了解角色

一个角色包含一组权限，可让您对 Google Cloud 资源执行特定操作。如需向成员（包括用户、群组和服务帐号）提供权限，您可以向成员授予角色。

本页面介绍了您可以授予的 IAM 角色。

本指南的先决条件

了解 IAM 的基本概念

角色类型

IAM 中有三种类型的角色：

基本角色：包括在引入 IAM 之前已存在的 Owner、Editor 和 Viewer 角色。
预定义角色：针对特定服务提供精细访问权限，并由 Google Cloud 管理。
自定义角色：根据用户指定的权限列表提供精细访问权限。

要确定基本角色、预定义角色或自定义角色中是否包含某项权限，您可以使用以下方法之一：

运行 gcloud iam roles describe 命令可以列出角色中的权限。
调用 roles.get() REST API 方法可以列出角色中的权限。
仅适用于基本角色和预定义角色：搜索权限参考以查看该角色是否授予权限。
仅适用于预定义角色：在本页上搜索预定义角色说明以查看该角色包含的权限。

以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。

基本角色

在引入 IAM 之前已存在多个基本角色：Owner、Editor 和 Viewer。这些角色是嵌套的；也就是说，Owner 角色具有 Editor 角色的权限，而 Editor 角色又具有 Viewer 角色的权限。它们最初称为“原初角色”。

下表汇总了基本角色针对所有 Google Cloud 服务所具有的权限：

基本角色定义

名称	名称	权限
`roles/viewer`	Viewer	拥有执行不会影响状态的只读操作的权限，例如查看（但无法修改）现有资源或数据。
`roles/editor`	Editor	拥有所有查看权限，以及修改状态的操作（例如更改现有资源）的权限。注意：虽然 `roles/editor` 角色包含为大多数 Google Cloud 服务创建和删除资源的权限，但它不包含执行所有服务的所有操作的权限。要详细了解如何检查某项角色是否具有您所需的权限，请参阅上文。
`roles/owner`	Owner	拥有所有修改权限，此外还有权执行以下操作：管理项目和项目中所有资源的角色和权限。为项目设置结算。注意：在资源级层（如 Pub/Sub 主题）授予 Owner 角色并不会授予父级项目上的 Owner 角色。因此，在组织级层获授 Owner 角色后，您不能更新组织的元数据，不过您可以修改组织下的项目和其他资源。

您可以使用 Cloud Console、API 和 gcloud 工具在项目级或服务资源级应用基本角色。如需了解相关说明，请参阅授予、更改和撤消访问权限。

邀请流程

您无法使用 Identity and Access Management API 或 gcloud 命令行工具将 Owner 角色授予项目的成员。您只能使用 Cloud Console 将所有者添加到项目中。系统会通过电子邮件向该成员发送邀请，该成员必须接受邀请才能成为项目的所有者。

请注意，在以下情况下，系统不会发送邀请电子邮件：

您要授予除 Owner 以外的角色时。
组织成员将其组织的其他成员添加为该组织中某个项目的所有者。

如需了解如何使用 Cloud Console 授予角色，请参阅授予、更改和撤消访问权限。

预定义角色

除了基本角色之外，IAM 还提供其他预定义角色，这些角色可提供对特定 Google Cloud 资源的精细访问权限，同时阻止对其他资源的不必要的访问。这些角色由 Google 创建和维护。Google 会根据需要自动更新其权限，例如 Google Cloud 添加新功能或服务时。

下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色，或者在大多数情况下可以为该类型在 Google Cloud 层次结构中的任何上级类型授予特定角色。您可以为同一位用户授予多个角色。例如，同一位用户可以拥有项目上的 Network Admi 和 Log Viewer 角色，并且对该项目中的 Pub/Sub 主题具有 Publisher 角色。有关角色中包含的权限的列表，请参阅获取角色元数据。

Access Approval 角色

角色	名称	说明	权限
`roles/accessapproval.approver`	Access Approval Approver ^{Beta 版}	能够查看或操作访问权限审批请求以及查看配置	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Access Approval Config Editor ^测试版	可更新访问权限审批配置	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Access Approval Viewer ^测试版	可查看访问权限审批请求和配置	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager 角色

角色	名称	说明	权限
`roles/accesscontextmanager.gcpAccessAdmin`	Cloud Access Binding Admin	可以创建、修改和更改 Cloud 访问权限绑定。	accesscontextmanager.gcpUserAccessBindings.*
`roles/accesscontextmanager.gcpAccessReader`	Cloud Access Binding Reader	拥有对 Cloud 访问权限绑定的读取权限。	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
`roles/accesscontextmanager.policyAdmin`	Access Context Manager Admin	拥有对政策、访问权限级别和访问区域的完整访问权限	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Access Context Manager Editor	拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问区域。	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Access Context Manager Reader	拥有对政策、访问权限级别和访问区域的读取权限。	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	VPC Service Controls Troubleshooter Viewer		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions 角色

角色	名称	说明	权限	最低资源要求
`roles/actions.Admin`	Actions Admin	拥有修改和部署某项操作的权限	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/actions.Viewer`	Actions Viewer	拥有查看某项操作的权限	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Android Management 角色

角色	名称	说明	权限	最低资源要求
`roles/androidmanagement.user`	Android Management User	拥有管理设备的完整权限。	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

API Gateway 角色

角色	名称	说明	权限	最低资源要求
`roles/apigateway.admin`	ApiGateway Admin	拥有对 ApiGateway 及相关资源的完全访问权限。	apigateway.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigateway.viewer`	ApiGateway Viewer	拥有对 ApiGateway 及相关资源的只读权限。	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list resourcemanager.projects.get resourcemanager.projects.list

Apigee 角色

角色	名称	说明	权限
`roles/apigee.admin`	Apigee Organization Admin	拥有对所有 Apigee 资源功能的完全访问权限	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Apigee Analytics Agent	提供一组特选权限，可让 Apigee Universal Data Collection Agent 管理 Apigee 组织的分析数据	apigee.environments.getDataLocation
`roles/apigee.analyticsEditor`	Apigee Analytics Editor	可修改 Apigee 组织的分析数据	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Apigee Analytics Viewer	可查看 Apigee 组织的分析数据	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiAdmin`	Apigee API Admin	拥有对所有 Apigee API 资源的完整读写权限	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiReader`	Apigee API Reader	可以读取 apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.developerAdmin`	Apigee Developer Admin	可管理 Apigee 资源开发者	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.environmentAdmin`	Apigee Environment Admin	拥有对 Apigee 环境资源（包括部署）的完整读写权限。	apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.monetizationAdmin`	Apigee Monetization Admin	与获利相关的所有权限	apigee.apiproducts.get apigee.apiproducts.list apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.portalAdmin`	Apigee Portal Admin	可以管理 Apigee 组织的门户	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Apigee Read-only Admin	可查看所有 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerrappattributes.get apigee.developerrappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.runtimeAgent`	Apigee Runtime Agent	提供一组特选权限，可让运行时代理访问 Apigee 组织资源	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.*
`roles/apigee.synchronizerManager`	Apigee Synchronizer Manager	提供一组特选权限，可让 Synchronizer 管理 Apigee 组织中的环境	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
`roles/apigeeconnect.Admin`	Apigee Connect Admin	可以管理 Apigee Connect	apigeeconnect.connections.*
`roles/apigeeconnect.Agent`	Apigee Connect Agent	能够在外部集群和 Google 之间设置 Apigee Connect 代理。	apigeeconnect.endpoints.*

App Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/appengine.appAdmin`	App Engine Admin	拥有所有应用配置和设置的读取/写入/修改权限。如要部署新版本，您还必须在 App Engine 默认服务帐号具有 Service Account User (`roles/iam.serviceAccountUser`) 角色。如需使用 `gcloud` 工具进行部署，您必须在 App Engine 默认服务帐号上拥有 Compute Storage Admin (`roles/compute.storageAdmin`) 和 Cloud Build Editor (`roles/cloudbuild.builds.editor`) 角色。	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.appCreator`	App Engine Creator	能够为项目创建 App Engine 资源。	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.appViewer`	App Engine Viewer	拥有对所有应用配置和设置的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.codeViewer`	App Engine Code Viewer	拥有对所有应用配置、设置和已部署源代码的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.deployer`	App Engine Deployer	对所有应用配置和设置的只读权限。如要部署新版本，您还必须在 App Engine 默认服务帐号具有 Service Account User (`roles/iam.serviceAccountUser`) 角色。如需使用 `gcloud` 工具进行部署，您必须在 App Engine 默认服务帐号上拥有 Compute Storage Admin (`roles/compute.storageAdmin`) 和 Cloud Build Editor (`roles/cloudbuild.builds.editor`) 角色。无法修改现有版本，但可删除未收到流量的版本。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.serviceAdmin`	App Engine Service Admin	拥有所有应用配置和设置的只读权限。拥有模块级和版本级设置的写权限。无权部署新版本。	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目

Artifact Registry 角色

角色	名称	说明	权限
`roles/artifactregistry.admin`	Artifact Registry Administrator ^{Beta 版}	拥有可创建和管理代码库的管理员权限。	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader ^{Beta 版}	可以读取代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator ^{Beta 版}	拥有管理代码库中的工件的权限。	artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.*
`roles/artifactregistry.writer`	Artifact Registry Writer ^{Beta 版}	可以读取和写入代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list

Assured Workloads 角色

角色	名称	说明	权限
`roles/assuredworkloads.admin`	Assured Workloads Administrator	可授予对 Assured Workloads 资源的完全访问权限，包括管理 IAM 政策。	assuredworkloads.* orgpolicy.* resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.editor`	Assured Workloads Editor	可授予对 Assured Workloads 资源的读取和写入权限。	assuredworkloads.* orgpolicy.* resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.reader`	Assured Workloads Reader	可授予对所有 Assured Workloads 资源的读取权限。	assuredworkloads.operations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML 角色

角色	名称	说明	权限	最低资源要求
`roles/automl.admin`	AutoML Admin ^{Beta 版}	拥有所有 AutoML 资源的完整访问权限	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.editor`	AutoML Editor ^{Beta 版}	可修改所有 AutoML 资源	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.predictor`	AutoML Predictor ^{Beta 版}	可使用模型进行预测	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	模型
`roles/automl.viewer`	AutoML Viewer ^{Beta 版}	可查看所有 AutoML 资源	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型

BigQuery 角色

角色	名称	说明	权限	最低资源要求
`roles/bigquery.admin`	BigQuery Admin	提供管理项目中所有资源的权限。获授此角色的用户可以管理项目中的所有数据，也可以取消其他用户正在项目中运行的作业。	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery Data Editor	此角色在应用于表或视图时，可提供以下权限：读取和更新表或视图的数据和元数据。删除表或视图。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.dataOwner`	BigQuery Data Owner	此角色在应用于表或视图时，可提供以下权限：读取和更新表或视图的数据和元数据。共享表或视图。删除表或视图。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取、更新和删除数据集。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.dataViewer`	BigQuery Data Viewer	此角色在应用于表或视图时，可提供以下权限：从表或视图中读取数据和元数据。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。从数据集的表中读取数据和元数据。此角色在应用于项目或组织级层时，还可提供枚举项目中所有数据集的权限。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.jobUser`	BigQuery Job User	提供在项目中运行作业（包括查询）的权限。	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.metadataViewer`	BigQuery Metadata Viewer	此角色在应用于表或视图时，可提供以下权限：从表或视图中读取元数据。此角色无法应用于单个模型或例程。此角色在应用于数据集时，可提供以下权限：列出数据集中的表和视图。从数据集的表和视图中读取元数据。此角色在应用于项目或组织级层时，可提供以下权限：列出项目中的所有数据集，以及读取所有数据集的元数据。列出项目中的所有表和视图，以及读取所有表和视图的元数据。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	表或视图
`roles/bigquery.readSessionUser`	BigQuery Read Session User	拥有创建和使用读取会话的权限	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin	管理所有 BigQuery 资源。	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceEditor`	BigQuery Resource Editor	管理所有 BigQuery 资源，但不能做出购买决定。	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceViewer`	BigQuery Resource Viewer	可查看所有 BigQuery 资源，但不能执行更改或做出购买决定。	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery User	此角色应用于数据集时，让您可以读取数据集的元数据并列出数据集中的表。应用于项目时，此角色还提供在项目内运行作业（包括查询）的能力。具有此角色的成员可以枚举自己的作业、取消自己的作业，还可以枚举项目中的数据集。此外，具有此角色的用户还可以在项目中创建新数据集；对于这些新数据集，系统会为创建者授予 BigQuery Data Owner 角色 (`roles/bigquery.dataOwner`)。	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	数据集

Cloud Bigtable 角色

角色	名称	说明	权限	最低资源要求
`roles/bigtable.admin`	Bigtable Administrator	可管理项目中的所有实例（包括表中存储的数据），还可创建新实例。适用于项目管理员。	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	表
`roles/bigtable.reader`	Bigtable Reader	提供对表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析情景。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	表
`roles/bigtable.user`	Bigtable User	提供对表中所存储数据的读写权限。适用于应用开发者或服务帐号。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	表
`roles/bigtable.viewer`	Bigtable Viewer	不提供数据访问权限。仅提供通过 Cloud Console 访问 Cloud Bigtable 所需的一组最低权限。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	表

Billing 角色

角色	名称	说明	权限	最低资源要求
`roles/billing.admin`	Billing Account Administrator	提供查看和管理结算帐号所有方面的权限。	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	结算帐号
`roles/billing.costsManager`	Billing Account Costs Manager	可以查看和导出结算帐号的费用信息。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.*
`roles/billing.creator`	Billing Account Creator	提供创建结算帐号的权限。	billing.accounts.create resourcemanager.organizations.get	组织
`roles/billing.projectManager`	Project Billing Manager	提供为项目分配结算帐号或停用项目结算功能的权限。	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	项目
`roles/billing.user`	Billing Account User	提供将项目与结算帐号相关联的权限。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	结算帐号
`roles/billing.viewer`	Billing Account Viewer	查看结算帐号费用信息和交易。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list	结算帐号

Binary Authorization 角色

角色	名称	说明	权限
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin	Binary Authorization 证明者管理员	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor	可修改 Binary Authorization 证明者	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier	可调用 Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer	可以查看 Binary Authorization 证明者	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.continuousValidationConfigAdmin`	Binary Authorization ContinuousValidationConfig Administrator ^{Beta 版}	可以管理 Binary Authorization ContinuousValidationConfig	binaryauthorization.continuousValidationConfig.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.continuousValidationConfigEditor`	Binary Authorization ContinuousValidationConfig Editor ^{Beta 版}	可以修改 Binary Authorization ContinuousValidationConfig	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.continuousValidationConfigViewer`	Binary Authorization ContinuousValidationConfig Viewer ^{Beta 版}	可以查看 Binary Authorization ContinuousValidationConfig	binaryauthorization.continuousValidationConfig.get resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator	Binary Authorization 政策管理员	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor	可修改 Binary Authorization 政策	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer	可查看 Binary Authorization 政策	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat 角色

角色	名称	说明	权限	最低资源要求
`roles/chat.owner`	Chat Bots Owner	可以查看和修改机器人配置	chat.*
`roles/chat.reader`	Chat Bots Viewer	可以查看机器人配置	chat.bots.get

Cloud Asset 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudasset.owner`	Cloud Asset Owner	拥有云资源元数据的完整访问权限	cloudasset.* recommender.locations.*
`roles/cloudasset.viewer`	Cloud Asset Viewer	拥有云资源元数据的只读权限	cloudasset.assets.* recommender.locations.*

Cloud Build 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudbuild.builds.builder`	Cloud Build Service Account	提供执行构建的权限。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Cloud Build Editor	提供创建和取消构建作业的权限。	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudbuild.builds.viewer`	Cloud Build Viewer	提供查看构建作业的权限。	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Data Fusion 角色

角色	名称	说明	权限	最低资源要求
`roles/datafusion.admin`	Cloud Data Fusion Admin ^{Beta 版}	提供对 Cloud Data Fusion 实例和相关资源的完整访问权限。	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datafusion.runner`	Cloud Data Fusion Runner ^{Beta 版}	提供对 Cloud Data Fusion 运行时资源的访问权限。	datafusion.instances.runtime
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^{Beta 版}	提供对 Cloud Data Fusion 实例及相关资源的只读权限。	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.namespaces.execute datafusion.namespaces.get datafusion.namespaces.getIamPolicy datafusion.namespaces.list datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Debugger 角色

角色	名称	说明	权限	最低资源要求
`roles/clouddebugger.agent`	Cloud Debugger Agent ^{Beta 版}	提供注册调试目标、读取活跃断点和报告断点结果的权限。	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	服务帐号
`roles/clouddebugger.user`	Cloud Debugger User ^{Beta 版}	提供创建、查看、列出和删除断点（快照和日志点）以及列出调试目标（调试对象）的权限。	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	项目

Cloud DocumentAI 角色

角色	名称	说明	权限
`roles/documentai.admin`	Cloud DocumentAI Administrator。 ^{Beta 版}	授予对 Cloud Document AI 中所有资源的完整访问权限	documentai.* resourcemanager.projects.get resourcemanager.projects.list
`roles/documentai.apiUser`	Cloud DocumentAI API User ^{Beta 版}	授予处理 Cloud Document AI 中文档的权限	documentai.humanReviewConfigs.review documentai.operations.* documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.processBatch documentai.processors.processOnline
`roles/documentai.editor`	Cloud DocumentAI Editor ^{Beta 版}	授予使用 Cloud DocumentAI 中所有资源的权限	documentai.* resourcemanager.projects.get resourcemanager.projects.list
`roles/documentai.viewer`	Cloud DocumentAI Viewer ^{Beta 版}	授予查看 Cloud DocumentAI 中所有资源和处理其中的文档的权限	documentai.evaluations.get documentai.evaluations.list documentai.humanReviewConfigs.get documentai.humanReviewConfigs.review documentai.labelerPools.get documentai.labelerPools.list documentai.locations.* documentai.operations.* documentai.processorTypes.* documentai.processorVersions.get documentai.processorVersions.list documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.fetchHumanReviewDetails documentai.processors.get documentai.processors.list documentai.processors.processBatch documentai.processors.processOnline resourcemanager.projects.get resourcemanager.projects.list

Cloud Functions 角色

角色	名称	说明	权限
`roles/cloudfunctions.admin`	Cloud Functions Admin	拥有对函数、运算和位置的完整访问权限。	cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Cloud Functions Developer	拥有对所有函数相关资源的读写权限。	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Cloud Functions Invoker	可使用受限的访问权限调用 HTTP 函数。	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Cloud Functions Viewer	拥有对函数和位置的只读权限。	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP 角色

角色	名称	说明	权限	最低资源要求
`roles/iap.admin`	IAP Policy Admin	提供对 Identity-Aware Proxy 资源的完整访问权限。	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	项目
`roles/iap.httpsResourceAccessor`	IAP-secured Web App User	提供对使用 Identity-Aware Proxy 的 HTTPS 资源的访问权限。	iap.webServiceVersions.accessViaIAP	项目
`roles/iap.settingsAdmin`	IAP Settings Admin	IAP 设置管理员。	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	IAP-secured Tunnel User	可访问使用 Identity-Aware Proxy 的隧道资源	iap.tunnelInstances.accessViaIAP

Cloud IoT 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudiot.admin`	Cloud IoT Admin	拥有对所有 Cloud IoT 资源和权限的完全控制权。	cloudiot.* cloudiottoken.*	设备
`roles/cloudiot.deviceController`	Cloud IoT Device Controller	有权更新设备配置，但无权创建或删除设备。	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.editor`	Cloud IoT Editor	拥有对所有 Cloud IoT 资源的读写权限。	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	设备
`roles/cloudiot.provisioner`	Cloud IoT Provisioner	拥有在注册表中创建和删除设备的权限，但无权修改注册表，并且允许设备发布到与 IoT 注册表相关联的主题。	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.viewer`	Cloud IoT Viewer	拥有对所有 Cloud IoT 资源的只读权限。	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备

Cloud Talent Solution 角色

角色	名称	说明	权限
`roles/cloudjobdiscovery.admin`	Admin	拥有 Cloud Talent Solution 自助式工具的访问权限。	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsEditor`	Job Editor	拥有 Cloud Talent Solution 中所有作业数据的写入权限。	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsViewer`	Job Viewer	拥有 Cloud Talent Solution 中所有作业数据的读取权限。	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesEditor`	Profile Editor	拥有 Cloud Talent Solution 中所有个人资料数据的写入权限。	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesViewer`	Profile Viewer	拥有 Cloud Talent Solution 中所有个人资料数据的读取权限。	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudkms.admin`	Cloud KMS Admin	提供 Cloud KMS 资源的完整访问权限，但不提供执行加密和解密操作的权限。	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyDecrypter`	Cloud KMS CryptoKey Decrypter	仅提供使用 Cloud KMS 资源执行解密操作的权限。	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypter`	Cloud KMS CryptoKey Encrypter	仅提供使用 Cloud KMS 资源执行加密操作的权限。	cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS CryptoKey Encrypter/Decrypter	仅提供使用 Cloud KMS 资源执行加密和解密操作的权限。	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.importer`	Cloud KMS Importer	可启用 ImportCryptoKeyVersion、CreateImportJob、ListImportJobs 和 GetImportJob 操作	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport cloudkms.locations.* resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer	可启用 GetPublicKey 操作	cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.* resourcemanager.projects.get
`roles/cloudkms.signer`	Cloud KMS CryptoKey Signer	可以启用 Sign 操作	cloudkms.cryptoKeyVersions.useToSign cloudkms.locations.* resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier	可以启用 Sign、Verify 和 GetPublicKey 操作	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.* resourcemanager.projects.get

Cloud Marketplace 角色

角色	名称	说明	权限
`roles/commerceoffercatalog.offersViewer`	Commerce Offers Catalogs Viewer ^{Alpha 版}	允许查看优惠	commerceoffercatalog.*
`roles/commercepricemanagement.privateOffersAdmin`	Commerce Price Management Private Offers Admin ^{Alpha 版}	允许管理非公开优惠	commerceprice.* resourcemanager.projects.get resourcemanager.projects.list
`roles/commercepricemanagement.viewer`	Commerce Price Management Viewer ^{Alpha 版}	允许查看优惠、免费试用、SKU	commerceprice.privateoffers.get commerceprice.privateoffers.list resourcemanager.projects.get resourcemanager.projects.list
`roles/consumerprocurement.entitlementManager`	Consumer Procurement Entitlement Manager ^{Beta 版}	允许管理使用方项目的授权，启用、停用使用方项目以及检查其服务状态。	consumerprocurement.entitlements.* consumerprocurement.freeTrials.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.entitlementViewer`	Consumer Procurement Entitlement Viewer ^{Beta 版}	允许检查使用方项目的授权和服务状态。	consumerprocurement.entitlements.* consumerprocurement.freeTrials.get consumerprocurement.freeTrials.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.orderAdmin`	Consumer Procurement Order Administrator ^{Beta 版}	允许管理购买交易。	commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orders.*
`roles/consumerprocurement.orderViewer`	Consumer Procurement Order Viewer ^{Beta 版}	允许检查购买交易。	commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list

Cloud Migration 角色

角色	名称	说明	权限
`roles/cloudmigration.inframanager`	Velostrata Manager ^{Beta 版}	可创建和管理 Compute 虚拟机以运行 Velostrata 基础架构	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/cloudmigration.storageaccess`	Velostrata Storage Access ^{Beta 版}	可访问迁移存储空间	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^{Beta 版}	可在 Velostrata Manager 与 Google 之间设置连接	cloudmigration.* gkehub.endpoints.*
`roles/vmmigration.admin`	VM Migration Administrator ^{Beta 版}	可查看和修改所有 VM Migration 对象	vmmigration.*
`roles/vmmigration.viewer`	VM Migration Viewer ^{Beta 版}	可查看所有 VM Migration 对象	vmmigration.deployments.get vmmigration.deployments.list

Cloud Private Catalog 角色

角色	名称	说明	权限
`roles/cloudprivatecatalog.consumer`	Catalog Consumer ^{Beta 版}	可以在目标资源上下文中浏览目录。	cloudprivatecatalog.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudprivatecatalogproducer.admin`	Catalog Admin ^{Beta 版}	可以管理目录并查看其关联情况。	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.* cloudprivatecatalogproducer.producerCatalogs.* cloudprivatecatalogproducer.products.* cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudprivatecatalogproducer.manager`	Catalog Manager ^{Beta 版}	可以管理目录和目标资源之间的关联。	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.producerCatalogs.get cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudprivatecatalogproducer.orgAdmin`	Catalog Org Admin ^{Beta 版}	可以管理目录组织设置。	cloudprivatecatalog.* cloudprivatecatalogproducer.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Cloud Profiler 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudprofiler.agent`	Cloud Profiler Agent	Cloud Profiler 代理可以注册和提供性能剖析数据。	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/cloudprofiler.user`	Cloud Profiler User	Cloud Profiler 用户可以查询和查看性能剖析数据。	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler 角色

角色名称说明权限最低资源要求

角色	名称	说明	权限
`roles/cloudscheduler.admin`	Cloud Scheduler Admin	拥有对作业和作业执行的完全访问权限。请注意，Cloud Scheduler Admin（或具有 cloudschedulers.job.create 权限的任何自定义角色）可以创建发布到项目中任何 Pub/Sub 主题的作业。	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.jobRunner`	Cloud Scheduler Job Runner	拥有运行作业的权限。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.viewer`	Cloud Scheduler Viewer	拥有获取和列出作业、作业执行和位置的权限。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

roles/cloudscheduler.admin

Cloud Scheduler Admin

拥有对作业和作业执行的完全访问权限。

请注意，Cloud Scheduler Admin（或具有 cloudschedulers.job.create 权限的任何自定义角色）可以创建发布到项目中任何 Pub/Sub 主题的作业。

appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

roles/cloudscheduler.jobRunner

Cloud Scheduler Job Runner

拥有运行作业的权限。

appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

roles/cloudscheduler.viewer

Cloud Scheduler Viewer

拥有获取和列出作业、作业执行和位置的权限。

appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Cloud Security Scanner 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	拥有所有 Web Security Scanner 资源的完整访问权限	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	拥有 Scan 和 ScanRun 的读取权限以及启动扫描的权限	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	项目
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	拥有所有 Web Security Scanner 资源的读取权限	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud 服务角色

角色	名称	说明	权限	最低资源要求
`roles/servicebroker.admin`	Service Broker Admin	拥有对 ServiceBroker 资源的完整访问权限。	servicebroker.*
`roles/servicebroker.operator`	Service Broker Operator	拥有对 ServiceBroker 资源的操作权限。	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsql.admin`	Cloud SQL Admin	提供 Cloud SQL 资源的完全控制权。	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.client`	Cloud SQL Client	提供 Cloud SQL 实例的连接权限。	cloudsql.instances.connect cloudsql.instances.get	项目
`roles/cloudsql.editor`	Cloud SQL Editor	提供现有 Cloud SQL 实例的完全控制权，但不能修改用户、SSL 证书或删除资源。	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.instanceUser`	Cloud SQL Instance User	此角色可访问 Cloud SQL 实例	cloudsql.instances.get cloudsql.instances.login
`roles/cloudsql.viewer`	Cloud SQL Viewer	提供 Cloud SQL 资源的只读权限。	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud Tasks 角色

角色	名称	说明	权限
`roles/cloudtasks.admin`	Cloud Tasks Admin ^{Beta 版}	拥有对队列和任务的完整访问权限。	cloudtasks.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^{Beta 版}	有权创建任务。	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^{Beta 版}	拥有对队列的管理员权限。	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^{Beta 版}	有权删除任务。	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskRunner`	Cloud Tasks Task Runner ^{Beta 版}	拥有运行任务的权限。	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.viewer`	Cloud Tasks Viewer ^{Beta 版}	拥有获取和列出任务、队列和位置的权限。	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudtrace.admin`	Cloud Trace Admin	提供 Trace 控制台的完整访问权限以及跟踪记录的读写权限。	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudtrace.agent`	Cloud Trace Agent	适用于服务帐号。提供通过将数据发送到 Stackdriver Trace 来写入跟踪记录的权限。	cloudtrace.traces.patch	项目
`roles/cloudtrace.user`	Cloud Trace User	提供 Trace 控制台的完整访问权限以及跟踪记录的读取权限。	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Translation 角色

角色	名称	说明	权限
`roles/cloudtranslate.admin`	Cloud Translation API Admin	拥有所有 Cloud Translation 资源的完整访问权限	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.editor`	Cloud Translation API Editor	所有 Cloud Translation 资源的编辑者	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.user`	Cloud Translation API User	Cloud Translation 和 AutoML 模型用户	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.viewer`	Cloud Translation API Viewer	所有 Translation 资源查看者	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Workflows 角色

角色	名称	说明	权限
`roles/workflows.admin`	Workflows Admin ^{Beta 版}	拥有对工作流及相关资源的完全访问权限。	resourcemanager.projects.get resourcemanager.projects.list workflows.*
`roles/workflows.editor`	Workflows Editor ^{Beta 版}	拥有对工作流及相关资源的读写权限。	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.* workflows.locations.* workflows.operations.* workflows.workflows.create workflows.workflows.delete workflows.workflows.get workflows.workflows.getIamPolicy workflows.workflows.list workflows.workflows.update
`roles/workflows.invoker`	Workflows Invoker ^{Beta 版}	拥有执行工作流及管理执行任务的权限。	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.*
`roles/workflows.viewer`	Workflows Viewer ^{Beta 版}	拥有对工作流及相关资源的只读权限。	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.get workflows.executions.list workflows.locations.* workflows.operations.get workflows.operations.list workflows.workflows.get workflows.workflows.getIamPolicy workflows.workflows.list

Codelab API Keys 角色

角色	名称	说明	权限
`roles/codelabapikeys.admin`	Codelab ApiKeys Admin ^{Beta 版}	拥有对 API 密钥的完全访问权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.editor`	Codelab API Keys Editor ^测试版	此角色可查看和修改 API 密钥的所有属性。	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.viewer`	Codelab API Keys Viewer ^测试版	此角色可查看 API 密钥更改历史记录以外的所有属性。	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer 角色

角色	名称	说明	权限	最低资源要求
`roles/composer.admin`	Composer Administrator	提供对 Cloud Composer 资源的完全控制权。	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.environmentAndStorageObjectAdmin`	Environment and Storage Object Administrator	提供对 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	项目
`roles/composer.environmentAndStorageObjectViewer`	Environment User and Storage Object Viewer	提供列出及获取 Cloud Composer 环境和操作所需的权限。以及对所有项目存储分区中对象的只读权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	项目
`roles/composer.sharedVpcAgent`	Composer Shared VPC Agent	应分配给共享 VPC 宿主项目中的 Composer Agent 服务帐号的角色	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
`roles/composer.user`	Composer User	提供列出及获取 Cloud Composer 环境和操作所需的权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.worker`	Composer Worker	提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。	artifactregistry.* cloudbuild.* container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	项目

Compute Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/compute.admin`	Compute Admin	拥有对所有 Compute Engine 资源的完整控制权。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^{Beta 版}
`roles/compute.imageUser`	Compute Image User	可在不具备其他映像权限的情况下列出和读取映像。在项目级层授予此角色后，获授此角色的用户可以列出项目中的所有映像，并根据项目中的映像创建实例和永久性磁盘等资源。	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	映像^{Beta 版}
`roles/compute.instanceAdmin`	Compute Instance Admin（Beta 版）	拥有创建、修改和删除虚拟机实例的权限。这包括创建、修改和删除磁盘的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。例如，如果贵公司的某位员工负责管理多组虚拟机实例，但不负责管理网络或安全设置，也不负责管理以服务帐号身份运行的实例，则您可以在这些实例所属的组织、文件夹或项目级层授予此角色，也可以在个别实例级层授予此角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、快照^{Beta 版}
`roles/compute.instanceAdmin.v1`	Compute Instance Admin (v1)	拥有对 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权，拥有所有 Compute Engine 网络资源的读取权限。如果仅在实例级层向用户授予此角色，则该用户无法创建新实例。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.loadBalancerAdmin`	Compute Load Balancer Admin ^{Beta 版}	拥有创建、修改和删除负载平衡器及相关资源的权限。例如，如果您公司的负载平衡团队负责管理负载平衡器、负载平衡器的 SSL 证书、SSL 政策和其他负载平衡资源，而另一个网络团队负责管理其余网络资源，则向负载平衡团队群组授予此角色。	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.instances.useReadOnly compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.networkAdmin`	Compute Network Admin	拥有创建、修改和删除网络资源（不包括防火墙规则和 SSL 证书）的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例（以查看其临时 IP 地址），但无法让用户创建、启动、停止或删除实例。例如，如果您公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，则向网络团队群组授予此角色。	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.instances.useReadOnly compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*	实例^测试版
`roles/compute.networkUser`	Compute Network User	提供对共享 VPC 网络的访问权限获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如，网络用户可以创建属于宿主项目网络的虚拟机实例，但不能在宿主项目中删除网络或者创建新网络。	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.use networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.use networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.use networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.use networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/compute.networkViewer`	Compute Network Viewer	提供所有网络资源的只读权限例如，如果您有用于检查网络配置的软件，则可以向该软件的服务帐号授予此角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*	实例^测试版
`roles/compute.orgFirewallPolicyAdmin`	Compute Organization Firewall Policy Admin	拥有对 Compute Engine 组织防火墙政策的完全控制权。	compute.firewallPolicies.cloneRules compute.firewallPolicies.create compute.firewallPolicies.delete compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.move compute.firewallPolicies.setIamPolicy compute.firewallPolicies.update compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgFirewallPolicyUser`	Compute Organization Firewall Policy User	可以查看或使用 Compute Engine 防火墙政策，以便与组织或文件夹相关联。	compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyAdmin`	Compute Organization Security Policy Admin	拥有对 Compute Engine 组织安全政策的完整控制权。	compute.firewallPolicies.* compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyUser`	Compute Organization Security Policy User	可以查看或使用 Compute Engine 安全政策，以便与组织或文件夹相关联。	compute.firewallPolicies.addAssociation compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.removeAssociation compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.addAssociation compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.removeAssociation compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityResourceAdmin`	Compute Organization Resource Admin	拥有与组织或文件夹关联的 Compute Engine 防火墙政策的完全控制权。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.organizations.listAssociations compute.organizations.setFirewallPolicy compute.organizations.setSecurityPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.osAdminLogin`	Compute OS Admin Login	拥有以管理员用户身份登录 Compute Engine 实例的权限。	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.osLogin`	Compute OS Login	拥有以标准用户身份登录 Compute Engine 实例的权限。	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.osLoginExternalUser`	Compute OS Login External User	此角色仅在组织级层提供。此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限，但不授予对实例的访问权限。外部用户必须获授一个必要的 OS Login 角色才能使用 SSH 访问实例。	compute.oslogin.*	组织
`roles/compute.packetMirroringAdmin`	Compute Packet Mirroring Admin	指定要生成镜像的资源。	compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.packetMirroringUser`	Compute Packet Mirroring User	可使用 Compute Engine 数据包镜像。	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.publicIpAdmin`	Compute Public IP Admin ^{Beta 版}	拥有对 Compute Engine 公共 IP 地址管理的完整控制权。	compute.addresses.* compute.globalAddresses.* compute.globalPublicDelegatedPrefixes.* compute.publicAdvertisedPrefixes.* compute.publicDelegatedPrefixes.* resourcemanager.projects.get resourcemanager.projects.list
`roles/compute.securityAdmin`	Compute Security Admin	拥有创建、修改和删除防火墙规则和 SSL 证书的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。例如，如果您的公司拥有一个负责管理防火墙和 SSL 证书的安全团队和一个负责管理其余网络资源的网络团队，则向安全团队群组授予此角色。	compute.firewallPolicies.* compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.getEffectiveFirewalls compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.* compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^{Beta 版}
`roles/compute.storageAdmin`	Compute Storage Admin	拥有创建、修改和删除磁盘、映像及快照的权限。例如，如果您公司的某位员工负责管理项目映像，但您不希望该员工拥有项目的 Editor 角色，则向其帐号授予项目的此角色。	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、快照^{Beta 版}
`roles/compute.viewer`	Compute Viewer	拥有以只读方式获取和列出 Compute Engine 资源的权限，但无权读取这些资源中存储的数据。例如，获授此角色的帐号可以清点项目中的所有磁盘，但无法读取这些磁盘上的任何数据。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^{Beta 版}
`roles/compute.xpnAdmin`	Compute Shared VPC Admin	拥有管理共享 VPC 宿主项目的权限，具体来说，就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。在组织层级，此角色只能由组织管理员授予。 Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 Compute Network User 角色 (`roles/compute.networkUser`)，共享 VPC 宿主项目的 Owner 则控制项目本身。如果单个主体（个人或群组）可以同时担任这两个角色，则项目管理会变得更加容易。	compute.globalOperations.get compute.globalOperations.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	文件夹
`roles/osconfig.guestPolicyAdmin`	GuestPolicy Admin ^{Beta 版}	拥有对 GuestPolicy 的完整管理员权限	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyEditor`	GuestPolicy Editor ^{Beta 版}	可以修改 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyViewer`	GuestPolicy Viewer ^{Beta 版}	可以查看 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentAdmin`	PatchDeployment Admin	拥有对 PatchDeployment 的完整管理员权限	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentViewer`	PatchDeployment Viewer	可以查看 PatchDeployment 资源	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobExecutor`	Patch Job Executor	有权执行修补作业。	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobViewer`	Patch Job Viewer	获取并列出修补作业。	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/container.admin`	Kubernetes Engine Admin	提供对集群及其 Kubernetes API 对象的完整管理权限。如需在节点上设置服务帐号，您还必须在 Compute Engine 默认服务帐号上拥有 Service Account User 角色 (`roles/iam.serviceAccountUser`)。	container.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterAdmin`	Kubernetes Engine Cluster Admin	提供管理集群的权限。如需在节点上设置服务帐号，您还必须在 Compute Engine 默认服务帐号上拥有 Service Account User 角色 (`roles/iam.serviceAccountUser`)。	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterViewer`	Kubernetes Engine Cluster Viewer	拥有获取和列出 GKE 集群的权限。	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/container.developer`	Kubernetes Engine Developer	提供对集群内 Kubernetes API 对象的访问权限。	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* container.updateInfos.* container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.hostServiceAgentUser`	Kubernetes Engine Host Service Agent User	允许宿主项目中的 Kubernetes Engine 服务帐号为集群管理配置共享网络资源。另外，还授予检查宿主项目中的防火墙规则的权限。	compute.firewalls.get container.hostServiceAgent.* dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone
`roles/container.viewer`	Kubernetes Engine Viewer	提供对 GKE 资源的只读权限。	container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list resourcemanager.projects.get resourcemanager.projects.list	项目

Container Analysis 角色

角色	名称	说明	权限
`roles/containeranalysis.admin`	Container Analysis Admin	拥有对所有 Container Analysis 资源的访问权限。	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.notes.update containeranalysis.occurrences.* resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.attacher`	Container Analysis Notes Attacher	可以将 Container Analysis 发生实例附加到备注。	containeranalysis.notes.attachOccurrence containeranalysis.notes.get
`roles/containeranalysis.notes.editor`	Container Analysis Notes Editor	可以修改 Container Analysis 备注。	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.occurrences.viewer`	Container Analysis Occurrences for Notes Viewer		containeranalysis.notes.get containeranalysis.notes.listOccurrences
`roles/containeranalysis.notes.viewer`	Container Analysis Notes Viewer	可以查看 Container Analysis 备注。	containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor	可以修改 Container Analysis 发生实例。	containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer	可以查看 Container Analysis 发生实例。	containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list

Data Catalog 角色

角色	名称	说明	权限
`roles/datacatalog.admin`	Data Catalog Admin	拥有对所有 DataCatalog 资源的完整访问权限	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryAdmin`	Policy Tag Admin ^{Beta 版}	可管理分类	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryFineGrainedReader`	Fine-Grained Reader ^{Beta 版}	拥有对包含特定政策标记的子资源（例如 BigQuery 列）的读取权限	datacatalog.categories.fineGrainedGet
`roles/datacatalog.entryGroupCreator`	DataCatalog EntryGroup Creator	可以新建 entryGroup	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryGroupOwner`	DataCatalog entryGroup Owner	拥有对 entryGroup 的完全访问权限	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryOwner`	DataCatalog entry Owner	拥有对条目的完全访问权限	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryViewer`	DataCatalog Entry Viewer	拥有对条目的读取权限	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagEditor`	Data Catalog Tag Editor	提供修改用于 BigQuery 和 Pub/Sub 的 Google Cloud 资产标记的权限	bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
`roles/datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator	可以创建新的标记模板	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner	拥有对标记模板的完全访问权限	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateUser`	Data Catalog TagTemplate User	可以使用模板标记资源	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer	拥有对模板和使用模板创建的标记的读取权限	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.viewer`	Data Catalog Viewer	提供对用于 BigQuery 和 Pub/Sub 且已编入目录的 Google Cloud 资产的元数据读取权限	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dataflow.admin`	Dataflow Admin	创建和管理 Dataflow 作业需要的最低权限角色。	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/dataflow.developer`	Dataflow Developer	提供执行和操作 Dataflow 作业所需的权限。	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.viewer`	Dataflow Viewer	提供对所有 Dataflow 相关资源的只读权限。	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.worker`	Dataflow Worker	提供让 Compute Engine 服务帐号执行 Cloud Dataflow 流水线工作单元所需的权限。	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	项目

Cloud Data Labeling 角色

角色	名称	说明	权限
`roles/datalabeling.admin`	DataLabeling Service Admin ^{Beta 版}	拥有所有 DataLabeling 资源的完整访问权限	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	DataLabeling Service Editor ^测试版	可修改所有 DataLabeling 资源	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	DataLabeling Service Viewer ^测试版	可查看所有 DataLabeling 资源	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Data Migration 角色

角色	名称	说明	权限	最低资源要求
`roles/datamigration.admin`	Database Migration Admin	拥有对 Database Migration 的所有资源的完整访问权限。	datamigration.* resourcemanager.projects.get resourcemanager.projects.list

Dataprep 角色

角色	名称	说明	权限	最低资源要求
`roles/dataprep.projects.user`	Dataprep User^{Beta 版}	可以使用 Dataprep。	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc 角色

角色	名称	说明	权限	最低资源要求
`roles/dataproc.admin`	Dataproc Administrator	拥有对 Dataproc 资源的完全控制权。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataproc.editor`	Dataproc Editor	提供查看管理 Dataproc 所需资源（包括机器类型、网络、项目和区域）而应具备的权限。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.hubAgent`	Dataproc Hub Agent	可对 Dataproc 资源进行管理。适用于运行 Dataproc Hub 实例的服务帐号。	compute.instances.get compute.instances.setMetadata compute.instances.setTags compute.zoneOperations.get compute.zones.list dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.create logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.get storage.objects.list
`roles/dataproc.viewer`	Dataproc Viewer	提供对 Dataproc 资源的只读权限。	compute.machineTypes.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.worker`	Dataproc Worker	提供对 Dataproc 资源的处理权限。适用于服务帐号。	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore 角色

角色	名称	说明	权限	最低资源要求
`roles/datastore.importExportAdmin`	Cloud Datastore Import Export Admin	提供对导入和导出作业的完整管理权限。	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.indexAdmin`	Cloud Datastore Index Admin	提供对索引定义的完整访问权限。	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.owner`	Cloud Datastore Owner	提供对 Datastore 资源的完整访问权限。	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.user`	Cloud Datastore User	提供对 Cloud Datastore 数据库中数据的读写权限。	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.viewer`	Cloud Datastore Viewer	提供对 Cloud Datastore 资源的读取权限。	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目

Deployment Manager 角色

角色	名称	说明	权限	最低资源要求
`roles/deploymentmanager.editor`	Deployment Manager Editor	提供创建和管理部署所需的权限。	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/deploymentmanager.typeEditor`	Deployment Manager Type Editor	提供对所有类型注册表资源的读写权限。	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.typeViewer`	Deployment Manager Type Viewer	提供对所有类型注册表资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.viewer`	Deployment Manager Viewer	提供对所有 Deployment Manager 相关资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Dialogflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dialogflow.admin`	Dialogflow API Admin	向需要对 Dialogflow 特定资源完整访问权限的 Dialogflow API 管理员授予权限。另请参阅 Dialogflow 访问权限控制。	dialogflow.* resourcemanager.projects.get	项目
`roles/dialogflow.client`	Dialogflow API Client	授予使用执行 Dialogflow 特定修改并使用 Dialogflow API 检测意图调用的 Dialogflow API 客户端。另请参阅 Dialogflow 访问权限控制。	dialogflow.contexts.* dialogflow.conversations.* dialogflow.messages.* dialogflow.participants.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	项目
`roles/dialogflow.consoleAgentEditor`	Dialogflow Console Agent Editor	授予修改现有代理的 Dialogflow 控制台编辑者。另请参阅 Dialogflow 访问权限控制。	actions.agentVersions.create dialogflow.* resourcemanager.projects.get	项目
`roles/dialogflow.consoleSimulatorUser`	Dialogflow Console Simulator User ^Alpha	可以在 Web 控制台的模拟器中查询 Dialogflow 建议。	dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.participants.* dialogflow.sessions.detectIntent resourcemanager.projects.get resourcemanager.projects.list
`roles/dialogflow.consoleSmartMessagingAllowlistEditor`	Dialogflow Console Smart Messaging Allowlist Editor ^Alpha	可以在 Agent Assist 控制台中修改与对话模型关联的智能即时通讯的许可名单	dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.documents.get dialogflow.documents.list dialogflow.operations.* dialogflow.smartMessagingEntries.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dialogflow.conversationManager`	Dialogflow Conversation Manager	可以管理与 Dialogflow 对话相关的所有资源。	dialogflow.conversationProfiles.* dialogflow.conversations.* dialogflow.participants.*
`roles/dialogflow.integrationManager`	Dialogflow Integration Manager	可以添加、移除、启用和停用 Dialogflow 集成。
`roles/dialogflow.reader`	Dialogflow API Reader	授予使用 Dialogflow API 执行 Dialogflow 特定只读调用的 Dialogflow API 客户端。另请参阅 Dialogflow 访问权限控制。	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get	项目

Cloud DLP 角色

角色	名称	说明	权限
`roles/dlp.admin`	DLP Administrator	可管理 DLP，包括作业和模板。	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	可修改 DLP 分析风险模板。	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	可读取 DLP 分析风险模板。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	可修改 DLP 去标识化模板。	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	可读取 DLP 去标识化模板。	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.inspectFindingsReader`	DLP Inspect Findings Reader	可读取 DLP 存储的发现结果。	dlp.inspectFindings.*
`roles/dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	可修改 DLP 检查模板。	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	可读取 DLP 检查模板。	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP Job Triggers Editor	可修改作业触发器配置。	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP Job Triggers Reader	可读取作业触发器。	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP Jobs Editor	可修改和创建作业	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP Jobs Reader	可读取作业	dlp.jobs.get dlp.jobs.list
`roles/dlp.reader`	DLP Reader	可读取作业和模板等 DLP 实体。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	可修改 DLP 存储的信息类型。	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	可读取 DLP 存储的信息类型。	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.user`	DLP User	可检查和遮盖内容，以及对内容进行去标识化处理	dlp.kms.* serviceusage.services.use

DNS 角色

角色	名称	说明	权限	最低资源要求
`roles/dns.admin`	DNS Administrator	提供对所有 Cloud DNS 资源的读写权限。	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dns.peer`	DNS Peer	可通过 DNS 对等互连地区访问目标网络	dns.networks.targetWithPeeringZone
`roles/dns.reader`	DNS Reader	提供对所有 Cloud DNS 资源的只读权限。	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Domains 角色

角色	名称	说明	权限	最低资源要求
`roles/domains.admin`	Cloud Domains Admin ^{Beta 版}	拥有 Cloud 网域注册信息和相关资源的完整访问权限。	domains.* resourcemanager.projects.get resourcemanager.projects.list
`roles/domains.viewer`	Cloud Domains Viewer ^{Beta 版}	拥有 Cloud 网域注册信息及相关资源的只读权限。	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list resourcemanager.projects.get resourcemanager.projects.list

Earth Engine 角色

角色	名称	说明	权限
`roles/earthengine.admin`	Earth Engine Resource Admin ^{Beta 版}	拥有对所有 Earth Engine 资源功能的完全访问权限	earthengine.* resourcemanager.projects.get resourcemanager.projects.list
`roles/earthengine.viewer`	Earth Engine Resource Viewer ^{Beta 版}	所有 Earth Engine 资源的查看者	earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.computations.* earthengine.filmstripthumbnails.get earthengine.maps.get earthengine.operations.get earthengine.operations.list earthengine.tables.get earthengine.thumbnails.get earthengine.videothumbnails.get resourcemanager.projects.get resourcemanager.projects.list
`roles/earthengine.writer`	Earth Engine Resource Writer^{Beta 版}	所有 Earth Engine 资源的写入者	earthengine.assets.create earthengine.assets.delete earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.assets.update earthengine.computations.* earthengine.exports.* earthengine.filmstripthumbnails.* earthengine.imports.* earthengine.maps.* earthengine.operations.* earthengine.tables.* earthengine.thumbnails.* earthengine.videothumbnails.* resourcemanager.projects.get resourcemanager.projects.list

Endpoints 角色

角色	名称	说明	权限	最低资源要求
`roles/endpoints.portalAdmin`	Endpoints Portal Admin ^{Beta 版}	提供在 Cloud Console 的 Endpoints > 开发者门户页面中添加、查看和删除自定义网域所需的全部权限。在为 API 创建的门户上，提供更改设置页面上网站级标签页中设置的权限。	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	项目

Error Reporting 角色

角色	名称	说明	权限	最低资源要求
`roles/errorreporting.admin`	Error Reporting Admin ^{Beta 版}	提供对 Error Reporting 数据的完整访问权限。	cloudnotifications.* errorreporting.* logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	项目
`roles/errorreporting.user`	Error Reporting User ^{Beta 版}	提供读取和写入 Error Reporting 数据的权限，但不提供发送新错误事件的权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.* logging.notificationRules.get logging.notificationRules.list logging.notificationRules.update resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	项目
`roles/errorreporting.viewer`	Error Reporting Viewer ^{Beta 版}	提供对 Error Reporting 数据的只读权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.* logging.notificationRules.get logging.notificationRules.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	项目
`roles/errorreporting.writer`	Error Reporting Writer ^{Beta 版}	提供将错误事件发送到 Error Reporting 的权限。