了解角色

一个角色包含一组权限,可让您对 Google Cloud 资源执行特定操作。如需向主帐号(包括用户、群组和服务帐号)提供权限,您可以向主帐号授予角色。

本页面介绍了您可以授予的 IAM 角色。

本指南的先决条件

角色类型

IAM 中有三种类型的角色:

  • 基本角色:包括在引入 IAM 之前已存在的 Owner、Editor 和 Viewer 角色。
  • 预定义角色:针对特定服务提供精细访问权限,并由 Google Cloud 管理。
  • 自定义角色:根据用户指定的权限列表提供精细访问权限。

要确定基本角色、预定义角色或自定义角色中是否包含某项权限,您可以使用以下方法之一:

  • 运行 gcloud iam roles describe 命令可以列出角色中的权限。
  • 调用 roles.get() REST API 方法可以列出角色中的权限。
  • 仅适用于基本角色和预定义角色:搜索权限参考以查看该角色是否授予权限。
  • 仅适用于预定义角色:在本页上搜索预定义角色说明以查看该角色包含的权限。

以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。

基本角色

在引入 IAM 之前已存在多个基本角色:Owner、Editor 和 Viewer。这些角色是嵌套的;也就是说,Owner 角色具有 Editor 角色的权限,而 Editor 角色又具有 Viewer 角色的权限。它们最初称为“原初角色”。

下表汇总了基本角色针对所有 Google Cloud 服务所具有的权限:

基本角色定义

名称 名称 权限
roles/viewer Viewer 拥有执行不会影响状态的只读操作的权限,例如查看(但无法修改)现有资源或数据。
roles/editor Editor 拥有所有查看权限,以及修改状态的操作(例如更改现有资源)的权限。
注意:Editor 角色包含为大多数 Google Cloud 服务创建和删除资源的权限。但是,它不包含对所有服务执行所有操作的权限。如需详细了解如何检查某项角色是否具有您所需的权限,请参阅上文
roles/owner 所有者 拥有 Editor 的所有权限,此外还有权执行以下操作:
  • 管理项目和项目中所有资源的角色和权限。
  • 为项目设置结算。
注意
  • 在资源级层(如 Pub/Sub 主题)授予 Owner 角色并不会授予父级项目上的 Owner 角色。
  • 因此,在组织级层获授 Owner 角色后,您不能更新组织的元数据,不过您可以修改组织下的所有项目和其他资源。
  • 如需向组织外部的用户授予项目 Owner 角色,您必须使用 Cloud Console,而不能使用 gcloud 工具。如果您的项目不是组织的一部分,则必须使用 Cloud Console 授予 Owner 角色。

您可以使用 Cloud Console、API 和 gcloud 工具在项目或服务资源级层应用基本角色。如需了解相关说明,请参阅授予、更改和撤消访问权限

如需了解如何使用 Cloud Console 授予角色,请参阅授予、更改和撤消访问权限

预定义角色

除了基本角色之外,IAM 还提供其他预定义角色,这些角色可提供对特定 Google Cloud 资源的精细访问权限,同时阻止对其他资源的不必要的访问。 这些角色由 Google 创建和维护。Google 会根据需要自动更新其权限,例如 Google Cloud 添加新功能或服务时。

下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色,或者在大多数情况下可以为该类型在 Google Cloud 层次结构中的任何上级类型授予特定角色。您可以为同一位用户授予多个角色。例如,同一位用户可以拥有项目上的 Network Admi 和 Log Viewer 角色,并且对该项目中的 Pub/Sub 主题具有 Publisher 角色。有关角色中包含的权限的列表,请参阅获取角色元数据

Access Approval 角色

角色 权限

Access Approval Approver Beta 版
(roles/accessapproval.approver)

能够查看或操作访问权限审批请求以及查看配置

  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Config Editor Beta 版
(roles/accessapproval.configEditor)

可更新访问权限审批配置

  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Viewer Beta 版
(roles/accessapproval.viewer)

可查看访问权限审批请求和配置

  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager 角色

角色 权限

Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)

可以创建、修改和更改 Cloud 访问权限绑定。

  • accesscontextmanager.gcpUserAccessBindings.*

Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)

拥有对 Cloud 访问权限绑定的读取权限。

  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)

拥有对政策、访问权限级别和访问区域的完整访问权限

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)

拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问区域。

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Reader
(roles/accesscontextmanager.policyReader)

拥有对政策、访问权限级别和访问区域的读取权限。

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

操作角色

角色 权限

Actions Admin
(roles/actions.Admin)

拥有修改和部署某项操作的权限

  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Actions Viewer
(roles/actions.Viewer)

拥有查看某项操作的权限

  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

AI Notebooks 角色

角色 权限

Notebooks Admin
(roles/notebooks.admin)

拥有对笔记本中所有资源的完整访问权限。

您可以授予此角色的最低级层资源:

  • 实例
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Admin
(roles/notebooks.legacyAdmin)

具有通过 Compute API 访问笔记本中的所有资源的完整权限。

  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Viewer
(roles/notebooks.legacyViewer)

拥有通过 Compute API 对笔记本中所有资源进行只读访问的权限。

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.nvironments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Runner
(roles/notebooks.runner)

拥有受限的权限,能够运行已安排的笔记本。

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.nvironments.list
  • notebooks.executions.create
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.create
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.create
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Viewer
(roles/notebooks.viewer)

拥有对笔记本中所有资源的只读权限。

您可以授予此角色的最低级层资源:

  • 实例
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listTagBindings
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listTagBindings
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listTagBindings
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.nvironments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

AI Platform 角色

角色 权限

AI Platform Admin
(roles/ml.admin)

提供 AI Platform 资源及其作业、操作、模型和版本的完整访问权限。

您可以授予此角色的最低级层资源:

  • 项目
  • ml.*
  • resourcemanager.projects.get

AI Platform Developer
(roles/ml.developer)

能够使用 AI Platform 资源创建模型、版本、作业,以用于训练和预测以及发送在线预测请求。

您可以授予此角色的最低级层资源:

  • 项目
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get

AI Platform Job Owner
(roles/ml.jobOwner)

提供特定作业资源的所有权限的完整访问权限。系统会自动向创建该作业的用户授予此角色。

您可以授予此角色的最低级层资源:

  • 作业
  • ml.jobs.*

AI Platform Model Owner
(roles/ml.modelOwner)

提供模型及其版本的完整访问权限。系统会将此角色自动授予创建模型的用户。

您可以授予此角色的最低级层资源:

  • 模型
  • ml.models.*
  • ml.versions.*

AI Platform Model User
(roles/ml.modelUser)

提供读取模型及其版本并使用其进行预测的权限。

您可以授予此角色的最低级层资源:

  • 模型
  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict

AI Platform Operation Owner
(roles/ml.operationOwner)

提供对特定操作资源的所有权限的完整访问权限。

您可以授予此角色的最低级层资源:

  • 操作
  • ml.operations.*

AI Platform Viewer
(roles/ml.viewer)

提供 AI Platform 资源的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get

Android 管理角色

角色 权限

Android Management User
(roles/androidmanagement.user)

拥有管理设备的完整权限。

  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Anthos 多云端角色

角色 权限

Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)

可以管理 Anthos 多云资源。

  • gkemulticloud.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)

授予写入集群遥测数据(例如日志、指标和资源元数据)的权限。

  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • opsconfigmonitoring.resourceMetadata.write

Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)

可以查看 Anthos 多云资源。

  • gkemulticloud.awsClusters.generateAccessToken
  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsServerConfigs.*
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.generateAccessToken
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureServerConfigs.*
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

API Gateway 角色

角色 权限

ApiGateway Admin
(roles/apigateway.admin)

拥有对 ApiGateway 及相关资源的完全访问权限。

  • apigateway.*
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

拥有对 ApiGateway 及相关资源的只读权限。

  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

Apigee 角色

角色 权限

Apigee Organization Admin
(roles/apigee.admin)

拥有对所有 Apigee 资源功能的完全访问权限

  • apigee.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Analytics Agent
(roles/apigee.analyticsAgent)

针对 Apigee Universal Data Collection Agent 的一组选定权限,用于为 Apigee 组织管理分析

  • apigee.environments.getDataLocation
  • apigee.runtimeconfigs.*

Apigee Analytics Editor
(roles/apigee.analyticsEditor)

可修改 Apigee 组织的分析数据

  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Analytics Viewer
(roles/apigee.analyticsViewer)

可查看 Apigee 组织的分析数据

  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Admin
(roles/apigee.apiAdmin)

拥有对所有 Apigee API 资源的完整读写权限

  • apigee.apiproductattributes.*
  • apigee.apiproducts.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Reader
(roles/apigee.apiReader)

可以读取 apigee 资源

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Developer Admin
(roles/apigee.developerAdmin)

可管理 Apigee 资源开发者

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.apps.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developers.*
  • apigee.developersubscriptions.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Environment Admin
(roles/apigee.environmentAdmin)

拥有对 Apigee 环境资源(包括部署)的完整读写权限。

  • apigee.archivedeployments.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.environments.update
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Monetization Admin
(roles/apigee.monetizationAdmin)

与获利相关的所有权限

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developersubscriptions.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Portal Admin
(roles/apigee.portalAdmin)

可以管理 Apigee 组织的门户

  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Read-only Admin
(roles/apigee.readOnlyAdmin)

可查看所有 Apigee 资源

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.archivedeployments.download
  • apigee.archivedeployments.get
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerrappattributes.get
  • apigee.developerrappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developerbalances.get
  • apigee.developermonetizationconfigs.get
  • apigee.developers.get
  • apigee.developers.list
  • apigee.developersubscriptions.get
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.get
  • apigee.portals.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.runtimeconfigs.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Runtime Agent
(roles/apigee.runtimeAgent)

提供一组特选权限,可让运行时代理访问 Apigee 组织资源

  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.runtimeconfigs.*

Apigee Security Admin
(roles/apigee.securityAdmin)

可以管理 Apigee 组织的安全设置

  • apigee.hostsecurityreports.*
  • apigee.securityreports.*

Apigee Security Viewer
(roles/apigee.securityViewer)

可查看 Apigee 组织的安全设置

  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.securityreports.get
  • apigee.securityreports.list

Apigee Synchronizer Manager
(roles/apigee.synchronizerManager)

提供一组特选权限,可让 Synchronizer 管理 Apigee 组织中的环境

  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*

Apigee Connect Admin
(roles/apigeeconnect.Admin)

可以管理 Apigee Connect

  • apigeeconnect.connections.*

Apigee Connect Agent
(roles/apigeeconnect.Agent)

能够在外部集群和 Google 之间设置 Apigee Connect 代理。

  • apigeeconnect.endpoints.*

App Engine 角色

角色 权限

App Engine Admin
(roles/appengine.appAdmin)

拥有所有应用配置和设置的读取/写入/修改权限。

要部署新版本,主帐号必须具有 App Engine 默认服务帐号Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Creator
(roles/appengine.appCreator)

能够为项目创建 App Engine 资源。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Viewer
(roles/appengine.appViewer)

拥有对所有应用配置和设置的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Code Viewer
(roles/appengine.codeViewer)

拥有对所有应用配置、设置和已部署源代码的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Deployer
(roles/appengine.deployer)

对所有应用配置和设置的只读权限。

要部署新版本,您还必须具有 App Engine 默认服务帐号Service Account User (roles/iam.serviceAccountUser) 角色以及项目的 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin (roles/storage.objectAdmin) 角色。

无法修改现有版本,但可删除未收到流量的版本。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Service Admin
(roles/appengine.serviceAdmin)

对所有应用配置和设置的只读权限。

拥有模块级和版本级设置的写权限。无权部署新版本。

您可以授予此角色的最低级层资源:

  • 项目
  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Artifact Registry 角色

角色 权限

Artifact Registry Administrator
(roles/artifactregistry.admin)

拥有可创建和管理代码库的管理员权限。

  • artifactregistry.*

Artifact Registry Reader
(roles/artifactregistry.reader)

可以读取代码库项。

  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)

拥有管理代码库中的工件的权限。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
  • artifactregistry.yumartifacts.*

Artifact Registry Writer
(roles/artifactregistry.writer)

可以读取和写入代码库项。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*

Assured Workloads 角色

角色 权限

Assured Workloads Administrator
(roles/assuredworkloads.admin)

授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的完全访问权限

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Editor
(roles/assuredworkloads.editor)

授予对 Assured Workloads 资源和 CRM 资源(项目/文件夹和组织政策管理)的读写权限

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Reader
(roles/assuredworkloads.reader)

授予对所有 Assured Workloads 资源和 CRM 资源(项目/文件夹)的读取权限

  • assuredworkloads.operations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML 角色

角色 权限

AutoML Admin Beta 版
(roles/automl.admin)

拥有所有 AutoML 资源的完整访问权限

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Editor Beta 版
(roles/automl.editor)

可修改所有 AutoML 资源

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Predictor Beta 版
(roles/automl.predictor)

可使用模型进行预测

您可以授予此角色的最低级层资源:

  • 模型
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML Viewer Beta 版
(roles/automl.viewer)

可查看所有 AutoML 资源

您可以授予此角色的最低级层资源:

  • 数据集
  • 模型
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

BigQuery 角色

角色 权限

BigQuery Admin
(roles/bigquery.admin)

提供管理项目中所有资源的权限。获授此角色的用户可以管理项目中的所有数据,也可以取消其他用户正在项目中运行的作业。

您可以授予此角色的最低级层资源:

  • 项目
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Connection Admin
(roles/bigquery.connectionAdmin)

  • bigquery.connections.*

BigQuery Connection User
(roles/bigquery.connectionUser)

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

BigQuery Data Editor
(roles/bigquery.dataEditor)

此角色在应用于表或视图时,可提供以下权限:

  • 读取和更新表或视图的数据和元数据。
  • 删除表或视图。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取数据集的元数据以及列出数据集中的表。
  • 创建、更新、获取和删除数据集的表。

此角色在应用于项目或组织级层时,还可提供创建新数据集的权限。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Owner
(roles/bigquery.dataOwner)

此角色在应用于表或视图时,可提供以下权限:

  • 读取和更新表或视图的数据和元数据。
  • 共享表或视图。
  • 删除表或视图。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取、更新和删除数据集。
  • 创建、更新、获取和删除数据集的表。

此角色在应用于项目或组织级层时,还可提供创建新数据集的权限。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Viewer
(roles/bigquery.dataViewer)

此角色在应用于表或视图时,可提供以下权限:

  • 从表或视图中读取数据和元数据。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 读取数据集的元数据以及列出数据集中的表。
  • 从数据集的表中读取数据和元数据。

此角色在应用于项目或组织级层时,还可提供枚举项目中所有数据集的权限。但若要运行作业,还需要具备其他角色。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)

可以查看由行访问权限政策定义的已过滤表数据

  • bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User
(roles/bigquery.jobUser)

提供在项目中运行作业(包括查询)的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)

此角色在应用于表或视图时,可提供以下权限:

  • 从表或视图中读取元数据。

此角色无法应用于单个模型或例程。

此角色在应用于数据集时,可提供以下权限:

  • 列出数据集中的表和视图。
  • 从数据集的表和视图中读取元数据。

此角色在应用于项目或组织级层时,可提供以下权限:

  • 列出项目中的所有数据集,以及读取所有数据集的元数据。
  • 列出项目中的所有表和视图,以及读取所有表和视图的元数据。

但若要运行作业,还需要具备其他角色。

您可以授予此角色的最低级层资源:

  • 查看
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Read Session User
(roles/bigquery.readSessionUser)

拥有创建和使用读取会话的权限

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Admin
(roles/bigquery.resourceAdmin)

管理所有 BigQuery 资源。

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Editor
(roles/bigquery.resourceEditor)

管理所有 BigQuery 资源,但不能做出购买决定。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Viewer
(roles/bigquery.resourceViewer)

可查看所有 BigQuery 资源,但不能执行更改或做出购买决定。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery User
(roles/bigquery.user)

此角色应用于数据集时,让您可以读取数据集的元数据并列出数据集中的表。

应用于项目时,此角色还提供在项目内运行作业(包括查询)的能力。具有此角色的主帐号可以枚举自己的作业、取消自己的作业,还可以枚举项目中的数据集。此外,具有此角色的用户还可以在项目中创建新数据集;对于这些新数据集,系统会为创建者授予 BigQuery Data Owner 角色 (roles/bigquery.dataOwner)。

您可以授予此角色的最低级层资源:

  • 数据集
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

结算服务角色

角色 权限

Billing Account Administrator
(roles/billing.admin)

提供查看和管理结算帐号所有方面的权限。

您可以授予此角色的最低级层资源:

  • 结算帐号
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account Costs Manager
(roles/billing.costsManager)

可以查看和导出结算帐号的费用信息。

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list

Billing Account Creator
(roles/billing.creator)

提供创建结算帐号的权限。

您可以授予此角色的最低级层资源:

  • 组织
  • billing.accounts.create
  • resourcemanager.organizations.get

Project Billing Manager
(roles/billing.projectManager)

提供为项目分配结算帐号或停用项目结算功能的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account User
(roles/billing.user)

提供将项目与结算帐号相关联的权限。

您可以授予此角色的最低级层资源:

  • 结算帐号
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create

Billing Account Viewer
(roles/billing.viewer)

查看结算帐号费用信息和交易。

您可以授予此角色的最低级层资源:

  • 结算帐号
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Binary Authorization 角色

角色 权限

Binary Authorization Attestor Admin
(roles/binaryauthorization.attestorsAdmin)

Binary Authorization 证明者管理员

  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Editor
(roles/binaryauthorization.attestorsEditor)

可修改 Binary Authorization 证明者

  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Image Verifier
(roles/binaryauthorization.attestorsVerifier)

可调用 Binary Authorization Attestors VerifyImageAttested

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Viewer
(roles/binaryauthorization.attestorsViewer)

可以查看 Binary Authorization 证明者

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Administrator
(roles/binaryauthorization.policyAdmin)

Binary Authorization 政策管理员

  • binaryauthorization.continuousValidationConfig.*
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Editor
(roles/binaryauthorization.policyEditor)

可修改 Binary Authorization 政策

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.continuousValidationConfig.update
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Viewer
(roles/binaryauthorization.policyViewer)

可查看 Binary Authorization 政策

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service 角色

角色 权限

CA Service Admin
(roles/privateca.admin)

具有对所有 CA 服务资源的完整访问权限。

  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Auditor
(roles/privateca.auditor)

具有对所有 CA 服务资源的只读权限。

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Operation Manager
(roles/privateca.caManager)

可以创建和管理 CA、撤消证书、创建证书模板且拥有对 CA 服务资源的只读权限。

  • privateca.caPools.create
  • privateca.caPools.delete
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Certificate Manager
(roles/privateca.certificateManager)

能够创建证书,并具有对 CA 服务资源的只读权限。

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Certificate Requester
(roles/privateca.certificateRequester)

可从 CA 服务请求证书。

  • privateca.certificates.create

CA Service Certificate Template User
(roles/privateca.templateUser)

读取、列出和使用证书模板。

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

CA Service Workload Certificate Requester
(roles/privateca.workloadCertificateRequester)

以调用方的身份从 CA Service 请求证书。

  • privateca.certificates.createForSelf

Cloud Asset 角色

角色 权限

Cloud Asset Owner
(roles/cloudasset.owner)

拥有云资源元数据的完整访问权限

  • cloudasset.*
  • recommender.cloudAssetInsights.*
  • recommender.locations.*

Cloud Asset Viewer
(roles/cloudasset.viewer)

拥有云资源元数据的只读权限

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*

Cloud Bigtable 角色

角色 权限

Bigtable Administrator
(roles/bigtable.admin)

管理项目中的所有实例,包括存储在表中的数据。还可创建新实例。适用于项目管理员。

您可以授予此角色的最低级层资源:

  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Reader
(roles/bigtable.reader)

提供表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析情景。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable User
(roles/bigtable.user)

提供表中所存储数据的读写权限。适用于应用开发者或服务帐号。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Viewer
(roles/bigtable.viewer)

不提供数据访问权限。仅提供适用于 Bigtable 的 Cloud Console 的一组最低访问权限。

您可以授予此角色的最低级层资源:

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Cloud Build 角色

角色 权限

Cloud Build Approver
(roles/cloudbuild.builds.approver)

可批准或拒绝待处理的构建。

  • cloudbuild.builds.approve
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Service Account
(roles/cloudbuild.builds.builder)

提供执行构建的权限。

  • artifactregistry.aptartifacts.*
  • artifactregistry.dockerimages.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Build Editor
(roles/cloudbuild.builds.editor)

提供创建和取消构建作业的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Viewer
(roles/cloudbuild.builds.viewer)

提供查看构建作业的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Editor
(roles/cloudbuild.integrationsEditor)

可以更新集成

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Owner
(roles/cloudbuild.integrationsOwner)

可以创建/删除集成

  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.regions.get
  • compute.subnetworks.get
  • compute.subnetworks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Viewer
(roles/cloudbuild.integrationsViewer)

可以查看集成

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Editor
(roles/cloudbuild.workerPoolEditor)

可以更新和查看工作器池

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Owner
(roles/cloudbuild.workerPoolOwner)

可以创建、删除、更新和查看工作器池

  • cloudbuild.workerpools.create
  • cloudbuild.workerpools.delete
  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool User
(roles/cloudbuild.workerPoolUser)

可以在工作器池中运行构建

  • cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer
(roles/cloudbuild.workerPoolViewer)

可以查看工作器池

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Composer 角色

角色 权限

Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension 是管理 Composer v2 环境所需的补充角色。

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator
(roles/composer.admin)

提供对 Cloud Composer 资源的完全控制权。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)

提供对 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*

Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)

提供列出及获取 Cloud Composer 环境和操作所需的权限。 以及对所有项目存储分区中对象的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)

应分配给共享 VPC 宿主项目中的 Composer Agent 服务帐号的角色

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User
(roles/composer.user)

提供列出及获取 Cloud Composer 环境和操作所需的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker
(roles/composer.worker)

提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。

您可以授予此角色的最低级层资源:

  • 项目
  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • composer.environments.get
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*

Cloud Connectors 角色

角色 权限

Connector Admin
(roles/connectors.admin)

拥有对 Connectors 服务的所有资源的完全访问权限。

  • connectors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

拥有对 Connectors 的所有资源的只读权限。

  • connectors.connections.get
  • connectors.connections.getConnectionSchemaMetadata
  • connectors.connections.getIamPolicy
  • connectors.connections.getRuntimeActionSchema
  • connectors.connections.getRuntimeEntitySchema
  • connectors.connections.list
  • connectors.connectors.*
  • connectors.locations.*
  • connectors.operations.get
  • connectors.operations.list
  • connectors.providers.*
  • connectors.runtimeconfig.*
  • connectors.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion 角色

角色 权限

Cloud Data Fusion Admin Beta 版
(roles/datafusion.admin)

拥有对 Cloud Data Fusion 实例、命名空间和相关资源的完整访问权限。

您可以授予此角色的最低级层资源:

  • 项目
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion Runner Beta 版
(roles/datafusion.runner)

提供对 Cloud Data Fusion 运行时资源的访问权限。

  • datafusion.instances.runtime

Cloud Data Fusion Viewer Beta 版
(roles/datafusion.viewer)

拥有对 Cloud Data Fusion 实例、命名空间及相关资源的只读权限。

您可以授予此角色的最低级层资源:

  • 项目
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Labeling 角色

角色 权限

Data Labeling Service Admin Beta 版
(roles/datalabeling.admin)

拥有对所有 Data Labeling 资源的完全访问权限

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Editor Beta 版
(roles/datalabeling.editor)

可以修改所有 Data Labeling 资源

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Viewer Beta 版
(roles/datalabeling.viewer)

可以查看所有 Data Labeling 资源

  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Debugger 角色

角色 权限

Cloud Debugger Agent Beta 版
(roles/clouddebugger.agent)

提供注册调试目标、读取活跃断点和报告断点结果的权限。

您可以授予此角色的最低级层资源:

  • 服务帐号
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create

Cloud Debugger User Beta 版
(roles/clouddebugger.user)

提供创建、查看、列出和删除断点(快照和日志点)以及列出调试目标(调试对象)的权限。

您可以授予此角色的最低级层资源:

  • 项目
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list

Cloud Deploy 角色

角色 权限

Cloud Deploy Admin Beta 版
(roles/clouddeploy.admin)

拥有对 Cloud Deploy 资源的完全控制权。

  • clouddeploy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Approver Beta 版
(roles/clouddeploy.approver)

拥有批准或拒绝发布的权限。

  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Developer Beta 版
(roles/clouddeploy.developer)

有权管理部署配置,但无权访问操作资源,例如目标。

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Runner Beta 版
(roles/clouddeploy.jobRunner)

拥有执行 Cloud Deploy 作业的权限,但无权将其传送到目标。

  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Cloud Deploy Operator Beta 版
(roles/clouddeploy.operator)

拥有管理部署配置的权限。

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.create
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Releaser Beta 版
(roles/clouddeploy.releaser)

拥有创建 Cloud Deploy 版本和发布的权限。

  • clouddeploy.deliveryPipelines.get
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Viewer Beta 版
(roles/clouddeploy.viewer)

可以查看 Cloud Deploy 资源。

  • clouddeploy.config.*
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.*
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud DLP 角色

角色 权限

DLP Administrator
(roles/dlp.admin)

可管理 DLP,包括作业和模板。

  • dlp.*
  • serviceusage.services.use

DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)

可修改 DLP 分析风险模板。

  • dlp.analyzeRiskTemplates.*

DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)

可读取 DLP 分析风险模板。

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)

可读取 DLP 列配置文件。

  • dlp.columnDataProfiles.*

DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)

可读取 DLP 配置文件。

  • dlp.columnDataProfiles.*
  • dlp.projectDataProfiles.*
  • dlp.tableDataProfiles.*

DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)

可修改 DLP 去标识化模板。

  • dlp.deidentifyTemplates.*

DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)

可读取 DLP 去标识化模板。

  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list

DLP Cost Estimation
(roles/dlp.estimatesAdmin)

管理 DLP 费用估算。

  • dlp.estimates.*

DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)

可读取 DLP 存储的发现结果。

  • dlp.inspectFindings.*

DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)

可修改 DLP 检查模板。

  • dlp.inspectTemplates.*

DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)

可读取 DLP 检查模板。

  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list

DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)

可修改作业触发器配置。

  • dlp.jobTriggers.*

DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)

可读取作业触发器。

  • dlp.jobTriggers.get
  • dlp.jobTriggers.list

DLP Jobs Editor
(roles/dlp.jobsEditor)

可修改和创建作业

  • dlp.jobs.*
  • dlp.kms.*

DLP Jobs Reader
(roles/dlp.jobsReader)

可读取作业

  • dlp.jobs.get
  • dlp.jobs.list

DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)

DLP 服务帐号在组织或文件夹中生成数据配置文件所需的权限。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)

可读取 DLP 项目配置文件。

  • dlp.projectDataProfiles.*

DLP Project Data Profiles Driver
(roles/dlp.projectdriver)

DLP 服务帐号在项目中生成数据配置文件所需的权限。

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Reader
(roles/dlp.reader)

可读取作业和模板等 DLP 实体。

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)

可修改 DLP 存储的信息类型。

  • dlp.storedInfoTypes.*

DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)

可读取 DLP 存储的信息类型。

  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)

可读取 DLP 表配置文件。

  • dlp.tableDataProfiles.*

DLP User
(roles/dlp.user)

可检查和遮盖内容,以及对内容进行去标识化处理

  • dlp.kms.*
  • serviceusage.services.use

Cloud Domains 角色

角色 权限

Cloud Domains Admin
(roles/domains.admin)

拥有 Cloud 网域注册信息和相关资源的完整访问权限。

  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Domains Viewer
(roles/domains.viewer)

拥有 Cloud 网域注册信息及相关资源的只读权限。

  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Filestore 角色

角色 权限

Cloud Filestore Editor Beta 版
(roles/file.editor)

拥有对 Filestore 实例及相关资源的读写权限。

  • file.*

Cloud Filestore Viewer Beta 版
(roles/file.viewer)

拥有对 Filestore 实例及相关资源的只读权限。

  • file.backups.get
  • file.backups.list
  • file.instances.get
  • file.instances.list
  • file.locations.*
  • file.operations.get
  • file.operations.list

Cloud Functions 角色

角色 权限

Cloud Functions Admin
(roles/cloudfunctions.admin)

拥有对函数、运算和位置的完整访问权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Developer
(roles/cloudfunctions.developer)

拥有对所有函数相关资源的读写权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Invoker
(roles/cloudfunctions.invoker)

可使用受限的访问权限调用 HTTP 函数。

  • cloudfunctions.functions.invoke

Cloud Functions Viewer
(roles/cloudfunctions.viewer)

拥有对函数和位置的只读权限。

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.operations.get
  • run.operations.list
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Game Services 角色

角色 权限

Game Services API Admin
(roles/gameservices.admin)

拥有对 Game Services API 及相关资源的完全访问权限。

  • gameservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Game Services API Viewer
(roles/gameservices.viewer)

拥有对 Game Services API 及相关资源的只读权限。

  • gameservices.gameServerClusters.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerDeployments.list
  • gameservices.locations.*
  • gameservices.operations.get
  • gameservices.operations.list
  • gameservices.realms.get
  • gameservices.realms.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Healthcare 角色

角色 权限

Healthcare Annotation Editor
(roles/healthcare.annotationEditor)

可创建、删除、更新、读取、列出注释。

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Reader
(roles/healthcare.annotationReader)

可读取和列出注释存储区中的注释。

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.get
  • healthcare.annotations.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)

可管理注释存储区。

  • healthcare.annotationStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)

可列出数据集中的注释存储区。

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)

可以修改 AttributeDefinition 对象。

  • healthcare.attributeDefinitions.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)

可以读取许可存储区中的 AttributeDefinition 对象。

  • healthcare.attributeDefinitions.get
  • healthcare.attributeDefinitions.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Administrator
(roles/healthcare.consentArtifactAdmin)

可以管理 ConsentArtifact 对象。

  • healthcare.consentArtifacts.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Editor
(roles/healthcare.consentArtifactEditor)

可以修改 ConsentArtifact 对象。

  • healthcare.consentArtifacts.create
  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Reader
(roles/healthcare.consentArtifactReader)

可以读取许可存储区中的 ConsentArtifact 对象。

  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Editor
(roles/healthcare.consentEditor)

可以修改 Consent 对象。

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Reader
(roles/healthcare.consentReader)

可以读取许可存储区中的 Consent 对象。

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.get
  • healthcare.consents.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Store Administrator
(roles/healthcare.consentStoreAdmin)

可以管理许可存储区。

  • healthcare.consentStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Store Viewer
(roles/healthcare.consentStoreViewer)

可以列出数据集中的许可存储区。

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Dataset Administrator
(roles/healthcare.datasetAdmin)

可以管理医疗保健数据集。

  • healthcare.datasets.*
  • healthcare.locations.*
  • healthcare.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Dataset Viewer
(roles/healthcare.datasetViewer)

可以列出项目中的医疗保健数据集。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Editor
(roles/healthcare.dicomEditor)

可逐个及批量修改 DICOM 映像。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.import
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Store Administrator
(roles/healthcare.dicomStoreAdmin)

可管理 DICOM 存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.get
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Store Viewer
(roles/healthcare.dicomStoreViewer)

可列出数据集中的 DICOM 存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Viewer
(roles/healthcare.dicomViewer)

可从 DICOM 存储区检索 DICOM 映像。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Resource Editor
(roles/healthcare.fhirResourceEditor)

可创建、删除、更新、读取和搜索 FHIR 资源。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.get
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirResources.update
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Resource Reader
(roles/healthcare.fhirResourceReader)

可读取和搜索 FHIR 资源。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.get
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Store Administrator
(roles/healthcare.fhirStoreAdmin)

可以管理 FHIR 资源存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.configureSearch
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.export
  • healthcare.fhirStores.get
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.import
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.fhirStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Store Viewer
(roles/healthcare.fhirStoreViewer)

可列出数据集中的 FHIR 存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Consumer
(roles/healthcare.hl7V2Consumer)

可列出和读取 HL7v2 消息,更新消息标签,以及发布新消息。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Editor
(roles/healthcare.hl7V2Editor)

拥有对 HL7v2 消息的读取、写入和删除权限。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.*
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Ingest
(roles/healthcare.hl7V2Ingest)

可提取从来源网络接收到的 HL7v2 消息。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.ingest
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Store Administrator
(roles/healthcare.hl7V2StoreAdmin)

可管理 HL7v2 存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.*
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Store Viewer
(roles/healthcare.hl7V2StoreViewer)

可查看数据集中的 HL7v2 存储区。

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare NLP Service Viewer Beta 版
(roles/healthcare.nlpServiceViewer)

从给定文字中提取和分析医疗实体。

  • healthcare.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare User Data Mapping Editor
(roles/healthcare.userDataMappingEditor)

可以修改 UserDataMapping 对象。

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare User Data Mapping Reader
(roles/healthcare.userDataMappingReader)

可以读取许可存储区中的 UserDataMapping 对象。

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.get
  • healthcare.userDataMappings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud IAP 角色

角色 权限

IAP Policy Admin
(roles/iap.admin)

提供对 Identity-Aware Proxy 资源的完整访问权限。

您可以授予此角色的最低级层资源:

  • 项目
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy

IAP-secured Web App User
(roles/iap.httpsResourceAccessor)

提供对使用 Identity-Aware Proxy 的 HTTPS 资源的访问权限。

  • iap.webServiceVersions.accessViaIAP

IAP Settings Admin
(roles/iap.settingsAdmin)

IAP 设置管理员。

  • iap.projects.*
  • iap.web.getSettings
  • iap.web.updateSettings
  • iap.webServiceVersions.getSettings
  • iap.webServiceVersions.updateSettings
  • iap.webServices.getSettings
  • iap.webServices.updateSettings
  • iap.webTypes.getSettings
  • iap.webTypes.updateSettings

IAP-secured Tunnel User
(roles/iap.tunnelResourceAccessor)

可访问使用 Identity-Aware Proxy 的隧道资源

  • iap.tunnelInstances.accessViaIAP

Cloud IoT 角色

角色 权限

Cloud IoT Admin
(roles/cloudiot.admin)

拥有对所有 Cloud IoT 资源和权限的完全控制权。

您可以授予此角色的最低级层资源:

  • 设备
  • cloudiot.*
  • cloudiottoken.*

Cloud IoT Device Controller
(roles/cloudiot.deviceController)

有权更新设备配置,但无权创建或删除设备。

您可以授予此角色的最低级层资源:

  • 设备
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.devices.sendCommand
  • cloudiot.devices.updateConfig
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Editor
(roles/cloudiot.editor)

拥有对所有 Cloud IoT 资源的读写权限。

您可以授予此角色的最低级层资源:

  • 设备
  • cloudiot.devices.*
  • cloudiot.registries.create
  • cloudiot.registries.delete
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiot.registries.update
  • cloudiottoken.*

Cloud IoT Provisioner
(roles/cloudiot.provisioner)

拥有在注册表中创建和删除设备的权限,但无权修改注册表,并且允许设备发布到与 IoT 注册表相关联的主题。

您可以授予此角色的最低级层资源:

  • 设备
  • cloudiot.devices.*
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Viewer
(roles/cloudiot.viewer)

拥有对所有 Cloud IoT 资源的只读权限。

您可以授予此角色的最低级层资源:

  • 设备
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud KMS 角色

角色 权限

Cloud KMS Admin
(roles/cloudkms.admin)

提供 Cloud KMS 资源的完整访问权限,但不提供执行加密和解密操作的权限。

您可以授予此角色的最低级层资源:

  • 加密密钥
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.destroy
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeyVersions.restore
  • cloudkms.cryptoKeyVersions.update
  • cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
  • cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
  • cloudkms.cryptoKeys.*
  • cloudkms.importJobs.*
  • cloudkms.keyRings.*
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter
(roles/cloudkms.cryptoKeyDecrypter)

仅提供使用 Cloud KMS 资源执行解密操作的权限。