了解角色

本页面介绍 IAM 角色,并列出了您可以授予主帐号的预定义角色。

一个角色包含一组权限,可让您对 Google Cloud 资源执行特定操作。如需向主帐号(包括用户、群组和服务帐号)提供权限,您可以向主帐号授予角色。

本指南的先决条件

角色类型

IAM 中有三种类型的角色:

  • 基本角色:包括在引入 IAM 之前已存在的 Owner、Editor 和 Viewer 角色。
  • 预定义角色:针对特定服务提供精细访问权限,并由 Google Cloud 管理。
  • 自定义角色:根据用户指定的权限列表提供精细访问权限。

要确定基本角色、预定义角色或自定义角色中是否包含某项权限,您可以使用以下方法之一:

  • 运行 gcloud iam roles describe 命令可以列出角色中的权限。
  • 调用 roles.get() REST API 方法可以列出角色中的权限。
  • 仅适用于基本角色和预定义角色:搜索权限参考以查看该角色是否授予权限。
  • 仅适用于预定义角色:在本页上搜索预定义角色说明以查看该角色包含的权限。

以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。

基本角色

在引入 IAM 之前已存在多个基本角色:Owner、Editor 和 Viewer。这些角色是嵌套的;也就是说,Owner 角色具有 Editor 角色的权限,而 Editor 角色又具有 Viewer 角色的权限。它们最初称为“原初角色”。

下表汇总了基本角色针对所有 Google Cloud 服务所具有的权限:

基本角色定义

名称 名称 权限
roles/viewer Viewer 拥有执行不会影响状态的只读操作的权限,例如查看(但无法修改)现有资源或数据。
roles/editor Editor 拥有所有查看权限,以及修改状态的操作(例如更改现有资源)的权限。
注意:Editor 角色包含为大多数 Google Cloud 服务创建和删除资源的权限。但是,它不包含对所有服务执行所有操作的权限。如需详细了解如何检查某个角色是否具有您所需的权限,请参阅本页面中的角色类型
roles/owner 所有者 拥有 Editor 的所有权限,此外还有权执行以下操作:
  • 管理项目和项目中所有资源的角色和权限。
  • 为项目设置结算。
注意
  • 在资源级层(如 Pub/Sub 主题)授予 Owner 角色并不会授予父级项目上的 Owner 角色。
  • 因此,在组织级层获授 Owner 角色后,您不能更新组织的元数据,不过您可以修改组织下的所有项目和其他资源。
  • 如需向组织外部的用户授予项目的 Owner 角色,您必须使用 Cloud Console,而不能使用 gcloud CLI。如果您的项目不属于组织,则必须使用 Cloud Console 授予 Owner 角色。

您可以使用 Cloud Console、API 和 gcloud CLI 在项目或服务资源级层应用基本角色。如需了解相关说明,请参阅授予、更改和撤消访问权限

如需了解如何使用 Cloud Console 授予角色,请参阅授予、更改和撤消访问权限

预定义角色

除了基本角色之外,IAM 还提供其他预定义角色,这些角色可提供对特定 Google Cloud 资源的精细访问权限,同时阻止对其他资源的不必要的访问。 这些角色由 Google 创建和维护。Google 会根据需要自动更新其权限,例如 Google Cloud 添加新功能或服务时。

下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色,或者在大多数情况下可以为该类型在 Google Cloud 资源层次结构中的任何上级类型授予特定角色。

您可以在资源层次结构的任何级层向同一用户授予多个角色。例如,同一位用户可以拥有项目上的 Compute Network Admin 和 Logs Viewer 角色,并且对该项目中的 Pub/Sub 主题具有 Pub/Sub Publisher 角色。如需列出角色中包含的权限,请参阅获取角色元数据

如需有关选择最合适的预定义角色的帮助,请参阅选择预定义角色

Access Approval 角色

角色 权限

Access Approval Approver Beta 版
(roles/accessapproval.approver)

能够查看或操作访问权限审批请求以及查看配置

  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Config Editor Beta 版
(roles/accessapproval.configEditor)

能够更新访问权限审批配置

  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Viewer Beta 版
(roles/accessapproval.viewer)

可查看访问权限审批请求和配置

  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager 角色

角色 权限

Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)

可以创建、修改和更改 Cloud 访问权限绑定。

  • accesscontextmanager.gcpUserAccessBindings.*

Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)

拥有对 Cloud 访问权限绑定的读取权限。

  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)

拥有对政策、访问权限级别和访问区域的完整访问权限

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)

拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问区域。

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Reader
(roles/accesscontextmanager.policyReader)

拥有对政策、访问权限级别和访问区域的读取权限。

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

操作角色

角色 权限

Actions Admin
(roles/actions.Admin)

拥有修改和部署某项操作的权限

  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Actions Viewer
(roles/actions.Viewer)

拥有查看某项操作的权限

  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

AI Notebooks 角色

Role Permissions

Notebooks Admin
(roles/notebooks.admin)

Full access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Admin
(roles/notebooks.legacyAdmin)

Full access to Notebooks all resources through compute API.

  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Viewer
(roles/notebooks.legacyViewer)

Read-only access to Notebooks all resources through compute API.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Runner
(roles/notebooks.runner)

Restricted access for running scheduled Notebooks.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.create
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.create
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.create
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Viewer
(roles/notebooks.viewer)

Read-only access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

AI Platform 角色

Role Permissions

AI Platform Admin
(roles/ml.admin)

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

Lowest-level resources where you can grant this role:

  • Project
  • ml.*
  • resourcemanager.projects.get

AI Platform Developer
(roles/ml.developer)

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

Lowest-level resources where you can grant this role:

  • Project
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get

AI Platform Job Owner
(roles/ml.jobOwner)

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

Lowest-level resources where you can grant this role:

  • Job
  • ml.jobs.*

AI Platform Model Owner
(roles/ml.modelOwner)

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

Lowest-level resources where you can grant this role:

  • Model
  • ml.models.*
  • ml.versions.*

AI Platform Model User
(roles/ml.modelUser)

Provides permissions to read the model and its versions, and use them for prediction.

Lowest-level resources where you can grant this role:

  • Model
  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict

AI Platform Operation Owner
(roles/ml.operationOwner)

Provides full access to all permissions for a particular operation resource.

Lowest-level resources where you can grant this role:

  • Operation
  • ml.operations.*

AI Platform Viewer
(roles/ml.viewer)

Provides read-only access to AI Platform resources.

Lowest-level resources where you can grant this role:

  • Project
  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get

Analytics Hub 角色

角色 权限

Analytics Hub Admin Beta 版
(roles/analyticshub.admin)

可以管理数据交换和清单

  • analyticshub.dataExchanges.*
  • analyticshub.listings.create
  • analyticshub.listings.delete
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.setIamPolicy
  • analyticshub.listings.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Analytics Hub Listing Admin Beta 版
(roles/analyticshub.listingAdmin)

授予对商家信息的完全控制权,包括更新、删除和设置 ACL

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.delete
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.setIamPolicy
  • analyticshub.listings.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Analytics Hub Publisher Beta 版
(roles/analyticshub.publisher)

可以发布到数据交换,从而创建清单

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.create
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Analytics Hub Subscriber Beta 版
(roles/analyticshub.subscriber)

可以浏览数据交换并订阅清单

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • analyticshub.listings.subscribe
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Analytics Hub Viewer Beta 版
(roles/analyticshub.viewer)

可以浏览数据交换和清单

  • analyticshub.dataExchanges.get
  • analyticshub.dataExchanges.getIamPolicy
  • analyticshub.dataExchanges.list
  • analyticshub.listings.get
  • analyticshub.listings.getIamPolicy
  • analyticshub.listings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Android 管理角色

角色 权限

Android Management User
(roles/androidmanagement.user)

拥有管理设备的完整权限。

  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Anthos 多云端角色

角色 权限

Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)

可以管理 Anthos 多云资源。

  • gkemulticloud.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)

授予写入集群遥测数据(例如日志、指标和资源元数据)的权限。

  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • opsconfigmonitoring.resourceMetadata.write

Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)

可以查看 Anthos 多云资源。

  • gkemulticloud.awsClusters.generateAccessToken
  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsServerConfigs.*
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.generateAccessToken
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureServerConfigs.*
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

API Gateway 角色

角色 权限

ApiGateway Admin
(roles/apigateway.admin)

拥有对 ApiGateway 及相关资源的完全访问权限。

  • apigateway.*
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

拥有对 ApiGateway 及相关资源的只读权限。

  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

Apigee 角色

角色 权限

Apigee Organization Admin
(roles/apigee.admin)

拥有对所有 Apigee 资源功能的完全访问权限

  • apigee.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Analytics Agent
(roles/apigee.analyticsAgent)

提供一组特选权限,可让 Apigee Universal Data Collection Agent 管理 Apigee 组织的分析数据

  • apigee.datalocation.*
  • apigee.environments.getDataLocation
  • apigee.runtimeconfigs.*

Apigee Analytics Editor
(roles/apigee.analyticsEditor)

可修改 Apigee 组织的分析数据

  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Analytics Viewer
(roles/apigee.analyticsViewer)

可查看 Apigee 组织的分析数据

  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Admin
(roles/apigee.apiAdminV2)

拥有对所有 Apigee API 资源的完整读写权限

  • apigee.apiproductattributes.*
  • apigee.apiproducts.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemapentries.*
  • apigee.keyvaluemaps.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Reader
(roles/apigee.apiReaderV2)

可以读取 apigee 资源

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemapentries.get
  • apigee.keyvaluemapentries.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Developer Admin
(roles/apigee.developerAdmin)

可管理 Apigee 资源开发者

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.apps.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developers.*
  • apigee.developersubscriptions.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Environment Admin
(roles/apigee.environmentAdmin)

拥有对 Apigee 环境资源(包括部署)的完整读写权限。

  • apigee.archivedeployments.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.environments.update
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Monetization Admin
(roles/apigee.monetizationAdmin)

与获利相关的所有权限

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developersubscriptions.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Portal Admin
(roles/apigee.portalAdmin)

可以管理 Apigee 组织的门户

  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Read-only Admin
(roles/apigee.readOnlyAdmin)

可查看所有 Apigee 资源

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.archivedeployments.download
  • apigee.archivedeployments.get
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datalocation.*
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerrappattributes.get
  • apigee.developerrappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developerbalances.get
  • apigee.developermonetizationconfigs.get
  • apigee.developers.get
  • apigee.developers.list
  • apigee.developersubscriptions.get
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemapentries.get
  • apigee.keyvaluemapentries.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.get
  • apigee.portals.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.runtimeconfigs.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Runtime Agent
(roles/apigee.runtimeAgent)

提供一组特选权限,可让运行时代理访问 Apigee 组织资源

  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.runtimeconfigs.*

Apigee Security Admin
(roles/apigee.securityAdmin)

可以管理 Apigee 组织的安全设置

  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.list
  • apigee.hostsecurityreports.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.securityreports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Security Viewer
(roles/apigee.securityViewer)

可查看 Apigee 组织的安全设置

  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.securityreports.get
  • apigee.securityreports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Synchronizer Manager
(roles/apigee.synchronizerManager)

提供一组特选权限,可让 Synchronizer 管理 Apigee 组织中的环境

  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*

Apigee Connect Admin
(roles/apigeeconnect.Admin)

可以管理 Apigee Connect

  • apigeeconnect.connections.*

Apigee Connect Agent
(roles/apigeeconnect.Agent)

能够在外部集群和 Google 之间设置 Apigee Connect 代理。

  • apigeeconnect.endpoints.*

Apigee Registry 角色

角色 权限

Cloud Apigee Registry Admin Beta 版
(roles/apigeeregistry.admin)

拥有对 Cloud Apigee Registry 和运行时资源的完整访问权限。

  • apigeeregistry.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Apigee Registry Editor Beta 版
(roles/apigeeregistry.editor)

拥有对 Cloud Apigee Registry 资源的修改权限。

  • apigeeregistry.apis.create
  • apigeeregistry.apis.delete
  • apigeeregistry.apis.get
  • apigeeregistry.apis.getIamPolicy
  • apigeeregistry.apis.list
  • apigeeregistry.apis.update
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.delete
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.getIamPolicy
  • apigeeregistry.artifacts.list
  • apigeeregistry.artifacts.update
  • apigeeregistry.deployments.*
  • apigeeregistry.specs.create
  • apigeeregistry.specs.delete
  • apigeeregistry.specs.get
  • apigeeregistry.specs.getIamPolicy
  • apigeeregistry.specs.list
  • apigeeregistry.specs.update
  • apigeeregistry.versions.create
  • apigeeregistry.versions.delete
  • apigeeregistry.versions.get
  • apigeeregistry.versions.getIamPolicy
  • apigeeregistry.versions.list
  • apigeeregistry.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Apigee Registry Viewer Beta 版
(roles/apigeeregistry.viewer)

拥有对 Cloud Apigee Registry 资源的只读权限。

  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Apigee Registry Worker Beta 版
(roles/apigeeregistry.worker)

Apigee Registry 应用工作器用于读取和更新 Apigee Registry 工件的角色。

  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.apis.update
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.delete
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • apigeeregistry.artifacts.update
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.deployments.update
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.specs.update
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • apigeeregistry.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine 角色

角色 权限

App Engine Admin
(roles/appengine.appAdmin)

拥有所有应用配置和设置的读取/写入/修改权限。

要部署新版本,主帐号必须具有 App Engine 默认服务帐号Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Creator
(roles/appengine.appCreator)

能够为项目创建 App Engine 资源。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Viewer
(roles/appengine.appViewer)

拥有对所有应用配置和设置的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Code Viewer
(roles/appengine.codeViewer)

拥有对所有应用配置、设置和已部署源代码的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Deployer
(roles/appengine.deployer)

对所有应用配置和设置的只读权限。

要部署新版本,您还必须具有 App Engine 默认服务帐号Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。

无法修改现有版本,但可删除未收到流量的版本。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Service Admin
(roles/appengine.serviceAdmin)

对所有应用配置和设置的只读权限。

拥有模块级和版本级设置的写权限。无权部署新版本。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Artifact Registry 角色

角色 权限

Artifact Registry Administrator
(roles/artifactregistry.admin)

拥有可创建和管理代码库的管理员权限。

  • artifactregistry.*

Artifact Registry Reader
(roles/artifactregistry.reader)

可以读取代码库项。

  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)

拥有管理代码库中的工件的权限。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
  • artifactregistry.yumartifacts.*

Artifact Registry Writer
(roles/artifactregistry.writer)

可以读取和写入代码库项。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*

Assured Workloads 角色

角色 权限

Assured Workloads Administrator
(roles/assuredworkloads.admin)

授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的完全访问权限

  • assuredworkloads.*
  • logging.cmekSettings.update
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Editor
(roles/assuredworkloads.editor)

授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的读写权限

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Reader
(roles/assuredworkloads.reader)

授予对所有 Assured Workloads 资源和 CRM 资源(项目/文件夹)的读取权限

  • assuredworkloads.operations.*
  • assuredworkloads.violations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML 角色

角色 权限

AutoML Admin Beta 版
(roles/automl.admin)

拥有所有 AutoML 资源的完整访问权限

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Editor Beta 版
(roles/automl.editor)

可修改所有 AutoML 资源

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Predictor Beta 版
(roles/automl.predictor)

可使用模型进行预测

您可以授予此角色的最低级层资源:

  • 模型
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML Viewer Beta 版
(roles/automl.viewer)

可查看所有 AutoML 资源

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

Backup for GKE 角色

Role Permissions

Backup for GKE Admin Beta
(roles/gkebackup.admin)

Full access to all Backup for GKE resources.

  • gkebackup.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Backup Admin Beta
(roles/gkebackup.backupAdmin)

Allows administrators to manage all BackupPlan and Backup resources.

  • gkebackup.backupPlans.*
  • gkebackup.backups.*
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.volumeBackups.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Delegated Backup Admin Beta
(roles/gkebackup.delegatedBackupAdmin)

Allows administrators to manage Backup resources for specific BackupPlans

  • gkebackup.backupPlans.get
  • gkebackup.backups.*
  • gkebackup.volumeBackups.*

Backup for GKE Delegated Restore Admin Beta
(roles/gkebackup.delegatedRestoreAdmin)

Allows administrators to manage Restore resources for specific RestorePlans

  • gkebackup.restorePlans.get
  • gkebackup.restores.*
  • gkebackup.volumeRestores.*

Backup for GKE Restore Admin Beta
(roles/gkebackup.restoreAdmin)

Allows administrators to manage all RestorePlan and Restore resources.

  • gkebackup.backupPlans.get
  • gkebackup.backupPlans.list
  • gkebackup.backups.get
  • gkebackup.backups.list
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.restorePlans.*
  • gkebackup.restores.*
  • gkebackup.volumeBackups.*
  • gkebackup.volumeRestores.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Backup for GKE Viewer Beta
(roles/gkebackup.viewer)

Read-only access to all Backup for GKE resources.

  • gkebackup.backupPlans.get
  • gkebackup.backupPlans.getIamPolicy
  • gkebackup.backupPlans.list
  • gkebackup.backups.get
  • gkebackup.backups.list
  • gkebackup.locations.*
  • gkebackup.operations.get
  • gkebackup.operations.list
  • gkebackup.restorePlans.get
  • gkebackup.restorePlans.getIamPolicy
  • gkebackup.restorePlans.list
  • gkebackup.restores.get
  • gkebackup.restores.list
  • gkebackup.volumeBackups.*
  • gkebackup.volumeRestores.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery 角色

角色 权限

BigQuery Admin
(roles/bigquery.admin)

提供管理项目中所有资源的权限。获授此角色的用户可以管理项目中的所有数据,也可以取消其他用户正在项目中运行的作业。

您可以授予此角色的最低级层资源:

  • 数据集
  • 行访问权限政策
  • 视图
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • bigquerymigration.translation.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Connection Admin
(roles/bigquery.connectionAdmin)

  • bigquery.connections.*

BigQuery Connection User
(roles/bigquery.connectionUser)

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

BigQuery Data Editor
(roles/bigquery.dataEditor)

此角色在应用于表或视图时,可提供以下权限:

  • 读取和更新表或视图的数据和元数据。
  • 删除表或视图。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取数据集的元数据以及列出数据集中的表。
  • 创建、更新、获取和删除数据集的表。

此角色在应用于项目或组织级层时,还可提供创建新数据集的权限。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Owner
(roles/bigquery.dataOwner)

此角色在应用于表或视图时,可提供以下权限:

  • 读取和更新表或视图的数据和元数据。
  • 共享表或视图。
  • 删除表或视图。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取、更新和删除数据集。
  • 创建、更新、获取和删除数据集的表。

此角色在应用于项目或组织级层时,还可提供创建新数据集的权限。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.config.get
  • bigquery.dataPolicies.create
  • bigquery.dataPolicies.delete
  • bigquery.dataPolicies.get
  • bigquery.dataPolicies.getIamPolicy
  • bigquery.dataPolicies.list
  • bigquery.dataPolicies.setIamPolicy
  • bigquery.dataPolicies.update
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Viewer
(roles/bigquery.dataViewer)

此角色在应用于表或视图时,可提供以下权限:

  • 从表或视图中读取数据和元数据。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取数据集的元数据以及列出数据集中的表。
  • 从数据集的表中读取数据和元数据。

此角色在应用于项目或组织级层时,还可提供枚举项目中所有数据集的权限。但若要运行作业,还需要具备其他角色。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)

可以查看由行访问权限政策定义的已过滤表数据

  • bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User
(roles/bigquery.jobUser)

提供在项目中运行作业(包括查询)的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • bigquery.config.get
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)

此角色在应用于表或视图时,可提供以下权限:

  • 从表或视图中读取元数据。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 列出数据集中的表和视图。
  • 从数据集的表和视图中读取元数据。

此角色在应用于项目或组织级层时,可提供以下权限:

  • 列出项目中的所有数据集,以及读取所有数据集的元数据。
  • 列出项目中的所有表和视图,以及读取所有表和视图的元数据。

但若要运行作业,还需要具备其他角色。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Read Session User
(roles/bigquery.readSessionUser)

拥有创建和使用读取会话的权限

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Admin
(roles/bigquery.resourceAdmin)

管理所有 BigQuery 资源。

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Editor
(roles/bigquery.resourceEditor)

管理所有 BigQuery 资源,但不能做出购买决定。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Viewer
(roles/bigquery.resourceViewer)

可查看所有 BigQuery 资源,但不能执行更改或做出购买决定。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery User
(roles/bigquery.user)

此角色应用于数据集时,让您可以读取数据集的元数据并列出数据集中的表。

应用于项目时,此角色还提供在项目内运行作业(包括查询)的能力。具有此角色的主帐号可以枚举自己的作业、取消自己的作业,还可以枚举项目中的数据集。此外,具有此角色的用户还可以在项目中创建新数据集;对于这些新数据集,系统会为创建者授予 BigQuery Data Owner 角色 (roles/bigquery.dataOwner)。

您可以授予此角色的最低级层资源:

  • 数据集
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • bigquerymigration.translation.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Masked Reader Beta 版
(roles/bigquerydatapolicy.maskedReader)

拥有对与数据政策关联的政策标记所标记的子资源(例如 BigQuery 列)的遮盖内容读取权限

  • bigquery.dataPolicies.maskedGet

结算服务角色

Role Permissions

Billing Account Administrator
(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orderAttributions.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.costInsights.*
  • recommender.spendBasedCommitmentInsights.*
  • recommender.spendBasedCommitmentRecommendations.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account Costs Manager
(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list
  • recommender.costInsights.*

Billing Account Creator
(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization
  • billing.accounts.create
  • resourcemanager.organizations.get

Project Billing Manager
(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account User
(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create

Billing Account Viewer
(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Binary Authorization 角色

Role Permissions

Binary Authorization Attestor Admin
(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Editor
(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Image Verifier
(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Viewer
(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Administrator
(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.*
  • binaryauthorization.platformPolicies.*
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Editor
(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.continuousValidationConfig.update
  • binaryauthorization.platformPolicies.*
  • binaryauthorization.policy.evaluatePolicy
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Evaluator Beta
(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

  • binaryauthorization.platformPolicies.evaluatePolicy
  • binaryauthorization.platformPolicies.get
  • binaryauthorization.platformPolicies.list
  • binaryauthorization.policy.evaluatePolicy
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Viewer
(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.platformPolicies.get
  • binaryauthorization.platformPolicies.list
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service 角色

角色 权限

CA Service Admin
(roles/privateca.admin)

具有对所有 CA 服务资源的完整访问权限。

  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Auditor
(roles/privateca.auditor)

具有对所有 CA 服务资源的只读权限。

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Operation Manager
(roles/privateca.caManager)

可以创建和管理 CA、撤消证书、创建证书模板且拥有对 CA 服务资源的只读权限。

  • privateca.caPools.create
  • privateca.caPools.delete
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Certificate Manager
(roles/privateca.certificateManager)

能够创建证书,并具有对 CA 服务资源的只读权限。

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Certificate Requester
(roles/privateca.certificateRequester)

可从 CA 服务请求证书。

  • privateca.certificates.create

CA Service Certificate Template User
(roles/privateca.templateUser)

读取、列出和使用证书模板。

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)

以调用方的身份从 CA Service 请求证书。

  • privateca.certificates.createForSelf

Certificate Manager 角色

Role Permissions

Certificate Manager Editor Beta
(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.getIamPolicy
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.getIamPolicy
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.get
  • certificatemanager.certs.getIamPolicy
  • certificatemanager.certs.list
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.getIamPolicy
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.*
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Certificate Manager Owner Beta
(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

  • certificatemanager.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Certificate Manager Viewer Beta
(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.getIamPolicy
  • certificatemanager.certmapentries.list
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.getIamPolicy
  • certificatemanager.certmaps.list
  • certificatemanager.certs.get
  • certificatemanager.certs.getIamPolicy
  • certificatemanager.certs.list
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.getIamPolicy
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.locations.*
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Asset 角色

Role Permissions

Cloud Asset Owner
(roles/cloudasset.owner)

Full access to cloud assets metadata

  • cloudasset.*
  • recommender.cloudAssetInsights.*
  • recommender.locations.*

Cloud Asset Viewer
(roles/cloudasset.viewer)

Read only access to cloud assets metadata

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*

Cloud Bigtable 角色

角色 权限

Bigtable Administrator
(roles/bigtable.admin)

管理项目中的所有实例,包括存储在表中的数据。还可创建新实例。适用于项目管理员。

您可以授予此角色的最低级层资源:

  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Reader
(roles/bigtable.reader)

提供表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析情景。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable User
(roles/bigtable.user)

提供表中所存储数据的读写权限。适用于应用开发者或服务帐号。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Viewer
(roles/bigtable.viewer)

不提供数据访问权限。仅提供通过 Cloud Console 访问 Bigtable 所需的一组最低权限。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Cloud Build 角色

角色 权限

Cloud Build Approver
(roles/cloudbuild.builds.approver)

可批准或拒绝待处理的构建。

  • cloudbuild.builds.approve
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Service Account
(roles/cloudbuild.builds.builder)

提供执行构建的权限。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.locations.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.listEffectiveTags
  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.privateLogEntries.*
  • logging.views.access
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Build Editor
(roles/cloudbuild.builds.editor)

提供创建和取消构建作业的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Viewer
(roles/cloudbuild.builds.viewer)

提供查看构建作业的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)

可以更新集成

  • cloudbuild.integrations.get
  • cloudbuild.integrations.list
  • cloudbuild.integrations.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)

可以创建/删除集成

  • cloudbuild.integrations.*
  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.regions.get
  • compute.subnetworks.get
  • compute.subnetworks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)

可以查看集成

  • cloudbuild.integrations.get
  • cloudbuild.integrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)

可以更新和查看工作器池

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)

可以创建、删除、更新和查看工作器池

  • cloudbuild.workerpools.create
  • cloudbuild.workerpools.delete
  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)

可以在工作器池中运行构建

  • cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)

可以查看工作器池

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Composer 角色

角色 权限

Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension 是管理 Composer v2 环境所需的补充角色。

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator
(roles/composer.admin)

提供对 Cloud Composer 资源的完全控制权。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)

提供对 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.*
  • orgpolicy.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.multipartUploads.*
  • storage.objects.*

Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)

提供列出及获取 Cloud Composer 环境和操作所需的权限。 以及对所有项目存储分区中对象的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)

应分配给共享 VPC 宿主项目中的 Composer Agent 服务帐号的角色

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User
(roles/composer.user)

提供列出及获取 Cloud Composer 环境和操作所需的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.dags.*
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker
(roles/composer.worker)

提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。

您可以授予此角色的最低级层资源:

  • 项目
  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • composer.environments.get
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.privateLogEntries.*
  • logging.views.access
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • orgpolicy.policy.get
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.multipartUploads.*
  • storage.objects.*

Cloud Connectors 角色

Role Permissions

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

  • connectors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

  • connectors.connections.get
  • connectors.connections.getConnectionSchemaMetadata
  • connectors.connections.getIamPolicy
  • connectors.connections.getRuntimeActionSchema
  • connectors.connections.getRuntimeEntitySchema
  • connectors.connections.list
  • connectors.connectors.*
  • connectors.locations.*
  • connectors.operations.get
  • connectors.operations.list
  • connectors.providers.*
  • connectors.runtimeconfig.*
  • connectors.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion 角色

角色 权限

Cloud Data Fusion Admin Beta 版
(roles/datafusion.admin)

拥有对 Cloud Data Fusion 实例、命名空间和相关资源的完整访问权限。

您可以授予此角色的最低级层资源:

  • 项目
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion Runner Beta 版
(roles/datafusion.runner)

提供对 Cloud Data Fusion 运行时资源的访问权限。

  • datafusion.instances.runtime

Cloud Data Fusion Viewer Beta 版
(roles/datafusion.viewer)

拥有对 Cloud Data Fusion 实例、命名空间及相关资源的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Labeling 角色

角色 权限

Data Labeling Service Admin Beta 版
(roles/datalabeling.admin)

拥有对所有 Data Labeling 资源的完全访问权限

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Editor Beta 版
(roles/datalabeling.editor)

可以修改所有 Data Labeling 资源

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Viewer Beta 版
(roles/datalabeling.viewer)

可以查看所有 Data Labeling 资源

  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Dataplex 角色

角色 权限

Dataplex Administrator
(roles/dataplex.admin)

拥有对所有 Dataplex 资源的完整访问权限。

  • dataplex.assetActions.*
  • dataplex.assets.create
  • dataplex.assets.delete
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.assets.setIamPolicy
  • dataplex.assets.update
  • dataplex.content.*
  • dataplex.entities.*
  • dataplex.environments.*
  • dataplex.lakeActions.*
  • dataplex.lakes.*
  • dataplex.locations.*
  • dataplex.operations.*
  • dataplex.partitions.*
  • dataplex.tasks.*
  • dataplex.zoneActions.*
  • dataplex.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataplex Data Owner
(roles/dataplex.dataOwner)

拥有数据的 Owner 权限。只能授予 Dataplex 资源(数据湖、可用区或资产)。

  • dataplex.assets.ownData
  • dataplex.assets.readData
  • dataplex.assets.writeData

Dataplex Data Reader
(roles/dataplex.dataReader)

拥有对数据的只读权限。只能授予 Dataplex 资源(数据湖、可用区或资产)。

  • dataplex.assets.readData

Dataplex Data Writer
(roles/dataplex.dataWriter)

拥有对数据的写入权限。只能授予 Dataplex 资源(数据湖、可用区或资产)。

  • dataplex.assets.writeData

Dataplex Developer
(roles/dataplex.developer)

允许在数据湖中运行数据分析工作负载。

  • dataplex.content.*
  • dataplex.environments.execute
  • dataplex.environments.get
  • dataplex.environments.list
  • dataplex.tasks.cancel
  • dataplex.tasks.create
  • dataplex.tasks.delete
  • dataplex.tasks.get
  • dataplex.tasks.list
  • dataplex.tasks.update

Dataplex Editor
(roles/dataplex.editor)

拥有对 Dataplex 资源的写入权限。

  • dataplex.assetActions.*
  • dataplex.assets.create
  • dataplex.assets.delete
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.assets.update
  • dataplex.content.delete
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.environments.create
  • dataplex.environments.delete
  • dataplex.environments.get
  • dataplex.environments.getIamPolicy
  • dataplex.environments.list
  • dataplex.environments.update
  • dataplex.lakeActions.*
  • dataplex.lakes.create
  • dataplex.lakes.delete
  • dataplex.lakes.get
  • dataplex.lakes.getIamPolicy
  • dataplex.lakes.list
  • dataplex.lakes.update
  • dataplex.operations.*
  • dataplex.tasks.cancel
  • dataplex.tasks.create
  • dataplex.tasks.delete
  • dataplex.tasks.get
  • dataplex.tasks.getIamPolicy
  • dataplex.tasks.list
  • dataplex.tasks.update
  • dataplex.zoneActions.*
  • dataplex.zones.create
  • dataplex.zones.delete
  • dataplex.zones.get
  • dataplex.zones.getIamPolicy
  • dataplex.zones.list
  • dataplex.zones.update

Dataplex Metadata Reader
(roles/dataplex.metadataReader)

拥有对元数据的只读权限。

  • dataplex.assets.get
  • dataplex.assets.list
  • dataplex.entities.get
  • dataplex.entities.list
  • dataplex.partitions.get
  • dataplex.partitions.list
  • dataplex.zones.get
  • dataplex.zones.list

Dataplex Metadata Writer
(roles/dataplex.metadataWriter)

拥有对元数据的读写权限。

  • dataplex.assets.get
  • dataplex.assets.list
  • dataplex.entities.*
  • dataplex.partitions.*
  • dataplex.zones.get
  • dataplex.zones.list

Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)

拥有数据的 Owner 权限。 不应直接使用。此角色由 Dataplex 授予 Cloud Storage 存储桶、BigQuery 数据集等代管式资源。

  • bigquery.datasets.get
  • bigquery.models.create
  • bigquery.models.delete
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.models.updateData
  • bigquery.models.updateMetadata
  • bigquery.routines.create
  • bigquery.routines.delete
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.routines.update
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)

拥有对数据的只读权限。不应直接使用。此角色由 Dataplex 授予 Cloud Storage 存储桶、BigQuery 数据集等代管式资源。

  • bigquery.datasets.get
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • storage.buckets.get
  • storage.objects.get
  • storage.objects.list

Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)

拥有对数据的写入权限。不应直接使用。此角色由 Dataplex 授予 Cloud Storage 存储桶、BigQuery 数据集等代管式资源。

  • bigquery.tables.updateData
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.update

Dataplex Viewer
(roles/dataplex.viewer)

拥有对 Dataplex 资源的读取权限。

  • dataplex.assetActions.*
  • dataplex.assets.get
  • dataplex.assets.getIamPolicy
  • dataplex.assets.list
  • dataplex.content.get
  • dataplex.content.getIamPolicy
  • dataplex.content.list
  • dataplex.environments.get
  • dataplex.environments.getIamPolicy
  • dataplex.environments.list
  • dataplex.lakeActions.*
  • dataplex.lakes.get
  • dataplex.lakes.getIamPolicy
  • dataplex.lakes.list
  • dataplex.operations.get
  • dataplex.operations.list
  • dataplex.tasks.get
  • dataplex.tasks.getIamPolicy
  • dataplex.tasks.list
  • dataplex.zoneActions.*
  • dataplex.zones.get
  • dataplex.zones.getIamPolicy
  • dataplex.zones.list

Cloud Debugger 角色

角色 权限

Cloud Debugger Agent Beta 版
(roles/clouddebugger.agent)

提供注册调试目标、读取活跃断点和报告断点结果的权限。

您可以授予此角色的最低级层资源:

  • 服务帐号
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create

Cloud Debugger User Beta 版
(roles/clouddebugger.user)

提供创建、查看、列出和删除断点(快照和日志点)以及列出调试目标(调试对象)的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list

Cloud Deploy 角色

角色 权限

Cloud Deploy Admin Beta 版
(roles/clouddeploy.admin)

拥有对 Cloud Deploy 资源的完全控制权。

  • clouddeploy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Approver Beta 版
(roles/clouddeploy.approver)

拥有批准或拒绝发布的权限。

  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Developer Beta 版
(roles/clouddeploy.developer)

有权管理部署配置,但无权访问操作资源,例如目标。

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Runner Beta 版
(roles/clouddeploy.jobRunner)

拥有执行 Cloud Deploy 作业的权限,但无权将其传送到目标。

  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Cloud Deploy Operator Beta 版
(roles/clouddeploy.operator)

拥有管理部署配置的权限。

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.create
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Releaser Beta 版
(roles/clouddeploy.releaser)

拥有创建 Cloud Deploy 版本和发布的权限。

  • clouddeploy.deliveryPipelines.get
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Viewer Beta 版
(roles/clouddeploy.viewer)

可以查看 Cloud Deploy 资源。

  • clouddeploy.config.*
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.*
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud DLP 角色

角色 权限

DLP Administrator
(roles/dlp.admin)

可管理 DLP,包括作业和模板。

  • dlp.*
  • serviceusage.services.use

DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)

可修改 DLP 分析风险模板。

  • dlp.analyzeRiskTemplates.*

DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)

可读取 DLP 分析风险模板。

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)

可读取 DLP 列配置文件。

  • dlp.columnDataProfiles.*

DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)

可读取 DLP 配置文件。

  • dlp.columnDataProfiles.*
  • dlp.projectDataProfiles.*
  • dlp.tableDataProfiles.*

DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)

可修改 DLP 去标识化模板。

  • dlp.deidentifyTemplates.*

DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)

可读取 DLP 去标识化模板。

  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list

DLP Cost Estimation
(roles/dlp.estimatesAdmin)

管理 DLP 费用估算。

  • dlp.estimates.*

DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)

可读取 DLP 存储的发现结果。

  • dlp.inspectFindings.*

DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)

可修改 DLP 检查模板。

  • dlp.inspectTemplates.*

DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)

可读取 DLP 检查模板。

  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list

DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)

可修改作业触发器配置。

  • dlp.jobTriggers.*

DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)

可读取作业触发器。

  • dlp.jobTriggers.get
  • dlp.jobTriggers.list

DLP Jobs Editor
(roles/dlp.jobsEditor)

可修改和创建作业

  • dlp.jobs.*
  • dlp.kms.*

DLP Jobs Reader
(roles/dlp.jobsReader)

可读取作业

  • dlp.jobs.get
  • dlp.jobs.list

DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)

DLP 服务帐号在组织或文件夹中生成数据配置文件所需的权限。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • bigquerymigration.translation.*
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)

可读取 DLP 项目配置文件。

  • dlp.projectDataProfiles.*

DLP Project Data Profiles Driver
(roles/dlp.projectdriver)

DLP 服务帐号在项目中生成数据配置文件所需的权限。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.jobs.listExecutionMetadata
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createIndex
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.deleteIndex
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • bigquerymigration.translation.*
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Reader
(roles/dlp.reader)

可读取作业和模板等 DLP 实体。

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.locations.*
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)

可修改 DLP 存储的信息类型。

  • dlp.storedInfoTypes.*

DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)

可读取 DLP 存储的信息类型。

  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)

可读取 DLP 表配置文件。

  • dlp.tableDataProfiles.*

DLP User
(roles/dlp.user)

可检查和遮盖内容,以及对内容进行去标识化处理

  • dlp.kms.*
  • dlp.locations.*
  • serviceusage.services.use

Cloud Domains 角色

角色 权限

Cloud Domains Admin
(roles/domains.admin)

拥有 Cloud 网域注册信息和相关资源的完整访问权限。

  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Domains Viewer
(roles/domains.viewer)

拥有 Cloud 网域注册信息及相关资源的只读权限。

  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • domains.registrations.listEffectiveTags
  • domains.registrations.listTagBindings
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Filestore 角色

Role Permissions

Cloud Filestore Editor Beta
(roles/file.editor)

Read-write access to Filestore instances and related resources.

  • file.*

Cloud Filestore Viewer Beta
(roles/file.viewer)

Read-only access to Filestore instances and related resources.

  • file.backups.get
  • file.backups.list
  • file.backups.listEffectiveTags
  • file.backups.listTagBindings
  • file.instances.get
  • file.instances.list
  • file.instances.listEffectiveTags
  • file.instances.listTagBindings
  • file.locations.*
  • file.operations.get
  • file.operations.list
  • file.snapshots.listEffectiveTags
  • file.snapshots.listTagBindings

Cloud Functions 角色

角色 权限

Cloud Functions Admin
(roles/cloudfunctions.admin)

拥有对函数、运算和位置的完整访问权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • recommender.runServiceIdentityInsights.*
  • recommender.runServiceIdentityRecommendations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Developer
(roles/cloudfunctions.developer)

拥有对所有函数相关资源的读写权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudfunctions.runtimes.*
  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • recommender.locations.*
  • recommender.runServiceIdentityInsights.*
  • recommender.runServiceIdentityRecommendations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.executions.*
  • run.jobs.create
  • run.jobs.delete
  • run.jobs.get
  • run.jobs.getIamPolicy
  • run.jobs.list
  • run.jobs.run
  • run.jobs.update
  • run.locations.*
  • run.operations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.listEffectiveTags
  • run.services.listTagBindings
  • run.services.update
  • run.tasks.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Invoker
(roles/cloudfunctions.invoker)

可使用受限的访问权限调用 HTTP 函数。

  • cloudfunctions.functions.invoke

Cloud Functions Viewer
(roles/cloudfunctions.viewer)

拥有对函数和位置的只读权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudfunctions.runtimes.*
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.providers.*
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • recommender.locations.*
  • recommender.runServiceIdentityInsights.get
  • recommender.runServiceIdentityInsights.list
  • recommender.runServiceIdentityRecommendations.get
  • recommender.runServiceIdentityRecommendations.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.executions.get
  • run.executions.list
  • run.jobs.get
  • run.jobs.getIamPolicy
  • run.jobs.list
  • run.locations.*
  • run.operations.get
  • run.operations.list
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.listEffectiveTags
  • run.services.listTagBindings
  • run.tasks.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Game Services 角色

角色 权限

Game Services API Admin
(roles/gameservices.admin)

拥有对 Game Services API 及相关资源的完全访问权限。

  • gameservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Game Services API Viewer
(roles/gameservices.viewer)

拥有对 Game Services API 及相关资源的只读权限。

  • gameservices.gameServerClusters.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerDeployments.list
  • gameservices.locations.*
  • gameservices.operations.get
  • gameservices.operations.list
  • gameservices.realms.get
  • gameservices.realms.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Healthcare 角色

Role Permissions

Healthcare Annotation Editor
(roles/healthcare.annotationEditor)

Create, delete, update, read and list annotations.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Reader
(roles/healthcare.annotationReader)

Read and list annotations in an Annotation store.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.get
  • healthcare.annotations.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)

Administer Annotation stores.

  • healthcare.annotationStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)

List Annotation Stores in a dataset.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)

Edit AttributeDefinition objects.

  • healthcare.attributeDefinitions.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)

Read AttributeDefinition objects in a consent store.

  • healthcare.attributeDefinitions.get
  • healthcare.attributeDefinitions.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare