了解角色

当某个身份调用 Google Cloud API 时，Identity and Access Management 会要求该身份必须具有使用相应资源的适当权限。您可以通过为用户、群组或服务帐号授予角色来提供权限。

本页面介绍了您可以为身份授予以使其能够访问 Google Cloud 资源的 IAM 角色。

使用本指南的前提条件

了解 IAM 的基本概念

角色类型

IAM 中有三种角色：

原初角色：包括在引入 IAM 之前已存在的 Owner、Editor 和 Viewer 角色。
预定义角色：针对特定服务提供精细访问权限，并由 Google Cloud 管理。
自定义角色：根据用户指定的权限列表提供精细访问权限。

如需确定原初角色、预定义角色或自定义角色中是否包含一项或多项权限，您可以使用以下方法之一：

gcloud iam roles describe 命令。
roles.get() API

以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。

原初角色

在引入 IAM 之前存在三个角色：Owner、Editor 和 Viewer。这些角色是嵌套的；也就是说，Owner 角色包含 Editor 角色的权限，而 Editor 角色又包含 Viewer 角色的权限。

下表概括了原初角色在所有 Google Cloud 服务中包含的权限：

原初角色定义

名称	名称	权限
`roles/viewer`	Viewer	拥有执行不会影响状态的只读操作的权限，例如查看（但无法修改）现有资源或数据。
`roles/editor`	Editor	拥有所有查看权限，以及修改状态的操作（例如更改现有资源）的权限。注意：虽然 `roles/editor` 角色包含为大多数 Google Cloud 服务创建和删除资源的权限，但某些服务不包含这些权限。要详细了解如何检查某项角色是否具有您所需的权限，请参阅上文。
`roles/owner`	Owner	拥有所有修改权限，此外还有权执行以下操作：管理项目和项目中所有资源的角色和权限。为项目设置结算。注意：在资源级层（如 Pub/Sub 主题）授予 Owner 角色并不会授予父级项目上的 Owner 角色。因此，在组织级层获授 Owner 角色后，您不能更新组织的元数据，不过您可以修改该组织名下的项目和其他资源。

您可以使用 Cloud Console、API 和 gcloud 工具在项目级层或服务资源级层应用原初角色。如需相关说明，请参阅授予、更改和撤消访问权限。

邀请流程

您无法使用 Identity and Access Management API 或 gcloud 命令行工具将 Owner 角色授予项目的成员。您只能使用 Cloud Console 将所有者添加到项目中。系统会通过电子邮件向该成员发送邀请，该成员必须接受邀请才能成为项目的所有者。

请注意，在以下情况下，系统不会发送邀请电子邮件：

您要授予除 Owner 以外的角色时。
组织成员将其组织的其他成员添加为该组织中某个项目的 Owner。

如需了解如何使用 Cloud Console 授予角色，请参阅授予、更改和撤消访问权限。

预定义角色

除了原初角色之外，IAM 还提供其他预定义角色，后者可让您授予对特定 Google Cloud 资源的精细访问权限，同时阻止对其他资源的不必要访问。

下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色，或者在大多数情况下可以为该类型在 Google Cloud 层次结构中的任何上级类型授予特定角色。您可以为同一位用户授予多个角色。例如，同一位用户可以拥有项目上的 Network Admi 和 Log Viewer 角色，并且对该项目中的 Pub/Sub 主题具有 Publisher 角色。有关角色中包含的权限的列表，请参阅获取角色元数据。

Access Approval 角色

角色	名称	说明	权限
`roles/accessapproval.approver`	Access Approval Approver ^{Beta 版}	能够查看或处理权限审批请求并查看配置	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Access Approval Config Editor ^{Beta 版}	可更新访问权限审批配置	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Access Approval Viewer ^{Beta 版}	可查看访问权限审批请求和配置	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager 角色

角色	名称	说明	权限
`roles/accesscontextmanager.policyAdmin`	Access Context Manager Admin	拥有政策、访问权限级别和访问权限区域的完整访问权限	accesscontextmanager.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Access Context Manager Editor	拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问区域。	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Access Context Manager Reader	拥有对政策、访问权限级别和访问区域的读取权限。	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	VPC Service Controls Troubleshooter Viewer		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions 角色

角色	名称	说明	权限	最低资源要求
`roles/actions.Admin`	Actions Admin	拥有修改和部署某项操作的权限	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/actions.Viewer`	Actions Viewer	拥有查看某项操作的权限	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Android Management 角色

角色	名称	说明	权限	最低资源要求
`roles/androidmanagement.user`	Android 管理用户	拥有管理设备的完整权限。	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Apigee 角色

角色	名称	说明	权限
`roles/apigee.admin`	Apigee Organization Admin ^{Beta 版}	拥有对所有 Apigee 资源功能的完全访问权限	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Apigee Analytics Agent ^{Beta 版}	提供一组特选权限，可让 Apigee Universal Data Collection Agent 管理 Apigee 组织的分析数据	apigee.environments.getDataLocation
`roles/apigee.analyticsEditor`	Apigee Analytics Editor ^{Beta 版}	可修改 Apigee 组织的分析数据	apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Apigee Analytics Viewer ^{Beta 版}	可查看 Apigee 组织的分析数据	apigee.environments.getStats apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiCreator`	Apigee API Creator ^{Beta 版}	可创建 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.delete apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.update apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.deployer`	Apigee Deployer ^{Beta 版}	可部署 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.deployments.* apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.developerAdmin`	Apigee Developer Admin ^{Beta 版}	可管理 Apigee 资源开发者	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Apigee Read-only Admin ^{Beta 版}	可查看所有 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.deployments.get apigee.deployments.list apigee.developerrappattributes.get apigee.developerrappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.runtimeAgent`	Apigee Runtime Agent ^{Alpha 版}	提供一组特选权限，可让运行时代理访问 Apigee 组织资源
`roles/apigee.synchronizerManager`	Apigee Synchronizer Manager ^{Beta 版}	提供一组特选权限，可让 Synchronizer 管理 Apigee 组织中的环境	apigee.environments.get apigee.environments.manageRuntime
`roles/apigeeconnect.Admin`	Apigee Connect Admin ^{Beta 版}	可以管理 Apigee Connect	apigeeconnect.connections.*
`roles/apigeeconnect.Agent`	Apigee Connect Agent ^{Beta 版}	能够在外部集群和 Google 之间设置 Apigee Connect 代理。	apigeeconnect.endpoints.*

App Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/appengine.appAdmin`	App Engine Admin	拥有对所有应用配置和设置的读取/写入/修改权限。	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.appViewer`	App Engine Viewer	拥有对所有应用配置和设置的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.codeViewer`	App Engine Code Viewer	拥有对所有应用配置、设置和已部署源代码的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.deployer`	App Engine Deployer	拥有对所有应用配置和设置的只读权限。仅拥有创建新版本的写权限；无法修改现有版本，但可删除未收到流量的版本。注意：此角色包含使用 App Engine Admin API 进行部署所需的权限。要使用其他 App Engine 工具（例如 `gcloud` 命令行工具），您还必须具有 Compute Storage Admin (`roles/compute.storageAdmin`) 和 Cloud Build Editor (`roles/cloudbuild.builds.editor`) 角色。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.serviceAdmin`	App Engine Service Admin	拥有对所有应用配置和设置的只读权限。拥有模块级和版本级设置的写权限。无权部署新版本。	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目

Artifact Registry 角色

角色	名称	说明	权限
`roles/artifactregistry.admin`	Artifact Registry Administrator ^{Beta 版}	拥有可创建和管理代码库的管理员权限。	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader ^{Beta 版}	可以读取代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator ^{Beta 版}	拥有管理代码库中的工件的权限。	artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.*
`roles/artifactregistry.writer`	Artifact Registry Writer ^{Beta 版}	可以读取和写入代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list

AutoML 角色

角色	名称	说明	权限	最低资源要求
`roles/automl.admin`	AutoML Admin ^{Beta 版}	拥有所有 AutoML 资源的完整访问权限	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.editor`	AutoML Editor ^{Beta 版}	可修改所有 AutoML 资源	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.predictor`	AutoML Predictor ^{Beta 版}	可使用模型进行预测	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	型号
`roles/automl.viewer`	AutoML Viewer ^{Beta 版}	可查看所有 AutoML 资源	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型

BigQuery 角色

角色	名称	说明	权限	最低资源要求
`roles/bigquery.admin`	BigQuery Admin	提供管理项目中所有资源的权限。获授此角色的用户可以管理项目中的所有数据，也可以取消其他用户正在项目中运行的作业。	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin ^{Beta 版}		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User ^{Beta 版}		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery Data Editor	此角色在应用于表或视图时，可提供以下权限：读取和更新表或视图的数据和元数据。删除表或视图。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.dataOwner`	BigQuery Data Owner	此角色在应用于表或视图时，可提供以下权限：读取和更新表或视图的数据和元数据。共享表或视图。删除表或视图。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取、更新和删除数据集。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.dataViewer`	BigQuery Data Viewer	此角色在应用于表或视图时，可提供以下权限：从表或视图中读取数据和元数据。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。从数据集的表中读取数据和元数据。此角色在应用于项目或组织级层时，还可提供枚举项目中所有数据集的权限。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.jobUser`	BigQuery Job User	提供在项目中运行作业（包括查询）的权限。此角色可以检查所有作业是否存在，以及枚举和取消自己的作业。	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.metadataViewer`	BigQuery Metadata Viewer	此角色在应用于表或视图时，可提供以下权限：从表或视图中读取元数据。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：列出数据集中的表和视图。从数据集的表和视图中读取元数据。此角色在应用于项目或组织级层时，可提供以下权限：列出项目中的所有数据集，以及读取所有数据集的元数据。列出项目中的所有表和视图，以及读取所有表和视图的元数据。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.readSessionUser`	BigQuery Read Session User	拥有创建和使用读取会话的权限	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin ^{Beta 版}	管理所有 BigQuery 资源。	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery User	此角色应用于数据集时，让您可以读取数据集的元数据并列出数据集中的表。应用于项目时，此角色还提供在项目内运行作业（包括查询）的能力。具有此角色的成员可以枚举自己的作业、取消自己的作业，还可以枚举项目中的数据集。此外，具有此角色的用户还可以在项目中创建新数据集；对于这些新数据集，系统会为创建者授予 BigQuery Data Owner 角色 (`roles/bigquery.dataOwner`)。	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	数据集

Cloud Bigtable 角色

角色	名称	说明	权限	最低资源要求
`roles/bigtable.admin`	Bigtable Administrator	可管理项目中的所有实例（包括表中存储的数据），还可创建新实例。适用于项目管理员。	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.reader`	Bigtable Reader	提供对表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析情景。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.user`	Bigtable User	提供对表中所存储数据的读写权限。适用于应用开发者或服务帐号。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.viewer`	Bigtable Viewer	不提供数据访问权限。仅提供适用于 Bigtable 的 Cloud Console 的一组最低访问权限。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例

Billing 角色

角色	名称	说明	权限	最低资源要求
`roles/billing.admin`	Billing Account Administrator	提供查看和管理结算帐号所有方面的权限。	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	结算帐号
`roles/billing.creator`	Billing Account Creator	提供创建结算帐号的权限。	billing.accounts.create resourcemanager.organizations.get	组织
`roles/billing.projectManager`	Project Billing Manager	提供为项目分配结算帐号或停用项目结算功能的权限。	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	项目
`roles/billing.user`	Billing Account User	提供将项目与结算帐号相关联的权限。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	结算帐号
`roles/billing.viewer`	Billing Account Viewer	查看结算帐号费用信息和交易。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.groupcontrols.list	结算帐号

Binary Authorization 角色

角色	名称	说明	权限
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin ^{Beta 版}	Binary Authorization 证明者管理员	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor ^{Beta 版}	可修改 Binary Authorization 证明者	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier ^{Beta 版}	可调用 Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer ^{Beta 版}	可以查看 Binary Authorization 证明者	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator ^{Beta 版}	Binary Authorization 政策管理员	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor ^{Beta 版}	可修改 Binary Authorization 政策	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer ^{Beta 版}	可以查看 Binary Authorization 政策	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat 角色

角色	名称	说明	权限	最低资源要求
`roles/chat.owner`	聊天机器人所有者	可以查看和修改机器人配置	chat.*
`roles/chat.reader`	聊天机器人查看者	可以查看机器人配置	chat.bots.get

Cloud Asset 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudasset.owner`	云资源所有者	拥有云资源元数据的完整访问权限	cloudasset.*
`roles/cloudasset.viewer`	云资产查看者	拥有云资源元数据的只读权限	cloudasset.assets.*

Cloud Build 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudbuild.builds.builder`	Cloud Build Service Account	提供执行构建的权限。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Cloud Build Editor	提供创建和取消构建作业的权限。	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudbuild.builds.viewer`	Cloud Build Viewer	提供查看构建作业的权限。	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Data Fusion 角色

角色	名称	说明	权限	最低资源要求
`roles/datafusion.admin`	Cloud Data Fusion Admin ^{Beta 版}	提供对 Cloud Data Fusion 实例和相关资源的完整访问权限。	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datafusion.runner`	Cloud Data Fusion Runner ^{Beta 版}	提供对 Cloud Data Fusion 运行时资源的访问权限。	datafusion.instances.runtime
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^{Beta 版}	提供对 Cloud Data Fusion 实例及相关资源的只读权限。	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Debugger 角色

角色	名称	说明	权限	最低资源要求
`roles/clouddebugger.agent`	Cloud Debugger Agent ^{Beta 版}	提供注册调试目标、读取活跃断点和报告断点结果的权限。	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	服务帐号
`roles/clouddebugger.user`	Cloud Debugger User ^{Beta 版}	提供创建、查看、列出和删除断点（快照和日志点）以及列出调试目标（调试对象）的权限。	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	项目

Cloud Functions 角色

角色	名称	说明	权限
`roles/cloudfunctions.admin`	Cloud Functions Admin^{Beta 版}	拥有函数、运算和位置的完整访问权限。	Cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Cloud Functions Developer^{Beta 版}	拥有所有函数相关资源的读写权限。	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Cloud Functions Invoker^{Beta 版}	可使用受限的访问权限调用 HTTP 函数。	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Cloud Functions Viewer^{Beta 版}	拥有函数和位置的只读权限。	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP 角色

角色	名称	说明	权限	最低资源要求
`roles/iap.admin`	IAP Policy Admin	提供对 Identity-Aware Proxy 资源的完整访问权限。	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	项目
`roles/iap.httpsResourceAccessor`	IAP-secured Web App User	提供对使用 Identity-Aware Proxy 的 HTTPS 资源的访问权限。	iap.webServiceVersions.accessViaIAP	项目
`roles/iap.settingsAdmin`	IAP Settings Admin	IAP 设置管理员。	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	IAP-secured Tunnel User	可访问使用 Identity-Aware Proxy 的隧道资源	iap.tunnelInstances.accessViaIAP

Cloud IoT 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudiot.admin`	Cloud IoT Admin	拥有对所有 Cloud IoT 资源和权限的完全控制权。	cloudiot.* cloudiottoken.*	设备
`roles/cloudiot.deviceController`	Cloud IoT Device Controller	有权更新设备配置，但无权创建或删除设备。	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.editor`	Cloud IoT Editor	拥有对所有 Cloud IoT 资源的读写权限。	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	设备
`roles/cloudiot.provisioner`	Cloud IoT Provisioner	拥有在注册表中创建和删除设备的权限，但无权修改注册表。	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.viewer`	Cloud IoT Viewer	拥有对所有 Cloud IoT 资源的只读权限。	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备

Cloud Talent Solution 角色

角色	名称	说明	权限
`roles/cloudjobdiscovery.admin`	Admin	拥有 Cloud Talent Solution 自助式工具的访问权限。	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsEditor`	Job Editor	拥有 Cloud Talent Solution 中所有作业数据的写入权限。	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsViewer`	Job Viewer	拥有 Cloud Talent Solution 中所有作业数据的读取权限。	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesEditor`	Profile Editor	拥有 Cloud Talent Solution 中所有个人资料数据的写入权限。	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesViewer`	Profile Viewer	拥有 Cloud Talent Solution 中所有个人资料数据的读取权限。	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudkms.admin`	Cloud KMS Admin	提供 Cloud KMS 资源的完整访问权限，但不提供执行加密和解密操作的权限。	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyDecrypter`	Cloud KMS CryptoKey Decrypter	仅提供使用 Cloud KMS 资源执行解密操作的权限。	cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypter`	Cloud KMS CryptoKey Encrypter	仅提供使用 Cloud KMS 资源执行加密操作的权限。	cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS CryptoKey Encrypter/Decrypter	仅提供使用 Cloud KMS 资源执行加密和解密操作的权限。	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.importer`	Cloud KMS Importer	可启用 ImportCryptoKeyVersion、CreateImportJob、ListImportJobs 和 GetImportJob 操作	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer	可启用 GetPublicKey 操作	cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get
`roles/cloudkms.signer`	Cloud KMS CryptoKey Signer	可启用 AsymmetricSign 操作	cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier	可启用 AsymmetricSign 和 GetPublicKey 操作	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get

Cloud Marketplace 角色

角色	名称	说明	权限
`roles/consumerprocurement.entitlementManager`	Consumer Procurement Entitlement Manager ^{Beta 版}	允许管理使用方项目的授权，启用、停用使用方项目以及检查其服务状态。	consumerprocurement.entitlements.* consumerprocurement.freeTrials.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.entitlementViewer`	Consumer Procurement Entitlement Viewer ^{Beta 版}	允许检查使用方项目的授权和服务状态。	consumerprocurement.entitlements.* consumerprocurement.freeTrials.get consumerprocurement.freeTrials.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.orderAdmin`	Consumer Procurement Order Administrator ^{Beta 版}	允许管理购买交易。	consumerprocurement.accounts.* consumerprocurement.orders.*
`roles/consumerprocurement.orderViewer`	Consumer Procurement Order Viewer ^{Beta 版}	允许检查购买交易。	consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list

Cloud Migration 角色

角色	名称	说明	权限
`roles/cloudmigration.inframanager`	Velostrata Manager ^{Beta 版}	可创建和管理 Compute 虚拟机以运行 Velostrata 基础架构	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/cloudmigration.storageaccess`	Velostrata Storage Access ^{Beta 版}	可访问迁移存储空间	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^{Beta 版}	可在 Velostrata Manager 与 Google 之间设置连接	cloudmigration.* gkehub.endpoints.*
`roles/vmmigration.admin`	VM Migration Administrator ^{Beta 版}	可查看和修改所有 VM Migration 对象	vmmigration.*
`roles/vmmigration.viewer`	VM Migration Viewer ^{Beta 版}	可查看所有 VM Migration 对象	vmmigration.deployments.get vmmigration.deployments.list

Cloud Private Catalog 角色

角色	名称	说明	权限
`roles/cloudprivatecatalog.consumer`	Catalog Consumer ^{Beta 版}	可以在目标资源情境中浏览目录。	cloudprivatecatalog.*
`roles/cloudprivatecatalogproducer.admin`	Catalog Admin ^{Beta 版}	可以管理目录并查看其关联。	cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
`roles/cloudprivatecatalogproducer.manager`	Catalog Manager ^{Beta 版}	可管理目录和目标资源之间的关联。	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get

Cloud Profiler 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudprofiler.agent`	Stackdriver Profiler Agent^{Beta 版}	Stackdriver Profiler 代理可以注册和提供性能剖析数据。	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/cloudprofiler.user`	Stackdriver Profiler User ^{Beta 版}	Stackdriver Profiler 用户可以查询和查看性能剖析数据。	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler 角色

角色	名称	说明	权限
`roles/cloudscheduler.admin`	Cloud Scheduler Admin ^{Beta 版}	拥有作业和执行作业的完整访问权限。	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.jobRunner`	Cloud Scheduler Job Runner ^{Beta 版}	可以运行作业。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.viewer`	Cloud Scheduler Viewer ^{Beta 版}	可获取和列出作业、作业执行情况和位置。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Cloud Security Scanner 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	拥有所有 Web Security Scanner 资源的完整访问权限	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	拥有 Scan 和 ScanRun 的读取权限以及启动扫描的权限	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	项目
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	拥有所有 Web Security Scanner 资源的读取权限	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud 服务角色

角色	名称	说明	权限	最低资源要求
`roles/servicebroker.admin`	Service Broker Admin ^{Beta 版}	拥有 ServiceBroker 资源的完整访问权限。	servicebroker.*
`roles/servicebroker.operator`	Service Broker Operator ^{Beta 版}	拥有 ServiceBroker 资源的操作权限。	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsql.admin`	Cloud SQL Admin	提供 Cloud SQL 资源的完全控制权。	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.client`	Cloud SQL Client	提供 Cloud SQL 实例的连接权限。	cloudsql.instances.connect cloudsql.instances.get	项目
`roles/cloudsql.editor`	Cloud SQL Editor	提供现有 Cloud SQL 实例的完全控制权，但不能修改用户、SSL 证书或删除资源。	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.viewer`	Cloud SQL Viewer	提供 Cloud SQL 资源的只读权限。	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud Tasks 角色

角色	名称	说明	权限
`roles/cloudtasks.admin`	Cloud Tasks Admin ^{Beta 版}	拥有队列和任务的完整访问权限。	cloudtasks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^{Beta 版}	有权创建任务。	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^{Beta 版}	拥有对队列的管理员权限。	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^{Beta 版}	有权删除任务。	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskRunner`	Cloud Tasks Task Runner ^{Beta 版}	有权运行任务。	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.viewer`	Cloud Tasks Viewer ^{Beta 版}	有权获取和列出任务、队列和位置。	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudtrace.admin`	Cloud Trace Admin	提供 Trace 控制台的完整访问权限以及跟踪记录的读写权限。	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudtrace.agent`	Cloud Trace Agent	适用于服务帐号。提供通过将数据发送到 Stackdriver Trace 来写入跟踪记录的权限。	cloudtrace.traces.patch	项目
`roles/cloudtrace.user`	Cloud Trace User	提供 Trace 控制台的完整访问权限以及跟踪记录的读取权限。	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Translation 角色

角色	名称	说明	权限
`roles/cloudtranslate.admin`	Cloud Translation API 管理员	拥有所有 Cloud Translation 资源的完整访问权限	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.editor`	Cloud Translation API 编辑者	Cloud Translation 资源的编辑者	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.user`	Cloud Translation API 用户	Cloud Translation 和 AutoML 模型用户	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.viewer`	Cloud Translation API 查看者	所有 Translation 资源查看者	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Codelab API Keys 角色

角色	名称	说明	权限
`roles/codelabapikeys.admin`	Codelab ApiKeys Admin ^{Beta 版}	拥有对 API 密钥的完整访问权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.editor`	Codelab API Keys Editor ^{Beta 版}	此角色可查看和修改 API 密钥的所有属性。	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.viewer`	Codelab API Keys Viewer ^{Beta 版}	此角色可查看 API 密钥更改历史记录以外的所有属性。	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer 角色

角色	名称	说明	权限	最低资源要求
`roles/composer.admin`	Composer Administrator	提供对 Cloud Composer 资源的完全控制权。	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.environmentAndStorageObjectAdmin`	Environment and Storage Object Administrator	提供对 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	项目
`roles/composer.environmentAndStorageObjectViewer`	Environment User and Storage Object Viewer	提供列出及获取 Cloud Composer 环境和操作所需的权限。以及对所有项目存储分区中对象的只读权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	项目
`roles/composer.user`	Composer User	提供列出及获取 Cloud Composer 环境和操作所需的权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.worker`	Composer Worker	提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	项目

Compute Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/compute.admin`	Compute Admin	拥有对所有 Compute Engine 资源的完整控制权。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^{Beta 版}
`roles/compute.imageUser`	Compute Image User	可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后，获授此角色的用户可以列出项目中的所有映像，并根据项目中的映像创建实例和永久性磁盘等资源。	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	映像^{Beta 版}
`roles/compute.instanceAdmin`	Compute Instance Admin（Beta 版）	拥有创建、修改和删除虚拟机实例的权限。这包括创建、修改和删除磁盘的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。例如，如果贵公司的某位员工负责管理多组虚拟机实例，但不负责管理网络或安全设置，也不负责管理以服务帐号身份运行的实例，则您可以在这些实例所属的组织、文件夹或项目级层授予此角色，也可以在个别实例级层授予此角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、快照^{Beta 版}
`roles/compute.instanceAdmin.v1`	Compute Instance Admin (v1)	拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权，拥有所有 Compute Engine 网络资源的读取权限。如果仅在实例级层向用户授予此角色，则该用户无法创建新实例。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.loadBalancerAdmin`	Compute Load Balancer Admin ^{Beta 版}	拥有创建、修改和删除负载平衡器及相关资源的权限。例如，如果您公司的负载平衡团队负责管理负载平衡器、负载平衡器的 SSL 证书、SSL 政策和其他负载平衡资源，而另一个网络团队负责管理其余网络资源，则向负载平衡团队群组授予此角色。	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.networkAdmin`	Compute Network Admin	拥有创建、修改和删除网络资源（不包括防火墙规则和 SSL 证书）的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例（以查看其临时 IP 地址），但无法让用户创建、启动、停止或删除实例。例如，如果您公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，则向网络团队群组授予此角色。	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.networkUser`	Compute Network User	提供对共享 VPC 网络的访问权限获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如，网络用户可以创建属于宿主项目网络的虚拟机实例，但不能在宿主项目中删除网络或者创建新网络。	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.use networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.use networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.use networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.use networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/compute.networkViewer`	Compute Network Viewer	提供所有网络资源的只读权限例如，如果您有用于检查网络配置的软件，则可以向该软件的服务帐号授予此角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.orgSecurityPolicyAdmin`	Compute Organization Security Policy Admin ^{Beta 版}	拥有对 Compute Engine 组织安全政策的完整控制权。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyUser`	Compute Organization Security Policy User ^{Beta 版}	可以查看或使用 Compute Engine 安全政策，以便与组织或文件夹相关联。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.addAssociation compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.removeAssociation compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityResourceAdmin`	Compute Organization Resource Admin ^{Beta 版}	拥有与组织或文件夹关联的 Compute Engine 安全政策的完整控制权。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.organizations.listAssociations compute.organizations.setSecurityPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.osAdminLogin`	Compute OS Admin Login	拥有以管理员用户身份登录 Compute Engine 实例的权限。	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.osLogin`	Compute OS Login	拥有以标准用户身份登录 Compute Engine 实例的权限。	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.osLoginExternalUser`	Compute OS Login External User	此角色仅在组织级层提供。此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限，但不授予对实例的访问权限。外部用户必须获授一个必要的 OS Login 角色才能使用 SSH 访问实例。	compute.oslogin.*	组织
`roles/compute.packetMirroringAdmin`	Compute Packet Mirroring Admin	指定要生成镜像的资源。	compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.packetMirroringUser`	Compute Packet Mirroring User	可使用 Compute Engine 数据包镜像。	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.publicIpAdmin`	Compute Public IP Admin ^{Beta 版}	拥有对 Compute Engine 公共 IP 地址管理的完整控制权。	compute.addresses.* compute.globalAddresses.* compute.globalPublicDelegatedPrefixes.* compute.publicAdvertisedPrefixes.* compute.publicDelegatedPrefixes.* resourcemanager.projects.get resourcemanager.projects.list
`roles/compute.securityAdmin`	Compute Security Admin	拥有创建、修改和删除防火墙规则和 SSL 证书的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。例如，如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队，则向安全团队群组授予此角色。	compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.getEffectiveFirewalls compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.storageAdmin`	Compute Storage Admin	拥有创建、修改和删除磁盘、映像及快照的权限。例如，如果您公司的某位员工负责管理项目映像，但您不希望该员工拥有项目的 Editor 角色，则向其帐号授予项目的此角色。	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、快照^{Beta 版}
`roles/compute.viewer`	Compute Viewer	拥有以只读方式获取和列出 Compute Engine 资源的权限，但无权读取这些资源中存储的数据。例如，获授此角色的帐号可以清点项目中的所有磁盘，但无法读取这些磁盘上的任何数据。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^{Beta 版}
`roles/compute.xpnAdmin`	Compute Shared VPC Admin	拥有管理共享 VPC 宿主项目的权限，具体来说，就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。在组织层级，此角色只能由组织管理员授予。 Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (`roles/compute.networkUser`)，共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体（个人或群组）可以同时担任这两个角色，则项目管理会变得更加容易。	compute.globalOperations.get compute.globalOperations.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	文件夹
`roles/osconfig.assignmentAdmin`	Assignment Admin	拥有对 Assignment 的完整管理员权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentEditor`	Assignment Editor	可以修改 Assignment 资源	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentViewer`	Assignment Viewer	可以查看 Assignment 资源	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyAdmin`	GuestPolicy Admin ^{Beta 版}	拥有对 GuestPolicy 的完整管理员权限	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyEditor`	GuestPolicy Editor ^{Beta 版}	可以修改 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyViewer`	GuestPolicy Viewer ^{Beta 版}	可以查看 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigAdmin`	OsConfig Admin	拥有对 OsConfig 的完整管理员权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigEditor`	OsConfig Editor	可以修改 OsConfig 资源	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigViewer`	OsConfig Viewer	可以查看 OsConfig 资源	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentAdmin`	PatchDeployment Admin	拥有对 PatchDeployment 的完整管理员权限	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentViewer`	PatchDeployment Viewer	可以查看 PatchDeployment 资源	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobExecutor`	Patch Job Executor	有权执行修补作业。	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobViewer`	Patch Job Viewer	获取并列出修补作业。	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/container.admin`	Kubernetes Engine Admin	提供对集群及其 Kubernetes API 对象的完整管理权限。如需在节点上设置一个服务帐号，您还必须授予 Service Account User 角色 (`roles/iam.serviceAccountUser`)。	container.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterAdmin`	Kubernetes Engine Cluster Admin	提供管理集群的权限。如需在节点上设置一个服务帐号，您还必须授予 Service Account User 角色 (`roles/iam.serviceAccountUser`)。	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterViewer`	Kubernetes Engine Cluster Viewer	拥有获取和列出 GKE 集群的权限。	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/container.developer`	Kubernetes Engine Developer	提供对集群内 Kubernetes API 对象的访问权限。	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.hostServiceAgentUser`	Kubernetes Engine Host Service Agent User	允许宿主项目中的 Kubernetes Engine 服务帐号为集群管理配置共享网络资源。另外，还授予检查宿主项目中的防火墙规则的权限。	compute.firewalls.get container.hostServiceAgent.*
`roles/container.viewer`	Kubernetes Engine Viewer	提供对 GKE 资源的只读权限。	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	项目

Container Analysis 角色

角色	名称	说明	权限
`roles/containeranalysis.admin`	Container Analysis Admin	拥有对所有 Container Analysis 资源的访问权限。	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.notes.update containeranalysis.occurrences.* resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.attacher`	Container Analysis Notes Attacher	可以将 Container Analysis 发生实例附加到备注。	containeranalysis.notes.attachOccurrence containeranalysis.notes.get
`roles/containeranalysis.notes.editor`	Container Analysis Notes Editor	可以修改 Container Analysis 备注。	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.occurrences.viewer`	Container Analysis Occurrences for Notes Viewer		containeranalysis.notes.get containeranalysis.notes.listOccurrences
`roles/containeranalysis.notes.viewer`	Container Analysis Notes Viewer	可以查看 Container Analysis 备注。	containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor	可以修改 Container Analysis 发生实例。	containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer	可以查看 Container Analysis 发生实例。	containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list

Data Catalog 角色

角色	名称	说明	权限
`roles/datacatalog.admin`	Data Catalog Admin	拥有对所有 DataCatalog 资源的完整访问权限	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryAdmin`	Policy Tag Admin ^{Beta 版}	可管理分类	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryFineGrainedReader`	Fine-Grained Reader ^{Beta 版}	拥有对包含特定政策标记的子资源（例如 BigQuery 列）的读取权限	datacatalog.categories.fineGrainedGet
`roles/datacatalog.entryGroupCreator`	DataCatalog EntryGroup Creator	可以新建 entryGroup	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryGroupOwner`	DataCatalog entryGroup Owner	拥有对 entryGroup 的完全访问权限	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryOwner`	DataCatalog entry Owner	拥有对条目的完全访问权限	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryViewer`	DataCatalog Entry Viewer	拥有对条目的读取权限	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagEditor`	Data Catalog Tag Editor	提供修改用于 BigQuery 和 Pub/Sub 的 Google Cloud 资产标记的权限	bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
`roles/datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator	可以创建新的标记模板	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner	拥有对标记模板的完全访问权限	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateUser`	Data Catalog TagTemplate User	可以使用模板标记资源	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer	拥有对模板和使用模板创建的标记的读取权限	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.viewer`	Data Catalog Viewer	提供对用于 BigQuery 和 Pub/Sub 且已编入目录的 Google Cloud 资产的元数据读取权限	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dataflow.admin`	Dataflow Admin	创建和管理 Dataflow 作业需要的最低权限角色。	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/dataflow.developer`	Dataflow Developer	提供执行和操作 Dataflow 作业所需的权限。	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.viewer`	Dataflow Viewer	提供对所有 Dataflow 相关资源的只读权限。	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.worker`	Dataflow Worker	提供让 Compute Engine 服务帐号执行 Cloud Dataflow 流水线工作单元所需的权限。	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	项目

Cloud Data Labeling 角色

角色	名称	说明	权限
`roles/datalabeling.admin`	DataLabeling Service Admin ^{Beta 版}	拥有所有 DataLabeling 资源的完整访问权限	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	DataLabeling Service Editor ^{Beta 版}	可修改所有 DataLabeling 资源	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	DataLabeling Service Viewer ^{Beta 版}	可查看所有 DataLabeling 资源	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Dataprep 角色

角色	名称	说明	权限	最低资源要求
`roles/dataprep.projects.user`	Dataprep User ^{Beta 版}	可以使用 Dataprep。	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc 角色

角色	名称	说明	权限	最低资源要求
`roles/dataproc.admin`	Dataproc Administrator	拥有对 Dataproc 资源的完全控制权。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataproc.editor`	Dataproc Editor	提供查看管理 Dataproc 所需资源（包括机器类型、网络、项目和区域）而应具备的权限。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.viewer`	Dataproc Viewer	提供对 Dataproc 资源的只读权限。	compute.machineTypes.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.worker`	Dataproc Worker	提供对 Dataproc 资源的处理权限。适用于服务帐号。	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore 角色

角色	名称	说明	权限	最低资源要求
`roles/datastore.importExportAdmin`	Cloud Datastore Import Export Admin	提供对导入和导出作业的完整管理权限。	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.indexAdmin`	Cloud Datastore Index Admin	提供对索引定义的完整访问权限。	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.owner`	Cloud Datastore Owner	提供对 Datastore 资源的完整访问权限。	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.user`	Cloud Datastore User	提供对 Cloud Datastore 数据库中数据的读写权限。	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.viewer`	Cloud Datastore Viewer	提供对 Cloud Datastore 资源的读取权限。	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目

Deployment Manager 角色

角色	名称	说明	权限	最低资源要求
`roles/deploymentmanager.editor`	Deployment Manager Editor	提供创建和管理部署所需的权限。	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/deploymentmanager.typeEditor`	Deployment Manager Type Editor	提供对所有类型注册表资源的读写权限。	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.typeViewer`	Deployment Manager Type Viewer	提供对所有类型注册表资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.viewer`	Deployment Manager Viewer	提供对所有 Deployment Manager 相关资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Dialogflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dialogflow.admin`	Dialogflow API Admin	向需要对 Dialogflow 特定资源完整访问权限的 Dialogflow API 管理员授予权限。另请参阅 Dialogflow 访问权限控制。	dialogflow.* resourcemanager.projects.get	项目
`roles/dialogflow.client`	Dialogflow API Client	授予使用执行 Dialogflow 特定修改并使用 Dialogflow API 检测意图调用的 Dialogflow API 客户端。另请参阅 Dialogflow 访问权限控制。	dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	项目
`roles/dialogflow.consoleAgentEditor`	Dialogflow Console Agent Editor	授予修改现有代理的 Dialogflow 控制台编辑者。另请参阅 Dialogflow 访问权限控制。	actions.agentVersions.create dialogflow.* resourcemanager.projects.get	项目
`roles/dialogflow.reader`	Dialogflow API Reader	授予使用 Dialogflow API 执行 Dialogflow 特定只读调用的 Dialogflow API 客户端。另请参阅 Dialogflow 访问权限控制。	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get	项目

Cloud DLP 角色

角色	名称	说明	权限
`roles/dlp.admin`	DLP Administrator	可管理 DLP，包括作业和模板。	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	可修改 DLP 分析风险模板。	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	可读取 DLP 分析风险模板。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	可修改 DLP 去标识化模板。	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	可读取 DLP 去标识化模板。	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.inspectFindingsReader`	DLP Inspect Findings Reader	可读取 DLP 存储的发现结果。	dlp.inspectFindings.*
`roles/dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	可修改 DLP 检查模板。	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	可读取 DLP 检查模板。	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP Job Triggers Editor	可修改作业触发器配置。	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP Job Triggers Reader	可读取作业触发器。	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP Jobs Editor	可修改和创建作业	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP Jobs Reader	可读取作业	dlp.jobs.get dlp.jobs.list
`roles/dlp.reader`	DLP Reader	可读取作业和模板等 DLP 实体。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	可修改 DLP 存储的信息类型。	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	可读取 DLP 存储的信息类型。	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.user`	DLP User	可检查和遮盖内容，以及对内容进行去标识化处理	dlp.kms.* serviceusage.services.use

DNS 角色

角色	名称	说明	权限	最低资源要求
`roles/dns.admin`	DNS Administrator	提供对所有 Cloud DNS 资源的读写权限。	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dns.peer`	DNS Peer	可通过 DNS 对等互连地区访问目标网络	dns.networks.targetWithPeeringZone
`roles/dns.reader`	DNS Reader	提供对所有 Cloud DNS 资源的只读权限。	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	项目

Endpoints 角色

角色	名称	说明	权限	最低资源要求
`roles/endpoints.portalAdmin`	Endpoints Portal Admin ^{Beta 版}	提供在 Cloud Console 的 Endpoints > 开发者门户页面中添加、查看和删除自定义网域所需的全部权限。在为 API 创建的门户上，提供更改设置页面上网站级标签页中设置的权限。	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	项目

Error Reporting 角色

角色	名称	说明	权限	最低资源要求
`roles/errorreporting.admin`	Error Reporting Admin ^{Beta 版}	提供对 Error Reporting 数据的完整访问权限。	cloudnotifications.* errorreporting.*	项目
`roles/errorreporting.user`	Error Reporting User ^{Beta 版}	提供读取和写入 Error Reporting 数据的权限，但不提供发送新错误事件的权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.*	项目
`roles/errorreporting.viewer`	Error Reporting Viewer ^{Beta 版}	提供对 Error Reporting 数据的只读权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.*	项目
`roles/errorreporting.writer`	Errors Writer ^{Beta 版}	提供将错误事件发送到 Error Reporting 的权限。	errorreporting.errorEvents.create	服务帐号

Cloud Filestore 角色

角色	名称	说明	权限	最低资源要求
`roles/file.editor`	Cloud Filestore Editor ^{Beta 版}	拥有对 Filestore 实例及相关资源的读写权限。	file.*
`roles/file.viewer`	Cloud Filestore Viewer ^{Beta 版}	拥有对 Filestore 实例及相关资源的只读权限。	file.backups.get file.backups.list file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list

Firebase 角色

角色	名称	说明	权限
`roles/firebase.admin`	Firebase Admin	拥有对 Firebase 产品的完整访问权限。	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.analyticsAdmin`	Firebase Analytics Admin	拥有对 Google Analytics for Firebase 的完整访问权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.analyticsViewer`	Firebase Analytics Viewer	拥有对 Google Analytics for Firebase 的读取权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.developAdmin`	Firebase Develop Admin	拥有对 Firebase 开发类产品和 Analytics 的完整访问权限。	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.developViewer`	Firebase Develop Viewer	拥有对 Firebase 开发类产品和 Analytics 的读取权限。	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/firebase.growthAdmin`	Firebase Grow Admin	拥有对 Firebase 发展类产品和 Analytics 的完整访问权限。	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.growthViewer`	Firebase Grow Viewer	拥有对 Firebase 发展类产品和 Analytics 的读取权限。	cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityAdmin`	Firebase Quality Admin	拥有对 Firebase 质量类产品和 Analytics 的完整访问权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityViewer`	Firebase Quality Viewer	拥有对 Firebase 质量类产品和 Analytics 的读取权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.viewer`	Firebase Viewer	拥有对 Firebase 产品的只读权限。	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase 产品角色

角色	名称	说明	权限
`roles/cloudconfig.admin`	Firebase Remote Config Admin	拥有对 Firebase 远程配置资源的完整访问权限。	cloudconfig.* firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudconfig.viewer`	Firebase Remote Config Viewer	拥有对 Firebase 远程配置资源的读取权限。	cloudconfig.configs.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtestservice.testAdmin`	Firebase 测试实验室管理员	拥有所有测试实验室功能的完整访问权限	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
`roles/cloudtestservice.testViewer`	Firebase 测试实验室查看者	拥有测试实验室功能的读取权限	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/firebaseabt.admin`	Firebase A/B Testing Admin ^{Beta 版}	拥有 Firebase A/B 测试资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseabt.viewer`	Firebase A/B Testing Viewer ^{Beta 版}	拥有 Firebase A/B 测试资源的只读权限。	firebase.clients.get firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.admin`	Firebase App Distribution Admin ^{Beta 版}	拥有 Firebase 应用分发资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.viewer`	Firebase App Distribution Viewer ^{Beta 版}	拥有 Firebase 应用分发资源的只读权限。	firebase.clients.get firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.admin`	Firebase 身份验证管理员	拥有 Firebase 身份验证资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.viewer`	Firebase 身份验证查看者	拥有 Firebase 身份验证资源的只读权限。	firebase.clients.get firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.admin`	Firebase Crashlytics 管理员	拥有 Firebase Crashlytics 资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.viewer`	Firebase Crashlytics 查看者	拥有 Firebase Crashlytics 资源的只读权限。	firebase.clients.get firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.admin`	Firebase Realtime Database Admin	拥有 Firebase 实时数据库资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.viewer`	Firebase Realtime Database Viewer	拥有 Firebase 实时数据库资源的只读权限。	firebase.clients.get firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.admin`	Firebase Dynamic Links Admin	拥有对 Firebase 动态链接资源的完整读写权限。	firebase.clients.get firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.viewer`	Firebase 动态链接查看者	拥有 Firebase 动态链接资源的只读权限。	firebase.clients.get firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.admin`	Firebase 托管管理员	拥有 Firebase 托管资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.viewer`	Firebase 托管查看者	拥有 Firebase 托管资源的只读权限。	firebase.clients.get firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.admin`	Firebase In-App Messaging Admin ^{Beta 版}	拥有 Firebase 应用内消息资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.viewer`	Firebase In-App Messaging Viewer ^{Beta 版}	拥有 Firebase 应用内消息资源的只读权限。	firebase.clients.get firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.admin`	Firebase ML Kit Admin ^{Beta 版}	拥有 Firebase 机器学习套件资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.viewer`	Firebase ML Kit Viewer ^{Beta 版}	拥有 Firebase 机器学习套件资源的只读权限。	firebase.clients.get firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.admin`	Firebase Cloud Messaging Admin	拥有 Firebase 云消息传递资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.viewer`	Firebase Cloud Messaging Viewer	拥有 Firebase 云消息传递资源的只读权限。	firebase.clients.get firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.admin`	Firebase Performance Reporting Admin	拥有对 firebaseperformance 资源的完整访问权限。	firebase.clients.get firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.viewer`	Firebase Performance Reporting Viewer	拥有 firebaseperformance 资源的只读权限。	firebase.clients.get firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.admin`	Firebase 预测管理员	拥有 Firebase 预测资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.viewer`	Firebase 预测查看者	拥有 Firebase 预测资源的只读权限。	firebase.clients.get firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.admin`	Firebase Rules Admin	拥有 Firebase 规则的完全管理权限。	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.viewer`	Firebase Rules Viewer	拥有对具有规则集测试功能的所有资源的只读权限。	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Game Services 角色

角色	名称	说明	权限	最低资源要求
`roles/gameservices.admin`	Game Services API Admin ^{Beta 版}	拥有对 Game Services API 及相关资源的完全访问权限。	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gameservices.viewer`	Game Services API Viewer ^{Beta 版}	拥有对 Game Services API 及相关资源的只读权限。	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Genomics 角色

角色	名称	说明	权限
`roles/genomics.admin`	Genomics 管理员	拥有基因组数据集和操作的完整访问权限。	genomics.*
`roles/genomics.editor`	Genomics 编辑者	可以读取和编辑基因组数据集和操作。	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
`roles/genomics.pipelinesRunner`	Genomics 流水线运行者	拥有对基因组管道进行操作的完整访问权限。	genomics.operations.*
`roles/genomics.viewer`	Genomics 查看者	有权查看基因组数据集和操作。	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

GKE Hub 角色

角色	名称	说明	权限
`roles/gkehub.admin`	GKE Hub Admin	拥有对 GKE Hub 和相关资源的完整访问权限。	gkehub.features.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gkehub.connect`	GKE Hub Connection Agent	可在外部集群与 Google 之间设置 GKE Connect。	gkehub.endpoints.*
`roles/gkehub.gatewayAdmin`	Connect Gateway Admin	拥有对 Connect Gateway 的完整访问权限。	gkehub.gateway.*
`roles/gkehub.viewer`	GKE Hub Viewer	拥有对 GKE Hub 和相关资源的只读权限。	gkehub.features.get gkehub.features.list gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Healthcare 角色

角色	名称	说明	权限
`roles/healthcare.annotationEditor`	Healthcare Annotation Editor	可创建、删除、更新、读取和列出注释。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationReader`	Healthcare Annotation Reader	可读取和列出注释存储区中的注释。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator	可管理注释存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer	可列出数据集中的注释存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetAdmin`	Healthcare Dataset Administrator	可以管理医疗保健数据集。	healthcare.datasets.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetViewer`	Healthcare Dataset Viewer	可以列出项目中的医疗保健数据集。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomEditor`	Healthcare DICOM Editor	可逐个及批量修改 DICOM 映像。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreAdmin`	Healthcare DICOM Store Administrator	可管理 DICOM 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer	可列出数据集中的 DICOM 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomViewer`	Healthcare DICOM Viewer	可从 DICOM 存储区检索 DICOM 映像。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor	可创建、删除、更新、读取和搜索 FHIR 资源。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader	可读取和搜索 FHIR 资源。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreAdmin`	Healthcare FHIR Store Administrator	可管理 FHIR 资源存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer	可列出数据集中的 FHIR 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer	可列出和读取 HL7v2 消息，更新消息标签，以及发布新消息。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor	拥有对 HL7v2 消息的读取、写入和删除权限。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest	可提取从来源网络接收到的 HL7v2 消息。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator	可管理 HL7v2 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer	可查看数据集中的 HL7v2 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list

IAM 角色

角色	名称	说明	权限	最低资源要求
`roles/iam.securityAdmin`	Security Admin	安全管理员角色，拥有获取和设置任意 IAM 政策的权限。	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list actions.agentVersions.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.deployments.list apigee.developerrappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.environments.getIamPolicy apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemaps.list apigee.organizations.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.* apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.repositories.setIamPolicy artifactregistry.tags.list artifactregistry.versions.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.setIamPolicy bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.backups.setIamPolicy bigtable.clusters.list