analistas de dados, geradores de painéis e outros cenários de análise de dados.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.list
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Usuário do Bigtable
(roles/bigtable.user)

Concede acesso de leitura e gravação aos dados armazenados em tabelas do Bigtable. Destinado a contas de serviço ou desenvolvedores de aplicativos.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.list
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Leitor do Bigtable
(roles/bigtable.viewer)

Não fornece acesso a dados. Serve como um conjunto mínimo de permissões para acessar o Console do Cloud para Bigtable.

Recursos de nível mais baixo em que você pode conceder esse papel:

  • Tabela
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.list
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Papéis do Cloud Build

Papel Permissões

Aprovador do Cloud Build
(roles/cloudbuild.builds.approver)

Pode aprovar ou rejeitar builds pendentes.

  • cloudbuild.builds.approve
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Conta de serviço do Cloud Build
(roles/cloudbuild.builds.builder)

Concede acesso para executar builds.

  • artifactregistry.aptartifacts.create
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.mavenartifacts.*
  • artifactregistry.npmpackages.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.pythonpackages.*
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.create
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use:
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.privateLogEntries.list
  • logging.views.access
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Editor do Cloud Build
(roles/cloudbuild.builds.editor)

Concede acesso para criar e cancelar versões.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Cloud Build
(roles/cloudbuild.builds.viewer)

Dá acesso para visualizar versões.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor de integrações do Cloud Build
(roles/cloudbuild.integrationsEditor)

Pode atualizar as integrações

  • cloudbuild.integrations.get
  • cloudbuild.integrations.list
  • cloudbuild.integrations.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Proprietário de integrações do Cloud Build
(roles/cloudbuild.integrationsOwner)

Pode criar/excluir integrações

  • cloudbuild.integrations.*
  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.regions.get
  • compute.subnetworks.get
  • compute.subnetworks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor de integrações do Cloud Build
(roles/cloudbuild.integrationsViewer)

Pode ver as integrações

  • cloudbuild.integrations.get
  • cloudbuild.integrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Editor do WorkerPool do Cloud Build
(roles/cloudbuild.workerPoolEditor)

Pode atualizar e visualizar WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Proprietário do WorkerPool do Cloud Build
(roles/cloudbuild.workerPoolOwner)

Pode criar, excluir, atualizar e visualizar WorkerPools

  • cloudbuild.workerpools.create
  • cloudbuild.workerpools.delete
  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Usuário do WorkerPool do Cloud Build
(roles/cloudbuild.workerPoolUser)

Pode executar builds no WorkerPool

  • cloudbuild.workerpools.use

Leitor do WorkerPool do Cloud Build
(roles/cloudbuild.workerPoolViewer)

Pode visualizar WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Composer

Role Permissions

Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator
(roles/composer.admin)

Provides full control of Cloud Composer resources.

Lowest-level resources where you can grant this role:

  • Project
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)

Provides full control of Cloud Composer resources and of the objects in all project buckets.

Lowest-level resources where you can grant this role:

  • Project
  • composer.*
  • orgpolicy.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.multipartUploads.*
  • storage.objects.*

Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

Lowest-level resources where you can grant this role:

  • Project
  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)

Role that should be assigned to Composer Agent service account in Shared VPC host project

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User
(roles/composer.user)

Provides the permissions necessary to list and get Cloud Composer environments and operations.

Lowest-level resources where you can grant this role:

  • Project
  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.list
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker
(roles/composer.worker)

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

Lowest-level resources where you can grant this role:

  • Project
  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • composer.environments.get
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.privateLogEntries.list
  • logging.views.access
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • orgpolicy.policy.get
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.multipartUploads.*
  • storage.objects.*

Papéis do Cloud Connectors

Role Permissions

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

  • connectors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

  • connectors.connections.get
  • connectors.connections.getConnectionSchemaMetadata
  • connectors.connections.getIamPolicy
  • connectors.connections.getRuntimeActionSchema
  • connectors.connections.getRuntimeEntitySchema
  • connectors.connections.list
  • connectors.connectors.*
  • connectors.locations.*
  • connectors.operations.get
  • connectors.operations.list
  • connectors.providers.*
  • connectors.runtimeconfig.get
  • connectors.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Data Fusion

Role Permissions

Cloud Data Fusion Admin Beta
(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

  • Project
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion Runner Beta
(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

  • datafusion.instances.runtime

Cloud Data Fusion Viewer Beta
(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

  • Project
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Data Labeling

Role Permissions

Data Labeling Service Admin Beta
(roles/datalabeling.admin)

Full access to all Data Labeling resources

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Editor Beta
(roles/datalabeling.editor)

Editor of all Data Labeling resources

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Viewer Beta
(roles/datalabeling.viewer)

Viewer of all Data Labeling resources

  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Dataplex

Papel Permissões

Administrador do Dataplex
(roles/dataplex.admin)

Acesso total a todos os recursos do Dataplex.

  • cloudasset.assets.analyzeIamPolicy
  • cloudasset.assets.searchAllIamPolicies
  • cloudasset.assets.searchAllResources
  • dataplex.assetActions.list
  • dataplex.assets.create
  • dataplex.assets.delete
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.assets.setIamPolicy
  • dataplex.assets.update
  • dataplex.content.*
  • dataplex.entities.*
  • dataplex.environments.*
  • dataplex.lakeActions.list
  • dataplex.lakes.*
  • dataplex.locations.*
  • dataplex.operations.*
  • dataplex.partitions.*
  • dataplex.tasks.*
  • dataplex.zoneActions.list
  • dataplex.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Proprietário de dados do Dataplex
(roles/dataplex.dataOwner)

Acesso de proprietário aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.

  • dataplex.assets.ownData
  • dataplex.assets.readData
  • dataplex.assets.writeData

Leitor de dados do Dataplex
(roles/dataplex.dataReader)

Acesso somente leitura aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.

  • dataplex.assets.readData

Gravador de dados do Dataplex
(roles/dataplex.dataWriter)

Acesso de gravação aos dados. Concedido apenas aos recursos data lake, zona ou recurso do Dataplex.

  • dataplex.assets.writeData

Desenvolvedor do Dataplex
(roles/dataplex.developer)

Permite executar cargas de trabalho de análise de dados em um lake.

  • dataplex.content.*
  • dataplex.environments.execute
  • dataplex.environments.get
  • dataplex.environments.list
  • dataplex.tasks.cancel
  • dataplex.tasks.create
  • dataplex.tasks.delete
  • dataplex.tasks.get
  • dataplex.tasks.list
  • dataplex.tasks.update

Editor do Dataplex
(roles/dataplex.editor)

Acesso de gravação aos recursos do Dataplex.

  • cloudasset.assets.analyzeIamPolicy
  • dataplex.assetActions.list
  • dataplex.assets.create
  • dataplex.assets.delete
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.assets.update
  • dataplex.content.delete
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.environments.create
  • dataplex.environments.delete
  • dataplex.environments.get
  • dataplex.environments.getIamPolicy
  • dataplex.environments.list
  • dataplex.environments.update
  • dataplex.lakeActions.list
  • dataplex.lakes.create
  • dataplex.lakes.delete
  • dataplex.lakes.get
  • dataplex.lakes.getIamPolicy
  • dataplex.lakes.list
  • dataplex.lakes.update
  • dataplex.operations.*
  • dataplex.tasks.cancel
  • dataplex.tasks.create
  • dataplex.tasks.delete
  • dataplex.tasks.get
  • dataplex.tasks.getIamPolicy
  • dataplex.tasks.list
  • dataplex.tasks.update
  • dataplex.zoneActions.list
  • dataplex.zones.create
  • dataplex.zones.delete
  • dataplex.zones.get
  • dataplex.zones.getIamPolicy
  • dataplex.zones.list
  • dataplex.zones.update

Leitor de metadados do Dataplex
(roles/dataplex.metadataReader)

Acesso somente leitura aos metadados.

  • dataplex.assets.get
  • dataplex.assets.list
  • dataplex.entities.get
  • dataplex.entities.list
  • dataplex.partitions.get
  • dataplex.partitions.list
  • dataplex.zones.get
  • dataplex.zones.list

Gravador de metadados do Dataplex
(roles/dataplex.metadataWriter)

Acesso de leitura e gravação aos metadados.

  • dataplex.assets.get
  • dataplex.assets.list
  • dataplex.entities.*
  • dataplex.partitions.*
  • dataplex.zones.get
  • dataplex.zones.list

Proprietário de dados de armazenamento do Dataplex
(roles/dataplex.storageDataOwner)

Acesso de proprietário aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.

  • bigquery.datasets.get
  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Leitor de dados de armazenamento do Dataplex
(roles/dataplex.storageDataReader)

Acesso somente leitura aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.

  • bigquery.datasets.get
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • storage.buckets.get
  • storage.objects.get
  • storage.objects.list

Gravador de dados de armazenamento do Dataplex
(roles/dataplex.storageDataWriter)

Acesso de gravação aos dados. Não pode ser usado diretamente. Este papel é concedido pelo Dataplex aos recursos gerenciados, como buckets do Cloud Storage, conjuntos de dados do BigQuery etc.

  • bigquery.tables.updateData
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.update

Leitor do Dataplex
(roles/dataplex.viewer)

Acesso de leitura aos recursos do Dataplex.

  • cloudasset.assets.analyzeIamPolicy
  • dataplex.assetActions.list
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.environments.get
  • dataplex.environments.getIamPolicy
  • dataplex.environments.list
  • dataplex.lakeActions.list
  • dataplex.lakes.get
  • dataplex.lakes.getIamPolicy
  • dataplex.lakes.list
  • dataplex.operations.get
  • dataplex.operations.list
  • dataplex.tasks.get
  • dataplex.tasks.getIamPolicy
  • dataplex.tasks.list
  • dataplex.zoneActions.list
  • dataplex.zones.get
  • dataplex.zones.getIamPolicy
  • dataplex.zones.list

Papéis do Cloud Debugger

Papel Permissões

Agente do Cloud Debugger Beta
(roles/clouddebugger.agent)

Concede permissões para registrar o alvo da depuração, ler pontos de interrupção ativos e relatar resultados dos pontos de interrupção.

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Conta de serviço
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create

Usuário do Cloud Debugger Beta
(roles/clouddebugger.user)

Concede permissões para criar, visualizar, listar e excluir pontos de interrupção (instantâneos e logpoints), bem como listar alvos de depuração (depurados).

Recursos de nível mais baixo em que é possível conceder esse papel:

  • Projeto
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list

Papéis do Cloud Deploy

Papel Permissões

Administrador do Cloud Deploy Beta
(roles/clouddeploy.admin)

Controle total dos recursos do Cloud Deploy.

  • clouddeploy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Aprovador do Cloud Deploy Beta
(roles/clouddeploy.approver)

Permissão para aprovar ou rejeitar lançamentos.

  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Desenvolvedor do Cloud Deploy Beta
(roles/clouddeploy.developer)

Permissão para gerenciar a configuração de implantação sem permissão para acessar recursos operacionais, como destinos.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Executor do Cloud Deploy Beta
(roles/clouddeploy.jobRunner)

Permissão para executar o trabalho do Cloud Deploy sem permissão para entregar a um destino.

  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Operador do Cloud Deploy Beta
(roles/clouddeploy.operator)

Permissão para gerenciar a configuração de implantação.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.create
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Lançador do Cloud Deploy Beta
(roles/clouddeploy.releaser)

Permissão para criar versões e lançamentos do Cloud Deploy.

  • clouddeploy.deliveryPipelines.get
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Leitor do Cloud Deploy Beta
(roles/clouddeploy.viewer)

Pode ver recursos do Cloud Deploy.

  • clouddeploy.config.get
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.*
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud DLP

Role Permissions

DLP Administrator
(roles/dlp.admin)

Administer DLP including jobs and templates.

  • dlp.*
  • serviceusage.services.use

DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)

Edit DLP analyze risk templates.

  • dlp.analyzeRiskTemplates.*

DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)

Read DLP analyze risk templates.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)

Read DLP column profiles.

  • dlp.columnDataProfiles.*

DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)

Read DLP profiles.

  • dlp.columnDataProfiles.*
  • dlp.projectDataProfiles.*
  • dlp.tableDataProfiles.*

DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)

Edit DLP de-identify templates.

  • dlp.deidentifyTemplates.*

DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)

Read DLP de-identify templates.

  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list

DLP Cost Estimation
(roles/dlp.estimatesAdmin)

Manage DLP Cost Estimates.

  • dlp.estimates.*

DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)

Read DLP stored findings.

  • dlp.inspectFindings.list

DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)

Edit DLP inspect templates.

  • dlp.inspectTemplates.*

DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)

Read DLP inspect templates.

  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list

DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)

Edit job triggers configurations.

  • dlp.jobTriggers.*

DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)

Read job triggers.

  • dlp.jobTriggers.get
  • dlp.jobTriggers.list

DLP Jobs Editor
(roles/dlp.jobsEditor)

Edit and create jobs

  • dlp.jobs.*
  • dlp.kms.encrypt

DLP Jobs Reader
(roles/dlp.jobsReader)

Read jobs

  • dlp.jobs.get
  • dlp.jobs.list

DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)

Permissions needed by the DLP service account to generate data profiles within an organization or folder.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • bigquerymigration.translation.translate
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)

Read DLP project profiles.

  • dlp.projectDataProfiles.*

DLP Project Data Profiles Driver
(roles/dlp.projectdriver)

Permissions needed by the DLP service account to generate data profiles within a project.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • bigquerymigration.translation.translate
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Reader
(roles/dlp.reader)

Read DLP entities, such as jobs and templates.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.list
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.locations.*
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)

Edit DLP stored info types.

  • dlp.storedInfoTypes.*

DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)

Read DLP stored info types.

  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)

Read DLP table profiles.

  • dlp.tableDataProfiles.*

DLP User
(roles/dlp.user)

Inspect, Redact, and De-identify Content

  • dlp.kms.encrypt
  • dlp.locations.*
  • serviceusage.services.use

Papéis do Cloud Domains

Role Permissions

Cloud Domains Admin
(roles/domains.admin)

Full access to Cloud Domains Registrations and related resources.

  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Domains Viewer
(roles/domains.viewer)

Read-only access to Cloud Domains Registrations and related resources.

  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • domains.registrations.listEffectiveTags
  • domains.registrations.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Papéis do Cloud Filestore

Role Permissions

Cloud Filestore Editor Beta
(roles/file.editor)

Read-write access to Filestore instances and related resources.

  • file.*

Cloud Filestore Viewer Beta
(roles/file.viewer)

Read-only access to Filestore instances and related resources.

  • file.backups.get
  • file.backups.list
  • file.backups.listEffectiveTags
  • file.backups.listTagBindings
  • file.instances.get
  • file.instances.list
  • file.instances.listEffectiveTags
  • file.instances.listTagBindings
  • file.locations.*
  • file.operations.get
  • file.operations.list
  • file.snapshots.listEffectiveTags
  • file.snapshots.listTagBindings

Papéis do Cloud Functions

Papel Permissões

Administrador do Cloud Functions
(roles/cloudfunctions.admin)

Acesso total a funções, operações e locais.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • recommender.runServiceIdentityInsights.*
  • recommender.runServiceIdentityRecommendations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Desenvolvedor do Cloud Functions
(roles/cloudfunctions.developer)

Acesso de leitura e gravação a todos os recursos relacionados a funções.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudfunctions.runtimes.list
  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.c