Understanding roles

When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You grant permissions by granting roles to a user, group, or service account.

This page describes the Cloud IAM roles that you can grant to identities to give them access to Cloud Platform resources.

Before you begin

Role types

There are three types of roles in Cloud IAM:

  • Primitive roles: roles that existed before the introduction of Cloud IAM, including the Owner, Editor, and Viewer roles.
  • Predefined roles: provide granular access to a specific service and are managed by GCP.
  • Custom roles: provide granular access according to a user-specified list of permissions.

To determine whether one or more permissions are included in a primitive, predefined, or custom role, you can use the following methods:

The following sections describe each role type and give examples of how to use them.

Primitive roles

Three roles existed before the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all GCP services:

Primitive role definitions

roles/viewer
  Title: Viewer
  Permissions: Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.

roles/editor
  Title: Editor
  Permissions: All Viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
  Note: Although the roles/editor role includes permissions to create and delete resources for most GCP services, some services (such as Cloud Source Repositories and Stackdriver) do not include these permissions. See the section above to learn how to check whether a role has the permissions you need.

roles/owner
  Title: Owner
  Permissions: All Editor permissions, plus permissions for the following actions:
    • Manage roles and permissions for a project and all resources within the project.
    • Set up billing for a project.
  Note:
    • Granting the Owner role at the resource level (such as a Cloud Pub/Sub topic) does not grant the Owner role on the parent project.
    • The Owner role does not include any permissions for the organization resource. Therefore, granting the Owner role at the organization level does not allow you to update the organization's metadata, but it does allow you to modify the projects under that organization.

You can apply primitive roles at the project or service resource level through the GCP Console, the API, or the gcloud command-line tool.

Invitation flow

You cannot use the Cloud IAM API or the gcloud command-line tool to grant the Owner role to a project member; you can only add an owner to a project through the GCP Console. An invitation is sent to the member by email, and the member must accept the invitation before becoming an owner of the project.

Note that no invitation email is sent in the following cases:

  • The role you grant is not Owner.
  • A member of an organization adds another member of the organization as an owner of a project within the organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that grant granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following tables list these roles, a description of each, and the lowest-level resource type at which the role can be set. A given role can be granted at that resource type or, in most cases, at any type above it in the GCP hierarchy. You can grant multiple roles to the same user. For example, the same user can have the Network Admin and Log Viewer roles on a project and also have the Publisher role for a Pub/Sub topic within that project. For a list of the permissions each role includes, see the section on getting role metadata.
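The permission-containment question raised earlier ("does this role include these permissions?") and the two hierarchy rules stated on this page (a binding applies to the resource and everything below it, and Owner granted on a child resource says nothing about the parent project) are modelled in the following added Python example, which is not code from this page or from Google's own tooling. The role permission lists are copied from the tables below; the member names, project, dataset and key resource names are constructed for the demonstration.

```python
"""Added example: a small model of how Cloud IAM answers "may this member
use this permission on this resource?" Role permission lists are copied from
the tables on this page; members and resource names are constructed."""

# Permission lists as printed on this page. A trailing ".*" is the page's
# shorthand for every permission under that prefix.
ROLES = {
    "roles/appengine.deployer": [
        "appengine.applications.get", "appengine.instances.get",
        "appengine.instances.list", "appengine.operations.*",
        "appengine.services.get", "appengine.services.list",
        "appengine.versions.create", "appengine.versions.delete",
        "appengine.versions.get", "appengine.versions.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
    "roles/cloudbuild.builds.editor": [
        "cloudbuild.*", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/bigquery.dataViewer": [
        "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
        "bigquery.models.getData", "bigquery.models.getMetadata",
        "bigquery.models.list", "bigquery.tables.export",
        "bigquery.tables.get", "bigquery.tables.getData",
        "bigquery.tables.list", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/cloudkms.cryptoKeyDecrypter": [
        "cloudkms.cryptoKeyVersions.useToDecrypt",
        "resourcemanager.projects.get",
    ],
}


def pattern_covers(pattern, permission):
    """True if a role entry such as "cloudbuild.*" covers `permission`."""
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])  # keep the trailing dot
    return pattern == permission


def role_grants(role, permission):
    """True if any entry in the role's permission list covers `permission`."""
    return any(pattern_covers(p, permission) for p in ROLES[role])


def missing_permissions(roles, required):
    """Required permissions that none of the given roles include: the check
    the page refers to for deciding whether a role contains a permission."""
    return [perm for perm in required
            if not any(role_grants(r, perm) for r in roles)]


def effective_roles(member, resource, bindings, parents):
    """Roles `member` holds on `resource`, including those inherited from
    ancestors. `bindings` maps a resource to (role, member) pairs; `parents`
    maps a resource to its parent (None at the top). A binding on a child is
    never visible from its parent, as the page's note on Owner says."""
    roles, node = set(), resource
    while node is not None:
        roles.update(role for role, m in bindings.get(node, []) if m == member)
        node = parents.get(node)
    return roles


def has_permission(member, permission, resource, bindings, parents):
    """Cloud IAM's question: may `member` use `permission` on `resource`?"""
    return any(role_grants(r, permission)
               for r in effective_roles(member, resource, bindings, parents))


# Constructed hierarchy: organization > project > {dataset, crypto key}.
KEY = "projects/example-project/keyRings/kr/cryptoKeys/k1"
DATASET = "projects/example-project/datasets/sales"
PARENTS = {
    "organizations/example-org": None,
    "projects/example-project": "organizations/example-org",
    DATASET: "projects/example-project",
    KEY: "projects/example-project",
}
BINDINGS = {
    # Data Viewer bound on the project is inherited by the dataset below it.
    "projects/example-project": [
        ("roles/bigquery.dataViewer", "user:analyst@example.com"),
    ],
    # Decrypter bound on one key only; it does not flow up to the project.
    KEY: [("roles/cloudkms.cryptoKeyDecrypter", "serviceAccount:app@example.com")],
}

if __name__ == "__main__":
    # Deployer alone can create a version but, as its description says,
    # cannot update an existing one.
    print(missing_permissions(["roles/appengine.deployer"],
                              ["appengine.versions.create",
                               "appengine.versions.update"]))
    print(has_permission("serviceAccount:app@example.com",
                         "cloudkms.cryptoKeyVersions.useToDecrypt",
                         "projects/example-project", BINDINGS, PARENTS))
```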

Android Management roles

roles/androidmanagement.user
  Title: Android Management User
  Description: Full management access to devices.
  Permissions:
    androidmanagement.*
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

App Engine roles

roles/appengine.appAdmin
  Title: App Engine Admin
  Description: Read/Write/Modify access to all application configuration and settings.
  Lowest resource: Project
  Permissions:
    appengine.applications.get
    appengine.applications.update
    appengine.instances.*
    appengine.operations.*
    appengine.runtimes.*
    appengine.services.*
    appengine.versions.create
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    appengine.versions.update
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/appengine.appViewer
  Title: App Engine Viewer
  Description: Read-only access to all application configuration and settings.
  Lowest resource: Project
  Permissions:
    appengine.applications.get
    appengine.instances.get
    appengine.instances.list
    appengine.operations.*
    appengine.services.get
    appengine.services.list
    appengine.versions.get
    appengine.versions.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/appengine.codeViewer
  Title: App Engine Code Viewer
  Description: Read-only access to all application configuration, settings, and deployed source code.
  Lowest resource: Project
  Permissions:
    appengine.applications.get
    appengine.instances.get
    appengine.instances.list
    appengine.operations.*
    appengine.services.get
    appengine.services.list
    appengine.versions.get
    appengine.versions.getFileContents
    appengine.versions.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/appengine.deployer
  Title: App Engine Deployer
  Description: Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic.
  Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles.
  Lowest resource: Project
  Permissions:
    appengine.applications.get
    appengine.instances.get
    appengine.instances.list
    appengine.operations.*
    appengine.services.get
    appengine.services.list
    appengine.versions.create
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/appengine.serviceAdmin
  Title: App Engine Service Admin
  Description: Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.
  Lowest resource: Project
  Permissions:
    appengine.applications.get
    appengine.instances.*
    appengine.operations.*
    appengine.services.*
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    appengine.versions.update
    resourcemanager.projects.get
    resourcemanager.projects.list

AutoML roles

roles/automl.admin
  Title: AutoML Admin (Beta)
  Description: Full access to all AutoML resources
  Permissions:
    automl.*
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.services.list

roles/automl.editor
  Title: AutoML Editor (Beta)
  Description: Editor of all AutoML resources
  Permissions:
    automl.annotationSpecs.*
    automl.annotations.*
    automl.columnSpecs.*
    automl.datasets.create
    automl.datasets.delete
    automl.datasets.export
    automl.datasets.get
    automl.datasets.import
    automl.datasets.list
    automl.datasets.update
    automl.examples.*
    automl.humanAnnotationTasks.*
    automl.locations.get
    automl.locations.list
    automl.modelEvaluations.*
    automl.models.create
    automl.models.delete
    automl.models.deploy
    automl.models.export
    automl.models.get
    automl.models.list
    automl.models.predict
    automl.models.undeploy
    automl.operations.*
    automl.tableSpecs.*
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.services.list

roles/automl.predictor
  Title: AutoML Predictor (Beta)
  Description: Predict using models
  Permissions:
    automl.models.predict
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/automl.viewer
  Title: AutoML Viewer (Beta)
  Description: Viewer of all AutoML resources
  Permissions:
    automl.annotationSpecs.get
    automl.annotationSpecs.list
    automl.annotations.list
    automl.columnSpecs.get
    automl.columnSpecs.list
    automl.datasets.get
    automl.datasets.list
    automl.examples.get
    automl.examples.list
    automl.humanAnnotationTasks.get
    automl.humanAnnotationTasks.list
    automl.locations.get
    automl.locations.list
    automl.modelEvaluations.get
    automl.modelEvaluations.list
    automl.models.get
    automl.models.list
    automl.operations.get
    automl.operations.list
    automl.tableSpecs.get
    automl.tableSpecs.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.services.list

BigQuery roles

roles/bigquery.admin
  Title: BigQuery Admin
  Description: Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
  Lowest resource: Project
  Permissions:
    bigquery.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.connectionAdmin
  Title: BigQuery Connection Admin

roles/bigquery.connectionUser
  Title: BigQuery Connection User

roles/bigquery.dataEditor
  Title: BigQuery Data Editor
  Description: When applied to a dataset, dataEditor provides permissions to:
    • Read the dataset's metadata and list tables in the dataset.
    • Create, update, get, and delete the dataset's tables.
  When applied at the project or organization level, this role can also create new datasets.
  Lowest resource: Dataset
  Permissions:
    bigquery.datasets.create
    bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.tables.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.dataOwner
  Title: BigQuery Data Owner
  Description: When applied to a dataset, dataOwner provides permissions to:
    • Read, update, and delete the dataset.
    • Create, update, get, and delete the dataset's tables.
  When applied at the project or organization level, this role can also create new datasets.
  Lowest resource: Dataset
  Permissions:
    bigquery.datasets.*
    bigquery.tables.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.dataViewer
  Title: BigQuery Data Viewer
  Description: When applied to a dataset, dataViewer provides permissions to:
    • Read the dataset's metadata and list tables in the dataset.
    • Read data and metadata from the dataset's tables.
  When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.
  Lowest resource: Dataset
  Permissions:
    bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.models.getData
    bigquery.models.getMetadata
    bigquery.models.list
    bigquery.tables.export
    bigquery.tables.get
    bigquery.tables.getData
    bigquery.tables.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.jobUser
  Title: BigQuery Job User
  Description: Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs.
  Lowest resource: Project
  Permissions:
    bigquery.jobs.create
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.metadataViewer
  Title: BigQuery Metadata Viewer
  Description: When applied at the organization or project level, metadataViewer provides permissions to:
    • List all datasets in the project and read metadata for all datasets.
    • List all tables and views in the project and read metadata for all tables and views.
  Additional roles, however, are necessary to run jobs.
  Lowest resource: Project
  Permissions:
    bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.tables.get
    bigquery.tables.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.readSessionUser
  Title: BigQuery Read Session User (Beta)
  Description: Access to create and use read sessions
  Permissions:
    bigquery.readsessions.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/bigquery.user
  Title: BigQuery User
  Description: Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets.
  Lowest resource: Project
  Permissions:
    bigquery.config.get
    bigquery.datasets.create
    bigquery.datasets.get
    bigquery.datasets.getIamPolicy
    bigquery.jobs.create
    bigquery.jobs.list
    bigquery.models.list
    bigquery.readsessions.*
    bigquery.savedqueries.get
    bigquery.savedqueries.list
    bigquery.tables.list
    bigquery.transfers.get
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Bigtable roles

roles/bigtable.admin
  Title: Bigtable Administrator
  Description: Administers all instances within a project, including the data stored within tables, and can create new instances. Intended for project administrators.
  Lowest resource: Instance
  Permissions:
    bigtable.*
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.timeSeries.list
    resourcemanager.projects.get

roles/bigtable.reader
  Title: Bigtable Reader
  Description: Provides read-only access to the data stored within tables. Intended for data scientists, dashboard creators, and other data-analysis scenarios.
  Lowest resource: Instance
  Permissions:
    bigtable.appProfiles.get
    bigtable.appProfiles.list
    bigtable.clusters.get
    bigtable.clusters.list
    bigtable.instances.get
    bigtable.instances.list
    bigtable.tables.checkConsistency
    bigtable.tables.generateConsistencyToken
    bigtable.tables.get
    bigtable.tables.list
    bigtable.tables.readRows
    bigtable.tables.sampleRowKeys
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.timeSeries.list
    resourcemanager.projects.get

roles/bigtable.user
  Title: Bigtable User
  Description: Provides read-write access to the data stored within tables. Intended for application developers or service accounts.
  Lowest resource: Instance
  Permissions:
    bigtable.appProfiles.get
    bigtable.appProfiles.list
    bigtable.clusters.get
    bigtable.clusters.list
    bigtable.instances.get
    bigtable.instances.list
    bigtable.tables.checkConsistency
    bigtable.tables.generateConsistencyToken
    bigtable.tables.get
    bigtable.tables.list
    bigtable.tables.mutateRows
    bigtable.tables.readRows
    bigtable.tables.sampleRowKeys
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.timeSeries.list
    resourcemanager.projects.get

roles/bigtable.viewer
  Title: Bigtable Viewer
  Description: Provides no data access. Intended as a minimal set of permissions to access the GCP Console for Cloud Bigtable.
  Lowest resource: Instance
  Permissions:
    bigtable.appProfiles.get
    bigtable.appProfiles.list
    bigtable.clusters.get
    bigtable.clusters.list
    bigtable.instances.get
    bigtable.instances.list
    bigtable.locations.*
    bigtable.tables.checkConsistency
    bigtable.tables.generateConsistencyToken
    bigtable.tables.get
    bigtable.tables.list
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.timeSeries.list
    resourcemanager.projects.get

Billing roles

roles/billing.admin
  Title: Billing Account Administrator
  Description: Provides access to view and manage all aspects of billing accounts.
  Lowest resource: Billing Account
  Permissions:
    billing.accounts.close
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.getPaymentInfo
    billing.accounts.getSpendingInformation
    billing.accounts.getUsageExportSpec
    billing.accounts.list
    billing.accounts.move
    billing.accounts.redeemPromotion
    billing.accounts.removeFromOrganization
    billing.accounts.reopen
    billing.accounts.setIamPolicy
    billing.accounts.update
    billing.accounts.updatePaymentInfo
    billing.accounts.updateUsageExportSpec
    billing.budgets.*
    billing.credits.*
    billing.resourceAssociations.*
    billing.subscriptions.*
    cloudnotifications.*
    logging.logEntries.list
    logging.logServiceIndexes.*
    logging.logServices.*
    logging.logs.list
    logging.privateLogEntries.*
    resourcemanager.projects.createBillingAssignment
    resourcemanager.projects.deleteBillingAssignment

roles/billing.creator
  Title: Billing Account Creator
  Description: Provides access to create billing accounts.
  Lowest resource: Project
  Permissions:
    billing.accounts.create
    resourcemanager.organizations.get

roles/billing.projectManager
  Title: Project Billing Manager
  Description: Provides access to assign a project's billing account or disable billing for the project.
  Lowest resource: Project
  Permissions:
    resourcemanager.projects.createBillingAssignment
    resourcemanager.projects.deleteBillingAssignment

roles/billing.user
  Title: Billing Account User
  Description: Provides access to associate projects with billing accounts.
  Lowest resource: Billing Account
  Permissions:
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.list
    billing.accounts.redeemPromotion
    billing.credits.*
    billing.resourceAssociations.create

roles/billing.viewer
  Title: Billing Account Viewer
  Description: View billing account cost information and transactions.
  Lowest resource: Organization, Billing Account
  Permissions:
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.getPaymentInfo
    billing.accounts.getSpendingInformation
    billing.accounts.getUsageExportSpec
    billing.accounts.list
    billing.budgets.get
    billing.budgets.list
    billing.credits.*
    billing.resourceAssociations.list
    billing.subscriptions.get
    billing.subscriptions.list

Binary Authorization roles

roles/binaryauthorization.attestorsAdmin
  Title: Binary Authorization Attestor Admin (Beta)
  Description: Administrator of Binary Authorization Attestors
  Permissions:
    binaryauthorization.attestors.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.attestorsEditor
  Title: Binary Authorization Attestor Editor (Beta)
  Description: Editor of Binary Authorization Attestors
  Permissions:
    binaryauthorization.attestors.create
    binaryauthorization.attestors.delete
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    binaryauthorization.attestors.update
    binaryauthorization.attestors.verifyImageAttested
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.attestorsVerifier
  Title: Binary Authorization Attestor Image Verifier (Beta)
  Description: Caller of VerifyImageAttested on Binary Authorization Attestors
  Permissions:
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    binaryauthorization.attestors.verifyImageAttested
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.attestorsViewer
  Title: Binary Authorization Attestor Viewer (Beta)
  Description: Viewer of Binary Authorization Attestors
  Permissions:
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.policyAdmin
  Title: Binary Authorization Policy Administrator (Beta)
  Description: Administrator of Binary Authorization Policy
  Permissions:
    binaryauthorization.policy.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.policyEditor
  Title: Binary Authorization Policy Editor (Beta)
  Description: Editor of Binary Authorization Policy
  Permissions:
    binaryauthorization.policy.get
    binaryauthorization.policy.update
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/binaryauthorization.policyViewer
  Title: Binary Authorization Policy Viewer (Beta)
  Description: Viewer of Binary Authorization Policy
  Permissions:
    binaryauthorization.policy.get
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Asset roles

roles/cloudasset.viewer
  Title: Cloud Asset Viewer
  Description: Read-only access to cloud asset metadata
  Permissions:
    cloudasset.*

Cloud Build roles

roles/cloudbuild.builds.builder
  Title: Cloud Build Service Account
  Description: Can perform builds
  Permissions:
    cloudbuild.*
    logging.logEntries.create
    pubsub.topics.create
    pubsub.topics.publish
    remotebuildexecution.blobs.get
    resourcemanager.projects.get
    resourcemanager.projects.list
    source.repos.get
    source.repos.list
    storage.buckets.create
    storage.buckets.get
    storage.buckets.list
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list
    storage.objects.update

roles/cloudbuild.builds.editor
  Title: Cloud Build Editor
  Description: Provides access to create and cancel builds.
  Lowest resource: Project
  Permissions:
    cloudbuild.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudbuild.builds.viewer
  Title: Cloud Build Viewer
  Description: Provides access to view builds.
  Lowest resource: Project
  Permissions:
    cloudbuild.builds.get
    cloudbuild.builds.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Data Fusion roles

roles/datafusion.admin
  Title: Cloud Data Fusion Admin (Beta)
  Description: Full access to Cloud Data Fusion instances and related resources.
  Permissions:
    datafusion.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/datafusion.viewer
  Title: Cloud Data Fusion Viewer (Beta)
  Description: Read-only access to Cloud Data Fusion instances and related resources.
  Permissions:
    datafusion.instances.get
    datafusion.instances.getIamPolicy
    datafusion.instances.list
    datafusion.locations.*
    datafusion.operations.get
    datafusion.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Stackdriver Debugger roles

roles/clouddebugger.agent
  Title: Stackdriver Debugger Agent (Beta)
  Description: Provides permissions to register a debug target, read active breakpoints, and report breakpoint results.
  Lowest resource: Service Account
  Permissions:
    clouddebugger.breakpoints.list
    clouddebugger.breakpoints.listActive
    clouddebugger.breakpoints.update
    clouddebugger.debuggees.create

roles/clouddebugger.user
  Title: Stackdriver Debugger User (Beta)
  Description: Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).
  Lowest resource: Project
  Permissions:
    clouddebugger.breakpoints.create
    clouddebugger.breakpoints.delete
    clouddebugger.breakpoints.get
    clouddebugger.breakpoints.list
    clouddebugger.debuggees.list

Cloud Functions roles

roles/cloudfunctions.developer
  Title: Cloud Functions Developer (Beta)
  Description: Read and write access to all function-related resources.
  Permissions:
    cloudfunctions.*
    resourcemanager.projects.get
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

roles/cloudfunctions.viewer
  Title: Cloud Functions Viewer (Beta)
  Description: Read-only access to functions and locations.
  Permissions:
    cloudfunctions.functions.get
    cloudfunctions.functions.list
    cloudfunctions.locations.*
    cloudfunctions.operations.*
    resourcemanager.projects.get
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

Cloud IAP roles

roles/iap.admin
  Title: IAP Policy Admin
  Description: Provides full access to Cloud Identity-Aware Proxy resources.
  Lowest resource: Project
  Permissions:
    iap.tunnel.*
    iap.tunnelInstances.getIamPolicy
    iap.tunnelInstances.setIamPolicy
    iap.tunnelZones.*
    iap.web.*
    iap.webServiceVersions.getIamPolicy
    iap.webServiceVersions.setIamPolicy
    iap.webServices.*
    iap.webTypes.*

roles/iap.httpsResourceAccessor
  Title: IAP-secured Web App User
  Description: Provides permission to access HTTPS resources which use Cloud Identity-Aware Proxy.
  Lowest resource: Project
  Permissions:
    iap.webServiceVersions.accessViaIAP

roles/iap.tunnelResourceAccessor
  Title: IAP-secured Tunnel User (Beta)
  Description: Access Tunnel resources which use Identity-Aware Proxy
  Permissions:
    iap.tunnelInstances.accessViaIAP

Cloud IoT roles

roles/cloudiot.admin
  Title: Cloud IoT Admin
  Description: Full control of all Cloud IoT resources and permissions.
  Lowest resource: Device
  Permissions:
    cloudiot.*
    cloudiottoken.*

roles/cloudiot.deviceController
  Title: Cloud IoT Device Controller
  Description: Access to update the configuration of devices, but not to create or delete devices.
  Lowest resource: Device
  Permissions:
    cloudiot.devices.get
    cloudiot.devices.list
    cloudiot.devices.sendCommand
    cloudiot.devices.updateConfig
    cloudiot.registries.get
    cloudiot.registries.list
    cloudiottoken.tokensettings.get

roles/cloudiot.editor
  Title: Cloud IoT Editor
  Description: Read-write access to all Cloud IoT resources.
  Lowest resource: Device
  Permissions:
    cloudiot.devices.*
    cloudiot.registries.create
    cloudiot.registries.delete
    cloudiot.registries.get
    cloudiot.registries.list
    cloudiot.registries.update
    cloudiottoken.*

roles/cloudiot.provisioner
  Title: Cloud IoT Provisioner
  Description: Access to create and delete devices within registries, but not to modify the registries.
  Lowest resource: Device
  Permissions:
    cloudiot.devices.*
    cloudiot.registries.get
    cloudiot.registries.list
    cloudiottoken.tokensettings.get

roles/cloudiot.viewer
  Title: Cloud IoT Viewer
  Description: Read-only access to all Cloud IoT resources.
  Lowest resource: Device
  Permissions:
    cloudiot.devices.get
    cloudiot.devices.list
    cloudiot.registries.get
    cloudiot.registries.list
    cloudiottoken.tokensettings.get

Cloud Talent Solution roles

roles/cloudjobdiscovery.admin
  Title: Admin
  Description: Can use Cloud Job Discovery self-service tools
  Permissions:
    cloudjobdiscovery.tools.*
    iam.serviceAccounts.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudjobdiscovery.jobsEditor
  Title: Job Editor
  Description: Write access to all Cloud Job Discovery data.
  Permissions:
    cloudjobdiscovery.companies.*
    cloudjobdiscovery.events.*
    cloudjobdiscovery.jobs.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudjobdiscovery.jobsViewer
  Title: Job Viewer
  Description: Read access to all Cloud Job Discovery data.
  Permissions:
    cloudjobdiscovery.companies.get
    cloudjobdiscovery.companies.list
    cloudjobdiscovery.jobs.get
    cloudjobdiscovery.jobs.search
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudjobdiscovery.profilesEditor
  Title: Profile Editor
  Description: Write access to all profile data in Cloud Talent Solution.
  Permissions:
    cloudjobdiscovery.events.*
    cloudjobdiscovery.profiles.*
    cloudjobdiscovery.tenants.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudjobdiscovery.profilesViewer
  Title: Profile Viewer
  Description: Read access to all profile data in Cloud Talent Solution.
  Permissions:
    cloudjobdiscovery.profiles.get
    cloudjobdiscovery.profiles.search
    cloudjobdiscovery.tenants.get
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud KMS roles

roles/cloudkms.admin
  Title: Cloud KMS Admin
  Description: Provides full access to Cloud KMS resources, except encrypt and decrypt operations.
  Lowest resource: CryptoKey
  Permissions:
    cloudkms.cryptoKeyVersions.create
    cloudkms.cryptoKeyVersions.destroy
    cloudkms.cryptoKeyVersions.get
    cloudkms.cryptoKeyVersions.list
    cloudkms.cryptoKeyVersions.restore
    cloudkms.cryptoKeyVersions.update
    cloudkms.cryptoKeys.*
    cloudkms.keyRings.*
    resourcemanager.projects.get

roles/cloudkms.cryptoKeyDecrypter
  Title: Cloud KMS CryptoKey Decrypter
  Description: Provides ability to use Cloud KMS resources for decrypt operations only.
  Lowest resource: CryptoKey
  Permissions:
    cloudkms.cryptoKeyVersions.useToDecrypt
    resourcemanager.projects.get

roles/cloudkms.cryptoKeyEncrypter
  Title: Cloud KMS CryptoKey Encrypter
  Description: Provides ability to use Cloud KMS resources for encrypt operations only.
  Lowest resource: CryptoKey
  Permissions:
    cloudkms.cryptoKeyVersions.useToEncrypt
    resourcemanager.projects.get

roles/cloudkms.cryptoKeyEncrypterDecrypter
  Title: Cloud KMS CryptoKey Encrypter/Decrypter
  Description: Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.
  Lowest resource: CryptoKey
  Permissions:
    cloudkms.cryptoKeyVersions.useToDecrypt
    cloudkms.cryptoKeyVersions.useToEncrypt
    resourcemanager.projects.get

roles/cloudkms.publicKeyViewer
  Title: Cloud KMS CryptoKey Public Key Viewer (Beta)
  Description: Enables the GetPublicKey operation
  Permissions:
    cloudkms.cryptoKeyVersions.viewPublicKey
    resourcemanager.projects.get

roles/cloudkms.signer
  Title: Cloud KMS CryptoKey Signer (Beta)
  Description: Enables the AsymmetricSign operation
  Permissions:
    cloudkms.cryptoKeyVersions.useToSign
    resourcemanager.projects.get

roles/cloudkms.signerVerifier
  Title: Cloud KMS CryptoKey Signer/Verifier (Beta)
  Description: Enables the AsymmetricSign and GetPublicKey operations
  Permissions:
    cloudkms.cryptoKeyVersions.useToSign
    cloudkms.cryptoKeyVersions.viewPublicKey
    resourcemanager.projects.get

Cloud Private Catalog roles

roles/cloudprivatecatalog.consumer
  Title: Catalog Consumer (Beta)
  Description: Can browse catalogs in the context of a target resource.
  Permissions:
    cloudprivatecatalog.*

roles/cloudprivatecatalogproducer.admin
  Title: Catalog Admin (Beta)
  Description: Can manage catalogs and view their associations.
  Permissions:
    cloudprivatecatalogproducer.associations.*
    cloudprivatecatalogproducer.catalogs.*
    resourcemanager.folders.get
    resourcemanager.folders.list
    resourcemanager.organizations.get

roles/cloudprivatecatalogproducer.manager
  Title: Catalog Manager (Beta)
  Description: Can manage associations between a catalog and a target resource.
  Permissions:
    cloudprivatecatalog.*
    cloudprivatecatalogproducer.associations.*
    cloudprivatecatalogproducer.catalogs.get
    cloudprivatecatalogproducer.catalogs.list
    cloudprivatecatalogproducer.targets.*
    resourcemanager.folders.get
    resourcemanager.folders.list
    resourcemanager.organizations.get

Stackdriver Profiler roles

roles/cloudprofiler.agent
  Title: Stackdriver Profiler Agent (Beta)
  Description: Stackdriver Profiler agent can register and provide profiling data.
  Permissions:
    cloudprofiler.profiles.create
    cloudprofiler.profiles.update

roles/cloudprofiler.user
  Title: Stackdriver Profiler User (Beta)
  Description: Stackdriver Profiler user can query and view profile data.
  Permissions:
    cloudprofiler.profiles.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

Cloud Scheduler roles

roles/cloudscheduler.admin
  Title: Cloud Scheduler Admin (Beta)
  Description: Full access to jobs and executions.
  Permissions:
    cloudscheduler.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudscheduler.viewer
  Title: Cloud Scheduler Viewer (Beta)
  Description: Get and list access to jobs, operations, and locations, and view their manifests.
  Permissions:
    cloudscheduler.jobs.fullView
    cloudscheduler.jobs.get
    cloudscheduler.jobs.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Security Scanner roles

roles/cloudsecurityscanner.editor
  Title: Cloud Security Scanner Editor
  Description: Full access to all Cloud Security Scanner resources
  Permissions:
    appengine.applications.get
    cloudsecurityscanner.*
    compute.addresses.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

roles/cloudsecurityscanner.runner
  Title: Cloud Security Scanner Runner
  Description: Read access to Scan and ScanRun, plus the ability to start scans
  Permissions:
    cloudsecurityscanner.crawledurls.*
    cloudsecurityscanner.scanruns.get
    cloudsecurityscanner.scanruns.list
    cloudsecurityscanner.scanruns.stop
    cloudsecurityscanner.scans.get
    cloudsecurityscanner.scans.list
    cloudsecurityscanner.scans.run

roles/cloudsecurityscanner.viewer
  Title: Cloud Security Scanner Viewer
  Description: Read access to all Cloud Security Scanner resources
  Permissions:
    cloudsecurityscanner.crawledurls.*
    cloudsecurityscanner.results.*
    cloudsecurityscanner.scanruns.get
    cloudsecurityscanner.scanruns.getSummary
    cloudsecurityscanner.scanruns.list
    cloudsecurityscanner.scans.get
    cloudsecurityscanner.scans.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

Cloud Services roles

roles/servicebroker.admin
  Title: Service Broker Admin (Beta)
  Description: Full access to ServiceBroker resources.
  Permissions:
    servicebroker.*

roles/servicebroker.operator
  Title: Service Broker Operator (Beta)
  Description: Operator access to ServiceBroker resources.
  Permissions:
    servicebroker.bindingoperations.*
    servicebroker.bindings.create
    servicebroker.bindings.delete
    servicebroker.bindings.get
    servicebroker.bindings.list
    servicebroker.catalogs.create
    servicebroker.catalogs.delete
    servicebroker.catalogs.get
    servicebroker.catalogs.list
    servicebroker.instanceoperations.*
    servicebroker.instances.create
    servicebroker.instances.delete
    servicebroker.instances.get
    servicebroker.instances.list
    servicebroker.instances.update

Cloud SQL roles

roles/cloudsql.admin
  Title: Cloud SQL Admin
  Description: Provides full control of Cloud SQL resources.
  Lowest resource: Project
  Permissions:
    cloudsql.*
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

roles/cloudsql.client
  Title: Cloud SQL Client
  Description: Provides connectivity access to Cloud SQL instances.
  Lowest resource: Project
  Permissions:
    cloudsql.instances.connect
    cloudsql.instances.get

roles/cloudsql.editor
  Title: Cloud SQL Editor
  Description: Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.
  Lowest resource: Project
  Permissions:
    cloudsql.backupRuns.create
    cloudsql.backupRuns.get
    cloudsql.backupRuns.list
    cloudsql.databases.create
    cloudsql.databases.get
    cloudsql.databases.list
    cloudsql.databases.update
    cloudsql.instances.addServerCa
    cloudsql.instances.connect
    cloudsql.instances.export
    cloudsql.instances.failover
    cloudsql.instances.get
    cloudsql.instances.list
    cloudsql.instances.listServerCas
    cloudsql.instances.restart
    cloudsql.instances.rotateServerCa
    cloudsql.instances.truncateLog
    cloudsql.instances.update
    cloudsql.sslCerts.get
    cloudsql.sslCerts.list
    cloudsql.users.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

roles/cloudsql.viewer
  Title: Cloud SQL Viewer
  Description: Provides read-only access to Cloud SQL resources.
  Lowest resource: Project
  Permissions:
    cloudsql.backupRuns.get
    cloudsql.backupRuns.list
    cloudsql.databases.get
    cloudsql.databases.list
    cloudsql.instances.export
    cloudsql.instances.get
    cloudsql.instances.list
    cloudsql.instances.listServerCas
    cloudsql.sslCerts.get
    cloudsql.sslCerts.list
    cloudsql.users.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    serviceusage.quotas.get
    serviceusage.services.get
    serviceusage.services.list

Cloud Tasks roles

roles/cloudtasks.admin
  Title: Cloud Tasks Admin (Beta)
  Description: Full access to queues and tasks.
  Permissions:
    cloudtasks.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtasks.enqueuer
  Title: Cloud Tasks Enqueuer (Beta)
  Description: Access to create tasks.
  Permissions:
    cloudtasks.tasks.create
    cloudtasks.tasks.fullView
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtasks.queueAdmin
  Title: Cloud Tasks Queue Admin (Beta)
  Description: Admin access to queues.
  Permissions:
    cloudtasks.locations.*
    cloudtasks.queues.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtasks.taskDeleter
  Title: Cloud Tasks Task Deleter (Beta)
  Description: Access to delete tasks.
  Permissions:
    cloudtasks.tasks.delete
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtasks.taskRunner
  Title: Cloud Tasks Task Runner (Beta)
  Description: Can run tasks.
  Permissions:
    cloudtasks.tasks.fullView
    cloudtasks.tasks.run
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtasks.viewer
  Title: Cloud Tasks Viewer (Beta)
  Description: Get and list access to tasks, queues, and locations.
  Permissions:
    cloudtasks.locations.*
    cloudtasks.queues.get
    cloudtasks.queues.list
    cloudtasks.tasks.fullView
    cloudtasks.tasks.get
    cloudtasks.tasks.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Trace roles

roles/cloudtrace.admin
  Title: Cloud Trace Admin
  Description: Provides full access to the Trace console and read/write access to traces.
  Lowest resource: Project
  Permissions:
    cloudtrace.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtrace.agent
  Title: Cloud Trace Agent
  Description: Intended for service accounts. Can write traces by sending data to Stackdriver Trace.
  Lowest resource: Project
  Permissions:
    cloudtrace.traces.patch

roles/cloudtrace.user
  Title: Cloud Trace User
  Description: Provides full access to the Trace console and read access to traces.
  Lowest resource: Project
  Permissions:
    cloudtrace.insights.*
    cloudtrace.stats.*
    cloudtrace.tasks.*
    cloudtrace.traces.get
    cloudtrace.traces.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Translation roles

roles/cloudtranslate.admin
  Title: Cloud Translation API Admin
  Description: Full access to all Cloud Translation resources
  Permissions:
    automl.models.get
    automl.models.predict
    cloudtranslate.*
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtranslate.editor
  Title: Cloud Translation API Editor
  Description: Editor of all Cloud Translation resources
  Permissions:
    automl.models.get
    automl.models.predict
    cloudtranslate.generalModels.batchPredict
    cloudtranslate.generalModels.get
    cloudtranslate.generalModels.predict
    cloudtranslate.glossaries.batchPredict
    cloudtranslate.glossaries.create
    cloudtranslate.glossaries.delete
    cloudtranslate.glossaries.get
    cloudtranslate.glossaries.list
    cloudtranslate.glossaries.predict
    cloudtranslate.languageDetectionModels.predict
    cloudtranslate.locations.get
    cloudtranslate.locations.list
    cloudtranslate.operations.cancel
    cloudtranslate.operations.delete
    cloudtranslate.operations.get
    cloudtranslate.operations.list
    cloudtranslate.operations.wait
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtranslate.user
  Title: Cloud Translation API User (Beta)
  Description: User of Cloud Translation and AutoML models
  Permissions:
    automl.models.get
    automl.models.predict
    cloudtranslate.generalModels.batchPredict
    cloudtranslate.generalModels.get
    cloudtranslate.generalModels.predict
    cloudtranslate.glossaries.batchPredict
    cloudtranslate.glossaries.get
    cloudtranslate.glossaries.list
    cloudtranslate.glossaries.predict
    cloudtranslate.languageDetectionModels.predict
    cloudtranslate.locations.get
    cloudtranslate.locations.list
    cloudtranslate.operations.get
    cloudtranslate.operations.list
    cloudtranslate.operations.wait
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/cloudtranslate.viewer
  Title: Cloud Translation API Viewer
  Description: Viewer of all Translation resources
  Permissions:
    automl.models.get
    cloudtranslate.generalModels.get
    cloudtranslate.glossaries.get
    cloudtranslate.glossaries.list
    cloudtranslate.locations.get
    cloudtranslate.locations.list
    cloudtranslate.operations.get
    cloudtranslate.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Codelab API Keys roles

roles/codelabapikeys.admin
  Title: Codelab API Keys Admin (Beta)
  Description: Full access to API keys
  Permissions:
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/codelabapikeys.editor
  Title: Codelab API Keys Editor (Beta)
  Description: This role can view and edit all API key attributes.
  Permissions:
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/codelabapikeys.viewer
  Title: Codelab API Keys Viewer (Beta)
  Description: This role can view all attributes (except the API key change history).
  Permissions:
    resourcemanager.projects.get
    resourcemanager.projects.list

Cloud Composer 角色

roles/
composer.admin
Composer Administrator Provides full control of Cloud Composer resources. composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project roles/
composer.environmentAndStorageObjectAdmin
Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets. composer.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.*
Project roles/
composer.environmentAndStorageObjectViewer
環境使用者和 Storage 物件檢視者 提供列出與取得 Cloud Composer 環境和作業所需的權限。提供對所有專案值區中物件的唯讀存取權。 composer.environments.get
composer.environments.list
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
專案 roles/
composer.user
Composer 使用者 提供列出與取得 Cloud Composer 環境和作業所需的權限。 composer.environments.get
composer.environments.list
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案 roles/
composer.worker
Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. cloudbuild.*
container.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.*
Lowest resource: Project

Compute Engine roles

roles/compute.admin
Name: Compute Admin
Description: Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.
Permissions:
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)

roles/compute.imageUser
Name: Compute Image User
Description: Permission to list and read images, without other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.
Permissions:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Image (Beta)

roles/compute.instanceAdmin
Name: Compute Instance Admin (beta)
Description: Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM (Beta) settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.
Permissions:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Disk, image, instance, instanceTemplate, snapshot (Beta)

roles/compute.instanceAdmin.v1
Name: Compute Instance Admin (v1)
Description: Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.
Permissions:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
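
Every wildcard in these tables hides a set of concrete verbs. roles/compute.instanceAdmin.v1, for instance, lists compute.instances.*, which covers compute.instances.setMetadata and compute.instances.setServiceAccount as well as the get and list verbs, while roles/compute.viewer lists only the read verbs. The Python below is an added example, not code from the Cloud IAM documentation: it expands the trailing ".*" patterns against a permission catalogue and answers "which of these roles grant permission P?" and "what does role A grant beyond role B?". ROLE_PATTERNS is an abridged copy of patterns from the tables on this page (including the Kubernetes Engine roles further down); KNOWN_PERMISSIONS is a constructed, deliberately incomplete sample of real permission names, because the full catalogue is not on this page (in practice, feed in the output of `gcloud iam list-testable-permissions` or `gcloud iam roles describe`).

```python
"""Expand the wildcard permission patterns used in the role tables and
answer "does role R grant permission P?".

Added example, not code from the Cloud IAM documentation.  ROLE_PATTERNS is
abridged from the tables on this page; KNOWN_PERMISSIONS is a constructed
sample of real permission names, not the complete catalogue.
"""
from typing import Dict, Iterable, List, Set

# Abridged from the role tables on this page.
ROLE_PATTERNS: Dict[str, List[str]] = {
    "roles/compute.instanceAdmin.v1": [
        "compute.disks.*", "compute.images.*", "compute.instances.*",
        "compute.firewalls.get", "compute.firewalls.list", "compute.networks.use",
    ],
    "roles/compute.securityAdmin": [
        "compute.firewalls.*", "compute.instances.updateShieldedInstanceConfig",
        "compute.networks.get", "compute.networks.list",
    ],
    "roles/compute.viewer": [
        "compute.disks.get", "compute.disks.list",
        "compute.instances.get", "compute.instances.list",
        "compute.firewalls.get", "compute.firewalls.list",
    ],
    "roles/container.developer": ["container.pods.*", "container.secrets.*"],
    "roles/container.viewer": ["container.pods.get", "container.pods.list"],
}

# Constructed sample catalogue (real permission names, deliberately incomplete).
KNOWN_PERMISSIONS: List[str] = [
    "compute.disks.get", "compute.disks.list", "compute.disks.createSnapshot",
    "compute.images.get", "compute.images.create",
    "compute.instances.get", "compute.instances.list", "compute.instances.delete",
    "compute.instances.setMetadata", "compute.instances.setServiceAccount",
    "compute.instances.updateShieldedInstanceConfig",
    "compute.firewalls.get", "compute.firewalls.list", "compute.firewalls.create",
    "compute.networks.get", "compute.networks.list", "compute.networks.use",
    "container.pods.get", "container.pods.list", "container.pods.exec",
    "container.secrets.get", "container.secrets.list",
]


def expand(patterns: Iterable[str], catalogue: Iterable[str]) -> Set[str]:
    """Resolve trailing ".*" wildcards against the catalogue.

    In the tables "compute.instances.*" means every verb on that resource
    type; nothing else in a pattern is a wildcard.  Keeping the trailing dot
    in the prefix stops "compute.instances.*" from matching
    compute.instanceGroups.* or compute.instanceTemplates.*.
    """
    catalogue = list(catalogue)
    granted: Set[str] = set()
    for pattern in patterns:
        if pattern.endswith(".*"):
            prefix = pattern[:-1]          # e.g. "compute.instances."
            granted.update(p for p in catalogue if p.startswith(prefix))
        else:
            granted.add(pattern)
    return granted


def role_has(role: str, permission: str,
             role_patterns: Dict[str, List[str]] = ROLE_PATTERNS,
             catalogue: Iterable[str] = KNOWN_PERMISSIONS) -> bool:
    """True if the role's expanded permission set contains `permission`."""
    return permission in expand(role_patterns[role], catalogue)


def roles_granting(permission: str,
                   role_patterns: Dict[str, List[str]] = ROLE_PATTERNS,
                   catalogue: Iterable[str] = KNOWN_PERMISSIONS) -> List[str]:
    """Every role in role_patterns whose expansion contains `permission`."""
    return sorted(role for role, pats in role_patterns.items()
                  if permission in expand(pats, catalogue))


def extra_permissions(role: str, baseline: str,
                      role_patterns: Dict[str, List[str]] = ROLE_PATTERNS,
                      catalogue: Iterable[str] = KNOWN_PERMISSIONS) -> Set[str]:
    """What `role` grants beyond `baseline`: the delta to review before
    moving a principal from a viewer role to an admin role."""
    return (expand(role_patterns[role], catalogue)
            - expand(role_patterns[baseline], catalogue))


if __name__ == "__main__":
    for perm in ("compute.instances.setMetadata", "container.secrets.get"):
        print(perm, "->", roles_granting(perm))
    print(sorted(extra_permissions("roles/compute.instanceAdmin.v1",
                                   "roles/compute.viewer")))
```

With the sample catalogue, compute.instances.setMetadata is granted only by roles/compute.instanceAdmin.v1, and container.secrets.get only by roles/container.developer (the Kubernetes Engine Viewer list below contains no container.secrets entries). Run the same queries against the full catalogue before treating any role as read-only.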

roles/compute.loadBalancerAdmin
Name: Compute Load Balancer Admin (Beta)
Description: Permissions to create, modify, and delete load balancers and associated resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a networking team that manages the rest of the networking resources, grant the loadBalancerAdmin role to the load balancing team's group.
Permissions:
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.networkAdmin
Name: Compute Network Admin
Description: Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, grant the networking team's group the networkAdmin role.
Permissions:
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.projects.get
compute.regionBackendServices.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.networkUser
Name: Compute Network User
Description: Provides access to a shared VPC network.

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete or create new networks in the host project.
Permissions:
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Project

roles/compute.networkViewer
Name: Compute Network Viewer
Description: Read-only access to all networking resources.

For example, if you have software that inspects your network configuration, grant the networkViewer role to that software's service account.
Permissions:
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.osAdminLogin
Name: Compute OS Admin Login
Description: Access to log in to a Compute Engine instance as an administrator user.
Permissions:
compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.osLogin
Name: Compute OS Login
Description: Access to log in to a Compute Engine instance as a standard user.
Permissions:
compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.osLoginExternalUser
Name: Compute OS Login External User
Description: Available only at the organization level.

Allows an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to access instances over SSH.
Permissions:
compute.oslogin.*
Lowest resource: Organization

roles/compute.securityAdmin
Name: Compute Security Admin
Description: Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM (Beta) settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, grant the securityAdmin role to the security team's group.
Permissions:
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Instance (Beta)

roles/compute.storageAdmin
Name: Compute Storage Admin
Description: Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you do not want them to have the editor role on the project, grant the storageAdmin role on the project to their account.
Permissions:
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Disk, image, snapshot (Beta)

roles/compute.viewer
Name: Compute Viewer
Description: Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role can inventory all of the disks in a project, but it cannot read any of the data on those disks.
Permissions:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networks.get
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)

roles/compute.xpnAdmin
Name: Compute Shared VPC Admin
Description: Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

This role can only be granted on the organization by an organization admin.

Google Cloud Platform recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the compute.networkUser role to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.
Permissions:
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.*
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Lowest resource: Organization
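
The Shared VPC Admin's recurring task described above is granting roles/compute.networkUser to service owners, normally on one subnet rather than the whole host project (the compute.subnetworks.setIamPolicy permission in the xpnAdmin list is what that call needs). Whatever tool performs the grant must read the current policy, merge the new binding, and write the result back with the etag, because setIamPolicy replaces the whole policy and a naive write drops every other binding. The Python below is an added example, not code from the Cloud IAM documentation or the client libraries: it performs that merge on a policy dict in the JSON shape returned by getIamPolicy (version, etag, bindings[]) and adds two guardrails a reviewer would want on a subnet or service-account policy. The sample policy, its etag and the member names are constructed for the example.

```python
"""Read-modify-write of an IAM policy: add one member to one role without
clobbering the bindings that are already there.

Added example, not code from the Cloud IAM documentation.  The policy dict
mirrors the JSON returned by getIamPolicy; SAMPLE_SUBNET_POLICY, its etag and
the member names are constructed.
"""
import copy
from typing import Dict, List

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: what getIamPolicy on a host-project subnet might return.
SAMPLE_SUBNET_POLICY: Dict = {
    "version": 1,
    "etag": "BwWExampleEtag=",
    "bindings": [
        {"role": "roles/compute.networkUser",
         "members": ["group:payments-devs@example.com"]},
    ],
}


def members_with_role(policy: Dict, role: str) -> List[str]:
    """Members bound to `role` through unconditional bindings."""
    found: List[str] = []
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            found.extend(binding["members"])
    return found


def add_binding(policy: Dict, role: str, member: str,
                *, allow_primitive: bool = False) -> Dict:
    """Return a copy of `policy` with `member` added to `role`.

    Guardrails: never grant to the public principals, and refuse the
    primitive roles unless explicitly allowed.  Bindings that carry a
    condition are left alone so a conditional grant is never widened; the
    etag and every other binding are carried over so setIamPolicy can
    detect a concurrent edit.
    """
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"refusing to grant {role} to {member}")
    if role in PRIMITIVE_ROLES and not allow_primitive:
        raise ValueError(f"{role} is a primitive role; grant a predefined role instead")

    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def remove_binding(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of `policy` with `member` removed from the unconditional
    binding for `role`; a binding left with no members is dropped."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    updated["bindings"] = kept
    return updated


if __name__ == "__main__":
    granted = add_binding(
        SAMPLE_SUBNET_POLICY, "roles/compute.networkUser",
        "serviceAccount:web@payments-prod.iam.gserviceaccount.com")
    print(granted["etag"], members_with_role(granted, "roles/compute.networkUser"))
```

The functions return new dicts rather than mutating the input, so the policy fetched from getIamPolicy can be compared with the one about to be written and the diff reviewed before the setIamPolicy call; the etag is what lets that call fail safely if someone else changed the policy in between.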

Kubernetes Engine roles

roles/container.admin
Name: Kubernetes Engine Admin
Description: Provides full management of Container Clusters and their Kubernetes API objects.
Permissions:
container.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/container.clusterAdmin
Name: Kubernetes Engine Cluster Admin
Description: Provides access to management of Container Clusters.
Permissions:
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/container.clusterViewer
Name: Kubernetes Engine Cluster Viewer
Description: Read-only access to Kubernetes Clusters.
Permissions:
container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/container.developer
Name: Kubernetes Engine Developer
Description: Provides full access to Kubernetes API objects inside Container Clusters.
Permissions:
container.apiServices.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpoints.*
container.events.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/container.hostServiceAgentUser
Name: Kubernetes Engine Host Service Agent User
Description: Allows use of the Kubernetes Engine Host Service Agent.
Permissions:
compute.firewalls.get
container.hostServiceAgent.*

roles/container.viewer
Name: Kubernetes Engine Viewer
Description: Provides read-only access to GKE resources.
Permissions:
container.apiServices.get
container.apiServices.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getStatus
container.deployments.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.limitRanges.get
container.limitRanges.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Container Analysis roles

roles/containeranalysis.admin
Name: Container Analysis Admin (Alpha)
Description: Access to all resources.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list

roles/containeranalysis.notes.attacher
Name: Container Analysis Notes Attacher
Description: Can attach occurrences to notes.

roles/containeranalysis.notes.editor
Name: Container Analysis Notes Editor
Description: Can edit Container Analysis notes.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list

roles/containeranalysis.notes.viewer
Name: Container Analysis Notes Viewer
Description: Can view Container Analysis notes.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list

roles/containeranalysis.occurrences.editor
Name: Container Analysis Occurrences Editor
Description: Can edit Container Analysis occurrences.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list

roles/containeranalysis.occurrences.viewer
Name: Container Analysis Occurrences Viewer
Description: Can view Container Analysis occurrences.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow roles

roles/dataflow.admin
Name: Dataflow Admin
Description: Minimal role for creating and managing Dataflow jobs.
Permissions:
compute.machineTypes.get
dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list

roles/dataflow.developer
Name: Dataflow Developer
Description: Provides the permissions necessary to execute and manipulate Cloud Dataflow jobs.
Permissions:
dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/dataflow.viewer
Name: Dataflow Viewer
Description: Provides read-only access to all Cloud Dataflow-related resources.
Permissions:
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.*
dataflow.metrics.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/dataflow.worker
Name: Dataflow Worker
Description: Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline.
Permissions:
compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
logging.logEntries.create
storage.objects.create
storage.objects.get
Lowest resource: Project

Cloud Data Labeling roles

roles/datalabeling.admin
Name: DataLabeling Service Admin (Beta)
Description: Full access to all DataLabeling resources.
Permissions:
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/datalabeling.editor
Name: DataLabeling Service Editor (Beta)
Description: Editor of all DataLabeling resources.
Permissions:
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/datalabeling.viewer
Name: DataLabeling Service Viewer (Beta)
Description: Viewer of all DataLabeling resources.
Permissions:
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataprep roles

roles/dataprep.projects.user
Name: Dataprep User (Beta)
Description: Access to use Dataprep.
Permissions:
dataprep.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Dataproc roles

roles/dataproc.admin
Name: Dataproc Admin
Description: Full control of Dataproc resources.
Permissions:
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/dataproc.editor
Name: Dataproc Editor
Description: Provides the permissions necessary to view the resources required to manage Cloud Dataproc, including machine types, networks, projects, and zones.
Permissions:
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/dataproc.viewer
Name: Dataproc Viewer
Description: Provides read-only access to Cloud Dataproc resources.
Permissions:
compute.machineTypes.get
compute.regions.*
compute.zones.get
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

roles/dataproc.worker
Name: Dataproc Worker
Description: Worker access to Dataproc. Intended for service accounts.
Permissions:
dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.objects.*

Datastore roles

Role: roles/datastore.importExportAdmin
Title: Cloud Datastore Import Export Admin
Description: Provides full access to manage imports and exports.
Permissions:
appengine.applications.get
datastore.databases.export
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/datastore.indexAdmin
Title: Cloud Datastore Index Admin
Description: Provides full access to manage index definitions.
Permissions:
appengine.applications.get
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/datastore.owner
Title: Cloud Datastore Owner
Description: Provides full access to Cloud Datastore resources.
Permissions:
appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/datastore.user
Title: Cloud Datastore User
Description: Provides read/write access to data in a Cloud Datastore database.
Permissions:
appengine.applications.get
datastore.databases.get
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/datastore.viewer
Title: Cloud Datastore Viewer
Description: Provides read access to Cloud Datastore resources.
Permissions:
appengine.applications.get
datastore.databases.get
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Deployment Manager roles

Role: roles/deploymentmanager.editor
Title: Deployment Manager Editor
Description: Provides the permissions necessary to create and manage deployments.
Permissions:
deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Project

Role: roles/deploymentmanager.typeEditor
Title: Deployment Manager Type Editor
Description: Provides read/write access to all Type Registry resources.
Permissions:
deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Lowest resource: Project

Role: roles/deploymentmanager.typeViewer
Title: Deployment Manager Type Viewer
Description: Provides read-only access to all Type Registry resources.
Permissions:
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Lowest resource: Project

Role: roles/deploymentmanager.viewer
Title: Deployment Manager Viewer
Description: Provides read-only access to all Cloud Deployment Manager related resources.
Permissions:
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Project

Dialogflow roles

Role: roles/dialogflow.admin
Title: Dialogflow API Admin
Description: Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both the API and the Dialogflow console (commonly needed to create an agent from the Dialogflow console).
Permissions:
dialogflow.*
resourcemanager.projects.get
Lowest resource: Project

Role: roles/dialogflow.client
Title: Dialogflow API Client
Description: Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.).
Permissions:
dialogflow.contexts.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
Lowest resource: Project

Role: roles/dialogflow.consoleAgentEditor
Title: Dialogflow Console Agent Editor
Description: Can edit agents in the Dialogflow Console.
Permissions:
dialogflow.*
resourcemanager.projects.get

Role: roles/dialogflow.reader
Title: Dialogflow API Reader
Description: Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both the API and the Dialogflow console.
Permissions:
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.search
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.operations.*
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
resourcemanager.projects.get
Lowest resource: Project

Cloud DLP roles

Role: roles/dlp.admin
Title: DLP Administrator
Description: Administer DLP, including jobs and templates.
Permissions:
dlp.*
serviceusage.services.use

Role: roles/dlp.analyzeRiskTemplatesEditor
Title: DLP Analyze Risk Templates Editor
Description: Edit DLP analyze risk templates.
Permissions:
dlp.analyzeRiskTemplates.*

Role: roles/dlp.analyzeRiskTemplatesReader
Title: DLP Analyze Risk Templates Reader
Description: Read DLP analyze risk templates.
Permissions:
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list

Role: roles/dlp.deidentifyTemplatesEditor
Title: DLP De-identify Templates Editor
Description: Edit DLP de-identify templates.
Permissions:
dlp.deidentifyTemplates.*

Role: roles/dlp.deidentifyTemplatesReader
Title: DLP De-identify Templates Reader
Description: Read DLP de-identify templates.
Permissions:
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list

Role: roles/dlp.inspectTemplatesEditor
Title: DLP Inspect Templates Editor
Description: Edit DLP inspect templates.
Permissions:
dlp.inspectTemplates.*

Role: roles/dlp.inspectTemplatesReader
Title: DLP Inspect Templates Reader
Description: Read DLP inspect templates.
Permissions:
dlp.inspectTemplates.get
dlp.inspectTemplates.list

Role: roles/dlp.jobTriggersEditor
Title: DLP Job Triggers Editor
Description: Edit job trigger configurations.
Permissions:
dlp.jobTriggers.*

Role: roles/dlp.jobTriggersReader
Title: DLP Job Triggers Reader
Description: Read job triggers.
Permissions:
dlp.jobTriggers.get
dlp.jobTriggers.list

Role: roles/dlp.jobsEditor
Title: DLP Jobs Editor
Description: Edit and create jobs.
Permissions:
dlp.jobs.*
dlp.kms.*

Role: roles/dlp.jobsReader
Title: DLP Jobs Reader
Description: Read jobs.
Permissions:
dlp.jobs.get
dlp.jobs.list

Role: roles/dlp.reader
Title: DLP Reader
Description: Read DLP entities, such as jobs and templates.
Permissions:
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

Role: roles/dlp.storedInfoTypesEditor
Title: DLP Stored InfoTypes Editor
Description: Edit DLP stored infoTypes.
Permissions:
dlp.storedInfoTypes.*

Role: roles/dlp.storedInfoTypesReader
Title: DLP Stored InfoTypes Reader
Description: Read DLP stored infoTypes.
Permissions:
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

Role: roles/dlp.user
Title: DLP User
Description: Inspect, redact, and de-identify content.
Permissions:
dlp.kms.*
serviceusage.services.use

DNS roles

Role: roles/dns.admin
Title: DNS Administrator
Description: Provides read-write access to all Cloud DNS resources.
Permissions:
compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/dns.peer
Title: DNS Peer
Description: Access to target networks that contain DNS peering zones.
Permissions:
dns.networks.targetWithPeeringZone

Role: roles/dns.reader
Title: DNS Reader
Description: Provides read-only access to all Cloud DNS resources.
Permissions:
compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.*
dns.resourceRecordSets.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Endpoints roles

Role: roles/endpoints.portalAdmin
Title: Endpoints Portal Admin (Beta)
Description: Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab of the Settings page.
Permissions:
endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
Lowest resource: Project

Error Reporting roles

Role: roles/errorreporting.admin
Title: Error Reporting Admin (Beta)
Description: Provides full access to Error Reporting data.
Permissions:
cloudnotifications.*
errorreporting.*
Lowest resource: Project

Role: roles/errorreporting.user
Title: Error Reporting User (Beta)
Description: Provides the permissions to read and write Error Reporting data, except for sending new error events.
Permissions:
cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.*
Lowest resource: Project

Role: roles/errorreporting.viewer
Title: Error Reporting Viewer (Beta)
Description: Provides read-only access to Error Reporting data.
Permissions:
cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.*
Lowest resource: Project

Role: roles/errorreporting.writer
Title: Error Reporting Writer (Beta)
Description: Provides permission to send error events to Error Reporting.
Permissions:
errorreporting.errorEvents.create
Lowest resource: Service Account

Cloud Filestore roles

Role: roles/file.editor
Title: Cloud Filestore Editor (Beta)
Description: Read-write access to Filestore instances and related resources.
Permissions:
file.*

Role: roles/file.viewer
Title: Cloud Filestore Viewer (Beta)
Description: Read-only access to Filestore instances and related resources.
Permissions:
file.instances.get
file.instances.list
file.locations.*
file.operations.get
file.operations.list
file.snapshots.get
file.snapshots.list

Firebase roles

Role: roles/cloudtestservice.testAdmin
Title: Firebase Test Lab Admin
Description: Full access to all Test Lab features.
Permissions:
cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list

Role: roles/cloudtestservice.testViewer
Title: Firebase Test Lab Viewer
Description: Read access to Test Lab features.
Permissions:
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

Role: roles/firebase.admin
Title: Firebase Admin (Beta)
Description: Full access to Firebase products.
Permissions:
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudconfig.*
cloudfunctions.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseauth.*
firebasecrash.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.*

Role: roles/firebase.analyticsAdmin
Title: Firebase Analytics Admin (Beta)
Description: Full access to Google Analytics for Firebase.
Permissions:
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Role: roles/firebase.analyticsViewer
Title: Firebase Analytics Viewer (Beta)
Description: Read access to Google Analytics for Firebase.
Permissions:
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Role: roles/firebase.developAdmin
Title: Firebase Develop Admin (Beta)
Description: Full access to Firebase Develop products and Analytics.
Permissions:
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.*

Role: roles/firebase.developViewer
Title: Firebase Develop Viewer (Beta)
Description: Read access to Firebase Develop products and Analytics.
Permissions:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Role: roles/firebase.growthAdmin
Title: Firebase Grow Admin (Beta)
Description: Full access to Firebase Grow products and Analytics.
Permissions:
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Role: roles/firebase.growthViewer
Title: Firebase Grow Viewer (Beta)
Description: Read access to Firebase Grow products and Analytics.
Permissions:
cloudconfig.configs.get
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Role: roles/firebase.qualityAdmin
Title: Firebase Quality Admin (Beta)
Description: Full access to Firebase Quality products and Analytics.
Permissions:
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebasecrash.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Role: roles/firebase.qualityViewer
Title: Firebase Quality Viewer (Beta)
Description: Read access to Firebase Quality products and Analytics.
Permissions:
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasecrash.reports.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Role: roles/firebase.viewer
Title: Firebase Viewer (Beta)
Description: Read-only access to Firebase products.
Permissions:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Firebase Crash Reporting roles

Role: roles/firebasecrash.symbolMappingsAdmin
Title: Firebase Crash Symbol Uploader
Description: Full read/write access to Firebase Crash Reporting symbol mapping file resources.
Permissions:
firebase.clients.get
resourcemanager.projects.get

Genomics roles

Role: roles/genomics.admin
Title: Genomics Admin
Description: Full access to Genomics datasets and operations.
Permissions:
genomics.*

Role: roles/genomics.editor
Title: Genomics Editor
Description: Read and edit access to Genomics datasets and related operations.
Permissions:
genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*

Role: roles/genomics.pipelinesRunner
Title: Genomics Pipelines Runner
Description: Full access to Genomics pipelines.
Permissions:
genomics.operations.*

Role: roles/genomics.viewer
Title: Genomics Viewer
Description: View Genomics datasets and operations.
Permissions:
genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list

Cloud Healthcare roles

Role: roles/healthcare.annotationEditor
Title: Healthcare Annotation Editor (Beta)
Description: Permission to create, delete, update, read, and list annotations.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.annotationReader
Title: Healthcare Annotation Reader (Beta)
Description: Read and list annotations in an Annotation Store.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.annotationStoreAdmin
Title: Healthcare Annotation Store Administrator (Beta)
Description: Administer Annotation Stores.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.annotationStoreViewer
Title: Healthcare Annotation Store Viewer (Beta)
Description: List Annotation Stores in a dataset.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.datasetAdmin
Title: Healthcare Dataset Administrator (Beta)
Description: Administer Healthcare Datasets.
Permissions:
healthcare.datasets.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.datasetViewer
Title: Healthcare Dataset Viewer (Beta)
Description: List Healthcare datasets in a project.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.dicomEditor
Title: Healthcare DICOM Editor (Beta)
Description: Edit DICOM images individually and in bulk.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.dicomStoreAdmin
Title: Healthcare DICOM Administrator (Beta)
Description: Administer DICOM stores.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.dicomStoreViewer
Title: Healthcare DICOM Store Viewer (Beta)
Description: List DICOM Stores in a dataset.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.dicomViewer
Title: Healthcare DICOM Viewer (Beta)
Description: Retrieve DICOM images from a DICOM store.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.fhirResourceEditor
Title: Healthcare FHIR Resource Editor (Beta)
Description: Create, delete, update, read, and search FHIR resources.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.update
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.fhirResourceReader
Title: Healthcare FHIR Resource Reader (Beta)
Description: Read and search FHIR resources.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.fhirStoreAdmin
Title: Healthcare FHIR Administrator (Beta)
Description: Administer FHIR resource stores.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.create
healthcare.fhirStores.delete
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.fhirStoreViewer
Title: Healthcare FHIR Store Viewer (Beta)
Description: List FHIR Stores in a dataset.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.hl7V2Consumer
Title: Healthcare HL7v2 Message Consumer (Beta)
Description: List and read HL7v2 messages, update message labels, and publish new messages.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.hl7V2Editor
Title: Healthcare HL7v2 Message Editor (Beta)
Description: Read, write, and delete access to HL7v2 messages.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.hl7V2Ingest
Title: Healthcare HL7v2 Message Ingest (Beta)
Description: Ingest HL7v2 messages received from a source network.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.hl7V2StoreAdmin
Title: Healthcare HL7v2 Store Administrator (Beta)
Description: Administer HL7v2 Stores.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/healthcare.hl7V2StoreViewer
Title: Healthcare HL7v2 Store Viewer (Beta)
Description: View HL7v2 Stores in a dataset.
Permissions:
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

IAM roles

Role: roles/iam.securityReviewer
Title: Security Reviewer
Description: Provides permissions to list all resources and the Cloud IAM policies on them.
Permissions:
accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.eventStores.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.generalModels.getIamPolicy
cloudtranslate.glossaries.getIamPolicy
cloudtranslate.glossaries.list
cloudtranslate.languageDetectionModels.getIamPolicy
cloudtranslate.locations.getIamPolicy
cloudtranslate.locations.list
cloudtranslate.operations.getIamPolicy
cloudtranslate.operations.list
composer.environments.list
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.tagTemplates.getIamPolicy
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
Lowest resource: Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)

Roles

Role: roles/iam.organizationRoleAdmin
Title: Organization Role Administrator
Description: Provides administrative access to all custom roles in the organization and its projects.
Permissions:
iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Lowest resource: Organization

Role: roles/iam.organizationRoleViewer
Title: Organization Role Viewer
Description: Provides read access to all custom roles in the organization and its projects.
Permissions:
iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Lowest resource: Project

Role: roles/iam.roleAdmin
Title: Role Administrator
Description: Provides access to all custom roles in the project.
Permissions:
iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Lowest resource: Project

Role: roles/iam.roleViewer
Title: Role Viewer
Description: Provides read access to all custom roles in the project.
Permissions:
iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Lowest resource: Project

Service Account roles

Role: roles/iam.serviceAccountAdmin
Title: Service Account Admin
Description: Create and manage service accounts.
Permissions:
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Service Account

Role: roles/iam.serviceAccountCreator
Title: Create Service Accounts
Description: Access to create service accounts.
Permissions:
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/iam.serviceAccountDeleter
Title: Delete Service Accounts
Description: Access to delete service accounts.
Permissions:
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/iam.serviceAccountKeyAdmin
Title: Service Account Key Admin
Description: Create and manage (and rotate) service account keys.
Permissions:
iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Service Account

Role: roles/iam.serviceAccountTokenCreator
Title: Service Account Token Creator
Description: Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.).
Permissions:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Service Account

Role: roles/iam.serviceAccountUser
Title: Service Account User
Description: Run operations as the service account.
Permissions:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Service Account

Logging roles

Role: roles/logging.admin
Title: Logging Admin
Description: Provides all permissions necessary to use all features of Stackdriver Logging.
Permissions:
logging.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/logging.configWriter
Title: Logs Configuration Writer
Description: Provides permissions to read and write the configuration of logs-based metrics and export sinks.
Permissions:
logging.exclusions.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Project

Role: roles/logging.logWriter
Title: Logs Writer
Description: Provides the permissions to write log entries.
Permissions:
logging.logEntries.create
Lowest resource: Project

Role: roles/logging.privateLogViewer
Title: Private Logs Viewer
Description: Provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs.
Permissions:
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
Lowest resource: Project

Role: roles/logging.viewer
Title: Logs Viewer
Description: Provides access to view logs.
Permissions:
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
Lowest resource: Project

Machine Learning Engine roles

Role: roles/ml.admin
Title: ML Engine Admin
Description: Provides full access to Cloud ML Engine resources and their jobs, operations, models and versions.
Permissions:
ml.*
resourcemanager.projects.get
Lowest resource: Project

Role: roles/ml.developer
Title: ML Engine Developer
Description: Provides the ability to use AI Platform resources for creating models, versions, and jobs for training and prediction, and for sending online prediction requests.
Permissions:
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
Lowest resource: Project

Role: roles/ml.jobOwner
Title: ML Engine Job Owner
Description: Provides full access to a particular job resource. This role is automatically granted to the user who creates the job.
Permissions:
ml.jobs.*
Lowest resource: Job

Role: roles/ml.modelOwner
Title: ML Engine Model Owner
Description: Provides full access to a model and its versions. This role is automatically granted to the user who creates the model.
Permissions:
ml.models.*
ml.versions.*
Lowest resource: Model

Role: roles/ml.modelUser
Title: ML Engine Model User
Description: Provides read access to a model and its versions, and the ability to use the model for prediction.
Permissions:
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
Lowest resource: Model

Role: roles/ml.operationOwner
Title: ML Engine Operation Owner
Description: Provides full access to a particular operation resource.
Permissions:
ml.operations.*
Lowest resource: Operation

Role: roles/ml.viewer
Title: ML Engine Viewer
Description: Provides read-only access to Cloud ML Engine resources.
Permissions:
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Lowest resource: Project

Monitoring roles

Role: roles/monitoring.admin
Title: Monitoring Admin
Description: Provides the same access as roles/monitoring.editor.
Permissions:
cloudnotifications.*
monitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.*
Lowest resource: Project

Role: roles/monitoring.alertPolicyEditor
Title: Monitoring AlertPolicy Editor (Beta)
Description: Read/write access to alerting policies.
Permissions:
monitoring.alertPolicies.*

Role: roles/monitoring.alertPolicyViewer
Title: Monitoring AlertPolicy Viewer (Beta)
Description: Read-only access to alerting policies.
Permissions:
monitoring.alertPolicies.get
monitoring.alertPolicies.list

Role: roles/monitoring.editor
Title: Monitoring Editor
Description: Provides full access to information about all monitoring data and configurations.
Permissions:
cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.*
Lowest resource: Project

Role: roles/monitoring.metricWriter
Title: Monitoring Metric Writer
Description: Provides write-only access to metrics. This is exactly the set of permissions needed by the Stackdriver agent and other systems that send metrics.
Permissions:
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
Lowest resource: Project

Role: roles/monitoring.notificationChannelEditor
Title: Monitoring NotificationChannel Editor (Beta)
Description: Read/write access to notification channels.
Permissions:
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify

Role: roles/monitoring.notificationChannelViewer
Title: Monitoring NotificationChannel Viewer (Beta)
Description: Read-only access to notification channels.
Permissions:
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list

Role: roles/monitoring.uptimeCheckConfigEditor
Title: Monitoring UptimeCheckConfig Editor (Beta)
Description: Read/write access to uptime check configurations.
Permissions:
monitoring.uptimeCheckConfigs.*

Role: roles/monitoring.uptimeCheckConfigViewer
Title: Monitoring UptimeCheckConfig Viewer (Beta)
Description: Read-only access to uptime check configurations.
Permissions:
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list

Role: roles/monitoring.viewer
Title: Monitoring Viewer
Description: Provides read-only access to get and list information about all monitoring data and configurations.
Permissions:
cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Lowest resource: Project

Organization Policy roles

Role: roles/axt.admin
Title: Access Transparency Admin
Description: Enable Access Transparency for the organization.
Permissions:
axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/orgpolicy.policyAdmin
Title: Organization Policy Administrator
Description: Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.
Permissions:
orgpolicy.*
Lowest resource: Organization

Role: roles/orgpolicy.policyViewer
Title: Organization Policy Viewer
Description: Provides access to view Organization Policies on resources.
Permissions:
orgpolicy.policy.get
Lowest resource: Organization

Other roles

Role: roles/accesscontextmanager.policyAdmin
Title: Access Context Manager Admin
Description: Full access to policies, access levels, and access zones.
Permissions:
accesscontextmanager.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/accesscontextmanager.policyEditor
Title: Access Context Manager Editor
Description: Edit access to policies. Create, edit, and change access levels and access zones.
Permissions:
accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/accesscontextmanager.policyReader
Title: Access Context Manager Reader
Description: Read access to policies, access levels, and access zones.
Permissions:
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/dlpscanner.serviceAgent
Title: DLP Scanner Service Agent (Alpha)
Description: Allows DLP API access for DLP Scanner.

Role: roles/indexstore.serviceAgent
Title: Cloud Indexstore API Service Agent (Alpha)
Description: Grants Cloud Indexstore access to services and APIs in the user project.

Role: roles/mobilecrashreporting.symbolMappingsAdmin
Title: Firebase Crash Symbol Uploader (Deprecated)
Description: Full read/write access to symbol mapping file resources for Firebase Crash Reporting. Deprecated in favor of firebasecrash.symbolMappingsAdmin.
Permissions:
firebase.clients.get
resourcemanager.projects.get

Role: roles/resourcemanager.organizationCreator
Title: Organization Creator
Description: Access to create and list organizations.

Role: roles/runtimeconfig.admin
Title: Cloud RuntimeConfig Admin
Description: Full access to RuntimeConfig resources.
Permissions:
runtimeconfig.*

Role: roles/subscribewithgoogledeveloper.developer
Title: Subscribe with Google Developer (Beta)
Description: Access to DevTools for Subscribe with Google.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

Project roles

Role: roles/browser
Title: Browser
Description: Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role does not include permission to view resources in the project.
Permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Lowest resource: Project

Proximity Beacon roles

Role: roles/proximitybeacon.attachmentEditor
Title: Beacon Attachment Editor
Description: Can create and delete attachments; can list and get the project's beacons; can list the project's namespaces.
Permissions:
proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/proximitybeacon.attachmentPublisher
Title: Beacon Attachment Publisher
Description: Grants the permissions needed to create attachments on beacons in a namespace that is not owned by this project.
Permissions:
proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/proximitybeacon.attachmentViewer
Title: Beacon Attachment Viewer
Description: Can view attachments under a namespace; no beacon or namespace permissions.
Permissions:
proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list

Role: roles/proximitybeacon.beaconEditor
Title: Beacon Editor
Description: Has the permissions needed to register, modify, and view beacons; no attachment or namespace permissions.
Permissions:
proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list

Pub/Sub roles

Role: roles/pubsub.admin
Title: Pub/Sub Admin
Description: Provides full access to topics and subscriptions.
Permissions:
pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Topic

Role: roles/pubsub.editor
Title: Pub/Sub Editor
Description: Provides access to modify topics and subscriptions, and access to publish and consume messages.
Permissions:
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Topic

Role: roles/pubsub.publisher
Title: Pub/Sub Publisher
Description: Provides access to publish messages to a topic.
Permissions:
pubsub.topics.publish
Lowest resource: Topic

Role: roles/pubsub.subscriber
Title: Pub/Sub Subscriber
Description: Provides access to consume messages from a subscription and to attach subscriptions to a topic.
Permissions:
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Lowest resource: Topic

Role: roles/pubsub.viewer
Title: Pub/Sub Viewer
Description: Provides access to view topics and subscriptions.
Permissions:
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Lowest resource: Topic

Memorystore Redis roles

Role: roles/redis.admin
Title: Cloud Memorystore Redis Admin (Beta)
Description: Full control of Cloud Memorystore resources.
Permissions:
compute.networks.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Lowest resource: Instance

Role: roles/redis.editor
Title: Cloud Memorystore Redis Editor (Beta)
Description: Manage Cloud Memorystore instances, but cannot create or delete instances.
Permissions:
compute.networks.list
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Lowest resource: Instance

Role: roles/redis.viewer
Title: Cloud Memorystore Redis Viewer (Beta)
Description: Read-only access to all Cloud Memorystore resources.
Permissions:
redis.instances.get
redis.instances.list
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Lowest resource: Instance

Resource Manager roles

Role: roles/resourcemanager.folderAdmin
Title: Folder Admin
Description: Provides all available permissions for working with folders.
Permissions:
orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
Lowest resource: Folder

Role: roles/resourcemanager.folderCreator
Title: Folder Creator
Description: Provides the permissions needed to browse the hierarchy and create folders.
Permissions:
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Folder

Role: roles/resourcemanager.folderEditor
Title: Folder Editor
Description: Provides permission to modify folders and to view a folder's Cloud IAM policy.
Permissions:
orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Folder

Role: roles/resourcemanager.folderIamAdmin
Title: Folder IAM Admin
Description: Provides permissions to administer Cloud IAM policies on folders.
Permissions:
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
Lowest resource: Folder

Role: roles/resourcemanager.folderMover
Title: Folder Mover
Description: Provides permission to move projects and folders into and out of a parent Organization or folder.
Permissions:
resourcemanager.folders.move
resourcemanager.projects.move
Lowest resource: Folder

Role: roles/resourcemanager.folderViewer
Title: Folder Viewer
Description: Provides permission to get a folder and to list the folders and projects below a resource.
Permissions:
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Lowest resource: Folder

Role: roles/resourcemanager.lienModifier
Title: Project Lien Modifier
Description: Provides access to modify project liens.
Permissions:
resourcemanager.projects.updateLiens
Lowest resource: Project

Role: roles/resourcemanager.organizationAdmin
Title: Organization Administrator
Description: Access to administer all resources belonging to the organization.
Permissions:
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

Role: roles/resourcemanager.organizationViewer
Title: Organization Viewer
Description: Provides access to view an organization.
Permissions:
resourcemanager.organizations.get
Lowest resource: Organization

Role: roles/resourcemanager.projectCreator
Title: Project Creator
Description: Provides access to create new projects. Once a user creates a project, they are automatically granted the owner role for that project.
Permissions:
resourcemanager.organizations.get
resourcemanager.projects.create
Lowest resource: Folder

Role: roles/resourcemanager.projectDeleter
Title: Project Deleter
Description: Provides access to delete GCP projects.
Permissions:
resourcemanager.projects.delete
Lowest resource: Folder

Role: roles/resourcemanager.projectIamAdmin
Title: Project IAM Admin
Description: Provides permissions to administer Cloud IAM policies on projects.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Lowest resource: Project

Role: roles/resourcemanager.projectMover
Title: Project Mover
Description: Provides access to update and move projects.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.update
Lowest resource: Project

Cloud Run roles

Role: roles/run.admin
Title: Cloud Run Admin (Beta)
Description: Full control over all Cloud Run resources.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list
run.*

Role: roles/run.invoker
Title: Cloud Run Invoker (Beta)
Description: Can invoke Cloud Run services.
Permissions:
run.routes.invoke

Role: roles/run.viewer
Title: Cloud Run Viewer (Beta)
Description: Can view the state of all Cloud Run resources, including IAM policies.
Permissions:
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list

Security Center roles

Role: roles/securitycenter.admin
Title: Security Center Admin (Beta)
Description: Admin (super user) access to Security Center.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.findingsecuritymarks.*
securitycenter.organizationsettings.*
securitycenter.sources.*

Role: roles/securitycenter.adminEditor
Title: Security Center Admin Editor
Description: Admin read-write access to Security Center.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update

Role: roles/securitycenter.adminViewer
Title: Security Center Admin Viewer
Description: Admin read access to Security Center.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list

Role: roles/securitycenter.assetSecurityMarksWriter
Title: Security Center Asset Security Marks Writer (Beta)
Description: Write access to asset security marks.
Permissions:
securitycenter.assetsecuritymarks.*

Role: roles/securitycenter.assetsDiscoveryRunner
Title: Security Center Assets Discovery Runner (Beta)
Description: Can run asset discovery on assets.
Permissions:
securitycenter.assets.runDiscovery

Role: roles/securitycenter.assetsViewer
Title: Security Center Sources Viewer (Beta)
Description: Read access to assets.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames

Role: roles/securitycenter.editor
Title: Security Center Editor (Beta)
Description: Read-write access to assets, configs, notification streams and marks, and read-only access to scans.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.assets.triggerDiscovery
securitycenter.assets.update
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.configs.update
securitycenter.scans.*

Role: roles/securitycenter.findingSecurityMarksWriter
Title: Security Center Finding Security Marks Writer
Description: Write access to finding security marks.
Permissions:
securitycenter.findingsecuritymarks.*

Role: roles/securitycenter.findingsEditor
Title: Security Center Findings Editor (Beta)
Description: Read/write access to findings.
Permissions:
resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list

Role: roles/securitycenter.findingsStateSetter
Title: Security Center Findings State Setter (Beta)
Description: Can set the state of findings.
Permissions:
securitycenter.findings.setState

Role: roles/securitycenter.findingsViewer
Title: Security Center Findings Viewer (Beta)
Description: Read/write access to findings.
Permissions:
resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list

Role: roles/securitycenter.sourcesAdmin
Title: Security Center Sources Admin
Description: Admin access to sources.
Permissions:
resourcemanager.organizations.get
securitycenter.sources.*

Role: roles/securitycenter.sourcesEditor
Title: Security Center Sources Editor
Description: Read-write access to sources.
Permissions:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update

Role: roles/securitycenter.sourcesViewer
Title: Security Center Sources Viewer (Beta)
Description: Read access to sources.
Permissions:
resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list

Role: roles/securitycenter.viewer
Title: Security Center Viewer (Beta)
Description: Read access to assets, configs, notification streams, scans and marks.
Permissions:
resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.scans.*

Service Consumer Management roles

Role: roles/serviceconsumermanagement.tenancyUnitsAdmin
Title: Admin of Tenancy Units (Beta)
Description: Administer tenancy units.
Permissions: serviceconsumermanagement.tenancyu.*

Role: roles/serviceconsumermanagement.tenancyUnitsViewer
Title: Tenancy Units Viewer (Beta)
Description: View tenancy units.
Permissions: serviceconsumermanagement.tenancyu.list

Service Management roles

Role: roles/servicemanagement.admin
Title: Service Management Administrator
Description: Full control of all Google Service Management resources.
Permissions: monitoring.timeSeries.list, resourcemanager.folders.get, resourcemanager.folders.list, resourcemanager.organizations.get, resourcemanager.projects.get, resourcemanager.projects.list, serviceconsumermanagement.*, servicemanagement.services.*, serviceusage.quotas.get, serviceusage.services.get

Role: roles/servicemanagement.configEditor
Title: Service Config Editor
Description: Can update service configurations and create rollouts.
Permissions: servicemanagement.services.get, servicemanagement.services.update

Role: roles/servicemanagement.quotaAdmin
Title: Quota Administrator (Beta)
Description: Provides access to administer service quotas.
Permissions: monitoring.timeSeries.list, resourcemanager.organizations.get, resourcemanager.projects.get, resourcemanager.projects.list, servicemanagement.consumerSettings.*, serviceusage.quotas.*, serviceusage.services.disable, serviceusage.services.enable, serviceusage.services.get, serviceusage.services.list
Lowest resource: Project

Role: roles/servicemanagement.quotaViewer
Title: Quota Viewer (Beta)
Description: Provides access to view service quotas.
Permissions: monitoring.timeSeries.list, servicemanagement.consumerSettings.get, servicemanagement.consumerSettings.getIamPolicy, servicemanagement.consumerSettings.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list
Lowest resource: Project

Role: roles/servicemanagement.serviceConsumer
Title: Service Consumer
Description: Can enable the service.
Permissions: servicemanagement.services.bind

Role: roles/servicemanagement.serviceController
Title: Service Controller
Description: Runtime control of a service: can check and report its usage.
Permissions: servicemanagement.services.check, servicemanagement.services.get, servicemanagement.services.quota, servicemanagement.services.report
Lowest resource: Project

Service Networking roles

Role: roles/servicenetworking.networksAdmin
Title: Service Networking Admin (Beta)
Description: Full control of service networking for a project.
Permissions: servicenetworking.*

Service Usage roles

Role: roles/serviceusage.apiKeysAdmin
Title: API Keys Admin (Beta)
Description: Ability to create, delete, update, get, and list API keys for a project.
Permissions: serviceusage.apiKeys.*, serviceusage.operations.get

Role: roles/serviceusage.apiKeysViewer
Title: API Keys Viewer (Beta)
Description: Ability to get and list API keys for a project.
Permissions: serviceusage.apiKeys.get, serviceusage.apiKeys.getProjectForKey, serviceusage.apiKeys.list

Role: roles/serviceusage.serviceUsageAdmin
Title: Service Usage Admin (Beta)
Description: Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
Permissions: monitoring.timeSeries.list, serviceusage.operations.*, serviceusage.quotas.*, serviceusage.services.*

Role: roles/serviceusage.serviceUsageConsumer
Title: Service Usage Consumer (Beta)
Description: Ability to inspect service states and operations, and to consume quota and billing for a consumer project.
Permissions: monitoring.timeSeries.list, serviceusage.operations.get, serviceusage.operations.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list, serviceusage.services.use

Role: roles/serviceusage.serviceUsageViewer
Title: Service Usage Viewer (Beta)
Description: Ability to inspect service states and operations for a consumer project.
Permissions: monitoring.timeSeries.list, serviceusage.operations.get, serviceusage.operations.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list

Source roles

Role: roles/source.admin
Title: Source Repository Administrator
Description: Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.
Permissions: source.*
Lowest resource: Project

Role: roles/source.reader
Title: Source Repository Reader
Description: Provides permissions to list, clone, fetch, and browse repositories.
Permissions: source.repos.get, source.repos.list
Lowest resource: Project

Role: roles/source.writer
Title: Source Repository Writer
Description: Provides permissions to list, clone, fetch, browse, and update repositories.
Permissions: source.repos.get, source.repos.list, source.repos.update
Lowest resource: Project

Cloud Spanner roles

Role: roles/spanner.admin
Title: Cloud Spanner Admin
Description: Permission to grant and revoke permissions to other principals, allocate and delete billable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata.
Permissions: monitoring.timeSeries.list, resourcemanager.projects.get, resourcemanager.projects.list, spanner.*
Lowest resource: Project

Role: roles/spanner.databaseAdmin
Title: Cloud Spanner Database Admin
Description: Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to databases in the project, and read from and write to all Cloud Spanner databases in the project.
Permissions: monitoring.timeSeries.list, resourcemanager.projects.get, resourcemanager.projects.list, spanner.databaseOperations.*, spanner.databases.*, spanner.instances.get, spanner.instances.getIamPolicy, spanner.instances.list, spanner.sessions.*
Lowest resource: Project

Role: roles/spanner.databaseReader
Title: Cloud Spanner Database Reader
Description: Permission to read from a Cloud Spanner database, execute SQL queries on the database, and view the schema.
Permissions: spanner.databases.beginReadOnlyTransaction, spanner.databases.getDdl, spanner.databases.read, spanner.databases.select, spanner.sessions.*
Lowest resource: Database

Role: roles/spanner.databaseUser
Title: Cloud Spanner Database User
Description: Permission to read from and write to a Cloud Spanner database, execute SQL queries on the database, and view and update the schema.
Permissions: spanner.databaseOperations.*, spanner.databases.beginOrRollbackReadWriteTransaction, spanner.databases.beginReadOnlyTransaction, spanner.databases.getDdl, spanner.databases.read, spanner.databases.select, spanner.databases.updateDdl, spanner.databases.write, spanner.sessions.*
Lowest resource: Database

Role: roles/spanner.viewer
Title: Cloud Spanner Viewer
Description: Permission to view all Cloud Spanner instances and databases, but not to modify them or read their data.
Permissions: monitoring.timeSeries.list, resourcemanager.projects.get, resourcemanager.projects.list, spanner.databases.list, spanner.instanceConfigs.*, spanner.instances.get, spanner.instances.list
Lowest resource: Project

Stackdriver roles

Role: roles/stackdriver.accounts.editor
Title: Stackdriver Accounts Editor
Description: Read/write access necessary to manage the Stackdriver account structure.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, stackdriver.projects.*

Role: roles/stackdriver.accounts.viewer
Title: Stackdriver Accounts Viewer
Description: Read-only access to get and list information about the Stackdriver account structure.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, stackdriver.projects.get

Role: roles/stackdriver.resourceMaintenanceWindow.editor
Title: Stackdriver Resource Maintenance Window Editor
Description: Read/write access necessary to manage Stackdriver resource maintenance windows.
Permissions: (not listed on this page)

Role: roles/stackdriver.resourceMaintenanceWindow.viewer
Title: Stackdriver Resource Maintenance Window Viewer
Description: Read-only access to information about Stackdriver resource maintenance windows.
Permissions: (not listed on this page)

Role: roles/stackdriver.resourceMetadata.writer
Title: Stackdriver Resource Metadata Writer (Beta)
Description: Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.
Permissions: stackdriver.resourceMetadata.*

Storage roles

Role: roles/storage.admin
Title: Storage Admin
Description: Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and the objects within it.
Permissions: firebase.projects.get, resourcemanager.projects.get, resourcemanager.projects.list, storage.*
Lowest resource: Bucket

Role: roles/storage.objectAdmin
Title: Storage Object Admin
Description: Grants full control of objects, including listing, creating, viewing, and deleting objects.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.*
Lowest resource: Bucket

Role: roles/storage.objectCreator
Title: Storage Object Creator
Description: Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.create
Lowest resource: Bucket

Role: roles/storage.objectViewer
Title: Storage Object Viewer
Description: Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.get, storage.objects.list
Lowest resource: Bucket

Role: roles/storagetransfer.admin
Title: Storage Transfer Admin
Description: Create, update, and manage transfer jobs and operations.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storagetransfer.*

Role: roles/storagetransfer.user
Title: Storage Transfer User
Description: Create and update storage transfer jobs and operations.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storagetransfer.jobs.create, storagetransfer.jobs.get, storagetransfer.jobs.list, storagetransfer.jobs.update, storagetransfer.operations.*, storagetransfer.projects.*

Role: roles/storagetransfer.viewer
Title: Storage Transfer Viewer
Description: Read access to storage transfer jobs and operations.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storagetransfer.jobs.get, storagetransfer.jobs.list, storagetransfer.operations.get, storagetransfer.operations.list, storagetransfer.projects.*

Storage legacy roles

Role: roles/storage.legacyBucketOwner
Title: Storage Legacy Bucket Owner
Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies. Because the role includes storage.buckets.setIamPolicy, a principal holding it can grant any other principal access to the bucket. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.
Permissions: storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update, storage.objects.create, storage.objects.delete, storage.objects.list
Lowest resource: Bucket

Role: roles/storage.legacyBucketReader
Title: Storage Legacy Bucket Reader
Description: Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.
Permissions: storage.buckets.get, storage.objects.list
Lowest resource: Bucket

Role: roles/storage.legacyBucketWriter
Title: Storage Legacy Bucket Writer
Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.
Permissions: storage.buckets.get, storage.objects.create, storage.objects.delete, storage.objects.list
Lowest resource: Bucket

Role: roles/storage.legacyObjectOwner
Title: Storage Legacy Object Owner
Description: Grants permission to view and edit objects and their metadata, including ACLs.
Permissions: storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update
Lowest resource: Bucket

Role: roles/storage.legacyObjectReader
Title: Storage Legacy Object Reader
Description: Grants permission to view objects and their metadata, excluding ACLs.
Permissions: storage.objects.get
Lowest resource: Bucket

Support roles

Role: roles/cloudsupport.admin
Title: Support Account Administrator
Description: Can manage support accounts without being granted access to support cases. See the Cloud Support documentation for details.
Permissions: cloudsupport.*
Lowest resource: Organization

Role: roles/cloudsupport.viewer
Title: Support Account Viewer
Description: Read-only access to support account details, but cannot view support cases.
Permissions: cloudsupport.accounts.get, cloudsupport.accounts.getUserRoles, cloudsupport.accounts.list
Lowest resource: Organization

Cloud Threat Detection roles

Role: roles/threatdetection.editor
Title: Threat Detection Settings Editor
Description: Read-write access to all Threat Detection settings.
Permissions: threatdetection.*

Role: roles/threatdetection.viewer
Title: Threat Detection Settings Viewer (Beta)
Description: Read access to all Threat Detection settings.
Permissions: threatdetection.detectorSettings.get, threatdetection.sinkSettings.get, threatdetection.sourceSettings.get

Cloud TPU roles

Role: roles/tpu.admin
Title: TPU Admin
Description: Full access to TPU nodes and related resources.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, tpu.*

Role: roles/tpu.viewer
Title: TPU Viewer
Description: Read-only access to TPU nodes and related resources.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, tpu.acceleratortypes.*, tpu.locations.*, tpu.nodes.get, tpu.nodes.list, tpu.operations.*, tpu.tensorflowversions.*

Custom roles

In addition to the predefined roles, Cloud IAM lets you create custom Cloud IAM roles. A custom role carries one or more permissions that you choose, and you can grant it to users who belong to your organization. For details, see Understanding custom roles and Creating and managing custom roles.
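The role entries above list permissions literally, with a trailing `.*` entry standing for every permission under that prefix, and the custom-role paragraph describes the alternative when no predefined role is narrow enough. The script below is an added example, my own code rather than Google's or anything from this page: it transcribes the Cloud Storage and Storage legacy entries from the table above into a lookup, reports which roles cover a required permission set, expands wildcards so that roles/storage.admin is correctly recognised as also granting storage.buckets.setIamPolicy, and, when the narrowest covering role is still too broad, emits a custom-role definition in the field layout that `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml` reads. The role table is a transcription of this page rather than a live lookup; the wildcard ranking weight and the role id used in the demo are assumptions.

```python
"""Least-privilege role selection against the predefined-role entries on this page.

Added example, not Google's code. ROLE_PERMISSIONS is transcribed from the
Storage and Storage legacy entries above; the selection logic is mine.
"""
from typing import Dict, Iterable, List, Optional

# Transcribed from the role table on this page (constructed lookup, not a live API call).
ROLE_PERMISSIONS: Dict[str, List[str]] = {
    "roles/storage.admin": ["firebase.projects.get", "resourcemanager.projects.get",
                            "resourcemanager.projects.list", "storage.*"],
    "roles/storage.objectAdmin": ["resourcemanager.projects.get",
                                  "resourcemanager.projects.list", "storage.objects.*"],
    "roles/storage.objectCreator": ["resourcemanager.projects.get",
                                    "resourcemanager.projects.list", "storage.objects.create"],
    "roles/storage.objectViewer": ["resourcemanager.projects.get", "resourcemanager.projects.list",
                                   "storage.objects.get", "storage.objects.list"],
    "roles/storage.legacyBucketReader": ["storage.buckets.get", "storage.objects.list"],
    "roles/storage.legacyBucketWriter": ["storage.buckets.get", "storage.objects.create",
                                         "storage.objects.delete", "storage.objects.list"],
    "roles/storage.legacyObjectReader": ["storage.objects.get"],
}

# Permissions that change who may access a bucket or object. Any role that grants
# one of these is an access-control role, whatever its title suggests.
POLICY_PERMISSIONS = ["storage.buckets.getIamPolicy", "storage.buckets.setIamPolicy",
                      "storage.objects.getIamPolicy", "storage.objects.setIamPolicy"]

# Assumed weight for a wildcard entry when ranking breadth: this page does not
# enumerate what "storage.*" expands to, so a wildcard is treated as very wide.
WILDCARD_WEIGHT = 100


def grants(entry: str, permission: str) -> bool:
    """True if a role entry grants the permission. A trailing '.*' covers every
    permission under that prefix, across any number of further segments."""
    if entry.endswith(".*"):
        return permission.startswith(entry[:-1])
    return entry == permission


def role_grants(role: str, permission: str) -> bool:
    return any(grants(e, permission) for e in ROLE_PERMISSIONS[role])


def covering_roles(required: Iterable[str]) -> List[str]:
    """Roles whose permission list covers every required permission, in table order."""
    req = list(required)
    return [r for r in ROLE_PERMISSIONS if all(role_grants(r, p) for p in req)]


def breadth(role: str) -> int:
    """Heuristic size of a role: explicit entries count 1, wildcards count WILDCARD_WEIGHT."""
    return sum(WILDCARD_WEIGHT if e.endswith(".*") else 1 for e in ROLE_PERMISSIONS[role])


def least_privileged_role(required: Iterable[str]) -> Optional[str]:
    """Narrowest predefined role covering the set, or None when only a custom role fits."""
    candidates = covering_roles(required)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (breadth(r), r))


def policy_permissions_granted(role: str) -> List[str]:
    """IAM-policy permissions the role grants once wildcards are expanded."""
    return [p for p in POLICY_PERMISSIONS if role_grants(role, p)]


def custom_role_spec(role_id: str, title: str, required: Iterable[str]) -> dict:
    """Custom-role definition for exactly the required set, using the field names
    (title, description, stage, includedPermissions) that gcloud's --file accepts."""
    perms = sorted(set(required))
    if any(p.endswith(".*") for p in perms):
        raise ValueError("custom roles list concrete permissions, not wildcards")
    return {"title": title,
            "description": f"Custom role {role_id}: exactly {len(perms)} permissions",
            "stage": "GA",
            "includedPermissions": perms}


if __name__ == "__main__":
    read_only = ["storage.objects.get", "storage.objects.list"]
    best = least_privileged_role(read_only)
    print("read-only objects:", covering_roles(read_only), "->", best,
          "policy perms:", policy_permissions_granted(best))
    # Adding bucket metadata read leaves only storage.admin, which also grants setIamPolicy,
    # so the right answer is a custom role (role id below is hypothetical).
    with_bucket = ["storage.objects.get", "storage.buckets.get"]
    only = least_privileged_role(with_bucket)
    print("objects + bucket get:", only, "policy perms:", policy_permissions_granted(only))
    print(custom_role_spec("objectReaderBucketGet", "Object reader with bucket get", with_bucket))
```

Run it as a script to see the two decisions at the bottom. The wildcard weight is a heuristic because this page does not enumerate what `storage.*` expands to; before granting anything on a real project, pull the authoritative list with `gcloud iam roles describe roles/storage.objectViewer` (or the role you are considering), and prefer a custom role whenever the only covering predefined role also carries a setIamPolicy permission.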

Product-specific Cloud IAM documentation

The product-specific Cloud IAM documentation describes in detail the predefined roles each product offers. Read the following pages to learn more about the predefined roles.

Document: Description
Cloud IAM for App Engine: Describes the Cloud IAM roles for App Engine
Cloud IAM for BigQuery: Describes the Cloud IAM roles for BigQuery
Cloud IAM for Cloud BigTable: Describes the Cloud IAM roles for Cloud BigTable
Cloud IAM for the Cloud Billing API: Describes the Cloud IAM roles and permissions for the Cloud Billing API
Cloud IAM for Cloud Dataflow: Describes the Cloud IAM roles for Cloud Dataflow
Cloud IAM for Cloud Dataproc: Describes the Cloud IAM roles and permissions for Cloud Dataproc
Cloud IAM for Cloud Datastore: Describes the Cloud IAM roles and permissions for Cloud Datastore
Cloud IAM for Cloud DNS: Describes the Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for Cloud KMS: Describes the Cloud IAM roles and permissions for Cloud KMS
Cloud IAM for Cloud ML Engine: Describes the Cloud IAM roles and permissions for Cloud ML Engine
Cloud IAM for Cloud Pub/Sub: Describes the Cloud IAM roles for Cloud Pub/Sub
Cloud IAM for Cloud Spanner: Describes the Cloud IAM roles and permissions for Cloud Spanner
Cloud IAM for Cloud SQL: Describes the Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage: Describes the Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine: Describes the Cloud IAM roles for Compute Engine
Cloud IAM for GKE: Describes the Cloud IAM roles and permissions for GKE
Cloud IAM for Cloud Deployment Manager: Describes the Cloud IAM roles and permissions for Cloud Deployment Manager
Cloud IAM for Organizations: Describes the Cloud IAM roles for organizations
Cloud IAM for Folders: Describes the Cloud IAM roles for folders
Cloud IAM for Projects: Describes the Cloud IAM roles for projects
Cloud IAM for Service Management: Describes the Cloud IAM roles and permissions for Service Management
Cloud IAM for Stackdriver Debugger: Describes the Cloud IAM roles for Debugger
Cloud IAM for Stackdriver Logging: Describes the Cloud IAM roles for Logging
Cloud IAM for Stackdriver Monitoring: Describes the Cloud IAM roles for Monitoring
Cloud IAM for Stackdriver Trace: Describes the Cloud IAM roles and permissions for Trace

What's next
