了解角色

当某个身份调用 Google Cloud API 时，Cloud Identity and Access Management 会要求该身份必须具有使用相应资源的适当权限。您可以通过为用户、群组或服务帐号授予角色来提供权限。

本页介绍您可以为身份授予 Cloud Platform 资源访问权限的 Cloud IAM 角色。

本指南的先决条件

了解 Cloud IAM 的基本概念

角色类型

Cloud IAM 中有三种类型的角色：

原初角色：包括在引入 Cloud IAM 之前已存在的 Owner、Editor 和 Viewer 角色
预定义角色：针对特定服务提供精细访问权限，并由 Google Cloud 管理
自定义角色：根据用户指定的权限列表提供精细访问权限

如需确定原初角色、预定义角色或自定义角色中是否包含一项或多项权限，您可以使用以下方法之一：

gcloud iam roles describe 命令。
roles.get() API

以下各部分介绍了每种角色类型并提供了有关如何使用它们的示例。

原初角色

在引入 Cloud IAM 之前存在三个角色：所有者、编辑者和查看者。这些角色是同心的；也就是说，Owner 角色包含 Editor 角色的权限，而 Editor 角色又包含 Viewer 角色的权限。

下表概括了原初角色在所有 Google Cloud 服务中包含的权限：

原初角色定义

角色	名称	权限
`roles/viewer`	Viewer	拥有执行不会影响状态的只读操作的权限，例如查看（但无法修改）现有资源或数据。
`roles/editor`	Editor	拥有所有查看权限，以及修改状态的操作（例如更改现有资源）的权限。注意：虽然 `roles/editor` 角色包含为大多数 Google Cloud 服务创建和删除资源的权限，但某些服务不包含这些权限。要详细了解如何检查某项角色是否具有您所需的权限，请参阅上文。
`roles/owner`	Owner	拥有所有修改权限，此外还有权执行以下操作：管理项目和项目中所有资源的角色和权限。为项目设置结算。注意：在资源级层授予 Owner 角色（如 Pub/Sub 主题）不会在父级项目上授予 Owner 角色。因此，在组织级层授予 Owner 角色，您将无法更新组织的元数据。但这样，您可以修改该组织名下的项目和其他资源。

您可以使用 Cloud Console、API 和 gcloud 命令行工具在项目或服务资源级层应用原初角色。

邀请流程

您无法使用 Cloud IAM API 或 gcloud 命令行工具将 Owner 角色授予项目的成员。您只能使用 Cloud Console 将所有者添加到项目中。系统会通过电子邮件向该成员发送邀请，该成员必须接受邀请才能成为项目的所有者。

请注意，在以下情况下，系统不会发送邀请电子邮件：

您要授予除所有者以外的角色时。
组织成员将其组织的其他成员添加为该组织中某个项目的所有者。

预定义角色

除了原初角色之外，Cloud IAM 还提供其他预定义角色，后者可让您为特定 Google Cloud Platform 资源授予更精确的访问权限，同时阻止对其他资源的不必要访问。

下表列出了这些角色、说明以及可设置这些角色的最低级层的资源类型。您可以为此资源类型授予特定角色，或者在大多数情况下可以为该类型在 Google Cloud 层次结构中的任何上级类型授予特定角色。您可以为同一位用户授予多个角色。例如，同一位用户可以拥有项目上的 Network Admin 和 Log Viewer 角色，并且对该项目中的 Pub/Sub 主题具有 Publisher 角色。有关角色中包含的权限的列表，请参阅获取角色元数据。

访问权限审批角色

角色	名称	说明	权限
`roles/accessapproval.approver`	Access Approval Approver ^{Beta 版}	能够查看或处理权限审批请求并查看配置	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Access Approval Config Editor ^{Beta 版}	可更新访问权限审批配置	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Access Approval Viewer ^{Beta 版}	可查看访问权限审批请求和配置	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager 角色

角色	名称	说明	权限
`roles/accesscontextmanager.policyAdmin`	Access Context Manager 管理员	拥有政策、访问权限级别和访问地区的完整访问权限	accesscontextmanager.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Access Context Manager 编辑者	拥有对政策的修改权限。可创建、修改和更改访问权限级别和访问地区。	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Access Context Manager 查看者	拥有政策、访问权限级别和访问地区的读取权限。	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	VPC Service Controls Troubleshooter Viewer ^{Alpha 版}		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions 角色

角色	名称	说明	权限	最低资源要求
`roles/actions.Admin`	Actions Admin	拥有修改和部署操作的权限	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list
`roles/actions.Viewer`	Actions Viewer	拥有查看操作的权限	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list

Android Management 角色

角色	名称	说明	权限	最低资源要求
`roles/androidmanagement.user`	Android 管理用户	拥有管理设备的完整权限。	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Apigee 角色

角色	名称	说明	权限
`roles/apigee.admin`	Apigee Organization Admin ^{Beta 版}	拥有对所有 Apigee 资源功能的完整访问权限	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Apigee Analytics Agent ^{Beta 版}	针对 Apigee Universal Data Collection Agent 的一组选定权限，用于为 Apigee 组织管理分析	apigee.environments.getDataLocation
`roles/apigee.analyticsEditor`	Apigee Analytics Editor ^{Beta 版}	可修改 Apigee 组织的分析数据	apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Apigee Analytics Viewer ^{Beta 版}	可查看 Apigee 组织的分析数据	apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiCreator`	Apigee API Creator ^{Beta 版}	可创建 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.delete apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.update apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.deployer`	Apigee Deployer ^{Beta 版}	可部署 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.deployments.* apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.developerAdmin`	Apigee Developer Admin ^{Beta 版}	可管理 Apigee 资源开发者	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Apigee Read-only Admin ^{Beta 版}	可查看所有 Apigee 资源	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.deployments.get apigee.deployments.list apigee.developerrappattributes.get apigee.developerrappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.synchronizerManager`	Apigee Synchronizer Manager ^{Beta 版}	Synchronizer 的精选权限集，用于管理 Apigee 组织中的环境	apigee.environments.get apigee.environments.manageRuntime

App Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/appengine.appAdmin`	App Engine 管理员	拥有所有应用配置和设置的读取/写入/修改权限。	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.appViewer`	App Engine 查看者	对所有应用配置和设置的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.codeViewer`	App Engine 代码查看者	拥有所有应用配置、设置和部署的源代码的只读权限。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.deployer`	App Engine 部署者	对所有应用配置和设置的只读权限。仅拥有创建新版本的写入权限；无法修改现有版本，但可删除未收到流量的版本。注意：如需使用 App Engine Admin API 进行部署，您只需具有 App Engine Deployer (`roles/appengine.deployer`) 角色即可获得足够的权限。如需使用其他 App Engine 工具（如 gcloud 命令），您还必须拥有 Compute Storage Admin (`roles/compute.storageAdmin`) 和 Cloud Build Editor (`cloudbuild.builds.editor`) 角色。	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/appengine.serviceAdmin`	App Engine 服务管理员	对所有应用配置和设置的只读权限。拥有模块级和版本级设置的写入权限。无法部署新版本。	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	项目

Artifact Registry 角色

角色	名称	说明	权限
`roles/artifactregistry.admin`	Artifact Registry Administrator ^{Beta 版}	拥有可创建和管理代码库的管理员权限。	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader ^{Beta 版}	可以读取代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator ^{Beta 版}	拥有管理代码库中的工件的权限。	artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.*
`roles/artifactregistry.writer`	Artifact Registry Writer ^{Beta 版}	可以读取和写入代码库项。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list

AutoML 角色

角色	名称	说明	权限	最低资源要求
`roles/automl.admin`	AutoML Admin ^{Beta 版}	拥有所有 AutoML 资源的完整访问权限	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.editor`	AutoML Editor ^{Beta 版}	可修改所有 AutoML 资源	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型
`roles/automl.predictor`	AutoML Predictor ^{Beta 版}	可使用模型进行预测	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	型号
`roles/automl.viewer`	AutoML Viewer ^{Beta 版}	可查看所有 AutoML 资源	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	数据集/模型

BigQuery 角色

角色	名称	说明	权限	最低资源要求
`roles/bigquery.admin`	BigQuery 管理	提供管理项目中所有资源的权限。可以管理项目中的所有数据，并可以从其他用户取消在项目中运行的作业。	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin ^{Beta 版}		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User ^{Beta 版}		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery 数据编辑者	dataEditor 应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	数据集
`roles/bigquery.dataOwner`	BigQuery 数据所有者	dataOwner 应用于数据集时，可提供以下权限：读取、更新和删除数据集。创建、更新、获取和删除数据集的表。此角色在应用于项目或组织级层时，还可提供创建新数据集的权限。	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	数据集
`roles/bigquery.dataViewer`	BigQuery 数据查看者	dataViewer 应用于数据集时，可提供以下权限：读取数据集的元数据以及列出数据集中的表。从数据集的表中读取数据和元数据。此角色在应用于项目或组织级层时，还可提供枚举项目中所有数据集的权限。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	数据集
`roles/bigquery.jobUser`	BigQuery 作业用户	提供在项目中运行作业（包括查询）的权限。此角色可以检查所有作业是否存在，以及枚举和取消自己的作业。	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.metadataViewer`	BigQuery 元数据查看者	metadataViewer 应用于项目或组织级层时，可提供以下权限：列出项目中的所有数据集，以及读取所有数据集的元数据。列出项目中的所有表和视图，以及读取所有表和视图的元数据。但若要运行作业，还需要具备其他角色。	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/bigquery.readSessionUser`	BigQuery 读取会话用户	拥有创建和使用读取会话的权限	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin ^{Beta 版}	管理所有 BigQuery 资源。	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery 用户	提供在项目中运行作业（包括查询）的权限。用户角色可枚举他们自己的作业，取消他们自己的作业，以及枚举项目中的数据集。另外，具有此角色的用户还可以在项目中创建新数据集；对于这些新数据集，系统会为创建者授予 `bigquery.dataOwner` 角色。	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Bigtable 角色

角色	名称	说明	权限	最低资源要求
`roles/bigtable.admin`	Bigtable 管理员	可以管理项目中的所有实例，包括存储在表中的数据。还可创建新实例。适用于项目管理员。	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.reader`	Bigtable 读取者	提供对表中所存储数据的只读权限。适用于数据科学家、信息中心生成器和其他数据分析场景。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.user`	Bigtable 用户	提供对表中所存储数据的读写权限。适用于应用开发者或服务帐号。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例
`roles/bigtable.viewer`	Bigtable 查看者	不提供数据访问权限。仅提供适用于 Bigtable 的 Cloud Console 的一组最低访问权限。	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	实例

Billing 角色

角色	名称	说明	权限	最低资源要求
`roles/billing.admin`	结算帐号管理员	提供查看和管理结算帐号所有方面的权限。	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	结算帐号
`roles/billing.creator`	结算帐号创建者	提供创建结算帐号的权限。	billing.accounts.create resourcemanager.organizations.get	项目
`roles/billing.projectManager`	项目结算管理员	提供为项目分配结算帐号或停用项目结算功能的权限。	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	项目
`roles/billing.user`	结算帐号用户	提供将项目与结算帐号相关联的权限。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	结算帐号
`roles/billing.viewer`	结算帐号查看者	查看结算帐号费用信息和交易。	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list	组织结算帐号

Binary Authorization 角色

角色	名称	说明	权限
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin ^{Beta 版}	Binary Authorization 证明者管理员	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor ^{Beta 版}	二进制授权证明者的编辑者	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier ^{Beta 版}	二进制授权证明者的映像验证者的调用者	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer ^{Beta 版}	二进制授权证明者的查看者	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator ^{Beta 版}	二进制授权政策的管理员	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor ^{Beta 版}	二进制授权政策的编辑者	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer ^{Beta 版}	二进制授权政策的查看者	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat 角色

角色	名称	说明	权限	最低资源要求
`roles/chat.owner`	聊天机器人所有者	可以查看和修改机器人配置	chat.*
`roles/chat.reader`	聊天机器人查看者	可以查看机器人配置	chat.bots.get

Cloud Asset 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudasset.owner`	云资源所有者	拥有云资源元数据的完整访问权限	cloudasset.*
`roles/cloudasset.viewer`	云资产查看者	拥有云资源元数据的只读权限	cloudasset.assets.*

Cloud Build 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudbuild.builds.builder`	Cloud Build 服务帐号	可以执行构建	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Cloud Build 编辑者	提供创建和取消构建的权限。	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudbuild.builds.viewer`	Cloud Build 查看者	提供查看构建的权限。	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Data Fusion 角色

角色	名称	说明	权限	最低资源要求
`roles/datafusion.admin`	Cloud Data Fusion Admin ^{Beta 版}	拥有 Cloud Data Fusion 实例和相关资源的完整访问权限。	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^{Beta 版}	拥有 Cloud Data Fusion 实例及相关资源的只读权限。	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Debugger 角色

角色	名称	说明	权限	最低资源要求
`roles/clouddebugger.agent`	Cloud Debugger Agent ^{Beta 版}	提供注册调试目标、读取活动断点和报告断点结果的权限。	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	服务帐号
`roles/clouddebugger.user`	Cloud Debugger User ^{Beta 版}	提供创建、查看、列出和删除断点（快照和日志点）以及列出调试目标（调试对象）的权限。	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	项目

Cloud Functions 角色

角色	名称	说明	权限
`roles/cloudfunctions.admin`	Cloud Functions Admin^{Beta 版}	拥有函数、运算和位置的完整访问权限。	Cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Cloud Functions Developer^{Beta 版}	拥有所有函数相关资源的读写权限。	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Cloud Functions Invoker^{Beta 版}	可使用受限的访问权限调用 HTTP 函数。	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Cloud Functions Viewer^{Beta 版}	拥有函数和位置的只读权限。	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP 角色

角色	名称	说明	权限	最低资源要求
`roles/iap.admin`	IAP 政策管理员	提供对 Identity-Aware Proxy 资源的完整访问权限。	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	项目
`roles/iap.httpsResourceAccessor`	受 IAP 保护的网络应用用户	提供对使用 Identity-Aware Proxy 的 HTTPS 资源的访问权限。	iap.webServiceVersions.accessViaIAP	项目
`roles/iap.settingsAdmin`	IAP Settings Admin	IAP 设置管理员。	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	受 IAP 保护的隧道用户	可访问使用 Identity-Aware Proxy 的隧道资源	iap.tunnelInstances.accessViaIAP

Cloud IoT 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudiot.admin`	Cloud IoT 管理员	能够完全控制所有 Cloud IoT 资源和权限。	cloudiot.* cloudiottoken.*	设备
`roles/cloudiot.deviceController`	Cloud IoT 设备控制者	访问以更新设备的配置，但不能创建或删除设备。	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.editor`	Cloud IoT 编辑者	拥有所有 Cloud IoT 资源的读写权限。	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	设备
`roles/cloudiot.provisioner`	Cloud IoT 配置者	有权在注册表中创建和删除设备，但无权修改注册表。	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备
`roles/cloudiot.viewer`	Cloud IoT 查看者	对所有 Cloud IoT 资源拥有只读权限。	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	设备

Cloud Talent Solution 角色

角色	名称	说明	权限
`roles/cloudjobdiscovery.admin`	管理	拥有 Cloud Job Discovery 自助式工具的访问权限	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsEditor`	作业编辑者	拥有所有 Cloud Job Discovery 数据的写入权限。	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsViewer`	作业查看者	拥有所有 Cloud Job Discovery 数据的读取权限。	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesEditor`	个人资料编辑者	拥有 Cloud Talent Solution 中所有个人资料数据的写权限。	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesViewer`	个人资料查看者	拥有 Cloud Talent Solution 中所有个人资料数据的读权限。	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudkms.admin`	Cloud KMS 管理员	提供 Cloud KMS 资源的完整访问权限，但不提供执行加密和解密操作的权限。	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* resourcemanager.projects.get	加密密钥
`roles/cloudkms.cryptoKeyDecrypter`	Cloud KMS 加密密钥解密者	仅提供使用 Cloud KMS 资源执行解密操作的功能。	cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get	加密密钥
`roles/cloudkms.cryptoKeyEncrypter`	Cloud KMS 加密密钥加密者	仅提供使用 Cloud KMS 资源执行加密操作的功能。	cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	加密密钥
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS 加密密钥加密者/解密者	仅提供使用 Cloud KMS 资源执行加密和解密操作的功能。	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	加密密钥
`roles/cloudkms.importer`	Cloud KMS Importer	启用 ImportCryptoKeyVersion、CreateImportJob、ListImportJobs 和 GetImportJob 操作	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer	启用 GetPublicKey 操作	cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get
`roles/cloudkms.signer`	Cloud KMS CryptoKey Signer	可启用 AsymmetricSign 操作	cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier	可启用 AsymmetricSign 和 GetPublicKey 操作	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get

Cloud Migration 角色

角色	名称	说明	权限
`roles/cloudmigration.inframanager`	Velostrata Manager ^{Beta 版}	可创建和管理 Compute 虚拟机以运行 Velostrata 基础架构	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/cloudmigration.storageaccess`	Velostrata Storage Access ^{Beta 版}	可访问迁移存储空间	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^{Beta 版}	可在 Velostrata Manager 与 Google 之间设置连接	cloudmigration.* gkehub.endpoints.*
`roles/vmmigration.admin`	VM Migration Administrator ^{Beta 版}	可查看和修改所有 VM Migration 对象	vmmigration.*
`roles/vmmigration.viewer`	VM Migration Viewer ^{Beta 版}	可查看所有 VM Migration 对象	vmmigration.deployments.get vmmigration.deployments.list

Cloud Private Catalog 角色

角色	名称	说明	权限
`roles/cloudprivatecatalog.consumer`	Catalog Consumer ^{Beta 版}	可以在目标资源情境中浏览目录。	cloudprivatecatalog.*
`roles/cloudprivatecatalogproducer.admin`	Catalog Admin ^{Beta 版}	可以管理目录并查看其关联。	cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
`roles/cloudprivatecatalogproducer.manager`	Catalog Manager ^{Beta 版}	可管理目录和目标资源之间的关联。	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get

Stackdriver Profiler 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudprofiler.agent`	Stackdriver Profiler Agent ^{Beta 版}	Stackdriver Profiler 代理可以注册和提供分析数据。	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/cloudprofiler.user`	Stackdriver Profiler User ^{Beta 版}	Stackdriver Profiler 用户可以查询和查看分析数据。	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler 角色

角色	名称	说明	权限
`roles/cloudscheduler.admin`	Cloud Scheduler Admin ^{Beta 版}	拥有作业和执行作业的完整访问权限。	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.jobRunner`	Cloud Scheduler Job Runner ^{Beta 版}	可以运行作业。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.viewer`	Cloud Scheduler Viewer ^{Beta 版}	可获取和列出作业、作业执行情况和位置。	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Cloud Security Scanner 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	拥有所有 Cloud Security Scanner 资源的完整访问权限	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	可以读取 Scan 和 ScanRun 并且能够启动扫描	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	项目
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	拥有所有 Cloud Security Scanner 资源的读取权限	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud 服务角色

角色	名称	说明	权限	最低资源要求
`roles/servicebroker.admin`	Service Broker Admin ^{Beta 版}	拥有 ServiceBroker 资源的完整访问权限。	servicebroker.*
`roles/servicebroker.operator`	Service Broker Operator ^{Beta 版}	拥有 ServiceBroker 资源的操作权限。	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudsql.admin`	Cloud SQL 管理员	提供 Cloud SQL 资源的完全控制权。	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.client`	Cloud SQL 客户	可连接到 Cloud SQL 实例。	cloudsql.instances.connect cloudsql.instances.get	项目
`roles/cloudsql.editor`	Cloud SQL 编辑者	提供现有 Cloud SQL 实例的完全控制权，但不能修改用户、SSL 证书或删除资源。	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/cloudsql.viewer`	Cloud SQL 查看者	提供 Cloud SQL 资源的只读权限。	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsq.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Cloud Tasks 角色

角色	名称	说明	权限
`roles/cloudtasks.admin`	Cloud Tasks Admin ^{Beta 版}	拥有队列和任务的完整访问权限。	cloudtasks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^{Beta 版}	有权创建任务。	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^{Beta 版}	拥有对队列的管理员权限。	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^{Beta 版}	有权删除任务。	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskRunner`	Cloud Tasks Task Runner ^{Beta 版}	有权运行任务。	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.viewer`	Cloud Tasks Viewer ^{Beta 版}	有权获取和列出任务、队列和位置。	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace 角色

角色	名称	说明	权限	最低资源要求
`roles/cloudtrace.admin`	云端跟踪管理员	提供 Trace 控制台的完整访问权限以及跟踪记录的读写权限。	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/cloudtrace.agent`	云端跟踪代理	适用于服务帐号。提供通过将数据发送到 Stackdriver Trace 来写入跟踪记录的功能。	cloudtrace.traces.patch	项目
`roles/cloudtrace.user`	云端跟踪用户	提供 Trace 控制台的完整访问权限以及跟踪记录的读取权限。	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	项目

Cloud Translation 角色

角色	名称	说明	权限
`roles/cloudtranslate.admin`	Cloud Translation API 管理员	拥有所有 Cloud Translation 资源的完整访问权限	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.editor`	Cloud Translation API 编辑者	Cloud Translation 资源的编辑者	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.user`	Cloud Translation API 用户	Cloud Translation 和 AutoML 模型用户	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.viewer`	Cloud Translation API 查看者	所有 Translation 资源查看者	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations_list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Codelab API Keys 角色

角色	名称	说明	权限
`roles/codelabapikeys.admin`	Codelab ApiKeys Admin ^{Beta 版}	拥有对 API 密钥的完整访问权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.editor`	Codelab API Keys Editor ^{Beta 版}	此角色可查看和修改 API 密钥的所有属性。	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.viewer`	Codelab API Keys Viewer ^{Beta 版}	此角色可查看 API 密钥更改历史记录以外的所有属性。	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer 角色

角色	名称	说明	权限	最低资源要求
`roles/composer.admin`	Composer 管理员	提供 Cloud Composer 资源的完全控制权。	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.environmentAndStorageObjectAdmin`	环境和存储对象管理员	提供 Cloud Composer 资源和所有项目存储分区中对象的完全控制权。	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	项目
`roles/composer.environmentAndStorageObjectViewer`	环境用户和存储对象查看者	提供列出及获取 Cloud Composer 环境和操作所需的权限。提供所有项目存储分区中对象的只读权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	项目
`roles/composer.user`	Composer 用户	提供列出及获取 Cloud Composer 环境和操作所需的权限。	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/composer.worker`	Composer 工作者	提供运行 Cloud Composer 环境虚拟机所需的权限。适用于服务帐号。	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* container.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	项目

Compute Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/compute.admin`	计算管理员	拥有所有 Compute Engine 资源的完全控制权。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^测试版
`roles/compute.imageUser`	计算映像用户	在无需其他映像权限的情况下列出和读取映像的权限。在项目级层授予 `compute.imageUser` 角色后，获授此角色的用户可以列出项目中的所有映像，并根据项目中的映像创建实例和永久性磁盘等资源。	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	映像^测试版
`roles/compute.instanceAdmin`	计算实例管理员（测试版）	拥有创建、修改和删除虚拟机实例的权限。这包括创建、修改和删除磁盘的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。如果用户要管理配置为以服务帐号身份运行的虚拟机实例，您还必须授予 `roles/iam.serviceAccountUser` 角色。例如，如果贵公司的某位员工负责管理多组虚拟机实例，但不负责管理网络或安全设置，也不负责管理以服务帐号身份运行的实例，则您可以在这些实例所属的组织、文件夹或项目级层授予此角色，也可以在个别实例级层授予此角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、快照^测试版
`roles/compute.instanceAdmin.v1`	计算实例管理员 (v1)	拥有 Compute Engine 实例、实例组、磁盘、快照和映像的完整控制权。拥有所有 Compute Engine 网络资源的读取权限。如果仅在实例级层向用户授予此角色，则该用户无法创建新实例。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.loadBalancerAdmin`	Compute Load Balancer Admin ^{Beta 版}	拥有创建、修改和删除负载平衡器及相关资源的权限。举例来说，如果贵公司的负载平衡团队负责管理负载平衡器、负载平衡器的 SSL 证书、SSL 政策和其他负载平衡资源，而另一个网络团队负责管理其余网络资源，那么请将 `loadBalancerAdmin` 角色授予负载平衡团队所属的群组。	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.networkAdmin`	计算网络管理员	拥有创建、修改和删除网络资源（不包括防火墙规则和 SSL 证书）的权限。Network Admin 角色允许以只读方式访问防火墙规则、SSL 证书和实例（以查看其临时 IP 地址），但无法让用户创建、启动、停止或删除实例。举例来说，如果贵公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，那么请将 `networkAdmin` 角色授予网络团队所属的群组。	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.networkUser`	计算网络用户	提供共享 VPC 网络的访问权限获授此角色的服务所有者可以使用属于宿主项目的 VPC 网络和子网。例如，网络用户可以创建属于宿主项目网络的虚拟机实例，但不能在宿主项目中删除网络或者创建新网络。	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/compute.networkViewer`	计算网络查看者	提供所有网络资源的只读权限举例来说，如果您使用软件来检查网络配置，则可以向该软件的服务帐号授予 `networkViewer` 角色。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.orgSecurityPolicyAdmin`	Compute Organization Security Policy Admin ^{Beta 版}	拥有 Compute Engine 组织安全政策的完整控制权。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyUser`	Compute Organization Security Policy User ^{Beta 版}	可以查看或使用 Compute Engine 安全政策，以便与组织或文件夹相关联。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityResourceAdmin`	Compute Organization Resource Admin ^{Beta 版}	拥有与组织或文件夹关联的 Compute Engine 安全政策的完全控制权。	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.osAdminLogin`	计算操作系统管理员登录	拥有以管理员用户身份登录 Compute Engine 实例的权限。	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.osLogin`	计算操作系统登录	能够以标准用户身份登录到 Compute Engine 实例。	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.osLoginExternalUser`	计算操作系统登录外部用户	仅在组织级层提供。此角色可为外部用户授予设置与该组织关联的 OS Login 信息的权限，但不授予对实例的访问权限。外部用户必须获授一个必要的 OS Login 角色才能使用 SSH 访问实例。	compute.oslogin.*	组织
`roles/compute.packetMirroringAdmin`	Compute Packet Mirroring Admin	指定要生成镜像的资源。	compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.packetMirroringUser`	Compute Packet Mirroring User	使用 Compute Engine 数据包镜像。	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.securityAdmin`	计算安全管理员	拥有创建、修改和删除防火墙规则和 SSL 证书的权限，以及配置安全强化型虚拟机^{Beta 版}设置的权限。举例来说，如果贵公司的安全团队负责管理防火墙和 SSL 证书，而网络团队负责管理其余网络资源，那么请将 `securityAdmin` 角色授予安全团队所属的群组。	compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	实例^测试版
`roles/compute.storageAdmin`	计算存储管理员	拥有创建、修改和删除磁盘、映像及快照的权限。举例来说，如果贵公司的某位员工负责管理项目映像，但您不希望该员工拥有项目的 Editor 角色，那么您可以向其帐号授予项目的 `storageAdmin` 角色。	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、快照^测试版
`roles/compute.viewer`	计算查看者	拥有以只读方式获取和列出 Compute Engine 资源的权限，但无权读取这些资源中存储的数据。例如，获授此角色的帐号可以清点项目中的所有磁盘，但无法读取这些磁盘上的任何数据。	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	磁盘、映像、实例、instanceTemplate、nodeGroup、nodeTemplate、快照^测试版
`roles/compute.xpnAdmin`	计算共享 VPC 管理员	拥有管理共享 VPC 宿主项目的权限，具体来说，就是可以启用宿主项目并将共享 VPC 服务项目关联到宿主项目所在的网络。此角色只能由组织管理员在组织层级授予。 Google Cloud 建议将 Shared VPC Admin 设为共享 VPC 宿主项目的所有者。Shared VPC Admin 负责向服务所有者授予 `compute.networkUser` 角色，而共享 VPC 宿主项目所有者则负责控制项目本身。如果单个主体（个人或群组）可以同时担任这两个角色，那么项目管理会变得更加容易。	compute.globalOperations.get compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	组织
`roles/osconfig.assignmentAdmin`	Assignment Admin ^{Alpha 版}	对分配拥有完整的管理员访问权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentEditor`	Assignment Editor ^{Alpha 版}	能编辑分配资源的用户	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentViewer`	Assignment Viewer ^{Alpha 版}	能查看分配资源的用户	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyAdmin`	GuestPolicy Admin ^{Alpha 版}	拥有对 GuestPolicy 的完整管理员权限	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyEditor`	GuestPolicy Editor ^{Alpha 版}	可以修改 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyViewer`	GuestPolicy Viewer ^{Alpha 版}	可以查看 GuestPolicy 资源	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigAdmin`	OsConfig Admin ^{Alpha 版}	对 OsConfigs 拥有完整的管理员访问权限	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigEditor`	OsConfig Editor ^{Alpha 版}	能编辑 OsConfig 资源	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigViewer`	OsConfig Viewer ^{Alpha b版}	OsConfig 资源的查看者	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentAdmin`	PatchDeployment Admin ^{Alpha 版}	拥有对 PatchDeployments 的完整管理员权限	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentViewer`	PatchDeployment Viewer ^{Alpha 版}	可以查看 PatchDeployment 资源	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobExecutor`	Patch Job Executor ^{Alpha 版}	有权执行修补作业。	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobViewer`	Patch Job Viewer ^{Alpha 版}	获取并列出修补作业。	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine 角色

角色	名称	说明	权限	最低资源要求
`roles/container.admin`	Kubernetes Engine 管理员	提供对集群及其 Kubernetes API 对象的完全管理权限。	container.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterAdmin`	Kubernetes Engine 集群管理员	提供管理集群的权限。	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.clusterViewer`	Kubernetes Engine 集群查看者	拥有 Kubernetes 集群的只读权限。	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/container.developer`	Kubernetes Engine 开发者	提供对集群内 Kubernetes API 对象的访问权限。	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/container.hostServiceAgentUser`	Kubernetes Engine 主机服务代理用户	可以使用 Kubernetes Engine 主机服务代理。	compute.firewalls.get container.hostServiceAgent.*
`roles/container.viewer`	Kubernetes Engine 查看者	提供 GKE 资源的只读权限。	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	项目

Container Analysis 角色

角色	名称	说明	权限
`roles/containeranalysis.admin`	Container Analysis Admin^{Alpha 版}	有权访问所有资源。	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.attacher`	Container Analysis Notes Attacher^{Alpha 版}	有权将事件附加到备注中
`roles/containeranalysis.notes.editor`	Container Analysis Notes Editor^{Alpha 版}	有权修改容器分析备注	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.viewer`	Container Analysis Notes Viewer^{Alpha 版}	有权查看容器分析备注	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor^{Alpha 版}	有权修改容器分析事件	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer^{Alpha 版}	有权查看容器分析事件	resourcemanager.projects.get resourcemanager.projects.list

Data Catalog 角色

角色	名称	说明	权限
`roles/datacatalog.admin`	Data Catalog Admin ^{Beta 版}	拥有所有 DataCatalog 资源的完全访问权限	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryAdmin`	Policy Tag Admin ^{Beta 版}	可管理分类	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryFineGrainedReader`	Fine-Grained Reader ^{Beta 版}	拥有对包含特定政策标记的子资源（例如 BigQuery 列）的读取权限	datacatalog.categories.fineGrainedGet
`roles/datacatalog.entryGroupCreator`	DataCatalog EntryGroup Creator ^{Beta 版}	可创建新的 entryGroup	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryGroupOwner`	DataCatalog entryGroup Owner ^{Beta 版}	拥有对 entryGroup 的完整访问权限	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryOwner`	DataCatalog Entry Owner ^{Beta 版}	拥有对条目的完整访问权限	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryViewer`	DataCatalog Entry Viewer ^{Beta 版}	拥有条目的读取权限	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagEditor`	Data Catalog Tag Editor ^{Beta 版}	授予修改 GCP 资产（BigQuery、Pub/Sub 等）标记的权限。	bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
`roles/datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator ^{Beta 版}	可创建新的标记模板	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner ^{Beta 版}	拥有标记模板的完全访问权限	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateUser`	Data Catalog TagTemplate User ^{Beta 版}	可使用标记模板来标记资源	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer ^{Beta 版}	拥有模板和使用模板创建的标志的读取权限	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.viewer`	Data Catalog Viewer ^{Beta 版}	在 DataCatalog 中查看资源	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dataflow.admin`	Dataflow 管理员	提供创建和管理 Dataflow 作业所需的最低权限。	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/dataflow.developer`	Dataflow 开发者	提供执行和操作 Dataflow 作业所需的权限。	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.viewer`	Dataflow 查看者	提供对所有 Dataflow 相关资源的只读权限。	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataflow.worker`	Dataflow 工作处理者	提供让 Compute Engine 服务帐号执行 Cloud Dataflow 流水线工作单元所需的权限。	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	项目

Cloud Data Labeling 角色

角色	名称	说明	权限
`roles/datalabeling.admin`	DataLabeling Service Admin ^{Beta 版}	拥有所有 DataLabeling 资源的完整访问权限	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	DataLabeling Service Editor ^{Beta 版}	可修改所有 DataLabeling 资源	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	DataLabeling Service Viewer ^{Beta 版}	可查看所有 DataLabeling 资源	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Dataprep 角色

角色	名称	说明	权限	最低资源要求
`roles/dataprep.projects.user`	Dataprep User ^{Beta 版}	可以使用 Dataprep。	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc 角色

角色	名称	说明	权限	最低资源要求
`roles/dataproc.admin`	Dataproc Administrator	拥有 Dataproc 资源的完全控制权。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataproc.editor`	Dataproc 编辑者	提供查看管理 Dataproc 所需资源（包括机器类型、网络、项目和地区）应具备的权限。	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.viewer`	Dataproc 查看者	提供对 Dataproc 资源的只读权限。	compute.machineTypes.get compute.regions.* compute.zones.get dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dataproc.worker`	Dataproc 工作处理者	拥有处理 Dataproc 作业的权限。适用于服务帐号。	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore 角色

角色	名称	说明	权限	最低资源要求
`roles/datastore.importExportAdmin`	Cloud Datastore 导入导出管理员	提供管理导入和导出的完整访问权限。	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.indexAdmin`	Cloud Datastore 索引管理员	提供对索引定义的完全管理权限。	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.owner`	Cloud Datastore 所有者	提供对 Datastore 资源的完整访问权限。	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.user`	Cloud Datastore 用户	提供对 Cloud Datastore 数据库中数据的读写权限。	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/datastore.viewer`	Cloud Datastore 查看者	提供对 Cloud Datastore 资源的读取权限。	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	项目

Deployment Manager 角色

角色	名称	说明	权限	最低资源要求
`roles/deploymentmanager.editor`	部署管理器编辑者	提供创建和管理部署所需的权限。	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目
`roles/deploymentmanager.typeEditor`	部署管理器类型编辑者	提供所有类型注册表资源的读写权限。	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.typeViewer`	部署管理器类型查看者	提供所有类型注册表资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	项目
`roles/deploymentmanager.viewer`	部署管理器查看者	提供所有部署管理器资源的只读权限。	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	项目

Dialogflow 角色

角色	名称	说明	权限	最低资源要求
`roles/dialogflow.admin`	Dialogflow API 管理员	提供 Dialogflow（仅限 API）资源的完整访问权限。使用 `roles/owner` 或 `roles/editor` 原初角色可同时授予对 API 和 Dialogflow 控制台的访问权限（在 Dialogflow 控制台中创建代理时，通常需要使用此类角色）。	dialogflow.* resourcemanager.projects.get	项目
`roles/dialogflow.client`	Dialogflow API 客户端	提供 Dialogflow（仅限 API）资源的客户端访问权限。这授予了检测意图和读/写会话属性（上下文、会话实体类型等）的权限。	dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	项目
`roles/dialogflow.consoleAgentEditor`	Dialogflow 控制台代理编辑器	可在 Dialogflow 控制台中修改代理	actions.agentVersions.create dialogflow.* resourcemanager.projects.get
`roles/dialogflow.reader`	Dialogflow API 读取者	拥有对 Dialogflow（仅限 API）资源的读取权限，无法检测意图。使用 `roles/viewer` 原初角色可同时授予与此类似的 API 和 Dialogflow 控制台访问权限。	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get	项目

Cloud DLP 角色

角色	名称	说明	权限
`roles/dlp.admin`	DLP 管理员	可管理 DLP，包括作业和模板。	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP 分析风险模板编辑者	可修改 DLP 分析风险模板。	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP 分析风险模板读取者	可读取 DLP 分析风险模板。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.deidentifyTemplatesEditor`	DLP 去标识化模板编辑者	可修改 DLP 去标识化模板。	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP 去标识化模板读取者	可读取 DLP 去标识化模板。	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.inspectTemplatesEditor`	DLP 检查模板编辑者	可修改 DLP 检查模板。	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP 检查模板读取者	可读取 DLP 检查模板。	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP 作业触发器编辑者	可修改作业触发器配置。	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP 作业触发器读取者	可读取作业触发器。	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP 作业编辑者	可修改和创建作业	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP 作业读取者	读取作业	dlp.jobs.get dlp.jobs.list
`roles/dlp.reader`	DLP 读取者	可读取作业和模板等 DLP 实体。	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP 存储的 InfoTypes 编辑者	可修改 DLP 存储的信息类型。	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP 存储的 InfoTypes 读取者	可读取 DLP 存储的信息类型。	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.user`	DLP 用户	检查和遮盖内容，以及对内容进行反识别处理	dlp.kms.* serviceusage.services.use

DNS 角色

角色	名称	说明	权限	最低资源要求
`roles/dns.admin`	DNS 管理员	提供所有 Cloud DNS 资源的读写权限。	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	项目
`roles/dns.peer`	DNS 对等方	可访问具有 DNS 对等互连地区的目标网络	dns.networks.targetWithPeeringZone
`roles/dns.reader`	DNS 读取者	提供所有 Cloud DNS 资源的只读权限。	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	项目

Endpoints 角色

角色	名称	说明	权限	最低资源要求
`roles/endpoints.portalAdmin`	Endpoints Portal Admin ^{Beta 版}	提供在 GCP Console 的 Endpoints> 开发者门户页面上添加、查看和删除自定义网域所需的所有权限。在为 API 创建的门户上，提供更改设置页面上网站级标签页中设置的权限。	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	项目

Error Reporting 角色

角色	名称	说明	权限	最低资源要求
`roles/errorreporting.admin`	Error Reporting Admin ^{Beta 版}	提供错误报告数据的完整访问权限。	cloudnotifications.* errorreporting.*	项目
`roles/errorreporting.user`	Error Reporting User ^{Beta 版}	提供读取和写入 Error Reporting 数据的权限，但不提供发送新错误事件的权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.*	项目
`roles/errorreporting.viewer`	Error Reporting Viewer ^{Beta 版}	提供错误报告数据的只读权限。	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.*	项目
`roles/errorreporting.writer`	Errors Writer ^{Beta 版}	提供将错误事件发送到错误报告的权限。	errorreporting.errorEvents.create	服务帐号

Cloud Filestore 角色

角色	名称	说明	权限	最低资源要求
`roles/file.editor`	Cloud Filestore Editor ^{Beta 版}	拥有 Filestore 实例及相关资源的读写权限。	file.*
`roles/file.viewer`	Cloud Filestore Viewer ^{Beta 版}	拥有 Filestore 实例及相关资源的只读权限。	file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list file.snapshots.get file.snapshots.list

Firebase 角色

角色	名称	说明	权限
`roles/firebase.admin`	Firebase 管理员	拥有 Firebase 产品的完整访问权限。	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.analyticsAdmin`	Firebase Analytics Admin	拥有 Google Analytics for Firebase 的完整访问权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.analyticsViewer`	Firebase Analytics 查看者	拥有 Google Analytics for Firebase 的读取权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.developAdmin`	Firebase Develop Admin	拥有 Firebase 开发类产品和 Analytics 的完整访问权限。	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.developViewer`	Firebase Develop Viewer	拥有 Firebase 开发类产品和 Analytics 的读取权限。	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/firebase.growthAdmin`	Firebase 发展类产品管理员	拥有 Firebase 发展类产品和 Analytics 的完整访问权限。	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.growthViewer`	Firebase 发展类产品查看者	拥有 Firebase 发展类产品和 Analytics 的读取权限。	cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityAdmin`	Firebase 质量管理员	拥有 Firebase 质量类产品和 Analytics 的完整访问权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityViewer`	Firebase 质量查看者	拥有 Firebase 质量类产品和 Analytics 的读取权限。	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.viewer`	Firebase 查看者	拥有 Firebase 产品的只读权限。	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase 产品角色

角色	名称	说明	权限
`roles/cloudconfig.admin`	Firebase Remote Config Admin	拥有对 Firebase 远程配置资源的完整访问权限。	cloudconfig.* firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudconfig.viewer`	Firebase Remote Config Viewer	拥有对 Firebase 远程配置资源的读取权限。	cloudconfig.configs.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtestservice.testAdmin`	Firebase 测试实验室管理员	拥有所有测试实验室功能的完整访问权限	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
`roles/cloudtestservice.testViewer`	Firebase 测试实验室查看者	拥有测试实验室功能的读取权限	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/firebaseabt.admin`	Firebase A/B Testing Admin ^{Beta 版}	拥有 Firebase A/B 测试资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseabt.viewer`	Firebase A/B Testing Viewer ^{Beta 版}	拥有 Firebase A/B 测试资源的只读权限。	firebase.clients.get firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.admin`	Firebase App Distribution Admin ^{Beta 版}	拥有 Firebase 应用分发资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.viewer`	Firebase App Distribution Viewer ^{Beta 版}	拥有 Firebase 应用分发资源的只读权限。	firebase.clients.get firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.admin`	Firebase 身份验证管理员	拥有 Firebase 身份验证资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.viewer`	Firebase 身份验证查看者	拥有 Firebase 身份验证资源的只读权限。	firebase.clients.get firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.admin`	Firebase Crashlytics 管理员	拥有 Firebase Crashlytics 资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.viewer`	Firebase Crashlytics 查看者	拥有 Firebase Crashlytics 资源的只读权限。	firebase.clients.get firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.admin`	Firebase Realtime Database Admin	拥有 Firebase 实时数据库资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.viewer`	Firebase Realtime Database Viewer	拥有 Firebase 实时数据库资源的只读权限。	firebase.clients.get firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.admin`	Firebase Dynamic Links Admin	拥有对 Firebase 动态链接资源的完整读写权限。	firebase.clients.get firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.viewer`	Firebase 动态链接查看者	拥有 Firebase 动态链接资源的只读权限。	firebase.clients.get firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.admin`	Firebase 托管管理员	拥有 Firebase 托管资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.viewer`	Firebase 托管查看者	拥有 Firebase 托管资源的只读权限。	firebase.clients.get firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.admin`	Firebase In-App Messaging Admin ^{Beta 版}	拥有 Firebase 应用内消息资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.viewer`	Firebase In-App Messaging Viewer ^{Beta 版}	拥有 Firebase 应用内消息资源的只读权限。	firebase.clients.get firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.admin`	Firebase ML Kit Admin ^{Beta 版}	拥有 Firebase 机器学习套件资源的完全读写权限。	firebase.clients.get firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.viewer`	Firebase ML Kit Viewer ^{Beta 版}	拥有 Firebase 机器学习套件资源的只读权限。	firebase.clients.get firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.admin`	Firebase Cloud Messaging Admin	拥有 Firebase 云消息传递资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.viewer`	Firebase Cloud Messaging Viewer	拥有 Firebase 云消息传递资源的只读权限。	firebase.clients.get firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.admin`	Firebase Performance Reporting Admin	拥有对 firebaseperformance 资源的完整访问权限。	firebase.clients.get firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.viewer`	Firebase Performance Reporting Viewer	拥有 firebaseperformance 资源的只读权限。	firebase.clients.get firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.admin`	Firebase 预测管理员	拥有 Firebase 预测资源的完全读写权限。	firebase.clients.get firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.viewer`	Firebase 预测查看者	拥有 Firebase 预测资源的只读权限。	firebase.clients.get firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.admin`	Firebase Rules Admin	拥有 Firebase 规则的完全管理权限。	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.viewer`	Firebase Rules Viewer	拥有对具有规则集测试功能的所有资源的只读权限。	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Game Services 角色

角色	名称	说明	权限	最低资源要求
`roles/gameservices.admin`	Game Services API Admin ^{Beta 版}	拥有对 Game Services API 及相关资源的完全访问权限。	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gameservices.viewer`	Game Services API Viewer ^{Beta 版}	拥有对 Game Services API 及相关资源的只读权限。	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Genomics 角色

角色	名称	说明	权限
`roles/genomics.admin`	Genomics 管理员	拥有基因组数据集和操作的完整访问权限。	genomics.*
`roles/genomics.editor`	Genomics 编辑者	可以读取和编辑基因组数据集和操作。	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
`roles/genomics.pipelinesRunner`	Genomics 流水线运行者	拥有对基因组管道进行操作的完整访问权限。	genomics.operations.*
`roles/genomics.viewer`	Genomics 查看者	有权查看基因组数据集和操作。	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

GKE Hub 角色

角色	名称	说明	权限
`roles/gkehub.admin`	GKE Hub Admin ^{Beta 版}	拥有 GKE Hub 和相关资源的完整访问权限。	gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gkehub.connect`	GKE Hub Connection Agent ^{Beta 版}	可在外部集群与 Google 之间设置 GKE Connect。	gkehub.endpoints.*
`roles/gkehub.viewer`	GKE Hub Viewer ^{Beta 版}	拥有 GKE Hub 和相关资源的只读权限。	gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Healthcare 角色

角色	名称	说明	权限
`roles/healthcare.annotationEditor`	Healthcare Annotation Editor ^{Beta 版}	可创建、删除、更新、读取和列出注释。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationReader`	Healthcare Annotation Reader ^{Beta 版}	可读取和列出注释存储区中的注释。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator ^{Beta 版}	可管理注释存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer ^{Beta 版}	可列出数据集中的注释存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetAdmin`	Healthcare Dataset Administrator ^{Beta 版}	可以管理医疗保健数据集。	healthcare.datasets.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetViewer`	Healthcare Dataset Viewer ^{Beta 版}	可以在项目中列出医疗保健数据集。	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomEditor`	Healthcare DICOM Editor ^{Beta 版}	可逐个及批量修改 DICOM 映像。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreAdmin`	Healthcare DICOM Store Administrator ^{Beta 版}	可管理 DICOM 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer ^{Beta 版}	可列出数据集中的 DICOM 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomViewer`	Healthcare DICOM Viewer ^{Beta 版}	可从 DICOM 存储区检索 DICOM 映像。	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor ^{Beta 版}	可创建、删除、更新、读取和搜索 FHIR 资源。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader ^{Beta 版}	可读取和搜索 FHIR 资源。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreAdmin`	Healthcare FHIR Store Administrator ^{Beta 版}	可管理 FHIR 资源存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer ^{Beta 版}	可列出数据集中的 FHIR 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer ^{Beta 版}	可列出和读取 HL7v2 消息，更新消息标签，以及发布新消息。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor ^{Beta 版}	拥有 HL7v2 消息的读取、写入和删除权限。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest ^{Beta 版}	可提取从源网络中收到的 HL7v2 消息。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator ^{Beta 版}	可管理 HL7v2 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer ^{Beta 版}	可查看数据集中的 HL7v2 存储区。	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list

IAM 角色

roles/iam.securityAdmin Security Admin 安全管理员角色，拥有获取和设置任意 IAM 政策的权限。

accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerrappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
artifactregistry.files.list
artifactregistry.packages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.tags.list
artifactregistry.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.keyvisualizer.list
bigtable.locations.*
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.*