瞭解角色 | Cloud IAM 說明文件

當某個身分呼叫 Google Cloud Platform API 時，Cloud Identity and Access Management 會要求這個身分具備使用資源的適當權限。您可以將角色授予使用者、群組或服務帳戶，藉此授予權限。

本頁說明可以為身分授予 Cloud Platform 資源存取權的 Cloud IAM 角色。

使用本指南前的建議事項

瞭解 Cloud IAM 的基本概念

角色類型

Cloud IAM 中有三種類型的角色：

原始角色：在 Cloud IAM 推出前就存在的角色，包括「擁有者」、「編輯者」和「檢視者」角色。
預先定義角色：提供精細的特定服務存取權限，並由 GCP 代管。
自訂角色：根據使用者指定的權限清單，提供精細的存取權限。

如要判斷是否有一或多個權限包含在原始、預先定義或自訂角色中，可以透過以下方式進行：

gcloud iam roles describe 指令
roles.get() API

以下各節說明每種角色類型，並舉例說明如何使用這些角色。

原始角色

在 Cloud IAM 推出前就存在三種角色：擁有者、編輯者和檢視者。這些角色屬於同心圓關係；也就是說，擁有者角色包含了編輯者角色中的權限，而編輯者角色包含了檢視者角色中的權限。

下列表格摘要說明原始角色在所有 GCP 服務中包含的權限：

原始角色定義

姓名	名稱	權限
`roles/viewer`	檢視者	不會影響狀態的唯讀動作權限，例如檢視 (但不修改) 現有的資源或資料。
`roles/editor`	編輯者	所有檢視者權限，以及修改狀態的動作權限，像是變更現有的資源。附註：雖然 `roles/editor` 角色包含為大部分 GCP 服務建立和刪除資源的權限，但某些服務不包含這些權限。請參閱上述章節，進一步瞭解如何檢查角色是否具備您所需的權限。
`roles/owner`	擁有者	所有的編輯者權限及以下動作的權限：管理專案的角色和權限，以及專案內的所有資源。設定專案帳單。注意：在資源層級 (如 Cloud Pub/Sub 主題) 上授予擁有者角色，不會在父項專案上授予擁有者角色。擁有者角色不包含機構資源的任何權限。因此，在機構層級上授予擁有者角色，不會允許您更新機構的中繼資料，但是可以讓您修改這個機構下的專案。

您可以透過 GCP Console、API 和 gcloud 指令列工具，在專案或服務資源層級上套用原始角色。

邀請流程

您無法使用 Cloud IAM API 或 gcloud 指令列工具將擁有者角色授予專案成員，而只能透過 GCP 主控台為專案加入擁有者。系統會以電子郵件方式傳送邀請給成員，這位成員必須接受邀請，才能成為專案的擁有者。

請注意，在下列情況中系統不會傳送邀請電子郵件：

您授予的角色不是擁有者。
機構成員將另一位機構成員新增做為機構內專案的擁有者。

預先定義角色

除了原始角色之外，Cloud IAM 還提供其他預先定義角色，可以更精細的方式授予特定 Google Cloud Platform 資源的存取權限，並防止對其他資源進行非必要的存取。

以下表格列出這些角色、角色相關說明，以及可在其中設定角色的最低層級資源類型。可以將特定角色授予此資源類型；或者在大多數情況下，可以將特定角色授予 GCP 階層中任何高於此資源類型的類型。您可以將多個角色授予同一位使用者。例如，同一位使用者可在專案中擁有「網路管理員」和「記錄檢視者」角色，對於專案中的「Pub/Sub」主題也能具備「發布者」角色。如要瞭解每個角色包含哪些權限，請參閱取得角色中繼資料一節。

存取權核准角色

roles/
accessapproval.approver

存取權核准要求核准者 ^{Beta 版} 可查看或處理存取權核准要求，並可查看設定 accessapproval.requests.*
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
accessapproval.configEditor

存取權核准設定編輯者 ^{Beta 版} 可更新存取權核准設定 accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
accessapproval.viewer

存取權核准要求檢視者 ^{Beta 版} 可查看存取權核准要求和設定 accessapproval.requests.get
accessapproval.requests.list
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

動作角色

roles/
actions.Admin

動作管理員具備編輯和部署動作的權限 actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list

roles/
actions.Viewer

動作檢視者具備查看動作的權限 actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Android Management 角色

roles/
androidmanagement.user

Android Management 使用者具備管理裝置的完整管理權限。 androidmanagement.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

App Engine 角色

roles/
appengine.appAdmin

App Engine 管理員所有應用程式配置和設定的讀取/寫入/修改權限。 appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
appengine.appViewer

App Engine 檢視者所有應用程式配置和設定的唯讀存取權。 appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
appengine.codeViewer

App Engine 程式碼檢視者所有應用程式配置、設定和已部署原始碼的唯讀存取權。 appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
appengine.deployer

App Engine 部署者所有應用程式配置和設定的唯讀存取權。

只限於建立新版本的寫入權限；除了刪除未接收流量的版本之外，無法修改現有版本。

附註：「App Engine 部署者」(roles/appengine.deployer) 角色本身擁有足夠的權限，可以使用 App Engine Admin API 進行部署。如要使用其他 App Engine 工具 (例如 gcloud 指令)，您還必須具備「Compute 儲存空間管理員」(roles/compute.storageAdmin) 和「Cloud Build 編輯者」(cloudbuild.builds.editor) 角色。appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
appengine.serviceAdmin

App Engine 服務管理員所有應用程式配置和設定的唯讀存取權。
對模組層級和版本層級設定的寫入權限。無法部署新的版本。 appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

AutoML 角色

roles/
automl.admin

AutoML 管理員 ^{Beta 版} 具備所有 AutoML 資源的完整權限 automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

roles/
automl.editor

AutoML 編輯者 ^{Beta 版} 所有 AutoML 資源的編輯者 automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

roles/
automl.predictor

AutoML 預測者 ^{Beta 版} 使用模型預測 automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list

roles/
automl.viewer

AutoML 檢視者 ^{Beta 版} 所有 AutoML 資源的檢視者 automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

角色	名稱	說明	權限	最低資源

BigQuery 角色

roles/
bigquery.admin

BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. bigquery.*
resourcemanager.projects.get
resourcemanager.projects.list
Project

roles/
bigquery.connectionAdmin

BigQuery 連線管理員 ^{Beta 版} bigquery.connections.*

roles/
bigquery.connectionUser

BigQuery 連線使用者 ^{Beta 版} bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use

roles/
bigquery.dataEditor

BigQuery 資料編輯者

套用於資料集時，dataEditor 提供以下權限：

讀取資料集的中繼資料，以及列出資料集中的表格。
建立、更新、取得及刪除資料集的表格。

套用於專案或機構層級時，此角色還可以建立新的資料集。

bigquery.datasets.create
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list 資料集

roles/
bigquery.dataOwner

BigQuery 資料擁有者

套用於資料集時，dataOwner 提供以下權限：

讀取、更新及刪除資料集。
建立、更新、取得及刪除資料集的表格。

套用於專案或機構層級時，此角色還可以建立新的資料集。

bigquery.datasets.*
bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list 資料集

roles/
bigquery.dataViewer

BigQuery 資料檢視者

套用於資料集時，dataViewer 提供以下權限：

讀取資料集的中繼資料，以及列出資料集中的表格。
讀取資料集表格的資料和中繼資料。

套用於專案或機構層級時，這個角色也可以列舉專案中的所有資料集，但還需要其他角色才能執行工作。

bigquery.datasets.get
bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list 資料集

roles/
bigquery.jobUser

BigQuery 工作使用者提供在專案中執行工作 (包括查詢) 的權限。jobUser 角色可以列舉各自的工作，以及取消自己的工作。 bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
bigquery.metadataViewer

BigQuery 中繼資料檢視者

套用於機構或專案層級時，metadataViewer 提供以下權限：

列出專案中的所有資料集，以及讀取所有資料集的中繼資料。
列出專案中的所有資料表和檢視表，以及讀取所有資料表和檢視表的中繼資料。

如要執行工作，則還需要其他角色。

bigquery.datasets.get
bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list 專案

roles/
bigquery.readSessionUser

BigQuery 讀取工作階段使用者 ^{Beta 版} 具備建立及使用讀取工作階段的存取權限 bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
bigquery.user

BigQuery 使用者提供在專案中執行工作 (包括查詢) 的權限。使用者角色可以列舉各自的工作、取消自己的工作，以及列舉專案中的資料集。此外，還可以在專案中建立新的資料集；系統會將這些新資料集的 bigquery.dataOwner 角色授予給建立者。bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Cloud BigTable 角色

roles/
bigtable.admin

Bigtable 管理員可管理專案中的所有執行個體，包含資料表中儲存的資料，且能夠建立新的執行個體。通常適用於專案管理員。 bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
執行個體

roles/
bigtable.reader

Bigtable 讀取者對資料表內儲存的資料提供唯讀存取權。通常適用於資料科學家、資訊主頁建立者及其他資料分析情境。 bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
執行個體

roles/
bigtable.user

Bigtable 使用者提供資料表中儲存資料的讀寫權限。通常適用於應用程式開發人員或服務帳戶。 bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
執行個體

roles/
bigtable.viewer

Bigtable 檢視者無資料存取權限。此為 Cloud Console 中對 Bigtable 的最低存取權限。 bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
執行個體

角色	名稱	說明	權限	最低資源

帳單角色

roles/
billing.admin

Billing Account Administrator Provides access to see and manage all aspects of billing accounts. billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account

roles/
billing.creator

帳單帳戶建立者提供建立帳單帳戶的權限。 billing.accounts.create
resourcemanager.organizations.get
專案

roles/
billing.projectManager

專案帳單管理員提供指派專案的帳單帳戶或停用專案的帳單功能的權限。 resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
專案

roles/
billing.user

帳單帳戶使用者提供建立專案與帳單帳戶之間關聯的權限。 billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create
帳單帳戶

roles/
billing.viewer

帳單帳戶檢視者查看帳單帳戶費用資訊和交易。 billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
機構
帳單帳戶

角色	名稱	說明	權限	最低資源

二進位授權角色

roles/
binaryauthorization.attestorsAdmin

二進位授權驗證者管理員 ^{Beta 版} 二進位授權驗證者的管理員 binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.attestorsEditor

二進位授權驗證者編輯者 ^{Beta 版} 二進位授權驗證者的編輯者 binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.attestorsVerifier

二進位授權驗證者映像檔驗證者 ^{Beta 版} 二進位授權驗證者 VerifyImageAttested 的呼叫者 binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.attestorsViewer

二進位授權驗證者檢視者 ^{Beta 版} 二進位授權驗證者的檢視者 binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.policyAdmin

二進位授權政策管理員 ^{Beta 版} 二進位授權政策的管理員 binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.policyEditor

二進位授權政策編輯者 ^{Beta 版} 二進位授權政策的編輯者 binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list

roles/
binaryauthorization.policyViewer

二進位授權政策檢視者 ^{Beta 版} 二進位授權政策的檢視者 binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Hangouts Chat 角色

roles/
chat.owner

Chat 機器人擁有者可查看及修改機器人設定 chat.*

roles/
chat.reader

Chat 機器人檢視者可查看機器人設定 chat.bots.get

角色	名稱	說明	權限	最低資源

Cloud Asset 角色

roles/
cloudasset.owner

雲資產所有者 ^{Beta 版} 雲端資產中繼資料的完整權限 cloudasset.*

roles/
cloudasset.viewer

雲端資產檢視者具備雲端資產中繼資料的唯讀存取權 cloudasset.assets.*

角色	名稱	說明	權限	最低資源

Cloud Build 角色

roles/
cloudbuild.builds.builder

Cloud Build Service 帳戶可執行建構作業 cloudbuild.*
logging.logEntries.create
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

roles/
cloudbuild.builds.editor

Cloud Build 編輯者提供建立和取消版本的存取權。 cloudbuild.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
cloudbuild.builds.viewer

Cloud Build 檢視者提供檢視版本的存取權。 cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Cloud Data Fusion 角色

roles/
datafusion.admin

Cloud Data Fusion 管理員 ^{Beta 版} 具備 Cloud Data Fusion 執行個體和相關資源的完整存取權限。 datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datafusion.viewer

Cloud Data Fusion 檢視者 ^{Beta 版} 具備 Cloud Data Fusion 執行個體和相關資源的唯讀存取權。 datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Stackdriver Debugger 角色

roles/
clouddebugger.agent

Stackdriver Debugger 代理人 ^{Beta 版} 提供註冊偵錯目標、讀取有效中斷點及報告中斷點結果的權限。 clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
服務帳戶

roles/
clouddebugger.user

Stackdriver Debugger 使用者 ^{Beta 版} 提供建立、查看、列出和刪除中斷點 (快照和記錄點) 及列出偵錯目標的權限。 clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
專案

角色	名稱	說明	權限	最低資源

Cloud Functions 角色

roles/
cloudfunctions.admin

Cloud Functions 管理員 ^{Beta 版} 具備函式、作業和位置的完整存取權。 cloudfunctions.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
cloudfunctions.developer

Cloud Functions 開發人員 ^{Beta 版} 具備讀取及寫入所有函式相關資源的權限。 cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
cloudfunctions.invoker

Cloud Functions 叫用者 ^{Beta 版} 可在存取權受限的情況下叫用 HTTP 函式。 cloudfunctions.functions.invoke

roles/
cloudfunctions.viewer

Cloud Functions 檢視者 ^{Beta 版} 具備函式和位置的唯讀存取權。 cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Cloud IAP 角色

roles/
iap.admin

IAP 政策管理員提供 Identity-Aware Proxy 資源的完整存取權。 iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
專案

roles/
iap.httpsResourceAccessor

受 IAP 保護的網路應用程式使用者提供使用 Identity-Aware Proxy 存取 HTTPS 資源的權限。 iap.webServiceVersions.accessViaIAP
專案

roles/
iap.tunnelResourceAccessor

受 IAP 保護的通道使用者可存取使用 Identity-Aware Proxy 的通道資源 iap.tunnelInstances.accessViaIAP

角色	名稱	說明	權限	最低資源

Cloud IoT 角色

roles/
cloudiot.admin

Cloud IoT 管理員具備所有 Cloud IoT 資源和權限的完整控管權。 cloudiot.*
cloudiottoken.*
裝置

roles/
cloudiot.deviceController

Cloud IoT 裝置控制者可更新裝置的配置，但無法建立或刪除裝置。 cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.updateConfig
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
裝置

roles/
cloudiot.editor

Cloud IoT Editor Read-write access to all Cloud IoT resources. cloudiot.devices.*
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.list
cloudiot.registries.update
cloudiottoken.*
Device

roles/
cloudiot.provisioner

Cloud IoT 佈建者可在登錄檔中建立及刪除裝置，但無法修改登錄檔。 cloudiot.devices.*
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
裝置

roles/
cloudiot.viewer

Cloud IoT 檢視者具備所有 Cloud IoT 資源的唯讀存取權。 cloudiot.devices.get
cloudiot.devices.list
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
裝置

角色	名稱	說明	權限	最低資源

Cloud Talent Solution 角色

roles/
cloudjobdiscovery.admin

管理員可使用 Cloud Job Discovery 自助式工具 cloudjobdiscovery.tools.*
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudjobdiscovery.jobsEditor

工作編輯者具備所有 Cloud Job Discovery 資料的寫入權限。 cloudjobdiscovery.companies.*
cloudjobdiscovery.events.*
cloudjobdiscovery.jobs.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudjobdiscovery.jobsViewer

工作檢視者可讀取 Cloud Job Discovery 的所有資料。 cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudjobdiscovery.profilesEditor

設定檔編輯者可寫入 Cloud Talent Solution 中所有的設定檔資料。 cloudjobdiscovery.events.*
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudjobdiscovery.profilesViewer

設定檔檢視者可讀取 Cloud Talent Solution 中所有的設定檔資料。 cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Cloud KMS 角色

roles/
cloudkms.admin

Cloud KMS 管理員提供對 KMS 資源的完整存取權，但加密和解密作業除外。 cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeys.*
cloudkms.importJobs.*
cloudkms.keyRings.*
resourcemanager.projects.get
CryptoKey

roles/
cloudkms.cryptoKeyDecrypter

Cloud KMS CryptoKey 解密者可使用 KMS 資源，但僅限於解密作業。 cloudkms.cryptoKeyVersions.useToDecrypt
resourcemanager.projects.get
CryptoKey

roles/
cloudkms.cryptoKeyEncrypter

Cloud KMS CryptoKey 加密者可使用 KMS 資源，但僅限於加密作業。 cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
CryptoKey

roles/
cloudkms.cryptoKeyEncrypterDecrypter

Cloud KMS 加密編譯金鑰加密者/解密者可以使用 Cloud KMS 資源，但只限用於加密與解密作業。 cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
加密編譯金鑰

roles/
cloudkms.importer

Cloud KMS 匯入者可啟用 ImportCryptoKeyVersion、CreateImportJob、ListImportJobs，以及 GetImportJob 作業 cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.importJobs.useToImport
resourcemanager.projects.get

roles/
cloudkms.publicKeyViewer

Cloud KMS 加密編譯金鑰的公開金鑰檢視器 ^{Beta 版} 啟用 GetPublicKey 作業 cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get

roles/
cloudkms.signer

Cloud KMS CryptoKey 簽署者可啟用 AsymmetricSign 作業 cloudkms.cryptoKeyVersions.useToSign
resourcemanager.projects.get

roles/
cloudkms.signerVerifier

Cloud KMS CryptoKey 簽署者/驗證者可啟用 AsymmetricSign 和 GetPublicKey 作業 cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get

角色	名稱	說明	權限	最低資源

雲端遷移角色

roles/
cloudmigration.inframanager

Velostrata Manager ^{Beta 版} 可建立及管理 Compute VM，以執行 Velostrata 基礎架構 cloudmigration.*
compute.addresses.*
compute.diskTypes.*
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.update
compute.instances.updateNetworkInterface
compute.instances.updateShieldedInstanceConfig
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update

roles/
cloudmigration.storageaccess

Velostrata Storage 存取權 ^{Beta 版} 可存取遷移儲存空間 storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

roles/
cloudmigration.velostrataconnect

Velostrata Manager 連結代理人 ^{Beta 版} 可設定 Velostrata Manager 與 Google 之間的連線 cloudmigration.*
gkehub.endpoints.*

roles/
vmmigration.admin

VM Migration 管理員 ^{Beta 版} 可查看及編輯所有 VM Migration 物件 vmmigration.*

roles/
vmmigration.viewer

VM Migration 檢視者 ^{Beta 版} 可查看所有 VM Migration 物件 vmmigration.deployments.get
vmmigration.deployments.list

角色	名稱	說明	權限	最低資源

Cloud Private Catalog 角色

roles/
cloudprivatecatalog.consumer

目錄消費者 ^{Beta 版} 可瀏覽目標資源內容中的目錄。 cloudprivatecatalog.*

roles/
cloudprivatecatalogproducer.admin

目錄管理員 ^{Beta 版} 可管理目錄及查看其關聯。 cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get

roles/
cloudprivatecatalogproducer.manager

目錄管理員 ^{Beta 版} 可管理目錄和目標資源之間的關聯。 cloudprivatecatalog.*
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get

角色	名稱	說明	權限	最低資源

Stackdriver Profiler 角色

roles/
cloudprofiler.agent

Stackdriver Profiler 代理人 ^{Beta 版} Stackdriver Profiler 代理人可註冊及提供剖析資料。 cloudprofiler.profiles.create
cloudprofiler.profiles.update

roles/
cloudprofiler.user

Stackdriver Profiler 使用者 ^{Beta 版} Stackdriver Profiler 使用者可查詢及檢視剖析資料。 cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Cloud Scheduler 角色

roles/
cloudscheduler.admin

Cloud Scheduler 管理員 ^{Beta 版} 具備工作與作業的完整存取權。 cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudscheduler.jobRunner

Cloud Scheduler 工作執行者 ^{Beta 版} 具有執行工作的權限。 cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudscheduler.viewer

Cloud Scheduler 檢視者 ^{Beta 版} 具備取得及列出工作、作業和位置的權限。 cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Cloud Security Scanner 角色

roles/
cloudsecurityscanner.editor

Cloud Security Scanner 編輯者具備所有 Cloud Security Scanner 資源的完整存取權 appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
cloudsecurityscanner.runner

Cloud Security Scanner 執行者可讀取 Scan 與 ScanRun，且可啟動掃描功能 cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run

roles/
cloudsecurityscanner.viewer

Cloud Security Scanner 檢視者可讀取 Cloud Security Scanner 的所有資源 cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Cloud Services 角色

roles/
servicebroker.admin

服務代理程式管理員 ^{Beta 版} 具備 ServiceBroker 資源的完整存取權。 servicebroker.*

roles/
servicebroker.operator

服務代理程式操作者 ^{Beta 版} 具備 ServiceBroker 資源的操作存取權。 servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update

角色	名稱	說明	權限	最低資源

Cloud SQL 角色

roles/
cloudsql.admin

Cloud SQL 管理員提供對 Cloud SQL 資源的完整控管權。 cloudsql.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
cloudsql.client

Cloud SQL 用戶端提供 Cloud SQL 執行個體的連線權限。 cloudsql.instances.connect
cloudsql.instances.get
專案

roles/
cloudsql.editor

Cloud SQL 編輯者提供現有 Cloud SQL 執行個體的完整控管權，但無法修改使用者、安全資料傳輸層 (SSL) 憑證或刪除資源。 cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.restart
cloudsql.instances.rotateServerCa
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
cloudsql.viewer

Cloud SQL 檢視者具備 Cloud SQL 資源的唯讀存取權。 cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

角色	名稱	說明	權限	最低資源

Cloud Tasks 角色

roles/
cloudtasks.admin

Cloud Tasks 管理員 ^{Beta 版} 具備佇列和工作的完整存取權。 cloudtasks.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtasks.enqueuer

Cloud Tasks 排入佇列者 ^{Beta 版} 具備建立工作的權限。 cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtasks.queueAdmin

Cloud Tasks 佇列管理員 ^{Beta 版} 具備佇列的管理權限。 cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtasks.taskDeleter

Cloud Tasks 工作刪除者 ^{Beta 版} 具備刪除工作的權限。 cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtasks.taskRunner

Cloud Tasks 工作執行者 ^{Beta 版} 具備執行工作的權限。 cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtasks.viewer

Cloud Tasks 檢視者 ^{Beta 版} 可取得及列出工作、佇列與位置。 cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Cloud Trace 角色

roles/
cloudtrace.admin

Cloud Trace 管理員提供 Trace 主控台的完整存取權，以及追蹤記錄的讀取/寫入權限。 cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
cloudtrace.agent

Cloud Trace 代理人適用於服務帳戶。可將資料傳送至 Stackdriver Trace 來寫入追蹤記錄。cloudtrace.traces.patch
專案

roles/
cloudtrace.user

Cloud Trace 使用者具備 Trace 主控台的完整存取權限和追蹤記錄的讀取權限。 cloudtrace.insights.*
cloudtrace.stats.*
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Cloud Translation 角色

roles/
cloudtranslate.admin

Cloud Translation API 管理員具備所有 Cloud Translation 資源的完整存取權限 automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtranslate.editor

Cloud Translation API 編輯者可編輯所有 Cloud Translation 資源 automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtranslate.user

Cloud Translation API 使用者可使用 Cloud Translation 和 AutoML 模型 automl.models.get
automl.models.predict
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.languageDetectionModels.*
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtranslate.viewer

Cloud Translation API 檢視者可檢視所有 Translation 資源 automl.models.get
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Codelab API 金鑰角色

roles/
codelabapikeys.admin

Codelab API 金鑰管理員 ^{Beta 版} 具備 API 金鑰的完整存取權限 resourcemanager.projects.get
resourcemanager.projects.list

roles/
codelabapikeys.editor

程式碼研究室 API 金鑰編輯者 ^{Beta 版} 這個角色可以查看及編輯 API 金鑰的所有屬性。resourcemanager.projects.get
resourcemanager.projects.list

roles/
codelabapikeys.viewer

程式碼研究室 API 金鑰檢視者 ^{Beta 版} 這個角色可以查看 API 金鑰的所有屬性 (變更記錄除外)。 resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Cloud Composer 角色

roles/
composer.admin

Composer 管理員具備 Cloud Composer 資源的完整控管權限。 composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
composer.environmentAndStorageObjectAdmin

環境與 Storage 物件管理員可完整控管 Cloud Composer 的資源和所有專案值區中的物件。composer.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.*
專案

roles/
composer.environmentAndStorageObjectViewer

環境使用者與 Storage 物件檢視者具備列出及取得 Cloud Composer 環境和作業所需的權限。具備所有專案值區中物件的唯讀存取權。composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
專案

roles/
composer.user

Composer 使用者具備列出及取得 Cloud Composer 環境和作業所需的權限。 composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
composer.worker

Composer 工作者具備執行 Cloud Composer 環境 VM 所需的權限，適用於服務帳戶。cloudbuild.*
container.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.*
專案

角色	名稱	說明	權限	最低資源

Compute Engine 角色

roles/
compute.admin

Compute 管理員

具備所有 Compute Engine 資源的完整控管權限。

如果使用者會管理設為以服務帳戶的形式運作的虛擬機器執行個體，您必須一併為該名使用者授予 roles/iam.serviceAccountUser 角色。

compute.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 磁碟、映像檔、執行個體、instanceTemplate、nodeGroup、nodeTemplate、快照^{Beta 版}

roles/
compute.imageUser

Compute 映像檔使用者

具備列出及讀取映像檔的權限，不過沒有其他映像檔存取權限。如果您是在專案層級為使用者授予 compute.imageUser 角色，對方就能列出專案中的所有映像檔，並依據專案中的映像檔建立執行個體和永久磁碟等資源。

compute.images.get
compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 映像檔^{Beta 版}

roles/
compute.instanceAdmin

Compute 執行個體管理員 (Beta 版)

具備建立、修改及刪除虛擬機器執行個體的權限，當中包含建立、修改及刪除磁碟的權限，以及變更受防護的 VM^{Beta 版} 設定的權限。

如果使用者會管理設為以服務帳戶的形式運作的虛擬機器執行個體，您必須一併為該名使用者授予 roles/iam.serviceAccountUser 角色。

舉例來說，假設貴公司指派某人來管理虛擬機器執行個體群組，但該名人員不需要管理網路或安全性設定，也不必管理以服務帳戶的形式運作的執行個體，您可以在含有相關執行個體的機構、資料夾或專案中為其授予這個角色，或是在個別執行個體中為其授予這個角色。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 磁碟、映像檔、執行個體、instanceTemplate、快照^{Beta 版}

roles/
compute.instanceAdmin.v1

Compute 執行個體管理員 (v1) 具備 Compute Engine 執行個體、執行個體群組、磁碟、快照和映像檔的完整控管權限，以及所有 Compute Engine 網路資源的讀取權限。

如果您僅在執行個體層級為使用者授予這個角色，對方將無法建立新的執行個體。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

roles/
compute.loadBalancerAdmin

Compute 負載平衡器管理員 ^{Beta 版}

具備建立、修改及刪除負載平衡器與相關聯資源的權限。

舉例來說，假設貴公司建立了一個負載平衡團隊來管理負載平衡器、負載平衡器的安全資料傳輸層 (SSL) 憑證、安全資料傳輸層 (SSL) 政策和其他負載平衡資源，並另外設置了一個網路團隊來管理其他網路資源，請將 loadBalancerAdmin 角色授予負載平衡團隊成員。

compute.addresses.*
compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 執行個體^{Beta 版}

roles/
compute.networkAdmin

Compute 網路管理員

具備建立、修改及刪除網路資源的權限，但防火牆規則和安全資料傳輸層 (SSL) 憑證除外。網路管理員角色具備防火牆規則、安全資料傳輸層 (SSL) 憑證和執行個體 (用於查看臨時 IP 位址) 的唯讀存取權。不過，具備這個角色的使用者無法建立、啟動、停止或刪除執行個體。

舉例來說，假設貴公司建立了一個安全性團隊來管理防火牆和安全資料傳輸層 (SSL) 憑證，並設置了一個網路團隊來管理其他網路資源，請將 networkAdmin 角色授予網路團隊成員。

compute.addresses.*
compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 執行個體^{Beta 版}

roles/
compute.networkUser

Compute 網路使用者

具備共用虛擬私人雲端網路的存取權限

取得這個角色之後，服務擁有者就能使用主專案中的虛擬私人雲端網路和子網路。舉例來說，網路使用者可以建立隸屬於特定主專案網路的 VM 執行個體，但無法在主專案中刪除或建立新的網路。

compute.addresses.createInternal
compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 專案

roles/
compute.networkViewer

Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software's service account the networkViewer role.

compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Instance^Beta

roles/
compute.orgSecurityPolicyAdmin

Compute 機構安全性政策管理員 ^{Beta 版} 具備 Compute Engine 機構安全性政策的完整控制權。 compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
compute.orgSecurityPolicyUser

Compute 機構安全性政策使用者 ^{Beta 版} 查看或使用 Compute Engine 安全性政策，並與機構或資料夾建立關聯。 compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
compute.orgSecurityResourceAdmin

Compute 機構資源管理員 ^{Beta 版} 具備與機構或資料夾相關聯之 Compute Engine 安全性政策的完整控制權。 compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
compute.osAdminLogin

Compute OS 管理員登入

以管理員使用者身分登入 Compute Engine 執行個體的存取權。

compute.instances.get
compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 執行個體^{Beta 版}

roles/
compute.osLogin

Compute OS 登入

以標準使用者身分登入 Compute Engine 執行個體的存取權。

compute.instances.get
compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 執行個體^{Beta 版}

roles/
compute.osLoginExternalUser

Compute OS 登入外部使用者

僅可用於機構層級。

允許外部使用者設定與此機構關聯的 OS 登入資訊。此角色並未授予對執行個體的存取權。外部使用者必須獲得必要的OS 登入角色，才能使用 SSH 存取執行個體。

compute.oslogin.*
機構

roles/
compute.securityAdmin

Compute 安全管理員

具備建立、修改及刪除防火牆規則和安全資料傳輸層 (SSL) 憑證的權限，以及進行受防護的 VM^{Beta 版}設定的權限。

舉例來說，如果貴公司的安全性團隊負責管理防火牆和 SSL 憑證，而網路團隊負責管理其他網路資源，請將 securityAdmin 角色授予安全性團隊所屬的群組。

compute.firewalls.*
compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 執行個體^{Beta 版}

roles/
compute.storageAdmin

Compute 儲存空間管理員

具備建立、修改及刪除磁碟、映像檔和快照的權限。

舉例來說，如果貴公司有人負責管理映像檔，而您不希望該使用者具備該專案的編輯者角色，那麼請為對方的帳戶授予專案上的 storageAdmin 角色。

compute.diskTypes.*
compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 磁碟、映像檔、快照^{Beta 版}

roles/
compute.viewer

Compute 檢視者

具備唯讀權限，可以取得及列出 Compute Engine 資源，但無法讀取其上儲存的資料。

舉例來說，具備這個角色的帳戶可以列出專案中的所有磁碟，但無法讀取這些磁碟上的任何資料。

compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list 磁碟、映像檔、執行個體、instanceTemplate、nodeGroup、nodeTemplate、快照 ^{Beta 版}

roles/
compute.xpnAdmin

Compute 共用 VPC 管理員

具備管理共用 VPC 主專案的權限，具體而言可啟用主專案，並為共用 VPC 服務專案與主專案網路建立關聯。

此角色只能由組織管理員授予組織。

Google Cloud 建議您將共用 VPC 管理員設為共用 VPC 主專案的擁有者。共用 VPC 管理員負責將 compute.networkUser 角色授予服務擁有者，而共用 VPC 主專案擁有者則可自行控管專案。如果單一主體 (個別使用者或群體) 可以同時擔任這兩個角色，就能更輕鬆管理專案。

compute.globalOperations.get
compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list 機構

角色	名稱	說明	權限	最低資源

Kubernetes Engine 角色

roles/
container.admin

Kubernetes Engine 管理員提供容器叢集及其 Kubernetes API 物件的完整管理權。 container.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
container.clusterAdmin

Kubernetes Engine 叢集管理員提供容器叢集的管理權。 container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
container.clusterViewer

Kubernetes Engine 叢集檢視者具備 Kubernetes 叢集的唯讀存取權。 container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
container.developer

Kubernetes Engine 開發人員提供容器叢集裡 Kubernetes API 物件的完整存取權。 container.apiServices.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpoints.*
container.events.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
container.hostServiceAgentUser

Kubernetes Engine 託管服務代理程式使用者具備 Kubernetes Engine 託管服務代理程式的存取權限。 compute.firewalls.get
container.hostServiceAgent.*

roles/
container.viewer

Kubernetes Engine 檢視者提供 GKE 資源的唯讀權限。 container.apiServices.get
container.apiServices.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getStatus
container.deployments.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.limitRanges.get
container.limitRanges.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Container Analysis 角色

roles/
containeranalysis.admin

容器分析管理員 ^{Alpha 版} 可存取所有資源。 resourcemanager.projects.get
resourcemanager.projects.list

roles/
containeranalysis.notes.attacher

容器分析註記附加者 ^Alpha 可以將出現次數附加至註記

roles/
containeranalysis.notes.editor

容器分析註記編輯者 ^{Alpha 版} 可以編輯容器分析註記 resourcemanager.projects.get
resourcemanager.projects.list

roles/
containeranalysis.notes.viewer

容器分析筆記檢視者 ^{Alpha 版} 可以檢視容器分析註記 resourcemanager.projects.get
resourcemanager.projects.list

roles/
containeranalysis.occurrences.editor

容器分析發生頻率編輯者 ^Alpha 可編輯容器分析發生頻率 resourcemanager.projects.get
resourcemanager.projects.list

roles/
containeranalysis.occurrences.viewer

容器分析發生頻率檢視者 ^{Alpha 版} 可查看容器分析發生頻率 resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Data Catalog 角色

roles/
datacatalog.admin

Data Catalog 管理員 ^{Beta 版} 具備所有 DataCatalog 資源的完整存取權限 bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.*
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.entryCreator

DataCatalog 項目建立者 ^{Beta 版} 可建立新項目 datacatalog.entries.create
datacatalog.entries.get
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.entryGroupCreator

DataCatalog EntryGroup 建立者 ^{Beta 版} 可以建立新的 entryGroups datacatalog.entryGroups.create
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.entryGroupOwner

DataCatalog entryGroup 擁有者 ^{Beta 版} 具備 entryGroups 的完整存取權 datacatalog.entries.*
datacatalog.entryGroups.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.entryOwner

DataCatalog 項目擁有者 ^{Beta 版} 具備項目的完整存取權限 datacatalog.entries.*
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.entryViewer

DataCatalog 項目檢視者 ^{Beta 版} 具備項目的讀取權限 datacatalog.entries.get
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.tagEditor

Data Catalog 標記編輯者 ^{Beta 版} 可修改 BigQuery 和 Pub/Sub 等 GCP 資產相關標記。 bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.tables.updateTag
pubsub.topics.updateTag

roles/
datacatalog.tagTemplateCreator

Data Catalog TagTemplate 建立者 ^{Beta 版} 可建立新的標記範本 datacatalog.tagTemplates.create
datacatalog.tagTemplates.get

roles/
datacatalog.tagTemplateOwner

Data Catalog TagTemplate 擁有者 ^{Beta 版} 具備標記範本的完整存取權 datacatalog.tagTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.tagTemplateUser

Data Catalog TagTemplate 使用者 ^{Beta 版} 可使用標記範本為資源加上標記 datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.tagTemplateViewer

Data Catalog TagTemplate 檢視者 ^{Beta 版} 可讀取範本和利用範本建立的標記 datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datacatalog.viewer

Data Catalog 檢視者 ^{Beta 版} 檢視 DataCatalog 中的資源 bigquery.datasets.get
bigquery.models.getMetadata
bigquery.tables.get
datacatalog.entries.get
datacatalog.entryGroups.get
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Dataflow 角色

roles/
dataflow.admin

Dataflow 管理員負責建立及管理 Dataflow 工作的最小角色。 compute.machineTypes.get
dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list

roles/
dataflow.developer

Dataflow 開發人員提供執行和操控 Dataflow 工作所需的權限。 dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
dataflow.viewer

Dataflow 檢視者提供所有 Dataflow 相關資源的的唯讀存取權限。 dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.*
dataflow.metrics.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
dataflow.worker

Dataflow 工作站提供 Compute Engine 服務帳戶執行 Dataflow 管道工作單元所需的權限。 compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
logging.logEntries.create
storage.objects.create
storage.objects.get
專案

角色	名稱	說明	權限	最低資源

Cloud Data Labeling 角色

roles/
datalabeling.admin

DataLabeling 服務管理員 ^{Beta 版} 具備所有 DataLabeling 資源的完整存取權 datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datalabeling.editor

DataLabeling 服務編輯者 ^{Beta 版} 可編輯所有 DataLabeling 資源 datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
datalabeling.viewer

DataLabeling 服務檢視者 ^{Beta 版} 可查看所有 DataLabeling 資源 datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Dataprep 角色

roles/
dataprep.projects.user

Dataprep 使用者 ^{Beta 版} 具備 Dataprep 的使用權限。 dataprep.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Dataproc 角色

roles/
dataproc.admin

Dataproc 管理員具備 Dataproc 資源的完整控管權。 compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
dataproc.editor

Dataproc 編輯者提供檢視管理 Cloud Dataproc 所需資源的必要權限，包括機器類型、網路、專案和區域。 compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
dataproc.viewer

Dataproc 檢視者具備 Dataproc 資源的唯讀權限。 compute.machineTypes.get
compute.regions.*
compute.zones.get
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
dataproc.worker

Dataproc 工作站工作站對 Dataproc 的存取權。適用於服務帳戶。 dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.objects.*

角色	名稱	說明	權限	最低資源

Datastore 角色

roles/
datastore.importExportAdmin

Cloud Datastore 匯入匯出管理員提供匯入及匯出項目的完整管理權限。 appengine.applications.get
datastore.databases.export
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
datastore.indexAdmin

Cloud Datastore 索引管理員提供索引定義的完整管理權限。 appengine.applications.get
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
datastore.owner

Cloud Datastore 擁有者提供 Cloud Datastore 資源的完整存取權。 appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
datastore.user

Cloud Datastore 使用者提供 Datastore 資料庫中資料的讀寫權限。 appengine.applications.get
datastore.databases.get
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
datastore.viewer

Cloud Datastore 檢視者提供 Datastore 資源的讀取權限。 appengine.applications.get
datastore.databases.get
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Deployment Manager 角色

roles/
deploymentmanager.editor

Deployment Manager 編輯者提供建立和管理部署作業所需的權限。 deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
deploymentmanager.typeEditor

Deployment Manager 類型編輯者提供所有類型登錄資源的讀寫權限。 deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
專案

roles/
deploymentmanager.typeViewer

Deployment Manager 類型檢視者提供所有類型登錄資源的唯讀存取權限。 deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
專案

roles/
deploymentmanager.viewer

Deployment Manager 檢視者提供所有 Deployment Manager 相關資源的唯讀存取權。 deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

角色	名稱	說明	權限	最低資源

Dialogflow 角色

roles/
dialogflow.admin

Dialogflow API 管理員具備 Dialogflow (只限 API) 資源的完整存取權。使用 roles/owner 或 roles/editor 原始角色存取 API 和 Dialogflow 主控台 (從 Dialogflow 主控台建立代理程式通常需要此存取權限)。dialogflow.*
resourcemanager.projects.get
專案

roles/
dialogflow.client

Dialogflow API 用戶端具備 Dialogflow (只限 API) 資源的用戶端存取權。這個角色授予偵測意圖和讀取/寫入工作階段屬性 (結構定義、工作階段實體類型等) 的權限 dialogflow.contexts.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
專案

roles/
dialogflow.consoleAgentEditor

Dialogflow 主控台代理程式編輯者具備在 Dialogflow 主控台中編輯代理程式的權限 actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get

roles/
dialogflow.reader

Dialogflow API 讀取者具備 Dialogflow (只限 API) 資源的讀取權限，但無法偵測意圖。使用 roles/viewer 原始角色以取得 API 和 Dialogflow 主控台的類似權限。 dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.search
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.operations.*
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
resourcemanager.projects.get
專案

角色	名稱	說明	權限	最低資源

Cloud DLP 角色

roles/
dlp.admin

DLP 管理員可管理 DLP (包括工作和範本)。 dlp.*
serviceusage.services.use

roles/
dlp.analyzeRiskTemplatesEditor

DLP 分析風險範本編輯者可編輯 DLP 分析風險範本。 dlp.analyzeRiskTemplates.*

roles/
dlp.analyzeRiskTemplatesReader

DLP 分析風險範本讀取者可讀取 DLP 分析風險範本。 dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list

roles/
dlp.deidentifyTemplatesEditor

DLP 去識別化範本編輯者可編輯 DLP 去識別化範本。 dlp.deidentifyTemplates.*

roles/
dlp.deidentifyTemplatesReader

DLP 去識別化範本讀取者可讀取 DLP 去識別化範本。 dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list

roles/
dlp.inspectTemplatesEditor

DLP 檢查範本編輯者可編輯 DLP 檢查範本。 dlp.inspectTemplates.*

roles/
dlp.inspectTemplatesReader

DLP 檢查範本讀取者可讀取 DLP 檢查範本。 dlp.inspectTemplates.get
dlp.inspectTemplates.list

roles/
dlp.jobTriggersEditor

DLP 工作觸發條件編輯者可編輯工作觸發條件設定。 dlp.jobTriggers.*

roles/
dlp.jobTriggersReader

DLP 工作觸發條件讀取者可讀取工作觸發條件。 dlp.jobTriggers.get
dlp.jobTriggers.list

roles/
dlp.jobsEditor

DLP 工作編輯者可編輯及建立工作 dlp.jobs.*
dlp.kms.*

roles/
dlp.jobsReader

DLP 工作讀取者可讀取工作 dlp.jobs.get
dlp.jobs.list

roles/
dlp.reader

DLP 讀取者可讀取 DLP 實體，例如工作和範本。 dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

roles/
dlp.storedInfoTypesEditor

DLP 已儲存資料類型編輯者可編輯 DLP 已儲存資訊類型。 dlp.storedInfoTypes.*

roles/
dlp.storedInfoTypesReader

DLP 已儲存資訊類型讀取器可讀取 DLP 已儲存資訊類型。 dlp.storedInfoTypes.get
dlp.storedInfoTypes.list

roles/
dlp.user

DLP 使用者檢查、遮蓋及去識別化內容 dlp.kms.*
serviceusage.services.use

角色	名稱	說明	權限	最低資源

DNS 角色

roles/
dns.admin

DNS 管理員提供所有 Cloud DNS 資源的讀寫權限。 compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
dns.peer

DNS 對等互連 ^{Beta 版} 可存取含有 DNS 對等互連區域的目標網路 dns.networks.targetWithPeeringZone

roles/
dns.reader

DNS 讀取者提供所有 Cloud DNS 資源的唯讀存取權。 compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.*
dns.resourceRecordSets.list
resourcemanager.projects.get
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Endpoints 角色

roles/
endpoints.portalAdmin

端點入口網站管理員 ^{Beta 版} 提供在「Developer Portal」(開發人員入口網站) 頁面 (從 GCP 主控台上點選 [Endpoints] (端點) 進入) 上新增、檢視和刪除自訂網域的所有必要權限。在為 API 建立的入口網站上，提供變更「Settings」(設定) 頁面上「Site Wide」(全網站) 分頁中設定的權限。endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
專案

角色	名稱	說明	權限	最低資源

Error Reporting 角色

roles/
errorreporting.admin

Error Reporting 管理員 ^{Beta 版} 提供 Error Reporting 資料的完整存取權。 cloudnotifications.*
errorreporting.*
專案

roles/
errorreporting.user

Error Reporting 使用者 ^{Beta 版} 提供讀取和寫入 Error Reporting 資料的權限，但不包括傳送新的錯誤事件。 cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.*
專案

roles/
errorreporting.viewer

錯誤報告檢視器 ^{Beta 版} 提供錯誤報告資料的唯讀權限。 cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.*
專案

roles/
errorreporting.writer

錯誤寫入者 ^{Beta 版} 提供將錯誤事件傳送至 Error Reporting 的權限。 errorreporting.errorEvents.create
Service Account

角色	名稱	說明	權限	最低資源

Cloud Filestore 角色

roles/
file.editor

Cloud Filestore 編輯者 ^{Beta 版} 具備 Filestore 執行個體和相關資源的讀取/寫入權限。 file.*

roles/
file.viewer

Cloud Filestore 檢視者 ^{Beta 版} 具備 Filestore 執行個體和相關資源的唯讀權限。 file.instances.get
file.instances.list
file.locations.*
file.operations.get
file.operations.list
file.snapshots.get
file.snapshots.list

角色	名稱	說明	權限	最低資源

Firebase 角色

roles/
firebase.admin

Firebase 管理員具備 Firebase 產品的完整存取權。 appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudconfig.*
cloudfunctions.*
cloudmessaging.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*

roles/
firebase.analyticsAdmin

Firebase Analytics 管理員具備 Google Analytics for Firebase 的完整存取權。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

roles/
firebase.analyticsViewer

Firebase Analytics 檢視者具備 Google Analytics for Firebase 的讀取權限。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

roles/
firebase.developAdmin

Firebase 開發管理員具備 Firebase 開發類產品與數據分析的完整存取權。 appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*

roles/
firebase.developViewer

Firebase 開發檢視者具備 Firebase 開發類產品與數據分析的讀取權限。 automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

roles/
firebase.growthAdmin

Firebase 拓展管理員具備 Firebase 拓展類產品與數據分析的完整存取權。 clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.*
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
firebase.growthViewer

Firebase 拓展檢視者具備 Firebase 拓展類產品與數據分析的讀取權限。 cloudconfig.configs.get
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
firebase.qualityAdmin

Firebase 品質管理員具備 Firebase 品質類產品與數據分析的完整存取權。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
firebase.qualityViewer

Firebase 品質檢視者具備 Firebase 品質類產品與數據分析的讀取權限。 cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

roles/
firebase.viewer

Firebase 檢視者具備 Firebase 產品的唯讀存取權。 automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

角色	名稱	說明	權限	最低資源

Firebase 產品角色

roles/
cloudconfig.admin

Firebase 遠端設定管理員具備 Firebase 遠端設定資源的完整存取權。 cloudconfig.*
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudconfig.viewer

Firebase 遠端設定檢視者具備讀取 Firebase 遠端設定資源的權限。 cloudconfig.configs.get
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
cloudtestservice.testAdmin

Firebase Test Lab 管理員具備所有 Test Lab 功能的完整存取權限 cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list

roles/
cloudtestservice.testViewer

Firebase Test Lab 檢視者可讀取 Test Lab 功能 cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list

roles/
firebaseabt.admin

Firebase A/B 測試管理員 ^{Beta 版} 具備 Firebase A/B 測試資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseabt.viewer

Firebase A/B 測試檢視者 ^{Beta 版} 具備 Firebase A/B 測試資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseappdistro.admin

Firebase 應用程式發布管理員 ^{Beta 版} 具備 Firebase 應用程式發布資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseappdistro.viewer

Firebase 應用程式發布檢視者 ^{Beta 版} 具備 Firebase 應用程式發布資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseauth.admin

Firebase 驗證管理員具備 Firebase 驗證資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseauth.viewer

Firebase 驗證檢視者具備 Firebase 驗證資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasecrashlytics.admin

Firebase Crashlytics 管理員具備 Firebase Crashlytics 資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasecrashlytics.viewer

Firebase Crashlytics 檢視者具備 Firebase Crashlytics 資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasedatabase.admin

Firebase 即時資料庫管理員具備 Firebase 即時資料庫資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasedatabase.viewer

Firebase 即時資料庫檢視者具備 Firebase 即時資料庫資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.instances.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasedynamiclinks.admin

Firebase 動態連結管理員具備 Firebase 動態連結資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasedynamiclinks.viewer

Firebase 動態連結檢視者具備 Firebase 動態連結資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasehosting.admin

Firebase Hosting Admin Full read/write access to Firebase Hosting resources. firebase.clients.get
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasehosting.viewer

Firebase 代管檢視者具備 Firebase 代管資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseinappmessaging.admin

Firebase 應用程式內通訊管理員 ^{Beta 版} 具備 Firebase 應用程式內通訊資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseinappmessaging.viewer

Firebase In-App Messaging Viewer ^Beta Read-only access to Firebase In-App Messaging resources. firebase.clients.get
firebase.projects.get
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseml.admin

Firebase ML 套件管理員 ^{Beta 版} 具備 Firebase ML 套件資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseml.viewer

Firebase ML 套件檢視者 ^{Beta 版} 具備 Firebase ML 套件資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasenotifications.admin

Firebase 雲端通訊管理員具備 Firebase 雲端通訊資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasenotifications.viewer

Firebase 雲端通訊檢視者具備 Firebase 雲端通訊資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasenotifications.messages.get
firebasenotifications.messages.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseperformance.admin

Firebase 效能報表管理員具備 firebaseperformance 資源的完整存取權。 firebase.clients.get
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaseperformance.viewer

Firebase Performance Reporting Viewer Read-only access to firebaseperformance resources. firebase.clients.get
firebase.projects.get
firebaseperformance.data.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasepredictions.admin

Firebase 預測管理員具備 Firebase 預測資源的完整讀寫權限。 firebase.clients.get
firebase.projects.get
firebasepredictions.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebasepredictions.viewer

Firebase 預測檢視者具備 Firebase 預測資源的唯讀權限。 firebase.clients.get
firebase.projects.get
firebasepredictions.predictions.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaserules.admin

Firebase 規則管理員具備 Firebase 規則的完整管理權限。 firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
firebaserules.viewer

Firebase 規則檢視者具備可測試規則集的所有資源的唯讀權限。 firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Genomics 角色

roles/
genomics.admin

Genomics 管理員具備 Genomics 資料集和作業的完整存取權。 genomics.*

roles/
genomics.editor

Genomics 編輯者可讀取及編輯 Genomics 資料集和作業。 genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*

roles/
genomics.pipelinesRunner

Genomics 管道執行者具備 Genomics 管道的完整執行權限。 genomics.operations.*

roles/
genomics.viewer

Genomics 檢視者可檢視 Genomics 資料集和作業。 genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list

角色	名稱	說明	權限	最低資源

GKE Hub 角色

roles/
gkehub.admin

GKE Hub 管理員 ^{Beta 版} 具備 GKE Hub 和相關資源的完整存取權限。 gkehub.locations.*
gkehub.memberships.*
gkehub.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
gkehub.connect

GKE Hub 連結代理人 ^{Beta 版} 可設定外部叢集與 Google 之間的 GKE Connect。 gkehub.endpoints.*

roles/
gkehub.viewer

GKE Hub 檢視者 ^{Beta 版} 具備 GKE Hub 和相關資源的唯讀存取權。 gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Cloud Healthcare 角色

roles/
healthcare.annotationEditor

Healthcare 註解編輯者 ^{Beta 版} 可建立、刪除、更新、讀取及列出註解。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.annotationReader

Healthcare 註解讀取者 ^{Beta 版} 可讀取及列出 Annotation Store 中的註解。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.annotationStoreAdmin

Healthcare 註解管理員 ^{Beta 版} 可管理 Annotation Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.annotationStoreViewer

Healthcare Annotation Store 檢視者 ^{Beta 版} 可列出資料集中的 Annotation Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.datasetAdmin

Healthcare 資料集管理員 ^{Beta 版} 可管理 Healthcare 資料集。 healthcare.datasets.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.datasetViewer

Healthcare 資料集檢視者 ^{Beta 版} 可在專案中列出 Healthcare 資料集。 healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.dicomEditor

Healthcare DICOM Editor ^Beta Edit DICOM images individually and in bulk. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.dicomStoreAdmin

Healthcare DICOM Store 管理員 ^{Beta 版} 可管理 DICOM Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.dicomStoreViewer

Healthcare DICOM Store 檢視者 ^{Beta 版} 可列出資料集中的 DICOM Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.dicomViewer

Healthcare DICOM 檢視者 ^{Beta 版} 可從 DICOM Store 擷取 DICOM 映像檔。 healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.fhirResourceEditor

Healthcare FHIR 資源編輯者 ^{Beta 版} 可建立、刪除、更新、讀取及搜尋 FHIR 資源。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.update
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.fhirResourceReader

Healthcare FHIR 資源讀取者 ^{Beta 版} 可讀取及搜尋 FHIR 資源。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.fhirStoreAdmin

Healthcare FHIR Store 管理員 ^{Beta 版} 可管理 FHIR 資源存放區。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.create
healthcare.fhirStores.delete
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.fhirStoreViewer

Healthcare FHIR Store 檢視者 ^{Beta 版} 可列出資料集中的 FHIR Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.hl7V2Consumer

Healthcare HL7v2 訊息使用者 ^{Beta 版} 可列出及讀取 HL7v2 訊息、更新訊息標籤及發布新訊息。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.hl7V2Editor

Healthcare HL7v2 訊息編輯者 ^{Beta 版} 可讀取、寫入及刪除 HL7v2 訊息。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.hl7V2Ingest

Healthcare HL7v2 訊息擷取者 ^{Beta 版} 可擷取來源網路傳出的 HL7v2 訊息。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.hl7V2StoreAdmin

Healthcare HL7v2 Store 管理員 ^{Beta 版} 可管理 HL7v2 Store。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
healthcare.hl7V2StoreViewer

Healthcare HL7v2 存放區檢視者 ^{Beta 版} 可檢視資料集中的 HL7v2 存放區。 healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

IAM 角色

roles/
iam.securityAdmin

安全管理員安全管理員角色，有權取得和設定任何 IAM 政策。 accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudiot.registries.setIamPolicy
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.accounts.setIamPolicy
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.setIamPolicy
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.setIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.setIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.setIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.setIamPolicy
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataprocessing.featurecontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.databases.setIamPolicy
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.namespaces.setIamPolicy
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.deployments.setIamPolicy
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
lifesciences.operations.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.setIamPolicy
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.setIamPolicy
notebooks.locations.list
notebooks.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.beacons.setIamPolicy
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
proximitybeacon.namespaces.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.setIamPolicy
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.consumerSettings.setIamPolicy
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.setIamPolicy
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list

roles/
iam.securityReviewer

安全性審查者提供可列出所有資源及其 Cloud IAM 政策的權限。 accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.featurecontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
lifesciences.operations.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
磁碟、映像檔、執行個體、instanceTemplate、nodeGroup、nodeTemplate、快照 ^{Beta 版}

角色	名稱	說明	權限	最低資源

Roles 角色

roles/
iam.organizationRoleAdmin

機構角色管理員具備機構及其專案中所有自訂角色的管理權限。 iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
機構

roles/
iam.organizationRoleViewer

機構角色檢視者具備機構及其專案中所有自訂角色的讀取權限。 iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
專案

roles/
iam.roleAdmin

角色管理員具備專案中所有自訂角色的存取權限。 iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
專案

roles/
iam.roleViewer

角色檢視者提供專案中所有自訂角色的讀取權限。 iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
專案

角色	名稱	說明	權限	最低資源

服務帳戶角色

roles/
iam.serviceAccountAdmin

服務帳戶管理員可建立及管理服務帳戶。 iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
服務帳戶

roles/
iam.serviceAccountCreator

建立服務帳戶可建立服務帳戶。 iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
iam.serviceAccountDeleter

刪除服務帳戶可刪除服務帳戶。 iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
iam.serviceAccountKeyAdmin

服務帳戶金鑰管理員可建立及管理 (及輪替) 服務帳戶金鑰。 iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
服務帳戶

roles/
iam.serviceAccountTokenCreator

服務帳戶憑證建立者模擬服務帳戶 (建立 OAuth2 存取憑證與簽署 blob 或 JWT 等)。 iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
服務帳戶

roles/
iam.serviceAccountUser

服務帳戶使用者能夠以服務帳戶執行作業。 iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
服務帳戶

roles/
iam.workloadIdentityUser

Workload Identity 使用者使用 GKE 工作負載的模擬服務帳戶 iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.list

角色	名稱	說明	權限	最低資源

Cloud Life Sciences 角色

roles/
lifesciences.admin

Cloud Life Sciences 管理員 ^{Beta 版} 具備 Cloud Life Sciences 資源的完整控制權。 lifesciences.*

roles/
lifesciences.editor

Cloud Life Sciences 編輯者 ^{Beta 版} 有權讀取及編輯 Cloud Life Sciences 資源。 lifesciences.*

roles/
lifesciences.viewer

Cloud Life Sciences 檢視者 ^{Beta 版} 有權讀取 Cloud Life Sciences 資源。 lifesciences.operations.get
lifesciences.operations.list

roles/
lifesciences.workflowsRunner

Cloud Life Sciences 工作流程執行者 ^{Beta 版} 具備 Cloud Life Sciences 工作流程的完整執行權限。 lifesciences.*

角色	名稱	說明	權限	最低資源

Logging 角色

roles/
logging.admin

Logging 管理員提供使用 Stackdriver Logging 所有功能的必要完整權限。 logging.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
logging.configWriter

記錄設定寫入者提供權限以讀取和寫入記錄指標與匯出記錄檔接收器的設定。 logging.exclusions.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.*
resourcemanager.projects.get
resourcemanager.projects.list
專案

roles/
logging.logWriter

記錄寫入者提供寫入記錄項目的權限。 logging.logEntries.create
專案

roles/
logging.privateLogViewer

私密記錄檢視者提供「記錄檢視者」角色權限，還提供對私密記錄內記錄項目的唯讀存取權。 logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
專案

roles/
logging.viewer

記錄檢視者提供檢視記錄的存取權。 logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
專案

角色	名稱	說明	權限	最低資源

Cloud Managed Identities 角色

roles/
managedidentities.admin

Google Cloud Managed Identities 管理員 ^{Beta 版} 具有 Google Cloud Managed Identities 網域和相關資源的完整存取權。建議僅在專案層級授予這個角色。 managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
managedidentities.domainAdmin

Google Cloud Managed Identities 網域管理員具備 Google Cloud Managed Identities 網域和相關資源的讀取、更新及刪除權限。建議僅在資源 (網域) 層級授予這個角色。managedidentities.domains.attachTrust
managedidentities.domains.delete
managedidentities.domains.detachTrust
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.reconfigureTrust
managedidentities.domains.resetpassword
managedidentities.domains.update
managedidentities.domains.validateTrust
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
managedidentities.viewer

Google Cloud Managed Identities 檢視者具備 Google Cloud Managed Identities 網域和相關資源的唯讀存取權。 managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Machine Learning Engine 角色

roles/
ml.admin

ML Engine 管理員提供 AI Platform 資源及其工作、作業、模型和版本的完整存取權。 ml.*
resourcemanager.projects.get
專案

roles/
ml.developer

ML Engine 開發人員可以將 AI Platform 資源用於建立模型、版本、訓練與預測工作，以及傳送線上預測要求。 ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
專案

roles/
ml.jobOwner

ML Engine 工作擁有者提供特定工作資源所有權限的完整存取權。系統會自動將這個角色授予建立工作的使用者。 ml.jobs.*
工作

roles/
ml.modelOwner

ML Engine 模型擁有者提供模型及其版本的完整存取權。系統會自動將這個角色授予建立模型的使用者。 ml.models.*
ml.versions.*
模型

roles/
ml.modelUser

ML Engine 模型使用者提供模型及其版本的讀取權限，且可使用模型進行預測。 ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
模型

roles/
ml.operationOwner

ML Engine 作業擁有者提供對特定作業資源所有權限的完整存取權。 ml.operations.*
作業

roles/
ml.viewer

ML Engine 檢視者提供 AI Platform 資源的唯讀存取權。 ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
resourcemanager.projects.get
專案

角色	名稱	說明	權限	最低資源

Monitoring 角色

roles/
monitoring.admin

Monitoring 管理員可提供與 roles/monitoring.editor 相同的存取權。 cloudnotifications.*
monitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
專案

roles/
monitoring.alertPolicyEditor

Monitoring AlertPolicy 編輯者 ^{Beta 版} 具備快訊政策的讀取/寫入存取權。 monitoring.alertPolicies.*

roles/
monitoring.alertPolicyViewer

Monitoring AlertPolicy 檢視者 ^{Beta 版} 具備快訊政策的唯讀存取權。 monitoring.alertPolicies.get
monitoring.alertPolicies.list

roles/
monitoring.editor

Monitoring 編輯者提供所有監控資料和設定相關資訊的完整存取權。 cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
專案

roles/
monitoring.metricWriter

Monitoring 指標寫入者提供指標的唯寫存取權。這提供了 Stackdriver 代理程式及其他傳送指標的系統需要的適切權限。 monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
專案

roles/
monitoring.notificationChannelEditor

Monitoring NotificationChannel 編輯者 ^{Beta 版} 具備通知管道的讀取/寫入存取權。 monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify

roles/
monitoring.notificationChannelViewer

Monitoring NotificationChannel 檢視者 ^{Beta 版} 具備通知管道的唯讀存取權。 monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list

roles/
monitoring.uptimeCheckConfigEditor

Monitoring 運作時間檢查設定編輯器 ^{Beta 版} 具備運作時間檢查設定的讀取/寫入權限。 monitoring.uptimeCheckConfigs.*

roles/
monitoring.uptimeCheckConfigViewer

Monitoring 運作時間檢查設定檢視者 ^{Beta 版} 具備運作時間檢查設定的唯讀存取權。 monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list

roles/
monitoring.viewer

Monitoring 檢視者提供唯讀存取權，可取得及列出所有監控資料和設定的相關資訊。 cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
專案

角色	名稱	說明	權限	最低資源

組織政策角色

roles/
axt.admin

資料存取透明化控管機制管理員啟用組織的資料存取透明化控管機制 axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
orgpolicy.policyAdmin

組織政策管理員提供設定組織政策的權限，以定義機構針對雲端資源配置訂定的限制。 orgpolicy.*
機構

roles/
orgpolicy.policyViewer

機構政策檢視者可檢視資源的機構政策。 orgpolicy.policy.get
機構

角色	名稱	說明	權限	最低資源

其他角色

roles/
accesscontextmanager.policyAdmin

Access Context Manager 管理員具備政策、存取層級和存取區域的完整存取權 accesscontextmanager.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
accesscontextmanager.policyEditor

Access Context Manager 編輯者具備政策的編輯權限。建立、編輯和變更存取層級與存取區域。 accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
accesscontextmanager.policyReader

Access Context Manager 讀取者具備政策、存取層級和存取區域的讀取存取權。 accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

roles/
dataprocessing.admin

資料處理控制資源管理員 ^{Beta 版} 資料處理控制管理員可全面管理資料處理控制設定，並且可查看所有資料來源的資料。 dataprocessing.*

roles/
dataprocessing.iamAccessHistoryExporter

資料處理 IAM 存取記錄匯出者 ^{Beta 版} 可以使用 BigQuery 匯出 IAM 存取記錄的資料處理匯出者。 dataprocessing.iamaccesshistory.*

roles/
firebasecrash.symbolMappingsAdmin

Firebase 當機符號上傳者對 Firebase 當機回報的符號對應檔資源具備完整的讀取/寫入權限。 firebase.clients.get
resourcemanager.projects.get

roles/
mobilecrashreporting.symbolMappingsAdmin

Firebase 當機符號上傳者 (已淘汰) 對 Firebase 當機回報的符號對應檔資源具備完整的讀取/寫入存取權。現已由 firebasecrash.symbolMappingsAdmin 取代 firebase.clients.get
resourcemanager.projects.get

roles/
remotebuildexecution.actionCacheWriter

Remote Build Execution 動作快取寫入者 ^{Beta 版} Remote Build Execution 動作快取寫入者 remotebuildexecution.actions.set
remotebuildexecution.blobs.create

roles/
remotebuildexecution.artifactAdmin

Remote Build Execution 構件管理員 ^{Beta 版} Remote Build Execution 構件管理員 remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

roles/
remotebuildexecution.artifactCreator

Remote Build Execution 構件建立者 ^{Beta 版} Remote Build Execution 構件建立者 remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

roles/
remotebuildexecution.artifactViewer

Remote Build Execution 構件檢視者 ^{Beta 版} Remote Build Execution 構件檢視者 remotebuildexecution.actions.get
remotebuildexecution.blobs.get
remotebuildexecution.logstreams.get

roles/
remotebuildexecution.configurationAdmin

Remote Build Execution 設定管理員 ^{Beta 版} Remote Build Execution 設定管理員 remotebuildexecution.instances.*
remotebuildexecution.workerpools.*

roles/
remotebuildexecution.configurationViewer

Remote Build Execution 設定檢視者 ^{Beta 版} Remote Build Execution 設定檢視者 remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list

roles/
remotebuildexecution.logstreamWriter

Remote Build Execution Logstream 寫入者 ^{Beta 版} Remote Build Execution Logstream 寫入者 remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

roles/
remotebuildexecution.worker

Remote Build Execution 工作者 ^{Beta 版} Remote Build Execution 工作者 remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

roles/
resourcemanager.organizationCreator

機構建立者具備建立和列出機構的存取權。

roles/
runtimeconfig.admin

Cloud RuntimeConfig 管理員具備 RuntimeConfig 資源的完整存取權。 runtimeconfig.*

roles/
subscribewithgoogledeveloper.developer

透過 Google Developer 訂閱 ^{Beta 版} 存取 DevTools，以便透過 Google 訂閱 resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

角色	名稱	說明	權限	最低資源

第三方合作夥伴角色

roles/
netappcloudvolumes.admin

NetApp Cloud Volumes 管理員 ^{Alpha 版} 這個角色是由 NetApp 負責管理，而非 Google。 netappcloudvolumes.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
netappcloudvolumes.viewer

NetApp Cloud Volumes 檢視者 ^{Beta 版} 這個角色是由 NetApp 負責管理，而非 Google。 netappcloudvolumes.activeDirectories.get
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.*
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.get
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.get
netappcloudvolumes.volumes.list
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

專案角色

roles/
browser

瀏覽者瀏覽專案階層的讀取權限，包括資料夾、機構和 Cloud IAM 政策。本角色不包含檢視專案資源的權限。 resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
專案

角色	名稱	說明	權限	最低資源

Proximity Beacon 角色

roles/
proximitybeacon.attachmentEditor

信標附件編輯者可以建立和刪除附件；可以列出和取得專案的信標；可以列出專案的命名空間。 proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
proximitybeacon.attachmentPublisher

信標附件發布者授予必要權限，以使用信標在並非這個專案擁有的命名空間中建立附件。 proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
proximitybeacon.attachmentViewer

信標附件檢視者可查看命名空間之下的所有附件；不具備信標或命名空間權限。 proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list

roles/
proximitybeacon.beaconEditor

信標編輯者具備註冊、修改及查看信標的必要存取權；不具備附件或命名空間權限。 proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Pub/Sub 角色

roles/
pubsub.admin

Pub/Sub 管理員提供主題與訂閱項目的完整存取權。 pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
主題

roles/
pubsub.editor

Pub/Sub 編輯者提供修改主題與訂閱項目的存取權，以及發布和調用訊息的存取權。 pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
主題

roles/
pubsub.publisher

Pub/Sub 發布者提供將訊息發布至主題的存取權。 pubsub.topics.publish
主題

roles/
pubsub.subscriber

Pub/Sub 訂閱者提供調用訂閱訊息的存取權，以及將訂閱附加到主題的存取權。 pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
主題

roles/
pubsub.viewer

Pub/Sub 檢視者提供檢視主題與訂閱項目的存取權。 pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
主題

角色	名稱	說明	權限	最低資源

Recommendations AI 角色

roles/
automlrecommendations.admin

Recommendations AI 管理員 ^{Beta 版} 具備所有 Recommendations AI 資源的完整存取權限。 automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

roles/
automlrecommendations.adminViewer

Recommendations AI 管理員檢視者 ^{Beta 版} 所有 Recommendations AI 資源的檢視者。 automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

roles/
automlrecommendations.editor

Recommendations AI 編輯者 ^{Beta 版} 所有 Recommendations AI 資源的編輯者。 automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

roles/
automlrecommendations.viewer

Recommendations AI 檢視者 ^{Beta 版} 可查看所有 Recommendations AI 資源。automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Recommender 角色

roles/
recommender.computeAdmin

Compute 建議工具管理員 ^{Beta 版} 可管理 Compute 建議。 recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
recommender.computeInstanceMachineTypeRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
recommender.computeViewer

Compute 建議工具檢視者 ^{Beta 版} 可查看 Compute 建議。 recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
recommender.iamAdmin

身分與存取權管理建議工具管理員 ^{Beta 版} 身分與存取權管理政策推薦項目的管理員。 recommender.iamPolicyRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

roles/
recommender.iamViewer

身分與存取權管理建議工具檢視者 ^{Beta 版} 身分與存取權管理政策推薦項目的審查者。 recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

角色	名稱	說明	權限	最低資源

Memorystore Redis 角色

roles/
redis.admin

Cloud Memorystore Redis 管理員 ^{Beta 版} Memorystore 資源的完整控制權。 compute.networks.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
執行個體

roles/
redis.editor

Cloud Memorystore Redis 編輯者 ^{Beta 版} 管理 Memorystore 執行個體，但無法建立或刪除執行個體。 compute.networks.list
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
執行個體

roles/
redis.viewer

Cloud Memorystore Redis 檢視者 ^{Beta 版} 具備所有 Memorystore 資源的唯讀存取權。 redis.instances.get
redis.instances.list
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
執行個體

角色	名稱	說明	權限	最低資源

Resource Manager 角色

roles/
resourcemanager.folderAdmin

資料夾管理員提供處理資料夾的所有可用權限。 orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
資料夾

roles/
resourcemanager.folderCreator

資料夾建立者提供瀏覽階層及建立資料夾所需的權限。 orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
資料夾

roles/
resourcemanager.folderEditor

資料夾編輯者提供修改資料夾和查看資料夾之 Cloud IAM 政策的權限。 orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
資料夾

roles/
resourcemanager.folderIamAdmin

資料夾身分與存取權管理管理員提供管理資料夾 Cloud IAM 政策的權限。 resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
資料夾

roles/
resourcemanager.folderMover

資料夾移動者提供將專案和資料夾移入或移出上層機構或資料夾的權限。 resourcemanager.folders.move
resourcemanager.projects.move
資料夾

roles/
resourcemanager.folderViewer

資料夾檢視器提供取得資料夾及列出資源下資料夾和專案的權限。 orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
資料夾

roles/
resourcemanager.lienModifier

專案防刪除鎖定修改者提供修改專案防刪除鎖定設定的存取權。 resourcemanager.projects.updateLiens
專案

roles/
resourcemanager.organizationAdmin

機構組織管理員具備管理屬於機構的所有資源的存取權。 orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

roles/
resourcemanager.organizationViewer

機構檢視者提供檢視機構的存取權。 resourcemanager.organizations.get
機構

roles/
resourcemanager.projectCreator

專案建立者提供建立新專案的存取權。使用者建立專案後，系統會自動為使用者授予專案擁有者的角色。 resourcemanager.organizations.get
resourcemanager.projects.create
資料夾

roles/
resourcemanager.projectDeleter

專案刪除者提供刪除 GCP 專案的存取權。 resourcemanager.projects.delete
資料夾

roles/
resourcemanager.projectIamAdmin

專案 IAM 管理員提供管理專案 Cloud IAM 政策的權限。 resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
專案

roles/
resourcemanager.projectMover

專案移動者提供更新和移動專案的存取權。 resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update
專案

角色	名稱	說明	權限	最低資源

Cloud Run 角色

roles/
run.admin

Cloud Run 管理員 ^{Beta 版} 具備所有 Cloud Run 資源的完整控制權。 resourcemanager.projects.get
resourcemanager.projects.list
run.*
Cloud Run 服務

roles/
run.invoker

Cloud Run 叫用者 ^{Beta 版} 可叫用 Cloud Run 服務。 run.routes.invoke
Cloud Run 服務

roles/
run.viewer

Cloud Run 檢視者 ^{Beta 版} 可查看所有 Cloud Run 資源狀態 (包括身分與存取權管理政策)。 resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
Cloud Run 服務

角色	名稱	說明	權限	最低資源

安全中心角色

roles/
securitycenter.admin

安全中心管理員具備安全中心的管理員 (超級使用者) 存取權 resourcemanager.organizations.get
securitycenter.*
機構

roles/
securitycenter.adminEditor

安全中心管理員編輯者具備安全中心的管理員讀寫存取權 resourcemanager.organizations.get
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
機構

roles/
securitycenter.adminViewer

安全中心管理員檢視者具備安全中心的管理員讀取存取權 resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
機構

roles/
securitycenter.assetSecurityMarksWriter

安全中心資產安全標記寫入者具備資產安全標記的寫入存取權 securitycenter.assetsecuritymarks.*
機構

roles/
securitycenter.assetsDiscoveryRunner

安全中心資產探索執行者可以對資產執行資產探索作業 securitycenter.assets.runDiscovery
機構

roles/
securitycenter.assetsViewer

安全中心資產檢視者具備資產的讀取存取權 resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
機構

roles/
securitycenter.findingSecurityMarksWriter

安全中心發現項目安全標記寫入者具備發現項目安全標記的寫入存取權 securitycenter.findingsecuritymarks.*
機構

roles/
securitycenter.findingsEditor

安全中心發現項目編輯者具備發現項目的讀寫存取權 resourcemanager.organizations.get
securitycenter.findings.*
securitycenter.sources.get
securitycenter.sources.list
機構

roles/
securitycenter.findingsStateSetter

安全中心發現項目狀態設定者可設定發現項目的狀態 securitycenter.findings.setState
機構

roles/
securitycenter.findingsViewer

安全中心發現項目檢視者具備發現項目的讀取存取權 resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
機構

roles/
securitycenter.sourcesAdmin

安全中心來源管理員具備來源的管理員存取權 resourcemanager.organizations.get
securitycenter.sources.*
機構

roles/
securitycenter.sourcesEditor

安全中心來源編輯者具備來源的讀寫存取權 resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
機構

roles/
securitycenter.sourcesViewer

安全中心來源檢視者具備來源的讀取存取權 resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
機構

角色	名稱	說明	權限	最低資源

Service Consumer Management 角色

roles/
serviceconsumermanagement.tenancyUnitsAdmin

獨立租用環境管理員 ^{Beta 版} 管理獨立租用環境 serviceconsumermanagement.tenancyu.*

roles/
serviceconsumermanagement.tenancyUnitsViewer

獨立租用環境檢視者 ^{Beta 版} 檢視獨立租用環境 serviceconsumermanagement.tenancyu.list

角色	名稱	說明	權限	最低資源

Service Management 角色

roles/
cloudbuild.serviceAgent

Cloud Build 服務代理人 ^{Alpha 版} 可將代管資源的存取權授予 Cloud Build 服務帳戶。 cloudbuild.*
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.subnetworks.get
logging.logEntries.create
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

roles/
cloudfunctions.serviceAgent

Cloud Functions 服務代理人 ^{Alpha 版} 可將代管資源的存取權授予 Cloud Functions 服務帳戶。 clientauthconfig.clients.list
cloudfunctions.functions.invoke
firebasedatabase.instances.get
firebasedatabase.instances.update
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.*
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
storage.buckets.get
storage.buckets.update

roles/
cloudscheduler.serviceAgent

Cloud Scheduler 服務代理人 ^{Alpha 版} 可將管理資源的權限授予 Cloud Scheduler 服務帳戶。 iam.serviceAccounts.getAccessToken
logging.logEntries.create
pubsub.topics.publish

roles/
cloudtasks.serviceAgent

Cloud Tasks Service Agent ^Alpha Grants Cloud Tasks Service Account access to manage resources. iam.serviceAccounts.getAccessToken
logging.logEntries.create

roles/
datafusion.serviceAgent

Cloud Data Fusion API 服務代理人 ^{Alpha 版} 可將 Service Networking、Dataproc、Storage、BigQuery、Spanner 和 BigTable 資源的存取權限授予 Cloud Data Fusion 服務帳戶。 bigquery.datasets.*
bigquery.jobs.create
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
bigtable.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
firebase.projects.get
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.list
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
spanner.sessions.*
storage.buckets.*
storage.objects.*

roles/
dataproc.serviceAgent

Dataproc 服務代理人 ^{Alpha 版} 可將服務帳戶、運算資源和儲存空間資源的存取權限授予 Dataproc 服務帳戶，其中包含服務帳戶的存取權。 compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
firebase.projects.get
iam.serviceAccounts.actAs
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*

roles/
serverless.serviceAgent

Cloud Run 服務代理人 ^{Alpha 版} 可將代管資源的存取權授予 Cloud Run 服務帳戶。 clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
storage.objects.get
storage.objects.list

roles/
servicemanagement.admin

Service Management 管理員具備 Google Service Management 資源的完整控制權。 monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.services.*
serviceusage.quotas.get
serviceusage.services.get

roles/
servicemanagement.configEditor

服務設定編輯者可更新服務設定及建立發布活動。 servicemanagement.services.get
servicemanagement.services.update

roles/
servicemanagement.quotaAdmin

配額管理員 ^{Beta 版} 提供服務配額的管理存取權。 monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.consumerSettings.*
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
專案

roles/
servicemanagement.quotaViewer

配額檢視者 ^{Beta 版} 提供檢視服務配額的存取權。 monitoring.timeSeries.list
servicemanagement.consumerSettings.get
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
專案

roles/
servicemanagement.serviceConsumer

服務消費者可以啟用服務。 servicemanagement.services.bind

roles/
servicemanagement.serviceController

服務控制者具備執行階段控制權，可檢查和回報服務的使用情形。 servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
專案

角色	名稱	說明	權限	最低資源

Service Networking 角色

roles/
servicenetworking.networksAdmin

Service Networking 管理員 ^{Beta 版} 擁有專案服務網路的完整控制權。 servicenetworking.*

角色	名稱	說明	權限	最低資源

Service Usage 角色

roles/
serviceusage.apiKeysAdmin

API 金鑰管理員 ^{Beta 版} 可建立、刪除、更新、取得和列出專案的 API 金鑰。 serviceusage.apiKeys.*
serviceusage.operations.get

roles/
serviceusage.apiKeysViewer

API 金鑰檢視者 ^{Beta 版} 可取得及列出專案的 API 金鑰。 serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list

roles/
serviceusage.serviceUsageAdmin

服務使用情形管理員 ^{Beta 版} 可啟用、停用及檢查服務狀態、檢查作業，以及消費者專案的消費配額和帳單。 monitoring.timeSeries.list
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*

roles/
serviceusage.serviceUsageConsumer

服務使用情形消費者 ^{Beta 版} 可檢查服務狀態與作業，以及消費者專案的消費配額和帳單。 monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

roles/
serviceusage.serviceUsageViewer

服務使用情形檢視者 ^{Beta 版} 可檢查消費者專案的服務狀態和作業。 monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

角色	名稱	說明	權限	最低資源

Source 角色

roles/
source.admin

Source Repository Administrator Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. source.*
Repository

roles/
source.reader

原始碼存放區讀取者提供列出、複製、擷取和瀏覽存放區的權限。 source.repos.get
source.repos.list
存放區

roles/
source.writer

原始碼存放區寫入者提供列出、複製、擷取、瀏覽和更新存放區的權限。 source.repos.get
source.repos.list
source.repos.update
存放區

角色	名稱	說明	權限	最低資源

Cloud Spanner 角色

roles/
spanner.admin

Cloud Spanner 管理員具備以下權限：授予權限給其他主體及撤銷其他主體的權限、分配和刪除可扣款資源、對資源發布取得/列出/修改作業、讀取和寫入資料庫，以及擷取專案中繼資料。 monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
專案

roles/
spanner.databaseAdmin

Cloud Spanner 資料庫管理員具備以下權限：取得/列出專案中的所有 Spanner 資源、建立/列出/捨棄資料庫、授予/撤銷專案資料庫的存取權，以及專案中所有 Spanner 資料庫的讀寫存取權。 monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databases.*
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.*
專案

roles/
spanner.databaseReader

Cloud Spanner 資料庫讀取者具備以下權限：由 Spanner 資料庫讀取、在資料庫執行 SQL 查詢，以及檢視結構定義。 spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.sessions.*
資料庫

roles/
spanner.databaseUser

Cloud Spanner 資料庫使用者 Cloud Spanner 資料庫具備以下權限：讀取和寫入 Spanner 資料庫、在資料庫上執行 SQL 查詢，以及檢視和更新結構定義。 spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.sessions.*
資料庫

roles/
spanner.viewer

Cloud Spanner 檢視者具備權限可檢視所有 Spanner 執行個體和資料庫，但無法修改或讀取。 monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
專案

角色	名稱	說明	權限	最低資源

Stackdriver 角色

roles/
stackdriver.accounts.editor

Stackdriver 帳戶編輯者具備管理 Stackdriver 帳戶結構所需的讀取/寫入存取權。 resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.projects.*

roles/
stackdriver.accounts.viewer

Stackdriver 帳戶檢視者具備唯讀存取權，僅能取得及列出 Stackdriver 帳戶結構相關資訊。 resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get

roles/
stackdriver.resourceMaintenanceWindow.editor

Stackdriver 資源維護期間編輯器具備管理 Stackdriver 資源維護期間所需的讀取/寫入存取權。

roles/
stackdriver.resourceMaintenanceWindow.viewer

Stackdriver 資源維護期間檢視者具備 Stackdriver 資源維護期間相關資訊的唯讀存取權。

roles/
stackdriver.resourceMetadata.writer

Stackdriver 資源中繼資料寫入者 ^{Beta 版} 具備資源中繼資料的唯寫存取權。這提供了 Stackdriver 代理者及其他傳送中繼資料系統需要的適切權限。 stackdriver.resourceMetadata.*

角色	名稱	說明	權限	最低資源

Storage 角色

roles/
storage.admin

儲存管理員授予物件及值區的完整控制權。

套用到個別值區時，控制只會套用到指定的值區以及值區中的物件。

firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.objects.*
值區

roles/
storage.hmacKeyAdmin

Storage HMAC 金鑰管理員具備 GCS HMAC 金鑰的完整控制權。 firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*

roles/
storage.objectAdmin

儲存空間物件管理員授予物件的完整控制權，包含列出、建立、檢視和刪除物件。 resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.*
值區

roles/
storage.objectCreator

Storage 物件建立者允許使用者建立物件。未授予檢視、刪除或覆寫物件的權限。 resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
值區

roles/
storage.objectViewer

Storage 物件檢視者授予檢視物件與物件中繼資料的存取權，但不包括 ACL。也可以列出值區的物件。 resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
值區

roles/
storagetransfer.admin

Storage Transfer 管理員建立、更新及管理轉移工作與作業。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*

roles/
storagetransfer.user

Storage Transfer 使用者可建立及更新儲存空間轉移工作與作業。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.*

roles/
storagetransfer.viewer

Storage Transfer 檢視者具備儲存空間轉移工作與作業的讀取存取權。 resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.*

角色	名稱	說明	權限	最低資源

Storage 舊版角色

roles/
storage.legacyBucketOwner

Storage 舊版值區擁有者授予權限以建立、覆寫及刪除物件；可於列出時列出值區中的物件及讀取物件中繼資料，但不含 Cloud IAM 政策；以及讀取和編輯值區中繼資料，包括 Cloud IAM 政策。

使用這個角色也會反映在值區的 ACL 中。詳細資訊請參閱 Cloud IAM 與 ACL 的關係說明。

storage.buckets.get
storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list 值區

roles/
storage.legacyBucketReader

Storage 舊版值區讀取者授予權限以列出值區內容及讀取值區中繼資料，但不包括 Cloud IAM 政策。在物件列出作業期間讀取物件中繼資料 (不含 Cloud IAM 政策)。

使用這個角色也會反映在值區的 ACL 中。詳細資訊請參閱 Cloud IAM 與 ACL 的關係說明。

storage.buckets.get
storage.objects.list 值區

roles/
storage.legacyBucketWriter

Storage 舊版值區寫入者授予權限以建立、覆寫及刪除物件；可於列出時列出值區中的物件及讀取物件中繼資料，但不含 Cloud IAM 政策；以及讀取值區中繼資料，但不含 Cloud IAM 政策。

使用這個角色也會反映在值區的 ACL 中。詳細資訊請參閱 Cloud IAM 與 ACL 的關係說明。

storage.buckets.get
storage.objects.create storage.objects.delete storage.objects.list 值區

roles/
storage.legacyObjectOwner

Storage 舊版物件擁有者授予權限以檢視及編輯物件及其中繼資料，包括 ACL。 storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
值區

roles/
storage.legacyObjectReader

Storage 舊版物件讀取者授予檢視物件與物件中繼資料的權限，但不包括 ACL。 storage.objects.get
值區

角色	名稱	說明	權限	最低資源

支援角色

roles/
cloudsupport.admin

支援帳戶管理員可在不授予客服案件存取權的情況下管理支援帳戶。詳細資訊請參閱 Cloud Support 說明文件。 cloudsupport.*
機構

roles/
cloudsupport.viewer

支援帳戶檢視者具備支援帳戶詳情的唯讀存取權，但無法查看支援記錄。 cloudsupport.accounts.get
cloudsupport.accounts.getUserRoles
cloudsupport.accounts.list
機構

角色	名稱	說明	權限	最低資源

Cloud Threat Detection 角色

roles/
threatdetection.editor

威脅偵測設定編輯器 ^{Beta 版} 具備所有威脅偵測設定的讀寫存取權 threatdetection.*
機構

roles/
threatdetection.viewer

威脅偵測設定檢視者 ^{Beta 版} 具有所有威脅偵測設定的讀取權限 threatdetection.detectorSettings.get
threatdetection.sinkSettings.get
threatdetection.sourceSettings.get

角色	名稱	說明	權限	最低資源

Cloud TPU 角色

roles/
tpu.admin

TPU 管理員具備 TPU 節點和相關資源的完整存取權。 resourcemanager.projects.get
resourcemanager.projects.list
tpu.*

roles/
tpu.viewer

TPU 檢視者具備 TPU 節點和相關資源的唯讀存取權。 resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.tensorflowversions.*

角色	名稱	說明	權限	最低資源

無服務器虛擬私人雲端存取角色

roles/
vpaccess.user

無伺服器虛擬私人雲端存取使用者無伺服器虛擬私人雲端存取連接器的使用者 resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.*
vpcaccess.operations.*

roles/
vpaccess.viewer

無伺服器虛擬私人雲端存取檢視者所有無伺服器虛擬私人雲端存取資源的檢視者 resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.*

roles/
vpcaccess.admin

無伺服器虛擬私人雲端存取管理員具備所有無伺服器虛擬私人雲端存取資源的完整存取權 resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*

角色	名稱	說明	權限	最低資源

自訂角色

除了預先定義角色，Cloud IAM 也允許建立自訂 Cloud IAM 角色。您可以建立具備一或多個權限的自訂 Cloud IAM 角色，然後將自訂角色授予屬於您機構的使用者。詳情請參閱瞭解自訂角色和建立及管理自訂角色的說明。

適用於特定產品的 Cloud IAM 說明文件

適用於特定產品的 Cloud IAM 說明文件詳細介紹每種產品提供的預先定義角色。閱讀下列說明頁面，有助於您深入瞭解預先定義角色。

說明文件	說明
適用於 App Engine 的 Cloud IAM	說明適用於 App Engine 的 Cloud IAM 角色
適用於 BigQuery 的 Cloud IAM	說明適用於 BigQuery 的 Cloud IAM 角色
適用於 Cloud BigTable 的 Cloud IAM	說明適用於 Cloud BigTable 的 Cloud IAM 角色
適用於 Cloud Billing API 的 Cloud IAM	說明適用於 Cloud Billing API 的 Cloud IAM 角色與權限
適用於 Cloud Dataflow 的 Cloud IAM	說明適用於 Cloud Dataflow 的 Cloud IAM 角色
適用於 Cloud Dataproc 的 Cloud IAM	說明適用於 Cloud Dataproc 的 Cloud IAM 角色與權限
適用於 Cloud Datastore 的 Cloud IAM	說明適用於 Cloud Datastore 的 Cloud IAM 角色與權限
適用於 Cloud DNS 的 Cloud IAM	說明適用於 Cloud DNS 的 Cloud IAM 角色與權限
適用於 Cloud KMS 的 Cloud IAM	說明適用於 Cloud KMS 的 Cloud IAM 角色與權限
適用於 AI Platform 的 Cloud IAM	說明適用於 AI Platform 的 Cloud IAM 角色與權限
適用於 Cloud Pub/Sub 的 Cloud IAM	說明適用於 Cloud Pub/Sub 的 Cloud IAM 角色
適用於 Cloud Spanner 的 Cloud IAM	說明適用於 Cloud Spanner 的 Cloud IAM 角色與權限
適用於 Cloud SQL 的 Cloud IAM	說明適用於 Cloud SQL 的 Cloud IAM 角色
適用於 Cloud Storage 的 Cloud IAM	說明適用於 Cloud Storage 的 Cloud IAM 角色
適用於 Compute Engine 的 Cloud IAM	說明適用於 Compute Engine 的 Cloud IAM 角色
適用於 GKE 的 Cloud IAM	說明適用於 GKE 的 Cloud IAM 角色與權限
適用於 Deployment Manager 的 Cloud IAM	說明適用於 Deployment Manager 的 Cloud IAM 角色與權限
適用於機構的 Cloud IAM	說明適用於機構的 Cloud IAM 角色
Cloud IAM for Folders	說明適用於資料夾的 Cloud IAM 角色。
適用於專案的 Cloud IAM	說明適用於專案的 Cloud IAM 角色
適用於 Service Management 的 Cloud IAM	說明適用於 Service Management 的 Cloud IAM 角色與權限
適用於 Stackdriver Debugger 的 Cloud IAM	說明適用於 Debugger 的 Cloud IAM 角色
適用於 Stackdriver Logging 的 Cloud IAM	說明適用於 Logging 的 Cloud IAM 角色
適用於 Stackdriver Monitoring 的 Cloud IAM	說明適用於 Monitoring 的 Cloud IAM 角色
適用於 Stackdriver Trace 的 Cloud IAM	說明適用於 Trace 的 Cloud IAM 角色與權限

後續步驟

瞭解如何為使用者授予 Cloud IAM 角色。
瞭解自訂角色