本页面介绍 IAM 角色,并列出了您可以授予主帐号的预定义角色。
一个角色包含一组权限,可让您对 Google Cloud 资源执行特定操作。如需向主帐号(包括用户、群组和服务帐号)提供权限,您可以向主帐号授予角色。
本指南的先决条件
角色类型
IAM 中有三种类型的角色:
- 基本角色:包括在引入 IAM 之前已存在的 Owner、Editor 和 Viewer 角色。
- 预定义角色:针对特定服务提供精细访问权限,并由 Google Cloud 管理。
- 自定义角色:根据用户指定的权限列表提供精细访问权限。
要确定基本角色、预定义角色或自定义角色中是否包含某项权限,您可以使用以下方法之一:
以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。
基本角色
在引入 IAM 之前已存在多个基本角色:Owner、Editor 和 Viewer。这些角色是嵌套的;也就是说,Owner 角色具有 Editor 角色的权限,而 Editor 角色又具有 Viewer 角色的权限。它们最初称为“原初角色”。
下表汇总了基本角色针对所有 Google Cloud 服务所具有的权限:
基本角色定义
| 名称 |
名称 |
权限 |
roles/viewer |
Viewer |
拥有执行不会影响状态的只读操作的权限,例如查看(但无法修改)现有资源或数据。 |
roles/editor |
Editor |
拥有所有查看权限,以及修改状态的操作(例如更改现有资源)的权限。注意:Editor 角色包含为大多数 Google Cloud 服务创建和删除资源的权限。但是,它不包含对所有服务执行所有操作的权限。如需详细了解如何检查某个角色是否具有您所需的权限,请参阅本页面中的 角色类型。
|
roles/owner |
所有者 |
拥有 Editor 的所有权限,此外还有权执行以下操作:-
管理项目和项目中所有资源的角色和权限。
- 为项目设置结算。
注意:
- 在资源级层(如 Pub/Sub 主题)授予 Owner 角色并不会授予父级项目上的 Owner 角色。
-
因此,在组织级层获授 Owner 角色后,您不能更新组织的元数据,不过您可以修改组织下的所有项目和其他资源。
-
如需向组织外部的用户授予项目的 Owner 角色,您必须使用 Cloud Console,而不能使用 gcloud CLI。如果您的项目不属于组织,则必须使用 Cloud Console 授予 Owner 角色。
|
您可以使用 Cloud Console、API 和 gcloud CLI 在项目或服务资源级层应用基本角色。如需了解相关说明,请参阅授予、更改和撤消访问权限。
如需了解如何使用 Cloud Console 授予角色,请参阅授予、更改和撤消访问权限。
预定义角色
除了基本角色之外,IAM 还提供其他预定义角色,这些角色可提供对特定 Google Cloud 资源的精细访问权限,同时阻止对其他资源的不必要的访问。 这些角色由 Google 创建和维护。Google 会根据需要自动更新其权限,例如 Google Cloud 添加新功能或服务时。
下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色,或者在大多数情况下可以为该类型在 Google Cloud 资源层次结构中的任何上级类型授予特定角色。
您可以在资源层次结构的任何级层向同一用户授予多个角色。例如,同一位用户可以拥有项目上的 Compute Network Admin 和 Logs Viewer 角色,并且对该项目中的 Pub/Sub 主题具有 Pub/Sub Publisher 角色。如需列出角色中包含的权限,请参阅获取角色元数据。
如需有关选择最合适的预定义角色的帮助,请参阅选择预定义角色。
Access Approval 角色
| 角色 |
权限 |
|
Access Approval Approver
Beta 版
(roles/accessapproval.approver)
能够查看或操作访问权限审批请求以及查看配置
|
- accessapproval.requests.*
- accessapproval.settings.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Access Approval Config Editor
Beta 版
(roles/accessapproval.configEditor)
能够更新访问权限审批配置
|
- accessapproval.settings.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Access Approval Viewer
Beta 版
(roles/accessapproval.viewer)
可查看访问权限审批请求和配置
|
- accessapproval.requests.get
- accessapproval.requests.list
- accessapproval.settings.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Access Context Manager 角色
| 角色 |
权限 |
|
Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)
可以创建、修改和更改 Cloud 访问权限绑定。
|
- accesscontextmanager.gcpUserAccessBindings.*
|
|
Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)
拥有对 Cloud 访问权限绑定的读取权限。
|
- accesscontextmanager.gcpUserAccessBindings.get
- accesscontextmanager.gcpUserAccessBindings.list
|
|
Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)
拥有对政策、访问权限级别和访问区域的完整访问权限
|
- accesscontextmanager.accessLevels.*
- accesscontextmanager.accessPolicies.*
- accesscontextmanager.accessZones.*
- accesscontextmanager.policies.*
- accesscontextmanager.servicePerimeters.*
- cloudasset.assets.searchAllResources
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)
拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问区域。
|
- accesscontextmanager.accessLevels.*
- accesscontextmanager.accessPolicies.create
- accesscontextmanager.accessPolicies.delete
- accesscontextmanager.accessPolicies.get
- accesscontextmanager.accessPolicies.getIamPolicy
- accesscontextmanager.accessPolicies.list
- accesscontextmanager.accessPolicies.update
- accesscontextmanager.accessZones.*
- accesscontextmanager.policies.create
- accesscontextmanager.policies.delete
- accesscontextmanager.policies.get
- accesscontextmanager.policies.getIamPolicy
- accesscontextmanager.policies.list
- accesscontextmanager.policies.update
- accesscontextmanager.servicePerimeters.*
- cloudasset.assets.searchAllResources
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Access Context Manager Reader
(roles/accesscontextmanager.policyReader)
拥有对政策、访问权限级别和访问区域的读取权限。
|
- accesscontextmanager.accessLevels.get
- accesscontextmanager.accessLevels.list
- accesscontextmanager.accessPolicies.get
- accesscontextmanager.accessPolicies.getIamPolicy
- accesscontextmanager.accessPolicies.list
- accesscontextmanager.accessZones.get
- accesscontextmanager.accessZones.list
- accesscontextmanager.policies.get
- accesscontextmanager.policies.getIamPolicy
- accesscontextmanager.policies.list
- accesscontextmanager.servicePerimeters.get
- accesscontextmanager.servicePerimeters.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)
|
- accesscontextmanager.accessLevels.get
- accesscontextmanager.accessLevels.list
- accesscontextmanager.policies.get
- accesscontextmanager.policies.getIamPolicy
- accesscontextmanager.policies.list
- accesscontextmanager.servicePerimeters.get
- accesscontextmanager.servicePerimeters.list
- logging.exclusions.get
- logging.exclusions.list
- logging.logEntries.list
- logging.logMetrics.get
- logging.logMetrics.list
- logging.logServiceIndexes.*
- logging.logServices.*
- logging.logs.list
- logging.sinks.get
- logging.sinks.list
- logging.usage.*
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
操作角色
| 角色 |
权限 |
|
Actions Admin
(roles/actions.Admin)
拥有修改和部署某项操作的权限
|
- actions.*
- firebase.projects.get
- firebase.projects.update
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
|
|
Actions Viewer
(roles/actions.Viewer)
拥有查看某项操作的权限
|
- actions.agent.get
- actions.agentVersions.get
- actions.agentVersions.list
- firebase.projects.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
|
AI Notebooks 角色
| Role |
Permissions |
|
AI Platform Admin
(roles/ml.admin)
Provides full access to AI Platform resources, and its jobs,
operations, models, and versions.
Lowest-level resources where you can grant this role:
|
- ml.*
- resourcemanager.projects.get
|
|
AI Platform Developer
(roles/ml.developer)
Provides ability to use AI Platform resources for creating models,
versions, jobs for training and prediction, and sending online prediction
requests.
Lowest-level resources where you can grant this role:
|
- ml.jobs.create
- ml.jobs.get
- ml.jobs.getIamPolicy
- ml.jobs.list
- ml.locations.*
- ml.models.create
- ml.models.get
- ml.models.getIamPolicy
- ml.models.list
- ml.models.predict
- ml.operations.get
- ml.operations.list
- ml.projects.*
- ml.studies.*
- ml.trials.*
- ml.versions.get
- ml.versions.list
- ml.versions.predict
- resourcemanager.projects.get
|
|
AI Platform Job Owner
(roles/ml.jobOwner)
Provides full access to all permissions for a particular job resource. This
role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
|
|
|
AI Platform Model Owner
(roles/ml.modelOwner)
Provides full access to the model and its versions. This role is
automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
|
- ml.models.*
- ml.versions.*
|
|
AI Platform Model User
(roles/ml.modelUser)
Provides permissions to read the model and its versions, and use them for
prediction.
Lowest-level resources where you can grant this role:
|
- ml.models.get
- ml.models.predict
- ml.versions.get
- ml.versions.list
- ml.versions.predict
|
|
AI Platform Operation Owner
(roles/ml.operationOwner)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
|
|
|
AI Platform Viewer
(roles/ml.viewer)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
|
- ml.jobs.get
- ml.jobs.list
- ml.locations.*
- ml.models.get
- ml.models.list
- ml.operations.get
- ml.operations.list
- ml.projects.*
- ml.studies.get
- ml.studies.getIamPolicy
- ml.studies.list
- ml.trials.get
- ml.trials.list
- ml.versions.get
- ml.versions.list
- resourcemanager.projects.get
|
Analytics Hub 角色
| 角色 |
权限 |
|
Analytics Hub Admin
Beta 版
(roles/analyticshub.admin)
可以管理数据交换和清单
|
- analyticshub.dataExchanges.*
- analyticshub.listings.create
- analyticshub.listings.delete
- analyticshub.listings.get
- analyticshub.listings.getIamPolicy
- analyticshub.listings.list
- analyticshub.listings.setIamPolicy
- analyticshub.listings.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Analytics Hub Listing Admin
Beta 版
(roles/analyticshub.listingAdmin)
授予对商家信息的完全控制权,包括更新、删除和设置 ACL
|
- analyticshub.dataExchanges.get
- analyticshub.dataExchanges.getIamPolicy
- analyticshub.dataExchanges.list
- analyticshub.listings.delete
- analyticshub.listings.get
- analyticshub.listings.getIamPolicy
- analyticshub.listings.list
- analyticshub.listings.setIamPolicy
- analyticshub.listings.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Analytics Hub Publisher
Beta 版
(roles/analyticshub.publisher)
可以发布到数据交换,从而创建清单
|
- analyticshub.dataExchanges.get
- analyticshub.dataExchanges.getIamPolicy
- analyticshub.dataExchanges.list
- analyticshub.listings.create
- analyticshub.listings.get
- analyticshub.listings.getIamPolicy
- analyticshub.listings.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Analytics Hub Subscriber
Beta 版
(roles/analyticshub.subscriber)
可以浏览数据交换并订阅清单
|
- analyticshub.dataExchanges.get
- analyticshub.dataExchanges.getIamPolicy
- analyticshub.dataExchanges.list
- analyticshub.listings.get
- analyticshub.listings.getIamPolicy
- analyticshub.listings.list
- analyticshub.listings.subscribe
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Analytics Hub Viewer
Beta 版
(roles/analyticshub.viewer)
可以浏览数据交换和清单
|
- analyticshub.dataExchanges.get
- analyticshub.dataExchanges.getIamPolicy
- analyticshub.dataExchanges.list
- analyticshub.listings.get
- analyticshub.listings.getIamPolicy
- analyticshub.listings.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Android 管理角色
| 角色 |
权限 |
|
Android Management User
(roles/androidmanagement.user)
拥有管理设备的完整权限。
|
- androidmanagement.*
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
|
Anthos 多云端角色
| 角色 |
权限 |
|
Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)
可以管理 Anthos 多云资源。
|
- gkemulticloud.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)
授予写入集群遥测数据(例如日志、指标和资源元数据)的权限。
|
- logging.logEntries.create
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.*
- monitoring.timeSeries.create
- opsconfigmonitoring.resourceMetadata.write
|
|
Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)
可以查看 Anthos 多云资源。
|
- gkemulticloud.awsClusters.generateAccessToken
- gkemulticloud.awsClusters.get
- gkemulticloud.awsClusters.list
- gkemulticloud.awsNodePools.get
- gkemulticloud.awsNodePools.list
- gkemulticloud.awsServerConfigs.*
- gkemulticloud.azureClients.get
- gkemulticloud.azureClients.list
- gkemulticloud.azureClusters.generateAccessToken
- gkemulticloud.azureClusters.get
- gkemulticloud.azureClusters.list
- gkemulticloud.azureNodePools.get
- gkemulticloud.azureNodePools.list
- gkemulticloud.azureServerConfigs.*
- gkemulticloud.operations.get
- gkemulticloud.operations.list
- gkemulticloud.operations.wait
- resourcemanager.projects.get
- resourcemanager.projects.list
|
API Gateway 角色
| 角色 |
权限 |
|
ApiGateway Admin
(roles/apigateway.admin)
拥有对 ApiGateway 及相关资源的完全访问权限。
|
- apigateway.*
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.get
- monitoring.timeSeries.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- servicemanagement.services.get
- serviceusage.services.list
|
|
ApiGateway Viewer
(roles/apigateway.viewer)
拥有对 ApiGateway 及相关资源的只读权限。
|
- apigateway.apiconfigs.get
- apigateway.apiconfigs.getIamPolicy
- apigateway.apiconfigs.list
- apigateway.apis.get
- apigateway.apis.getIamPolicy
- apigateway.apis.list
- apigateway.gateways.get
- apigateway.gateways.getIamPolicy
- apigateway.gateways.list
- apigateway.locations.*
- apigateway.operations.get
- apigateway.operations.list
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.get
- monitoring.timeSeries.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- servicemanagement.services.get
- serviceusage.services.list
|
Apigee 角色
Apigee Registry 角色
| 角色 |
权限 |
|
Cloud Apigee Registry Admin
Beta 版
(roles/apigeeregistry.admin)
拥有对 Cloud Apigee Registry 和运行时资源的完整访问权限。
|
- apigeeregistry.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Apigee Registry Editor
Beta 版
(roles/apigeeregistry.editor)
拥有对 Cloud Apigee Registry 资源的修改权限。
|
- apigeeregistry.apis.create
- apigeeregistry.apis.delete
- apigeeregistry.apis.get
- apigeeregistry.apis.getIamPolicy
- apigeeregistry.apis.list
- apigeeregistry.apis.update
- apigeeregistry.artifacts.create
- apigeeregistry.artifacts.delete
- apigeeregistry.artifacts.get
- apigeeregistry.artifacts.getIamPolicy
- apigeeregistry.artifacts.list
- apigeeregistry.artifacts.update
- apigeeregistry.deployments.*
- apigeeregistry.specs.create
- apigeeregistry.specs.delete
- apigeeregistry.specs.get
- apigeeregistry.specs.getIamPolicy
- apigeeregistry.specs.list
- apigeeregistry.specs.update
- apigeeregistry.versions.create
- apigeeregistry.versions.delete
- apigeeregistry.versions.get
- apigeeregistry.versions.getIamPolicy
- apigeeregistry.versions.list
- apigeeregistry.versions.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Apigee Registry Viewer
Beta 版
(roles/apigeeregistry.viewer)
拥有对 Cloud Apigee Registry 资源的只读权限。
|
- apigeeregistry.apis.get
- apigeeregistry.apis.list
- apigeeregistry.artifacts.get
- apigeeregistry.artifacts.list
- apigeeregistry.deployments.get
- apigeeregistry.deployments.list
- apigeeregistry.specs.get
- apigeeregistry.specs.list
- apigeeregistry.versions.get
- apigeeregistry.versions.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Apigee Registry Worker
Beta 版
(roles/apigeeregistry.worker)
Apigee Registry 应用工作器用于读取和更新 Apigee Registry 工件的角色。
|
- apigeeregistry.apis.get
- apigeeregistry.apis.list
- apigeeregistry.apis.update
- apigeeregistry.artifacts.create
- apigeeregistry.artifacts.delete
- apigeeregistry.artifacts.get
- apigeeregistry.artifacts.list
- apigeeregistry.artifacts.update
- apigeeregistry.deployments.get
- apigeeregistry.deployments.list
- apigeeregistry.deployments.update
- apigeeregistry.specs.get
- apigeeregistry.specs.list
- apigeeregistry.specs.update
- apigeeregistry.versions.get
- apigeeregistry.versions.list
- apigeeregistry.versions.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
App Engine 角色
| 角色 |
权限 |
|
App Engine Admin
(roles/appengine.appAdmin)
拥有所有应用配置和设置的读取/写入/修改权限。
要部署新版本,主帐号必须具有 App Engine 默认服务帐号的 Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。
您可以授予此角色的最低级层资源:
|
- appengine.applications.get
- appengine.applications.update
- appengine.instances.*
- appengine.operations.*
- appengine.runtimes.*
- appengine.services.*
- appengine.versions.create
- appengine.versions.delete
- appengine.versions.get
- appengine.versions.list
- appengine.versions.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
App Engine Creator
(roles/appengine.appCreator)
能够为项目创建 App Engine 资源。
您可以授予此角色的最低级层资源:
|
- appengine.applications.create
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
App Engine Viewer
(roles/appengine.appViewer)
拥有对所有应用配置和设置的只读权限。
您可以授予此角色的最低级层资源:
|
- appengine.applications.get
- appengine.instances.get
- appengine.instances.list
- appengine.operations.*
- appengine.services.get
- appengine.services.list
- appengine.versions.get
- appengine.versions.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
App Engine Code Viewer
(roles/appengine.codeViewer)
拥有对所有应用配置、设置和已部署源代码的只读权限。
您可以授予此角色的最低级层资源:
|
- appengine.applications.get
- appengine.instances.get
- appengine.instances.list
- appengine.operations.*
- appengine.services.get
- appengine.services.list
- appengine.versions.get
- appengine.versions.getFileContents
- appengine.versions.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
App Engine Deployer
(roles/appengine.deployer)
对所有应用配置和设置的只读权限。
要部署新版本,您还必须具有 App Engine 默认服务帐号的 Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。
无法修改现有版本,但可删除未收到流量的版本。
您可以授予此角色的最低级层资源:
|
- appengine.applications.get
- appengine.instances.get
- appengine.instances.list
- appengine.operations.*
- appengine.services.get
- appengine.services.list
- appengine.versions.create
- appengine.versions.delete
- appengine.versions.get
- appengine.versions.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
App Engine Service Admin
(roles/appengine.serviceAdmin)
对所有应用配置和设置的只读权限。
拥有模块级和版本级设置的写权限。无权部署新版本。
您可以授予此角色的最低级层资源:
|
- appengine.applications.get
- appengine.instances.*
- appengine.operations.*
- appengine.services.*
- appengine.versions.delete
- appengine.versions.get
- appengine.versions.list
- appengine.versions.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Artifact Registry 角色
| 角色 |
权限 |
|
Artifact Registry Administrator
(roles/artifactregistry.admin)
拥有可创建和管理代码库的管理员权限。
|
|
|
Artifact Registry Reader
(roles/artifactregistry.reader)
可以读取代码库项。
|
- artifactregistry.dockerimages.*
- artifactregistry.files.*
- artifactregistry.locations.*
- artifactregistry.packages.get
- artifactregistry.packages.list
- artifactregistry.repositories.downloadArtifacts
- artifactregistry.repositories.get
- artifactregistry.repositories.list
- artifactregistry.repositories.listEffectiveTags
- artifactregistry.repositories.listTagBindings
- artifactregistry.tags.get
- artifactregistry.tags.list
- artifactregistry.versions.get
- artifactregistry.versions.list
|
|
Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)
拥有管理代码库中的工件的权限。
|
- artifactregistry.aptartifacts.*
- artifactregistry.dockerimages.*
- artifactregistry.files.*
- artifactregistry.locations.*
- artifactregistry.packages.*
- artifactregistry.repositories.deleteArtifacts
- artifactregistry.repositories.downloadArtifacts
- artifactregistry.repositories.get
- artifactregistry.repositories.list
- artifactregistry.repositories.listEffectiveTags
- artifactregistry.repositories.listTagBindings
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.tags.*
- artifactregistry.versions.*
- artifactregistry.yumartifacts.*
|
|
Artifact Registry Writer
(roles/artifactregistry.writer)
可以读取和写入代码库项。
|
- artifactregistry.aptartifacts.*
- artifactregistry.dockerimages.*
- artifactregistry.files.*
- artifactregistry.locations.*
- artifactregistry.packages.get
- artifactregistry.packages.list
- artifactregistry.repositories.downloadArtifacts
- artifactregistry.repositories.get
- artifactregistry.repositories.list
- artifactregistry.repositories.listEffectiveTags
- artifactregistry.repositories.listTagBindings
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.tags.create
- artifactregistry.tags.get
- artifactregistry.tags.list
- artifactregistry.tags.update
- artifactregistry.versions.get
- artifactregistry.versions.list
- artifactregistry.yumartifacts.*
|
Assured Workloads 角色
| 角色 |
权限 |
|
Assured Workloads Administrator
(roles/assuredworkloads.admin)
授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的完全访问权限
|
- assuredworkloads.*
- logging.cmekSettings.update
- orgpolicy.policy.*
- resourcemanager.folders.create
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.create
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Assured Workloads Editor
(roles/assuredworkloads.editor)
授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的读写权限
|
- assuredworkloads.*
- orgpolicy.policy.*
- resourcemanager.folders.create
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.create
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Assured Workloads Reader
(roles/assuredworkloads.reader)
授予对所有 Assured Workloads 资源和 CRM 资源(项目/文件夹)的读取权限
|
- assuredworkloads.operations.*
- assuredworkloads.violations.*
- assuredworkloads.workload.get
- assuredworkloads.workload.list
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
AutoML 角色
| 角色 |
权限 |
|
AutoML Admin
Beta 版
(roles/automl.admin)
拥有所有 AutoML 资源的完整访问权限
您可以授予此角色的最低级层资源:
|
- automl.*
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.list
|
|
AutoML Editor
Beta 版
(roles/automl.editor)
可修改所有 AutoML 资源
您可以授予此角色的最低级层资源:
|
- automl.annotationSpecs.*
- automl.annotations.*
- automl.columnSpecs.*
- automl.datasets.create
- automl.datasets.delete
- automl.datasets.export
- automl.datasets.get
- automl.datasets.import
- automl.datasets.list
- automl.datasets.update
- automl.examples.*
- automl.humanAnnotationTasks.*
- automl.locations.get
- automl.locations.list
- automl.modelEvaluations.*
- automl.models.create
- automl.models.delete
- automl.models.deploy
- automl.models.export
- automl.models.get
- automl.models.list
- automl.models.predict
- automl.models.undeploy
- automl.operations.*
- automl.tableSpecs.*
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.list
|
|
AutoML Predictor
Beta 版
(roles/automl.predictor)
可使用模型进行预测
您可以授予此角色的最低级层资源:
|
- automl.models.predict
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
AutoML Viewer
Beta 版
(roles/automl.viewer)
可查看所有 AutoML 资源
您可以授予此角色的最低级层资源:
|
- automl.annotationSpecs.get
- automl.annotationSpecs.list
- automl.annotations.list
- automl.columnSpecs.get
- automl.columnSpecs.list
- automl.datasets.get
- automl.datasets.list
- automl.examples.get
- automl.examples.list
- automl.humanAnnotationTasks.get
- automl.humanAnnotationTasks.list
- automl.locations.get
- automl.locations.list
- automl.modelEvaluations.get
- automl.modelEvaluations.list
- automl.models.get
- automl.models.list
- automl.operations.get
- automl.operations.list
- automl.tableSpecs.get
- automl.tableSpecs.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.list
|
Backup for GKE 角色
| Role |
Permissions |
|
Backup for GKE Admin
Beta
(roles/gkebackup.admin)
Full access to all Backup for GKE resources.
|
- gkebackup.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Backup for GKE Backup Admin
Beta
(roles/gkebackup.backupAdmin)
Allows administrators to manage all BackupPlan and Backup resources.
|
- gkebackup.backupPlans.*
- gkebackup.backups.*
- gkebackup.locations.*
- gkebackup.operations.get
- gkebackup.operations.list
- gkebackup.volumeBackups.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Backup for GKE Delegated Backup Admin
Beta
(roles/gkebackup.delegatedBackupAdmin)
Allows administrators to manage Backup resources for specific BackupPlans
|
- gkebackup.backupPlans.get
- gkebackup.backups.*
- gkebackup.volumeBackups.*
|
|
Backup for GKE Delegated Restore Admin
Beta
(roles/gkebackup.delegatedRestoreAdmin)
Allows administrators to manage Restore resources for specific RestorePlans
|
- gkebackup.restorePlans.get
- gkebackup.restores.*
- gkebackup.volumeRestores.*
|
|
Backup for GKE Restore Admin
Beta
(roles/gkebackup.restoreAdmin)
Allows administrators to manage all RestorePlan and Restore resources.
|
- gkebackup.backupPlans.get
- gkebackup.backupPlans.list
- gkebackup.backups.get
- gkebackup.backups.list
- gkebackup.locations.*
- gkebackup.operations.get
- gkebackup.operations.list
- gkebackup.restorePlans.*
- gkebackup.restores.*
- gkebackup.volumeBackups.*
- gkebackup.volumeRestores.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Backup for GKE Viewer
Beta
(roles/gkebackup.viewer)
Read-only access to all Backup for GKE resources.
|
- gkebackup.backupPlans.get
- gkebackup.backupPlans.getIamPolicy
- gkebackup.backupPlans.list
- gkebackup.backups.get
- gkebackup.backups.list
- gkebackup.locations.*
- gkebackup.operations.get
- gkebackup.operations.list
- gkebackup.restorePlans.get
- gkebackup.restorePlans.getIamPolicy
- gkebackup.restorePlans.list
- gkebackup.restores.get
- gkebackup.restores.list
- gkebackup.volumeBackups.*
- gkebackup.volumeRestores.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
BigQuery 角色
结算服务角色
| Role |
Permissions |
|
Billing Account Administrator
(roles/billing.admin)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
|
- billing.accounts.close
- billing.accounts.get
- billing.accounts.getIamPolicy
- billing.accounts.getPaymentInfo
- billing.accounts.getPricing
- billing.accounts.getSpendingInformation
- billing.accounts.getUsageExportSpec
- billing.accounts.list
- billing.accounts.move
- billing.accounts.redeemPromotion
- billing.accounts.removeFromOrganization
- billing.accounts.reopen
- billing.accounts.setIamPolicy
- billing.accounts.update
- billing.accounts.updatePaymentInfo
- billing.accounts.updateUsageExportSpec
- billing.budgets.*
- billing.credits.*
- billing.resourceAssociations.*
- billing.subscriptions.*
- cloudnotifications.*
- commerceoffercatalog.*
- consumerprocurement.accounts.*
- consumerprocurement.orderAttributions.*
- consumerprocurement.orders.*
- dataprocessing.datasources.get
- dataprocessing.datasources.list
- dataprocessing.groupcontrols.get
- dataprocessing.groupcontrols.list
- logging.logEntries.list
- logging.logServiceIndexes.*
- logging.logServices.*
- logging.logs.list
- logging.privateLogEntries.*
- recommender.commitmentUtilizationInsights.*
- recommender.costInsights.*
- recommender.spendBasedCommitmentInsights.*
- recommender.spendBasedCommitmentRecommendations.*
- recommender.usageCommitmentRecommendations.*
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
|
|
Billing Account Costs Manager
(roles/billing.costsManager)
Manage budgets for a billing account, and view, analyze, and export cost information of a billing
account.
Lowest-level resources where you can grant this role:
|
- billing.accounts.get
- billing.accounts.getIamPolicy
- billing.accounts.getSpendingInformation
- billing.accounts.getUsageExportSpec
- billing.accounts.list
- billing.accounts.updateUsageExportSpec
- billing.budgets.*
- billing.resourceAssociations.list
- recommender.costInsights.*
|
|
Billing Account Creator
(roles/billing.creator)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
|
- billing.accounts.create
- resourcemanager.organizations.get
|
|
Project Billing Manager
(roles/billing.projectManager)
When granted in conjunction with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
|
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
|
|
Billing Account User
(roles/billing.user)
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
|
- billing.accounts.get
- billing.accounts.getIamPolicy
- billing.accounts.list
- billing.accounts.redeemPromotion
- billing.credits.*
- billing.resourceAssociations.create
|
|
Billing Account Viewer
(roles/billing.viewer)
View billing account cost and pricing information, transactions, and billing and commitment
recommendations.
Lowest-level resources where you can grant this role:
|
- billing.accounts.get
- billing.accounts.getIamPolicy
- billing.accounts.getPaymentInfo
- billing.accounts.getPricing
- billing.accounts.getSpendingInformation
- billing.accounts.getUsageExportSpec
- billing.accounts.list
- billing.budgets.get
- billing.budgets.list
- billing.credits.*
- billing.resourceAssociations.list
- billing.subscriptions.get
- billing.subscriptions.list
- commerceoffercatalog.*
- consumerprocurement.accounts.get
- consumerprocurement.accounts.list
- consumerprocurement.orderAttributions.get
- consumerprocurement.orderAttributions.list
- consumerprocurement.orders.get
- consumerprocurement.orders.list
- dataprocessing.datasources.get
- dataprocessing.datasources.list
- dataprocessing.groupcontrols.get
- dataprocessing.groupcontrols.list
- recommender.commitmentUtilizationInsights.get
- recommender.commitmentUtilizationInsights.list
- recommender.costInsights.get
- recommender.costInsights.list
- recommender.spendBasedCommitmentInsights.get
- recommender.spendBasedCommitmentInsights.list
- recommender.spendBasedCommitmentRecommendations.get
- recommender.spendBasedCommitmentRecommendations.list
- recommender.usageCommitmentRecommendations.get
- recommender.usageCommitmentRecommendations.list
|
Binary Authorization 角色
| Role |
Permissions |
|
Binary Authorization Attestor Admin
(roles/binaryauthorization.attestorsAdmin)
Administrator of Binary Authorization Attestors
|
- binaryauthorization.attestors.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Attestor Editor
(roles/binaryauthorization.attestorsEditor)
Editor of Binary Authorization Attestors
|
- binaryauthorization.attestors.create
- binaryauthorization.attestors.delete
- binaryauthorization.attestors.get
- binaryauthorization.attestors.list
- binaryauthorization.attestors.update
- binaryauthorization.attestors.verifyImageAttested
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Attestor Image Verifier
(roles/binaryauthorization.attestorsVerifier)
Caller of Binary Authorization Attestors VerifyImageAttested
|
- binaryauthorization.attestors.get
- binaryauthorization.attestors.list
- binaryauthorization.attestors.verifyImageAttested
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Attestor Viewer
(roles/binaryauthorization.attestorsViewer)
Viewer of Binary Authorization Attestors
|
- binaryauthorization.attestors.get
- binaryauthorization.attestors.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Policy Administrator
(roles/binaryauthorization.policyAdmin)
Administrator of Binary Authorization Policy
|
- binaryauthorization.continuousValidationConfig.*
- binaryauthorization.platformPolicies.*
- binaryauthorization.policy.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Policy Editor
(roles/binaryauthorization.policyEditor)
Editor of Binary Authorization Policy
|
- binaryauthorization.continuousValidationConfig.get
- binaryauthorization.continuousValidationConfig.update
- binaryauthorization.platformPolicies.*
- binaryauthorization.policy.evaluatePolicy
- binaryauthorization.policy.get
- binaryauthorization.policy.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Policy Evaluator
Beta
(roles/binaryauthorization.policyEvaluator)
Evaluator of Binary Authorization Policy
|
- binaryauthorization.platformPolicies.evaluatePolicy
- binaryauthorization.platformPolicies.get
- binaryauthorization.platformPolicies.list
- binaryauthorization.policy.evaluatePolicy
- binaryauthorization.policy.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Binary Authorization Policy Viewer
(roles/binaryauthorization.policyViewer)
Viewer of Binary Authorization Policy
|
- binaryauthorization.continuousValidationConfig.get
- binaryauthorization.platformPolicies.get
- binaryauthorization.platformPolicies.list
- binaryauthorization.policy.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
CA Service 角色
| 角色 |
权限 |
|
CA Service Admin
(roles/privateca.admin)
具有对所有 CA 服务资源的完整访问权限。
|
- privateca.*
- resourcemanager.projects.get
- resourcemanager.projects.list
- storage.buckets.create
|
|
CA Service Auditor
(roles/privateca.auditor)
具有对所有 CA 服务资源的只读权限。
|
- privateca.caPools.get
- privateca.caPools.getIamPolicy
- privateca.caPools.list
- privateca.certificateAuthorities.get
- privateca.certificateAuthorities.getIamPolicy
- privateca.certificateAuthorities.list
- privateca.certificateRevocationLists.get
- privateca.certificateRevocationLists.getIamPolicy
- privateca.certificateRevocationLists.list
- privateca.certificateTemplates.get
- privateca.certificateTemplates.getIamPolicy
- privateca.certificateTemplates.list
- privateca.certificates.get
- privateca.certificates.getIamPolicy
- privateca.certificates.list
- privateca.locations.*
- privateca.operations.get
- privateca.operations.list
- privateca.reusableConfigs.get
- privateca.reusableConfigs.getIamPolicy
- privateca.reusableConfigs.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
CA Service Operation Manager
(roles/privateca.caManager)
可以创建和管理 CA、撤消证书、创建证书模板且拥有对 CA 服务资源的只读权限。
|
- privateca.caPools.create
- privateca.caPools.delete
- privateca.caPools.get
- privateca.caPools.getIamPolicy
- privateca.caPools.list
- privateca.caPools.update
- privateca.certificateAuthorities.create
- privateca.certificateAuthorities.delete
- privateca.certificateAuthorities.get
- privateca.certificateAuthorities.getIamPolicy
- privateca.certificateAuthorities.list
- privateca.certificateAuthorities.update
- privateca.certificateRevocationLists.get
- privateca.certificateRevocationLists.getIamPolicy
- privateca.certificateRevocationLists.list
- privateca.certificateRevocationLists.update
- privateca.certificateTemplates.create
- privateca.certificateTemplates.delete
- privateca.certificateTemplates.get
- privateca.certificateTemplates.getIamPolicy
- privateca.certificateTemplates.list
- privateca.certificateTemplates.update
- privateca.certificates.get
- privateca.certificates.getIamPolicy
- privateca.certificates.list
- privateca.certificates.update
- privateca.locations.*
- privateca.operations.get
- privateca.operations.list
- privateca.reusableConfigs.create
- privateca.reusableConfigs.delete
- privateca.reusableConfigs.get
- privateca.reusableConfigs.getIamPolicy
- privateca.reusableConfigs.list
- privateca.reusableConfigs.update
- resourcemanager.projects.get
- resourcemanager.projects.list
- storage.buckets.create
|
|
CA Service Certificate Manager
(roles/privateca.certificateManager)
能够创建证书,并具有对 CA 服务资源的只读权限。
|
- privateca.caPools.get
- privateca.caPools.getIamPolicy
- privateca.caPools.list
- privateca.certificateAuthorities.get
- privateca.certificateAuthorities.getIamPolicy
- privateca.certificateAuthorities.list
- privateca.certificateRevocationLists.get
- privateca.certificateRevocationLists.getIamPolicy
- privateca.certificateRevocationLists.list
- privateca.certificateTemplates.get
- privateca.certificateTemplates.getIamPolicy
- privateca.certificateTemplates.list
- privateca.certificates.create
- privateca.certificates.get
- privateca.certificates.getIamPolicy
- privateca.certificates.list
- privateca.locations.*
- privateca.operations.get
- privateca.operations.list
- privateca.reusableConfigs.get
- privateca.reusableConfigs.getIamPolicy
- privateca.reusableConfigs.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
CA Service Certificate Requester
(roles/privateca.certificateRequester)
可从 CA 服务请求证书。
|
- privateca.certificates.create
|
|
CA Service Certificate Template User
(roles/privateca.templateUser)
读取、列出和使用证书模板。
|
- privateca.certificateTemplates.get
- privateca.certificateTemplates.list
- privateca.certificateTemplates.use
|
|
CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)
以调用方的身份从 CA Service 请求证书。
|
- privateca.certificates.createForSelf
|
Certificate Manager 角色
| Role |
Permissions |
|
Certificate Manager Editor
Beta
(roles/certificatemanager.editor)
Edit access to Certificate Manager all resources.
|
- certificatemanager.certmapentries.create
- certificatemanager.certmapentries.get
- certificatemanager.certmapentries.getIamPolicy
- certificatemanager.certmapentries.list
- certificatemanager.certmapentries.update
- certificatemanager.certmaps.create
- certificatemanager.certmaps.get
- certificatemanager.certmaps.getIamPolicy
- certificatemanager.certmaps.list
- certificatemanager.certmaps.update
- certificatemanager.certmaps.use
- certificatemanager.certs.create
- certificatemanager.certs.get
- certificatemanager.certs.getIamPolicy
- certificatemanager.certs.list
- certificatemanager.certs.update
- certificatemanager.certs.use
- certificatemanager.dnsauthorizations.create
- certificatemanager.dnsauthorizations.get
- certificatemanager.dnsauthorizations.getIamPolicy
- certificatemanager.dnsauthorizations.list
- certificatemanager.dnsauthorizations.update
- certificatemanager.dnsauthorizations.use
- certificatemanager.locations.*
- certificatemanager.operations.get
- certificatemanager.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Certificate Manager Owner
Beta
(roles/certificatemanager.owner)
Full access to Certificate Manager all resources.
|
- certificatemanager.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Certificate Manager Viewer
Beta
(roles/certificatemanager.viewer)
Read-only access to Certificate Manager all resources.
|
- certificatemanager.certmapentries.get
- certificatemanager.certmapentries.getIamPolicy
- certificatemanager.certmapentries.list
- certificatemanager.certmaps.get
- certificatemanager.certmaps.getIamPolicy
- certificatemanager.certmaps.list
- certificatemanager.certs.get
- certificatemanager.certs.getIamPolicy
- certificatemanager.certs.list
- certificatemanager.dnsauthorizations.get
- certificatemanager.dnsauthorizations.getIamPolicy
- certificatemanager.dnsauthorizations.list
- certificatemanager.locations.*
- certificatemanager.operations.get
- certificatemanager.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Asset 角色
| Role |
Permissions |
|
Cloud Asset Owner
(roles/cloudasset.owner)
Full access to cloud assets metadata
|
- cloudasset.*
- recommender.cloudAssetInsights.*
- recommender.locations.*
|
|
Cloud Asset Viewer
(roles/cloudasset.viewer)
Read only access to cloud assets metadata
|
- cloudasset.assets.*
- recommender.cloudAssetInsights.get
- recommender.cloudAssetInsights.list
- recommender.locations.*
|
Cloud Bigtable 角色
| 角色 |
权限 |
|
Bigtable Administrator
(roles/bigtable.admin)
管理项目中的所有实例,包括存储在表中的数据。还可创建新实例。适用于项目管理员。
您可以授予此角色的最低级层资源:
|
- bigtable.*
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.timeSeries.list
- resourcemanager.projects.get
|
|
Bigtable Reader
(roles/bigtable.reader)
提供表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析情景。
您可以授予此角色的最低级层资源:
|
- bigtable.appProfiles.get
- bigtable.appProfiles.list
- bigtable.backups.get
- bigtable.backups.list
- bigtable.clusters.get
- bigtable.clusters.list
- bigtable.instances.get
- bigtable.instances.list
- bigtable.keyvisualizer.*
- bigtable.locations.*
- bigtable.tables.checkConsistency
- bigtable.tables.generateConsistencyToken
- bigtable.tables.get
- bigtable.tables.list
- bigtable.tables.readRows
- bigtable.tables.sampleRowKeys
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.timeSeries.list
- resourcemanager.projects.get
|
|
Bigtable User
(roles/bigtable.user)
提供表中所存储数据的读写权限。适用于应用开发者或服务帐号。
您可以授予此角色的最低级层资源:
|
- bigtable.appProfiles.get
- bigtable.appProfiles.list
- bigtable.backups.get
- bigtable.backups.list
- bigtable.clusters.get
- bigtable.clusters.list
- bigtable.instances.get
- bigtable.instances.list
- bigtable.keyvisualizer.*
- bigtable.locations.*
- bigtable.tables.checkConsistency
- bigtable.tables.generateConsistencyToken
- bigtable.tables.get
- bigtable.tables.list
- bigtable.tables.mutateRows
- bigtable.tables.readRows
- bigtable.tables.sampleRowKeys
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.timeSeries.list
- resourcemanager.projects.get
|
|
Bigtable Viewer
(roles/bigtable.viewer)
不提供数据访问权限。仅提供通过 Cloud Console 访问 Bigtable 所需的一组最低权限。
您可以授予此角色的最低级层资源:
|
- bigtable.appProfiles.get
- bigtable.appProfiles.list
- bigtable.backups.get
- bigtable.backups.list
- bigtable.clusters.get
- bigtable.clusters.list
- bigtable.instances.get
- bigtable.instances.list
- bigtable.locations.*
- bigtable.tables.checkConsistency
- bigtable.tables.generateConsistencyToken
- bigtable.tables.get
- bigtable.tables.list
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.timeSeries.list
- resourcemanager.projects.get
|
Cloud Build 角色
| 角色 |
权限 |
|
Cloud Build Approver
(roles/cloudbuild.builds.approver)
可批准或拒绝待处理的构建。
|
- cloudbuild.builds.approve
- cloudbuild.builds.get
- cloudbuild.builds.list
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build Service Account
(roles/cloudbuild.builds.builder)
提供执行构建的权限。
|
- artifactregistry.aptartifacts.*
- artifactregistry.dockerimages.*
- artifactregistry.files.*
- artifactregistry.locations.*
- artifactregistry.packages.get
- artifactregistry.packages.list
- artifactregistry.repositories.downloadArtifacts
- artifactregistry.repositories.get
- artifactregistry.repositories.list
- artifactregistry.repositories.listEffectiveTags
- artifactregistry.repositories.listTagBindings
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.tags.create
- artifactregistry.tags.get
- artifactregistry.tags.list
- artifactregistry.tags.update
- artifactregistry.versions.get
- artifactregistry.versions.list
- artifactregistry.yumartifacts.*
- cloudbuild.builds.create
- cloudbuild.builds.get
- cloudbuild.builds.list
- cloudbuild.builds.update
- cloudbuild.workerpools.use
- containeranalysis.occurrences.create
- containeranalysis.occurrences.delete
- containeranalysis.occurrences.get
- containeranalysis.occurrences.list
- containeranalysis.occurrences.update
- logging.logEntries.create
- logging.logEntries.list
- logging.privateLogEntries.*
- logging.views.access
- pubsub.topics.create
- pubsub.topics.publish
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- source.repos.get
- source.repos.list
- storage.buckets.create
- storage.buckets.get
- storage.buckets.list
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
- storage.objects.update
|
|
Cloud Build Editor
(roles/cloudbuild.builds.editor)
提供创建和取消构建作业的权限。
您可以授予此角色的最低级层资源:
|
- cloudbuild.builds.create
- cloudbuild.builds.get
- cloudbuild.builds.list
- cloudbuild.builds.update
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build Viewer
(roles/cloudbuild.builds.viewer)
提供查看构建作业的权限。
您可以授予此角色的最低级层资源:
|
- cloudbuild.builds.get
- cloudbuild.builds.list
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)
可以更新集成
|
- cloudbuild.integrations.get
- cloudbuild.integrations.list
- cloudbuild.integrations.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)
可以创建/删除集成
|
- cloudbuild.integrations.*
- compute.firewalls.create
- compute.firewalls.get
- compute.firewalls.list
- compute.networks.get
- compute.networks.updatePolicy
- compute.regions.get
- compute.subnetworks.get
- compute.subnetworks.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)
可以查看集成
|
- cloudbuild.integrations.get
- cloudbuild.integrations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)
可以更新和查看工作器池
|
- cloudbuild.workerpools.get
- cloudbuild.workerpools.list
- cloudbuild.workerpools.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)
可以创建、删除、更新和查看工作器池
|
- cloudbuild.workerpools.create
- cloudbuild.workerpools.delete
- cloudbuild.workerpools.get
- cloudbuild.workerpools.list
- cloudbuild.workerpools.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)
可以在工作器池中运行构建
|
- cloudbuild.workerpools.use
|
|
Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)
可以查看工作器池
|
- cloudbuild.workerpools.get
- cloudbuild.workerpools.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Composer 角色
| 角色 |
权限 |
|
Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)
Cloud Composer v2 API Service Agent Extension 是管理 Composer v2 环境所需的补充角色。
|
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
|
|
Composer Administrator
(roles/composer.admin)
提供对 Cloud Composer 资源的完全控制权。
您可以授予此角色的最低级层资源:
|
- composer.*
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
|
|
Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)
提供对 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。
您可以授予此角色的最低级层资源:
|
- composer.*
- orgpolicy.policy.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
- storage.multipartUploads.*
- storage.objects.*
|
|
Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)
提供列出及获取 Cloud Composer 环境和操作所需的权限。
以及对所有项目存储分区中对象的只读权限。
您可以授予此角色的最低级层资源:
|
- composer.dags.*
- composer.environments.get
- composer.environments.list
- composer.imageversions.*
- composer.operations.get
- composer.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
- storage.objects.get
- storage.objects.list
|
|
Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)
应分配给共享 VPC 宿主项目中的 Composer Agent 服务帐号的角色
|
- compute.networks.access
- compute.networks.addPeering
- compute.networks.get
- compute.networks.list
- compute.networks.listPeeringRoutes
- compute.networks.removePeering
- compute.networks.updatePeering
- compute.networks.use
- compute.networks.useExternalIp
- compute.projects.get
- compute.regions.*
- compute.subnetworks.get
- compute.subnetworks.list
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zones.*
|
|
Composer User
(roles/composer.user)
提供列出及获取 Cloud Composer 环境和操作所需的权限。
您可以授予此角色的最低级层资源:
|
- composer.dags.*
- composer.environments.get
- composer.environments.list
- composer.imageversions.*
- composer.operations.get
- composer.operations.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
|
|
Composer Worker
(roles/composer.worker)
提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。
您可以授予此角色的最低级层资源:
|
- artifactregistry.*
- cloudbuild.builds.create
- cloudbuild.builds.get
- cloudbuild.builds.list
- cloudbuild.builds.update
- cloudbuild.workerpools.use
- composer.environments.get
- container.*
- containeranalysis.occurrences.create
- containeranalysis.occurrences.delete
- containeranalysis.occurrences.get
- containeranalysis.occurrences.list
- containeranalysis.occurrences.update
- logging.logEntries.create
- logging.logEntries.list
- logging.privateLogEntries.*
- logging.views.access
- monitoring.metricDescriptors.create
- monitoring.metricDescriptors.get
- monitoring.metricDescriptors.list
- monitoring.monitoredResourceDescriptors.*
- monitoring.timeSeries.*
- orgpolicy.policy.get
- pubsub.schemas.attach
- pubsub.schemas.create
- pubsub.schemas.delete
- pubsub.schemas.get
- pubsub.schemas.list
- pubsub.schemas.validate
- pubsub.snapshots.create
- pubsub.snapshots.delete
- pubsub.snapshots.get
- pubsub.snapshots.list
- pubsub.snapshots.seek
- pubsub.snapshots.update
- pubsub.subscriptions.consume
- pubsub.subscriptions.create
- pubsub.subscriptions.delete
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.subscriptions.update
- pubsub.topics.attachSubscription
- pubsub.topics.create
- pubsub.topics.delete
- pubsub.topics.detachSubscription
- pubsub.topics.get
- pubsub.topics.list
- pubsub.topics.publish
- pubsub.topics.update
- pubsub.topics.updateTag
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
- source.repos.get
- source.repos.list
- storage.buckets.create
- storage.buckets.get
- storage.buckets.list
- storage.multipartUploads.*
- storage.objects.*
|
Cloud Connectors 角色
| Role |
Permissions |
|
Connector Admin
(roles/connectors.admin)
Full access to all resources of Connectors Service.
|
- connectors.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Connectors Viewer
(roles/connectors.viewer)
Read-only access to Connectors all resources.
|
- connectors.connections.get
- connectors.connections.getConnectionSchemaMetadata
- connectors.connections.getIamPolicy
- connectors.connections.getRuntimeActionSchema
- connectors.connections.getRuntimeEntitySchema
- connectors.connections.list
- connectors.connectors.*
- connectors.locations.*
- connectors.operations.get
- connectors.operations.list
- connectors.providers.*
- connectors.runtimeconfig.*
- connectors.versions.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Data Fusion 角色
| 角色 |
权限 |
|
Cloud Data Fusion Admin
Beta 版
(roles/datafusion.admin)
拥有对 Cloud Data Fusion 实例、命名空间和相关资源的完整访问权限。
您可以授予此角色的最低级层资源:
|
- datafusion.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Data Fusion Runner
Beta 版
(roles/datafusion.runner)
提供对 Cloud Data Fusion 运行时资源的访问权限。
|
- datafusion.instances.runtime
|
|
Cloud Data Fusion Viewer
Beta 版
(roles/datafusion.viewer)
拥有对 Cloud Data Fusion 实例、命名空间及相关资源的只读权限。
您可以授予此角色的最低级层资源:
|
- datafusion.instances.get
- datafusion.instances.getIamPolicy
- datafusion.instances.list
- datafusion.instances.runtime
- datafusion.locations.*
- datafusion.operations.get
- datafusion.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Data Labeling 角色
| 角色 |
权限 |
|
Data Labeling Service Admin
Beta 版
(roles/datalabeling.admin)
拥有对所有 Data Labeling 资源的完全访问权限
|
- datalabeling.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Data Labeling Service Editor
Beta 版
(roles/datalabeling.editor)
可以修改所有 Data Labeling 资源
|
- datalabeling.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Data Labeling Service Viewer
Beta 版
(roles/datalabeling.viewer)
可以查看所有 Data Labeling 资源
|
- datalabeling.annotateddatasets.get
- datalabeling.annotateddatasets.list
- datalabeling.annotationspecsets.get
- datalabeling.annotationspecsets.list
- datalabeling.dataitems.*
- datalabeling.datasets.get
- datalabeling.datasets.list
- datalabeling.examples.*
- datalabeling.instructions.get
- datalabeling.instructions.list
- datalabeling.operations.get
- datalabeling.operations.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Dataplex 角色
Cloud Debugger 角色
| 角色 |
权限 |
|
Cloud Debugger Agent
Beta 版
(roles/clouddebugger.agent)
提供注册调试目标、读取活跃断点和报告断点结果的权限。
您可以授予此角色的最低级层资源:
|
- clouddebugger.breakpoints.list
- clouddebugger.breakpoints.listActive
- clouddebugger.breakpoints.update
- clouddebugger.debuggees.create
|
|
Cloud Debugger User
Beta 版
(roles/clouddebugger.user)
提供创建、查看、列出和删除断点(快照和日志点)以及列出调试目标(调试对象)的权限。
您可以授予此角色的最低级层资源:
|
- clouddebugger.breakpoints.create
- clouddebugger.breakpoints.delete
- clouddebugger.breakpoints.get
- clouddebugger.breakpoints.list
- clouddebugger.debuggees.list
|
Cloud Deploy 角色
| 角色 |
权限 |
|
Cloud Deploy Admin
Beta 版
(roles/clouddeploy.admin)
拥有对 Cloud Deploy 资源的完全控制权。
|
- clouddeploy.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Deploy Approver
Beta 版
(roles/clouddeploy.approver)
拥有批准或拒绝发布的权限。
|
- clouddeploy.locations.*
- clouddeploy.operations.*
- clouddeploy.rollouts.approve
- clouddeploy.rollouts.get
- clouddeploy.rollouts.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Deploy Developer
Beta 版
(roles/clouddeploy.developer)
有权管理部署配置,但无权访问操作资源,例如目标。
|
- clouddeploy.deliveryPipelines.create
- clouddeploy.deliveryPipelines.get
- clouddeploy.deliveryPipelines.getIamPolicy
- clouddeploy.deliveryPipelines.list
- clouddeploy.deliveryPipelines.update
- clouddeploy.locations.*
- clouddeploy.operations.*
- clouddeploy.releases.*
- clouddeploy.rollouts.get
- clouddeploy.rollouts.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Deploy Runner
Beta 版
(roles/clouddeploy.jobRunner)
拥有执行 Cloud Deploy 作业的权限,但无权将其传送到目标。
|
- logging.logEntries.create
- storage.objects.create
- storage.objects.get
- storage.objects.list
|
|
Cloud Deploy Operator
Beta 版
(roles/clouddeploy.operator)
拥有管理部署配置的权限。
|
- clouddeploy.deliveryPipelines.create
- clouddeploy.deliveryPipelines.get
- clouddeploy.deliveryPipelines.getIamPolicy
- clouddeploy.deliveryPipelines.list
- clouddeploy.deliveryPipelines.update
- clouddeploy.locations.*
- clouddeploy.operations.*
- clouddeploy.releases.*
- clouddeploy.rollouts.create
- clouddeploy.rollouts.get
- clouddeploy.rollouts.list
- clouddeploy.targets.create
- clouddeploy.targets.get
- clouddeploy.targets.getIamPolicy
- clouddeploy.targets.list
- clouddeploy.targets.update
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Deploy Releaser
Beta 版
(roles/clouddeploy.releaser)
拥有创建 Cloud Deploy 版本和发布的权限。
|
- clouddeploy.deliveryPipelines.get
- clouddeploy.locations.*
- clouddeploy.operations.*
- clouddeploy.releases.create
- clouddeploy.releases.get
- clouddeploy.releases.list
- clouddeploy.rollouts.create
- clouddeploy.rollouts.get
- clouddeploy.rollouts.list
- clouddeploy.targets.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Deploy Viewer
Beta 版
(roles/clouddeploy.viewer)
可以查看 Cloud Deploy 资源。
|
- clouddeploy.config.*
- clouddeploy.deliveryPipelines.get
- clouddeploy.deliveryPipelines.getIamPolicy
- clouddeploy.deliveryPipelines.list
- clouddeploy.locations.*
- clouddeploy.operations.get
- clouddeploy.operations.list
- clouddeploy.releases.get
- clouddeploy.releases.list
- clouddeploy.rollouts.get
- clouddeploy.rollouts.list
- clouddeploy.targets.get
- clouddeploy.targets.getIamPolicy
- clouddeploy.targets.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud DLP 角色
| 角色 |
权限 |
|
DLP Administrator
(roles/dlp.admin)
可管理 DLP,包括作业和模板。
|
- dlp.*
- serviceusage.services.use
|
|
DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)
可修改 DLP 分析风险模板。
|
- dlp.analyzeRiskTemplates.*
|
|
DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)
可读取 DLP 分析风险模板。
|
- dlp.analyzeRiskTemplates.get
- dlp.analyzeRiskTemplates.list
|
|
DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)
可读取 DLP 列配置文件。
|
|
|
DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)
可读取 DLP 配置文件。
|
- dlp.columnDataProfiles.*
- dlp.projectDataProfiles.*
- dlp.tableDataProfiles.*
|
|
DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)
可修改 DLP 去标识化模板。
|
- dlp.deidentifyTemplates.*
|
|
DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)
可读取 DLP 去标识化模板。
|
- dlp.deidentifyTemplates.get
- dlp.deidentifyTemplates.list
|
|
DLP Cost Estimation
(roles/dlp.estimatesAdmin)
管理 DLP 费用估算。
|
|
|
DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)
可读取 DLP 存储的发现结果。
|
|
|
DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)
可修改 DLP 检查模板。
|
|
|
DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)
可读取 DLP 检查模板。
|
- dlp.inspectTemplates.get
- dlp.inspectTemplates.list
|
|
DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)
可修改作业触发器配置。
|
|
|
DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)
可读取作业触发器。
|
- dlp.jobTriggers.get
- dlp.jobTriggers.list
|
|
DLP Jobs Editor
(roles/dlp.jobsEditor)
可修改和创建作业
|
|
|
DLP Jobs Reader
(roles/dlp.jobsReader)
可读取作业
|
- dlp.jobs.get
- dlp.jobs.list
|
|
DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)
DLP 服务帐号在组织或文件夹中生成数据配置文件所需的权限。
|
- bigquery.bireservations.get
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.config.get
- bigquery.connections.updateTag
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.datasets.updateTag
- bigquery.jobs.create
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.jobs.listExecutionMetadata
- bigquery.models.*
- bigquery.readsessions.*
- bigquery.reservationAssignments.list
- bigquery.reservationAssignments.search
- bigquery.reservations.get
- bigquery.reservations.list
- bigquery.routines.*
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.tables.create
- bigquery.tables.createIndex
- bigquery.tables.createSnapshot
- bigquery.tables.delete
- bigquery.tables.deleteIndex
- bigquery.tables.export
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.getIamPolicy
- bigquery.tables.list
- bigquery.tables.restoreSnapshot
- bigquery.tables.update
- bigquery.tables.updateData
- bigquery.tables.updateTag
- bigquery.transfers.get
- bigquerymigration.translation.*
- cloudasset.assets.*
- datacatalog.categories.fineGrainedGet
- datacatalog.entries.updateTag
- datacatalog.tagTemplates.create
- datacatalog.tagTemplates.get
- datacatalog.tagTemplates.getTag
- datacatalog.tagTemplates.use
- dlp.*
- pubsub.topics.updateTag
- recommender.cloudAssetInsights.get
- recommender.cloudAssetInsights.list
- recommender.locations.*
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
|
|
DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)
可读取 DLP 项目配置文件。
|
- dlp.projectDataProfiles.*
|
|
DLP Project Data Profiles Driver
(roles/dlp.projectdriver)
DLP 服务帐号在项目中生成数据配置文件所需的权限。
|
- bigquery.bireservations.get
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.config.get
- bigquery.connections.updateTag
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.datasets.updateTag
- bigquery.jobs.create
- bigquery.jobs.get
- bigquery.jobs.list
- bigquery.jobs.listAll
- bigquery.jobs.listExecutionMetadata
- bigquery.models.*
- bigquery.readsessions.*
- bigquery.reservationAssignments.list
- bigquery.reservationAssignments.search
- bigquery.reservations.get
- bigquery.reservations.list
- bigquery.routines.*
- bigquery.savedqueries.get
- bigquery.savedqueries.list
- bigquery.tables.create
- bigquery.tables.createIndex
- bigquery.tables.createSnapshot
- bigquery.tables.delete
- bigquery.tables.deleteIndex
- bigquery.tables.export
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.getIamPolicy
- bigquery.tables.list
- bigquery.tables.restoreSnapshot
- bigquery.tables.update
- bigquery.tables.updateData
- bigquery.tables.updateTag
- bigquery.transfers.get
- bigquerymigration.translation.*
- cloudasset.assets.*
- datacatalog.categories.fineGrainedGet
- datacatalog.entries.updateTag
- datacatalog.tagTemplates.create
- datacatalog.tagTemplates.get
- datacatalog.tagTemplates.getTag
- datacatalog.tagTemplates.use
- dlp.*
- pubsub.topics.updateTag
- recommender.cloudAssetInsights.get
- recommender.cloudAssetInsights.list
- recommender.locations.*
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.use
|
|
DLP Reader
(roles/dlp.reader)
可读取作业和模板等 DLP 实体。
|
- dlp.analyzeRiskTemplates.get
- dlp.analyzeRiskTemplates.list
- dlp.deidentifyTemplates.get
- dlp.deidentifyTemplates.list
- dlp.inspectFindings.*
- dlp.inspectTemplates.get
- dlp.inspectTemplates.list
- dlp.jobTriggers.get
- dlp.jobTriggers.list
- dlp.jobs.get
- dlp.jobs.list
- dlp.locations.*
- dlp.storedInfoTypes.get
- dlp.storedInfoTypes.list
|
|
DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)
可修改 DLP 存储的信息类型。
|
|
|
DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)
可读取 DLP 存储的信息类型。
|
- dlp.storedInfoTypes.get
- dlp.storedInfoTypes.list
|
|
DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)
可读取 DLP 表配置文件。
|
|
|
DLP User
(roles/dlp.user)
可检查和遮盖内容,以及对内容进行去标识化处理
|
- dlp.kms.*
- dlp.locations.*
- serviceusage.services.use
|
Cloud Domains 角色
| 角色 |
权限 |
|
Cloud Domains Admin
(roles/domains.admin)
拥有 Cloud 网域注册信息和相关资源的完整访问权限。
|
- domains.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Cloud Domains Viewer
(roles/domains.viewer)
拥有 Cloud 网域注册信息及相关资源的只读权限。
|
- domains.locations.*
- domains.operations.get
- domains.operations.list
- domains.registrations.get
- domains.registrations.getIamPolicy
- domains.registrations.list
- domains.registrations.listEffectiveTags
- domains.registrations.listTagBindings
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Filestore 角色
| Role |
Permissions |
|
Cloud Filestore Editor
Beta
(roles/file.editor)
Read-write access to Filestore instances and related resources.
|
|
|
Cloud Filestore Viewer
Beta
(roles/file.viewer)
Read-only access to Filestore instances and related resources.
|
- file.backups.get
- file.backups.list
- file.backups.listEffectiveTags
- file.backups.listTagBindings
- file.instances.get
- file.instances.list
- file.instances.listEffectiveTags
- file.instances.listTagBindings
- file.locations.*
- file.operations.get
- file.operations.list
- file.snapshots.listEffectiveTags
- file.snapshots.listTagBindings
|
Cloud Functions 角色
Cloud Game Services 角色
| 角色 |
权限 |
|
Game Services API Admin
(roles/gameservices.admin)
拥有对 Game Services API 及相关资源的完全访问权限。
|
- gameservices.*
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Game Services API Viewer
(roles/gameservices.viewer)
拥有对 Game Services API 及相关资源的只读权限。
|
- gameservices.gameServerClusters.get
- gameservices.gameServerClusters.list
- gameservices.gameServerConfigs.get
- gameservices.gameServerConfigs.list
- gameservices.gameServerDeployments.get
- gameservices.gameServerDeployments.list
- gameservices.locations.*
- gameservices.operations.get
- gameservices.operations.list
- gameservices.realms.get
- gameservices.realms.list
- resourcemanager.projects.get
- resourcemanager.projects.list
|
Cloud Healthcare 角色
| Role |
Permissions |
|
Healthcare Annotation Editor
(roles/healthcare.annotationEditor)
Create, delete, update, read and list annotations.
|
- healthcare.annotationStores.get
- healthcare.annotationStores.list
- healthcare.annotations.*
- healthcare.datasets.get
- healthcare.datasets.list
- healthcare.locations.*
- healthcare.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Healthcare Annotation Reader
(roles/healthcare.annotationReader)
Read and list annotations in an Annotation store.
|
- healthcare.annotationStores.get
- healthcare.annotationStores.list
- healthcare.annotations.get
- healthcare.annotations.list
- healthcare.datasets.get
- healthcare.datasets.list
- healthcare.locations.*
- healthcare.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)
Administer Annotation stores.
|
- healthcare.annotationStores.*
- healthcare.datasets.get
- healthcare.datasets.list
- healthcare.locations.*
- healthcare.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)
List Annotation Stores in a dataset.
|
- healthcare.annotationStores.get
- healthcare.annotationStores.list
- healthcare.datasets.get
- healthcare.datasets.list
- healthcare.locations.*
- healthcare.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)
Edit AttributeDefinition objects.
|
- healthcare.attributeDefinitions.*
- healthcare.consentStores.checkDataAccess
- healthcare.consentStores.evaluateUserConsents
- healthcare.consentStores.get
- healthcare.consentStores.list
- healthcare.consentStores.queryAccessibleData
- healthcare.datasets.get
- healthcare.datasets.list
- healthcare.locations.*
- healthcare.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
|
|
Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)
Read AttributeDefinition objects in a consent store.
|
- healthcare.attributeDefinitions.get
- healthcare.attributeDefinitions.list
- healthcare.consentStores.checkDataAccess
- healthcare.consentStores.evaluateUserConsents
- healthcare.consentStores.get
- healthcare.consentStores.list
- healthcare.consentStores.queryAccessibleData
- healthcare.datasets.get
- healthcare
|
