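Understanding roles

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.

This page describes the IAM roles that you can grant.

Prerequisites for this guide

Role types

There are three types of roles in IAM:

  • Basic roles: include the Owner, Editor, and Viewer roles that existed before IAM was introduced.
  • Predefined roles: provide granular access for a specific service and are managed by Google Cloud.
  • Custom roles: provide granular access according to a user-specified list of permissions.

To determine whether one or more permissions are included in a basic, predefined, or custom role, you can use one of the following methods:

The following sections describe each role type and give examples of how to use them.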

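Basic roles

Several basic roles existed before IAM was introduced: Owner, Editor, and Viewer. These roles are nested; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name Title Permissions
roles/viewer Viewer Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
roles/editor Editor All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Note: Although the roles/editor role contains permissions to create and delete resources for most Google Cloud services, some services do not include these permissions. To learn more about how to check whether a role has the permissions that you need, see the section above.
roles/owner Owner All editor permissions, plus permissions for the following actions:
  • Manage roles and permissions for a project and all resources within the project.
  • Set up billing for a project.
Note:
  • Granting the Owner role at a resource level, such as a Pub/Sub topic, does not grant the Owner role on the parent project.
  • Accordingly, being granted the Owner role at the organization level does not let you update the organization's metadata, although you can modify projects and other resources under the organization.

You can apply basic roles at the project or service resource level by using the Cloud Console, the API, and the gcloud tool. For instructions, see Granting, changing, and revoking access.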

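Invitation flow

You cannot use the Identity and Access Management API or the gcloud command-line tool to grant the Owner role to a member for a project. You can only add owners to a project by using the Cloud Console. An invitation is sent to the member by email, and the member must accept the invitation to become an owner of the project.

Note that invitation emails are not sent in the following cases:

  • When you grant a role other than Owner.
  • When an organization member adds another member of their organization as an owner of a project within that organization.

To learn how to grant roles by using the Cloud Console, see Granting, changing, and revoking access.

Predefined roles

In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases to any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have the Network Admin and Log Viewer roles on a project and also have the Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.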
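The following added example (not part of the original documentation) reviews one allow policy against the role definitions on this page: it reports which members receive a given permission through a predefined role, the highest basic role each member holds under the Owner/Editor/Viewer nesting, and any bound roles it cannot evaluate. The permission patterns are copied from the Access Approval table below; the sample policy, member names and function names are constructed for illustration, and treating the table's trailing `*` as a glob is an assumption of this sketch.

```python
import fnmatch

# Permission patterns copied from the Access Approval table on this page.
# Assumption: the table's trailing "*" is treated as a glob over the suffix.
ROLE_PERMISSIONS = {
    "roles/accessapproval.approver": [
        "accessapproval.requests.*",
        "accessapproval.settings.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/accessapproval.configEditor": [
        "accessapproval.settings.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/accessapproval.viewer": [
        "accessapproval.requests.get",
        "accessapproval.requests.list",
        "accessapproval.settings.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}

# Basic roles are nested: Owner includes Editor, Editor includes Viewer.
BASIC_ROLE_RANK = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}

# Constructed sample in the shape of an IAM allow policy ("bindings" of role + members).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "group:auditors@example.com"]},
        {"role": "roles/accessapproval.configEditor",
         "members": ["user:bob@example.com"]},
        {"role": "roles/accessapproval.viewer",
         "members": ["group:auditors@example.com"]},
        # Listed on this page but not loaded into ROLE_PERMISSIONS above.
        {"role": "roles/bigquery.jobUser",
         "members": ["user:carol@example.com"]},
    ]
}


def role_grants(role, permission):
    """Return True if a role loaded in ROLE_PERMISSIONS contains the permission."""
    patterns = ROLE_PERMISSIONS.get(role, [])
    return any(fnmatch.fnmatchcase(permission, p) for p in patterns)


def review_policy(policy, permission):
    """Review one allow policy for a single permission.

    Returns a tuple (holders, basic, unknown):
      holders: member -> predefined roles that grant `permission`
      basic:   member -> highest basic role held (these roles are broad and
               are reported separately instead of being expanded)
      unknown: bound roles that are neither basic nor in ROLE_PERMISSIONS
    """
    holders, basic, unknown = {}, {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        if role in BASIC_ROLE_RANK:
            for member in members:
                current = basic.get(member)
                if current is None or BASIC_ROLE_RANK[role] > BASIC_ROLE_RANK[current]:
                    basic[member] = role
        elif role in ROLE_PERMISSIONS:
            if role_grants(role, permission):
                for member in members:
                    holders.setdefault(member, []).append(role)
        else:
            unknown.add(role)
    return holders, basic, unknown


if __name__ == "__main__":
    wanted = "accessapproval.settings.get"
    holders, basic, unknown = review_policy(SAMPLE_POLICY, wanted)
    print(f"Members granted {wanted} by a predefined role:")
    for member, roles in sorted(holders.items()):
        print(f"  {member}: {', '.join(roles)}")
    print("Members holding a basic role (review for least privilege):")
    for member, role in sorted(basic.items()):
        print(f"  {member}: {role}")
    print("Roles not evaluated:", ", ".join(sorted(unknown)))
```

Members reported under a basic role are candidates for replacement with a narrower predefined role; roles reported as not evaluated need their permission list loaded before the result can be treated as complete.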

Access Approval roles

Role Title Description Permissions Lowest resource
roles/accessapproval.approver Access Approval Approver Beta Ability to view or act on access approval requests and view configuration
  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accessapproval.configEditor Access Approval Config Editor Beta Ability to update the Access Approval configuration
  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accessapproval.viewer Access Approval Viewer Beta Ability to view access approval requests and configuration
  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager roles

Role Title Description Permissions Lowest resource
roles/accesscontextmanager.gcpAccessAdmin Cloud Access Binding Admin Create, edit, and change Cloud access bindings.
  • accesscontextmanager.gcpUserAccessBindings.*
roles/accesscontextmanager.gcpAccessReader Cloud Access Binding Reader Read access to Cloud access bindings.
  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list
roles/accesscontextmanager.policyAdmin Access Context Manager Admin Full access to policies, access levels, and access zones
  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.policyEditor Access Context Manager Editor Edit access to policies. Create, edit, and change access levels and access zones.
  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.policyReader Access Context Manager Reader Read access to policies, access levels, and access zones.
  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.vpcScTroubleshooterViewer VPC Service Controls Troubleshooter Viewer
  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Actions roles

Role Title Description Permissions Lowest resource
roles/actions.Admin Actions Admin Access to edit and deploy an action
  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
roles/actions.Viewer Actions Viewer Access to view an action
  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Android Management roles

Role Title Description Permissions Lowest resource
roles/androidmanagement.user Android Management User Full access to manage devices.
  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

API Gateway roles

Role Title Description Permissions Lowest resource
roles/apigateway.admin ApiGateway Admin Beta Full access to ApiGateway and related resources.
  • apigateway.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigateway.viewer ApiGateway Viewer Beta Read-only access to ApiGateway and related resources.
  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee roles

Role Title Description Permissions Lowest resource
roles/apigee.admin Apigee Organization Admin Full access to all Apigee resource features
  • apigee.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.analyticsAgent Apigee Analytics Agent Curated set of permissions that lets the Apigee Universal Data Collection Agent manage analytics data for an Apigee organization
  • apigee.environments.getDataLocation
roles/apigee.analyticsEditor Apigee Analytics Editor Can edit analytics data for an Apigee organization
  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.analyticsViewer Apigee Analytics Viewer Can view analytics data for an Apigee organization
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.environments.getStats
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.apiCreator Apigee API Creator Can create Apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.apps.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.ingressconfigs.*
  • apigee.keyvaluemaps.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.delete
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.update
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.deployer Apigee Deployer Can deploy Apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.apps.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.developerAdmin Apigee Developer Admin Can manage developers of Apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developers.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.readOnlyAdmin Apigee Read-only Admin Can view all Apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerrappattributes.get
  • apigee.developerrappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developers.get
  • apigee.developers.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.runtimeAgent Apigee Runtime Agent Curated set of permissions that lets a runtime agent access Apigee organization resources
  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
roles/apigee.synchronizerManager Apigee Synchronizer Manager Curated set of permissions that lets a Synchronizer manage environments in an Apigee organization
  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*
roles/apigeeconnect.Admin Apigee Connect Admin Can manage Apigee Connect
  • apigeeconnect.connections.*
roles/apigeeconnect.Agent Apigee Connect Agent Ability to set up the Apigee Connect agent between external clusters and Google.
  • apigeeconnect.endpoints.*

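App Engine roles

Role Title Description Permissions Lowest resource
roles/appengine.appAdmin App Engine Admin

Read/write/modify access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To deploy by using the gcloud tool, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.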

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appCreator App Engine Creator Ability to create the App Engine resource for the project.
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appViewer App Engine Viewer Read-only access to all application configuration and settings.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.codeViewer App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
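Project
roles/appengine.deployer App Engine Deployer

Read-only access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To deploy by using the gcloud tool, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.

Cannot modify existing versions, but can delete versions that are not receiving traffic.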

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
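Project
roles/appengine.serviceAdmin App Engine Service Admin

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.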

  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Artifact Registry roles

Role Title Description Permissions Lowest resource
roles/artifactregistry.admin Artifact Registry Administrator Beta Administrator access to create and manage repositories.
  • artifactregistry.*
roles/artifactregistry.reader Artifact Registry Reader Beta Access to read repository items.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
roles/artifactregistry.repoAdmin Artifact Registry Repository Administrator Beta Access to manage artifacts in repositories.
  • artifactregistry.files.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
roles/artifactregistry.writer Artifact Registry Writer Beta Access to read and write repository items.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Assured Workloads roles

Role Title Description Permissions Lowest resource
roles/assuredworkloads.admin Assured Workloads Administrator Grants full access to Assured Workloads resources, including managing IAM policies.
  • assuredworkloads.*
  • orgpolicy.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/assuredworkloads.editor Assured Workloads Editor Grants read and write access to Assured Workloads resources.
  • assuredworkloads.*
  • orgpolicy.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/assuredworkloads.reader Assured Workloads Reader Grants read access to all Assured Workloads resources.
  • assuredworkloads.operations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML roles

Role Title Description Permissions Lowest resource
roles/automl.admin AutoML Admin Beta Full access to all AutoML resources
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
Dataset/model
roles/automl.editor AutoML Editor Beta Can edit all AutoML resources
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
Dataset/model
roles/automl.predictor AutoML Predictor Beta Can make predictions using models
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Model
roles/automl.viewer AutoML Viewer Beta Can view all AutoML resources
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
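Dataset/model

BigQuery roles

Role Title Description Permissions Lowest resource
roles/bigquery.admin BigQuery Admin Provides permissions to manage all resources within the project. Users granted this role can manage all data within the project and can cancel jobs that other users are running within the project.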
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/bigquery.connectionAdmin BigQuery Connection Admin
  • bigquery.connections.*
roles/bigquery.connectionUser BigQuery Connection User
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use
roles/bigquery.dataEditor BigQuery Data Editor

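When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role also provides permission to create new datasets.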

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
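Table or view
roles/bigquery.dataOwner BigQuery Data Owner

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role also provides permission to create new datasets.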

  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
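Table or view
roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role also provides permission to enumerate all datasets in the project. Additional roles, however, are required to run jobs.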

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.jobUser BigQuery Job User Provides permissions to run jobs, including queries, within the project.
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
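Project
roles/bigquery.metadataViewer BigQuery Metadata Viewer

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles, however, are required to run jobs.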

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.readSessionUser BigQuery Read Session User Access to create and use read sessions
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceAdmin BigQuery Resource Admin Administers all BigQuery resources.
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceEditor BigQuery Resource Editor Manages all BigQuery resources, but cannot make purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceViewer BigQuery Resource Viewer Can view all BigQuery resources, but cannot make changes or purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.user BigQuery User

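When applied to a dataset, this role lets you read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within the project. Additionally, users with this role can create new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.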

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
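Dataset

Cloud Bigtable roles

Role Title Description Permissions Lowest resource
roles/bigtable.admin Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.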
  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
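Instance
roles/bigtable.reader Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.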
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
roles/bigtable.user Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts.
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
roles/bigtable.viewer Bigtable Viewer Provides no data access. Provides only the minimal set of permissions needed to access Cloud Bigtable through the Cloud Console.
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance

Billing roles

Role Title Description Permissions Lowest resource
roles/billing.admin Billing Account Administrator Provides access to see and manage all aspects of billing accounts.
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
Billing account
roles/billing.creator Billing Account Creator Provides access to create billing accounts.
  • billing.accounts.create
  • resourcemanager.organizations.get
Organization
roles/billing.projectManager Project Billing Manager Provides access to assign a billing account to a project or disable billing for the project.
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
Project
roles/billing.user Billing Account User Provides access to associate projects with billing accounts.
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create
Billing account
roles/billing.viewer Billing Account Viewer View billing account cost information and transactions.
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
Billing account

Binary Authorization roles

Role Title Description Permissions Lowest resource
roles/binaryauthorization.attestorsAdmin Binary Authorization Attestor Admin Beta Administrator of Binary Authorization attestors
  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsEditor Binary Authorization Attestor Editor Beta Can edit Binary Authorization attestors
  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsVerifier Binary Authorization Attestor Image Verifier Beta Can call Binary Authorization attestors VerifyImageAttested
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsViewer Binary Authorization Attestor Viewer Beta Viewer of Binary Authorization attestors
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyAdmin Binary Authorization Policy Administrator Beta Administrator of Binary Authorization policy
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyEditor Binary Authorization Policy Editor Beta Editor of Binary Authorization policy
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyViewer Binary Authorization Policy Viewer Beta Viewer of Binary Authorization policy
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Hangouts Chat roles

Role Title Description Permissions Lowest resource
roles/chat.owner Chat Bots Owner Can view and modify bot configurations
  • chat.*
roles/chat.reader Chat Bots Viewer Can view bot configurations
  • chat.bots.get

Cloud Asset roles

Role Title Description Permissions Lowest resource
roles/cloudasset.owner Cloud Asset Owner Full access to cloud assets metadata
  • cloudasset.*
roles/cloudasset.viewer Cloud Asset Viewer Read-only access to cloud assets metadata
  • cloudasset.assets.*

Cloud Build roles

Role Title Description Permissions Lowest resource
roles/cloudbuild.builds.builder Cloud Build Service Account Provides access to perform builds.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • cloudbuild.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/cloudbuild.builds.editor Cloud Build Editor Provides access to create and cancel builds.
  • cloudbuild.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/cloudbuild.builds.viewer Cloud Build Viewer Provides access to view builds.
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Cloud Data Fusion roles

Role Title Description Permissions Lowest resource
roles/datafusion.admin Cloud Data Fusion Admin Beta Full access to Cloud Data Fusion instances and related resources.
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datafusion.runner Cloud Data Fusion Runner Beta Access to Cloud Data Fusion runtime resources.
  • datafusion.instances.runtime
roles/datafusion.viewer Cloud Data Fusion Viewer Beta Read-only access to Cloud Data Fusion instances and related resources.
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
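Project

Cloud Debugger roles

Role Title Description Permissions Lowest resource
roles/clouddebugger.agent Cloud Debugger Agent Beta Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.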
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create
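Service account
roles/clouddebugger.user Cloud Debugger User Beta Provides permissions to create, view, list, and delete breakpoints (snapshots and logpoints) as well as list debug targets (debuggees).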
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
Project

Cloud DocumentAI roles

Role Title Description Permissions Lowest resource
roles/documentai.admin Cloud DocumentAI Administrator Alpha Grants full access to all resources in Cloud Document AI
  • documentai.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/documentai.apiUser Cloud DocumentAI API User Alpha Grants access to process documents in Cloud Document AI
  • documentai.humanReviewConfigs.review
  • documentai.operations.*
  • documentai.processors.processBatch
  • documentai.processors.processOnline
roles/documentai.editor Cloud DocumentAI Editor Alpha Grants access to use all resources in Cloud DocumentAI
  • documentai.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/documentai.viewer Cloud DocumentAI Viewer Alpha Grants access to view all resources and process documents in Cloud DocumentAI
  • documentai.humanReviewConfigs.get
  • documentai.humanReviewConfigs.review
  • documentai.labelerPools.get
  • documentai.labelerPools.list
  • documentai.locations.*
  • documentai.operations.*
  • documentai.processorTypes.*
  • documentai.processorVersions.get
  • documentai.processorVersions.list
  • documentai.processors.fetchHumanReviewDetails
  • documentai.processors.get
  • documentai.processors.list
  • documentai.processors.processBatch
  • documentai.processors.processOnline
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Functions roles

Role Title Description Permissions Lowest resource
roles/cloudfunctions.admin Cloud Functions Admin Full access to functions, operations, and locations.
  • cloudfunctions.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.developer Cloud Functions Developer Read and write access to all functions-related resources.
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.invoker Cloud Functions Invoker Ability to invoke HTTP functions with restricted access.
  • cloudfunctions.functions.invoke
roles/cloudfunctions.viewer Cloud Functions Viewer Read-only access to functions and locations.
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud IAP roles

Role Title Description Permissions Lowest resource
roles/iap.admin IAP Policy Admin Provides full access to Identity-Aware Proxy resources.
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy
Project
roles/iap.httpsResourceAccessor IAP-secured Web App User Provides access to HTTPS resources that use Identity-Aware Proxy.
  • iap.webServiceVersions.accessViaIAP
Project
roles/iap.settingsAdmin IAP Settings Admin Administrator of IAP settings.
  • iap.projects.*
  • iap.web.getSettings
  • iap.web.updateSettings
  • iap.webServiceVersions.getSettings
  • iap.webServiceVersions.updateSettings
  • iap.webServices.getSettings
  • iap.webServices.updateSettings
  • iap.webTypes.getSettings
  • iap.webTypes.updateSettings
roles/iap.tunnelResourceAccessor IAP-secured Tunnel User Access to tunnel resources that use Identity-Aware Proxy
  • iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role Title Description Permissions Lowest resource
roles/cloudiot.admin Cloud IoT Admin Full control of all Cloud IoT resources and permissions.
  • cloudiot.*
  • cloudiottoken.*
Device
roles/cloudiot.deviceController Cloud IoT Device Controller Access to update the device configuration, but not to create or delete devices.
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.devices.sendCommand
  • cloudiot.devices.updateConfig
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device
roles/cloudiot.editor Cloud IoT Editor Read-write access to all Cloud IoT resources.
  • cloudiot.devices.*
  • cloudiot.registries.create
  • cloudiot.registries.delete
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiot.registries.update
  • cloudiottoken.*
Device
roles/cloudiot.provisioner Cloud IoT Provisioner Access to create and delete devices in registries, but not to modify the registries.
  • cloudiot.devices.*
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device
roles/cloudiot.viewer Cloud IoT Viewer Read-only access to all Cloud IoT resources.
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device

Cloud Talent Solution roles

Role Title Description Permissions Lowest resource
roles/cloudjobdiscovery.admin Admin Access to Cloud Talent Solution self-service tools.
  • cloudjobdiscovery.tools.*
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.jobsEditor Job Editor Write access to all job data in Cloud Talent Solution.
  • cloudjobdiscovery.companies.*
  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.jobs.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.jobsViewer Job Viewer Read access to all job data in Cloud Talent Solution.
  • cloudjobdiscovery.companies.get
  • cloudjobdiscovery.companies.list
  • cloudjobdiscovery.jobs.get
  • cloudjobdiscovery.jobs.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.profilesEditor Profile Editor Write access to all profile data in Cloud Talent Solution.
  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.profiles.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.profilesViewer Profile Viewer Read access to all profile data in Cloud Talent Solution.
  • cloudjobdiscovery.profiles.get
  • cloudjobdiscovery.profiles.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud KMS roles

Role Title Description Permissions Lowest resource
roles/cloudkms.admin Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations.
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.destroy
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeyVersions.restore
  • cloudkms.cryptoKeyVersions.update
  • cloudkms.cryptoKeys.*
  • cloudkms.importJobs.*
  • cloudkms.keyRings.*
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyDecrypter Cloud KMS CryptoKey Decrypter Provides the ability to use Cloud KMS resources for decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyEncrypter Cloud KMS CryptoKey Encrypter Provides the ability to use Cloud KMS resources for encrypt operations only.
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyEncrypterDecrypter Cloud KMS CryptoKey Encrypter/Decrypter Provides the ability to use Cloud KMS resources for encrypt and decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.importer Cloud KMS Importer Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations
  • cloudkms.importJobs.create
  • cloudkms.importJobs.get
  • cloudkms.importJobs.list
  • cloudkms.importJobs.useToImport
  • resourcemanager.projects.get
roles/cloudkms.publicKeyViewer Cloud KMS CryptoKey Public Key Viewer Enables GetPublicKey operations
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • resourcemanager.projects.get
roles/cloudkms.signer Cloud KMS CryptoKey Signer Enables AsymmetricSign operations
  • cloudkms.cryptoKeyVersions.useToSign
  • resourcemanager.projects.get
roles/cloudkms.signerVerifier Cloud KMS CryptoKey Signer/Verifier Enables AsymmetricSign and GetPublicKey operations
  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • resourcemanager.projects.get

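Cloud Marketplace roles

Role Title Description Permissions Lowest resource
roles/consumerprocurement.entitlementManager Consumer Procurement Entitlement Manager Beta Allows managing entitlements for a consumer project, enabling and disabling the consumer project, and inspecting its service states.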
  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
roles/consumerprocurement.entitlementViewer Consumer Procurement Entitlement Viewer Beta Allows inspecting entitlements and service states for a consumer project.
  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/consumerprocurement.orderAdmin Consumer Procurement Order Administrator Beta Allows managing purchases.
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
roles/consumerprocurement.orderViewer Consumer Procurement Order Viewer Beta Allows inspecting purchases.
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list

Cloud Migration roles

Role Title Description Permissions Lowest resource
roles/cloudmigration.inframanager Velostrata Manager Beta Ability to create and manage Compute VMs to run Velostrata infrastructure
  • cloudmigration.*
  • compute.addresses.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalOperations.get
  • compute.images.get
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setDiskAutoDelete
  • compute.instances.setLabels
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.update
  • compute.instances.updateNetworkInterface
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.use
  • compute.licenseCodes.get
  • compute.licenseCodes.list
  • compute.licenseCodes.update
  • compute.licenseCodes.use
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeGroups.list
  • compute.nodeTemplates.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regions.*
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.*
  • gkehub.endpoints.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.update
roles/cloudmigration.storageaccess Velostrata Storage Access Beta Ability to access migration storage
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/cloudmigration.velostrataconnect Velostrata Manager Connection Agent Beta Ability to set up a connection between Velostrata Manager and Google
  • cloudmigration.*
  • gkehub.endpoints.*
roles/vmmigration.admin VM Migration Administrator Beta Ability to view and edit all VM Migration objects
  • vmmigration.*
roles/vmmigration.viewer VM Migration Viewer Beta Ability to view all VM Migration objects
  • vmmigration.deployments.get
  • vmmigration.deployments.list

Cloud Private Catalog roles

Role Title Description Permissions Lowest resource
roles/cloudprivatecatalog.consumer Catalog Consumer Beta Can browse catalogs in the target resource context.
  • cloudprivatecatalog.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudprivatecatalogproducer.admin Catalog Admin Beta Can manage catalogs and view their associations.
  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudprivatecatalogproducer.manager Catalog Manager Beta Can manage associations between a catalog and a target resource.
  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.targets.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Profiler roles

Role Title Description Permissions Lowest resource
roles/cloudprofiler.agent Cloud Profiler Agent Cloud Profiler agents can register and provide profiling data.
  • cloudprofiler.profiles.create
  • cloudprofiler.profiles.update
roles/cloudprofiler.user Cloud Profiler User Cloud Profiler users can query and view profiling data.
  • cloudprofiler.profiles.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Scheduler roles

Role Title Description Permissions Lowest resource
roles/cloudscheduler.admin Cloud Scheduler Admin Full access to jobs and executions.
  • appengine.applications.get
  • cloudscheduler.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudscheduler.jobRunner Cloud Scheduler Job Runner Access to run jobs.
  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudscheduler.viewer Cloud Scheduler Viewer Get and list access to jobs, executions, and locations.
  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.get
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Security Scanner roles

Role Title Description Permissions Lowest resource
roles/cloudsecurityscanner.editor Web Security Scanner Editor Full access to all Web Security Scanner resources
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsecurityscanner.runner Web Security Scanner Runner Read access to Scan and ScanRun, plus the ability to start scans
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
Project
roles/cloudsecurityscanner.viewer Web Security Scanner Viewer Read access to all Web Security Scanner resources
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Cloud Services roles

Role Title Description Permissions Lowest resource
roles/servicebroker.admin Service Broker Admin Full access to ServiceBroker resources.
  • servicebroker.*
roles/servicebroker.operator Service Broker Operator Operational access to ServiceBroker resources.
  • servicebroker.bindingoperations.*
  • servicebroker.bindings.create
  • servicebroker.bindings.delete
  • servicebroker.bindings.get
  • servicebroker.bindings.list
  • servicebroker.catalogs.create
  • servicebroker.catalogs.delete
  • servicebroker.catalogs.get
  • servicebroker.catalogs.list
  • servicebroker.instanceoperations.*
  • servicebroker.instances.create
  • servicebroker.instances.delete
  • servicebroker.instances.get
  • servicebroker.instances.list
  • servicebroker.instances.update

Cloud SQL roles

Role Title Description Permissions Lowest resource
roles/cloudsql.admin Cloud SQL Admin Provides full control of Cloud SQL resources.
  • cloudsql.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsql.client Cloud SQL Client Provides connectivity access to Cloud SQL instances.
  • cloudsql.instances.connect
  • cloudsql.instances.get
Project
roles/cloudsql.editor Cloud SQL Editor Provides full control of existing Cloud SQL instances, excluding modifying users, SSL certificates, or deleting resources.
  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.create
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.instances.addServerCa
  • cloudsql.instances.connect
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.restart
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsql.instanceUser Cloud SQL Instance User Role allowing access to a Cloud SQL instance
  • cloudsql.instances.get
  • cloudsql.instances.login
roles/cloudsql.viewer Cloud SQL Viewer Provides read-only access to Cloud SQL resources.
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.export
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Cloud Tasks roles

Role Title Description Permissions Lowest resource
roles/cloudtasks.admin Cloud Tasks Admin Beta Full access to queues and tasks.
  • cloudtasks.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.enqueuer Cloud Tasks Enqueuer Beta Access to create tasks.
  • cloudtasks.tasks.create
  • cloudtasks.tasks.fullView
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.queueAdmin Cloud Tasks Queue Admin Beta Admin access to queues.
  • cloudtasks.locations.*
  • cloudtasks.queues.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.taskDeleter Cloud Tasks Task Deleter Beta Access to delete tasks.
  • cloudtasks.tasks.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.taskRunner Cloud Tasks Task Runner Beta Access to run tasks.
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.viewer Cloud Tasks Viewer Beta Get and list access to tasks, queues, and locations.
  • cloudtasks.locations.*
  • cloudtasks.queues.get
  • cloudtasks.queues.list
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.get
  • cloudtasks.tasks.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Trace roles

Role Title Description Permissions Lowest resource
roles/cloudtrace.admin Cloud Trace Admin Provides full access to the Trace console and read-write access to traces.
  • cloudtrace.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/cloudtrace.agent Cloud Trace Agent For service accounts. Provides the ability to write traces by sending the data to Stackdriver Trace.
  • cloudtrace.traces.patch
Project
roles/cloudtrace.user Cloud Trace User Provides full access to the Trace console and read access to traces.
  • cloudtrace.insights.*
  • cloudtrace.stats.*
  • cloudtrace.tasks.*
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Cloud Translation roles

Role Title Description Permissions Lowest resource
roles/cloudtranslate.admin Cloud Translation API Admin Full access to all Cloud Translation resources
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.editor Cloud Translation API Editor Editor of Cloud Translation resources
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.user Cloud Translation API User User of Cloud Translation and AutoML models
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.generalModels.*
  • cloudtranslate.glossaries.batchPredict
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.glossaries.predict
  • cloudtranslate.languageDetectionModels.*
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.viewer Cloud Translation API Viewer Viewer of all Translation resources
  • automl.models.get
  • cloudtranslate.generalModels.get
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Workflows roles

Role Title Description Permissions Lowest resource
roles/workflows.admin Workflows Admin Beta Full access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.*
roles/workflows.editor Workflows Editor Beta Read and write access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*
  • workflows.locations.*
  • workflows.operations.*
  • workflows.workflows.create
  • workflows.workflows.delete
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
  • workflows.workflows.update
roles/workflows.invoker Workflows Invoker Beta Access to execute workflows and manage the executions.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*
roles/workflows.viewer Workflows Viewer Beta Read-only access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.*
  • workflows.operations.get
  • workflows.operations.list
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list

Codelab API Keys roles

Role Title Description Permissions Lowest resource
roles/codelabapikeys.admin Codelab ApiKeys Admin Beta Full access to API keys
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/codelabapikeys.editor Codelab API Keys Editor Beta This role can view and edit all properties of API keys.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/codelabapikeys.viewer Codelab API Keys Viewer Beta This role can view all properties of API keys except their change history.
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Composer roles

Role Title Description Permissions Lowest resource
roles/composer.admin Composer Administrator Provides full control of Cloud Composer resources.
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/composer.environmentAndStorageObjectAdmin Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets.
  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*
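Project
roles/composer.environmentAndStorageObjectViewer Environment User and Storage Object Viewer Provides the permissions necessary to list and get Cloud Composer environments and operations, and read-only access to objects in all project buckets.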
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list
Project
roles/composer.user Composer User Provides the permissions necessary to list and get Cloud Composer environments and operations.
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/composer.worker Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
  • artifactregistry.*
  • cloudbuild.*
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*
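Project

Compute Engine roles

Role Title Description Permissions Lowest resource
roles/compute.admin Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.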

  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
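Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/compute.imageUser Compute Image User

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and to create resources, such as instances and persistent disks, based on images in the project.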

  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
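Image Beta
roles/compute.instanceAdmin Compute Instance Admin (beta)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM Beta settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.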

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
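Disk, image, instance, instanceTemplate, snapshot (Beta)
roles/compute.instanceAdmin.v1 Compute Instance Admin (v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at the instance level, that user cannot create new instances.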

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
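roles/compute.loadBalancerAdmin Compute Load Balancer Admin Beta

Permissions to create, modify, and delete load balancers and associated resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.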

  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
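Instance (Beta)
roles/compute.networkAdmin Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The Network Admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses), but it does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.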

  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.externalVpnGateways.*
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
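Instance (Beta)
roles/compute.networkUser Compute Network User

Provides access to a Shared VPC network.

Service owners who are granted this role can use VPC networks and subnets that belong to the host project. For example, a network user can create a virtual machine instance that belongs to a host project network, but cannot delete networks or create new networks in the host project.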

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
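Project
roles/compute.networkViewer Compute Network Viewer

Read-only access to all networking resources.

For example, if you have software that inspects your network configuration, you can grant this role to that software's service account.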

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.orgSecurityPolicyAdmin Compute Organization Security Policy Admin Beta Full control of Compute Engine organization security policies.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.orgSecurityPolicyUser Compute Organization Security Policy User Beta View or use Compute Engine security policies to associate with the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.orgSecurityResourceAdmin Compute Organization Resource Admin Beta Full control of Compute Engine security policies associated with the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.osAdminLogin Compute OS Admin Login Access to log in to a Compute Engine instance as an administrator user.
  • compute.instances.get
  • compute.instances.list
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.osLogin Compute OS Login Access to log in to a Compute Engine instance as a standard user.
  • compute.instances.get
  • compute.instances.list
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
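Instance (Beta)
roles/compute.osLoginExternalUser Compute OS Login External User

This role is available only at the organization level.

This role grants an external user permission to set the OS Login information associated with the organization, but it does not grant access to instances. External users must be granted one of the required OS Login roles in order to access instances using SSH.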

  • compute.oslogin.*
Organization
roles/compute.packetMirroringAdmin Compute Packet Mirroring Admin Specify resources to be mirrored.
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.packetMirroringUser Compute Packet Mirroring User Use Compute Engine packet mirrorings.
  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.publicIpAdmin Compute Public IP Admin Beta Full control of public IP address management for Compute Engine.
  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/compute.securityAdmin Compute Security Admin

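Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM (Beta) settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.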

  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.*
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
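Instance (Beta)
roles/compute.storageAdmin Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the Editor role on the project, then grant this role to their account on the project.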

  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
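Disk, image, snapshot (Beta)
roles/compute.viewer Compute Viewer

Read-only access to get and list Compute Engine resources, without the ability to read the data stored on them.

For example, an account with this role can inventory all of the disks in a project, but it cannot read any of the data on those disks.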

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
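Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)
roles/compute.xpnAdmin Compute Shared VPC Admin

Permissions to administer Shared VPC host projects, specifically enabling the host projects and associating Shared VPC service projects with the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the Shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the Shared VPC host project Owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.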

  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Folder
roles/osconfig.assignmentAdmin Assignment Admin Full admin access to Assignments
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.assignmentEditor Assignment Editor Can edit Assignment resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.assignmentViewer Assignment Viewer Can view Assignment resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyAdmin GuestPolicy Admin Beta Full admin access to GuestPolicies
  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyEditor GuestPolicy Editor Beta Can edit GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyViewer GuestPolicy Viewer Beta Can view GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigAdmin OsConfig Admin Full admin access to OsConfigs
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigEditor OsConfig Editor Can edit OsConfig resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigViewer OsConfig Viewer Can view OsConfig resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchDeploymentAdmin PatchDeployment Admin Full admin access to PatchDeployments
  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchDeploymentViewer PatchDeployment Viewer Can view PatchDeployment resources
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchJobExecutor Patch Job Executor Access to execute patch jobs.
  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchJobViewer Patch Job Viewer Get and list patch jobs.
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

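Kubernetes Engine roles

Role Title Description Permissions Lowest resource
roles/container.admin Kubernetes Engine Admin

Provides access to full management of clusters and their Kubernetes API objects.

To set a service account on nodes, you must also grant the Service Account User role (roles/iam.serviceAccountUser).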

  • container.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/container.clusterAdmin Kubernetes Engine Cluster Admin

Provides access to management of clusters.

To set a service account on nodes, you must also grant the Service Account User role (roles/iam.serviceAccountUser).

  • container.clusters.create
  • container.clusters.delete
  • container.clusters.get
  • container.clusters.list
  • container.clusters.update
  • container.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/container.clusterViewer Kubernetes Engine Cluster Viewer Get and list access to GKE clusters.
  • container.clusters.get
  • container.clusters.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/container.developer Kubernetes Engine Developer Provides access to Kubernetes API objects inside clusters.
  • container.apiServices.*
  • container.backendConfigs.*
  • container.bindings.*
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.*
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.*
  • container.csiDrivers.*
  • container.csiNodes.*
  • container.customResourceDefinitions.*
  • container.daemonSets.*
  • container.deployments.*
  • container.endpoints.*
  • container.events.*
  • container.horizontalPodAutoscalers.*
  • container.ingresses.*
  • container.initializerConfigurations.*
  • container.jobs.*
  • container.limitRanges.*
  • container.localSubjectAccessReviews.*
  • container.namespaces.*
  • container.networkPolicies.*
  • container.nodes.*
  • container.persistentVolumeClaims.*
  • container.persistentVolumes.*
  • container.petSets.*
  • container.podDisruptionBudgets.*
  • container.podPresets.*
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.*
  • container.pods.*
  • container.replicaSets.*
  • container.replicationControllers.*
  • container.resourceQuotas.*
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.*
  • container.scheduledJobs.*
  • container.secrets.*
  • container.selfSubjectAccessReviews.*
  • container.serviceAccounts.*
  • container.services.*
  • container.statefulSets.*
  • container.storageClasses.*
  • container.subjectAccessReviews.*
  • container.thirdPartyObjects.*
  • container.thirdPartyResources.*
  • container.tokenReviews.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
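Project
roles/container.hostServiceAgentUser Kubernetes Engine Host Service Agent User Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also grants permission to inspect the firewall rules in the host project.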
  • compute.firewalls.get
  • container.hostServiceAgent.*
roles/container.viewer Kubernetes Engine Viewer Provides read-only access to GKE resources.
  • container.apiServices.get
  • container.apiServices.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Container Analysis roles

Role Title Description Permissions Lowest resource
roles/containeranalysis.admin Container Analysis Admin Access to all Container Analysis resources.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.attacher Container Analysis Notes Attacher Can attach Container Analysis occurrences to notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get
roles/containeranalysis.notes.editor Container Analysis Notes Editor Can edit Container Analysis notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.occurrences.viewer Container Analysis Occurrences for Notes Viewer
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences
roles/containeranalysis.notes.viewer Container Analysis Notes Viewer Can view Container Analysis notes.
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.editor Container Analysis Occurrences Editor Can edit Container Analysis occurrences.
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.viewer Container Analysis Occurrences Viewer Can view Container Analysis occurrences.
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog roles

Role Title Description Permissions Lowest resource
roles/datacatalog.admin Data Catalog Admin Full access to all DataCatalog resources
  • bigquery.datasets.get
  • bigquery.datasets.updateTag
  • bigquery.models.getMetadata
  • bigquery.models.updateTag
  • bigquery.tables.get
  • bigquery.tables.updateTag
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • datacatalog.tagTemplates.*
  • datacatalog.taxonomies.*
  • pubsub.topics.get
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.categoryAdmin Policy Tag Admin (Beta) Can manage taxonomies
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.taxonomies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.categoryFineGrainedReader Fine-Grained Reader (Beta) Read access to sub-resources tagged with a specific policy tag, for example BigQuery columns
  • datacatalog.categories.fineGrainedGet
roles/datacatalog.entryGroupCreator DataCatalog EntryGroup Creator Can create new entryGroups
  • datacatalog.entryGroups.create
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryGroupOwner DataCatalog entryGroup Owner Full access to entryGroups
  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryOwner DataCatalog entry Owner Full access to entries
  • datacatalog.entries.*
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryViewer DataCatalog Entry Viewer Read access to entries
  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagEditor Data Catalog Tag Editor Provides permission to modify tags on Google Cloud assets for BigQuery and Pub/Sub
  • bigquery.datasets.updateTag
  • bigquery.models.updateTag
  • bigquery.tables.updateTag
  • datacatalog.entries.updateTag
  • pubsub.topics.updateTag
roles/datacatalog.tagTemplateCreator Data Catalog TagTemplate Creator Can create new tag templates
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
roles/datacatalog.tagTemplateOwner Data Catalog TagTemplate Owner Full access to tag templates
  • datacatalog.tagTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagTemplateUser Data Catalog TagTemplate User Can use templates to tag resources
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagTemplateViewer Data Catalog TagTemplate Viewer Read access to templates and to tags created using the templates
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.viewer Data Catalog Viewer Provides metadata read access to cataloged Google Cloud assets for BigQuery and Pub/Sub
  • bigquery.datasets.get
  • bigquery.models.getMetadata
  • bigquery.tables.get
  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.taxonomies.get
  • datacatalog.taxonomies.list
  • pubsub.topics.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataflow roles

Role Title Description Permissions Lowest resource
roles/dataflow.admin Dataflow Admin Minimal role for creating and managing Dataflow jobs.
  • compute.machineTypes.get
  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list
roles/dataflow.developer Dataflow Developer Provides the permissions necessary to execute and manipulate Dataflow jobs.
  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataflow.viewer Dataflow Viewer Provides read-only access to all Dataflow-related resources.
  • dataflow.jobs.get
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.metrics.*
  • dataflow.snapshots.get
  • dataflow.snapshots.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataflow.worker Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline.
  • compute.instanceGroupManagers.update
  • compute.instances.delete
  • compute.instances.setDiskAutoDelete
  • dataflow.jobs.get
  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
Project

Cloud Data Labeling roles

Role Title Description Permissions Lowest resource
roles/datalabeling.admin DataLabeling Service Admin (Beta) Full access to all DataLabeling resources
  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datalabeling.editor DataLabeling Service Editor (Beta) Can edit all DataLabeling resources
  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datalabeling.viewer DataLabeling Service Viewer (Beta) Can view all DataLabeling resources
  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Migration roles

Role Title Description Permissions Lowest resource
roles/datamigration.admin Database Migration Admin (Beta) Full access to all resources of Database Migration.
  • datamigration.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataprep roles

Role Title Description Permissions Lowest resource
roles/dataprep.projects.user Dataprep User (Beta) Can use Dataprep.
  • dataprep.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Dataproc roles

Role Title Description Permissions Lowest resource
roles/dataproc.admin Dataproc Administrator Full control of Dataproc resources.
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.*
  • dataproc.clusters.*
  • dataproc.jobs.*
  • dataproc.operations.*
  • dataproc.workflowTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
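roles/dataproc.editor Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.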
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.create
  • dataproc.autoscalingPolicies.delete
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.update
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.update
  • dataproc.clusters.use
  • dataproc.jobs.cancel
  • dataproc.jobs.create
  • dataproc.jobs.delete
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.jobs.update
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.create
  • dataproc.workflowTemplates.delete
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.instantiate
  • dataproc.workflowTemplates.instantiateInline
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataproc.viewer Dataproc Viewer Provides read-only access to Dataproc resources.
  • compute.machineTypes.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataproc.worker Dataproc Worker Provides worker access to Dataproc resources. Intended for service accounts.
  • dataproc.agents.*
  • dataproc.tasks.*
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • storage.buckets.get
  • storage.objects.*

Datastore roles

Role Title Description Permissions Lowest resource
roles/datastore.importExportAdmin Cloud Datastore Import Export Admin Provides full access to manage import and export jobs.
  • appengine.applications.get
  • datastore.databases.export
  • datastore.databases.import
  • datastore.operations.cancel
  • datastore.operations.get
  • datastore.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.indexAdmin Cloud Datastore Index Admin Provides full access to index definitions.
  • appengine.applications.get
  • datastore.indexes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.owner Cloud Datastore Owner Provides full access to Datastore resources.
  • appengine.applications.get
  • datastore.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.user Cloud Datastore User Provides read/write access to data in a Cloud Datastore database.
  • appengine.applications.get
  • datastore.databases.get
  • datastore.entities.*
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.viewer Cloud Datastore Viewer Provides read access to Cloud Datastore resources.
  • appengine.applications.get
  • datastore.databases.get
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Deployment Manager roles

Role Title Description Permissions Lowest resource
roles/deploymentmanager.editor Deployment Manager Editor Provides the permissions necessary to create and manage deployments.
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/deploymentmanager.typeEditor Deployment Manager Type Editor Provides read and write access to all type registry resources.
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.operations.get
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Project
roles/deploymentmanager.typeViewer Deployment Manager Type Viewer Provides read-only access to all type registry resources.
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Project
roles/deploymentmanager.viewer Deployment Manager Viewer Provides read-only access to all Deployment Manager-related resources.
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Dialogflow roles

Role Title Description Permissions Lowest resource
roles/dialogflow.admin Dialogflow API Admin Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. See also Dialogflow access control.
  • dialogflow.*
  • resourcemanager.projects.get
Project
roles/dialogflow.client Dialogflow API Client Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the Dialogflow API. See also Dialogflow access control.
  • dialogflow.contexts.*
  • dialogflow.sessionEntityTypes.*
  • dialogflow.sessions.*
Project
roles/dialogflow.consoleAgentEditor Dialogflow Console Agent Editor Grant to Dialogflow console editors that edit existing agents. See also Dialogflow access control.
  • actions.agentVersions.create
  • dialogflow.*
  • resourcemanager.projects.get
Project
roles/dialogflow.conversationManager Dialogflow Conversation Manager (Alpha) Can manage all the resources related to Dialogflow conversations.
roles/dialogflow.integrationManager Dialogflow Integration Manager (Alpha) Can add, remove, enable, and disable Dialogflow integrations.
roles/dialogflow.reader Dialogflow API Reader Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the Dialogflow API. See also Dialogflow access control.
  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
Project

Cloud DLP roles

Role Title Description Permissions Lowest resource
roles/dlp.admin DLP Administrator Can administer DLP, including jobs and templates.
  • dlp.*
  • serviceusage.services.use
roles/dlp.analyzeRiskTemplatesEditor DLP Analyze Risk Templates Editor Can edit DLP analyze risk templates.
  • dlp.analyzeRiskTemplates.*
roles/dlp.analyzeRiskTemplatesReader DLP Analyze Risk Templates Reader Can read DLP analyze risk templates.
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
roles/dlp.deidentifyTemplatesEditor DLP De-identify Templates Editor Can edit DLP de-identify templates.
  • dlp.deidentifyTemplates.*
roles/dlp.deidentifyTemplatesReader DLP De-identify Templates Reader Can read DLP de-identify templates.
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
roles/dlp.inspectFindingsReader DLP Inspect Findings Reader Can read DLP stored findings.
  • dlp.inspectFindings.*
roles/dlp.inspectTemplatesEditor DLP Inspect Templates Editor Can edit DLP inspect templates.
  • dlp.inspectTemplates.*
roles/dlp.inspectTemplatesReader DLP Inspect Templates Reader Can read DLP inspect templates.
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
roles/dlp.jobTriggersEditor DLP Job Triggers Editor Can edit job trigger configurations.
  • dlp.jobTriggers.*
roles/dlp.jobTriggersReader DLP Job Triggers Reader Can read job triggers.
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
roles/dlp.jobsEditor DLP Jobs Editor Can edit and create jobs
  • dlp.jobs.*
  • dlp.kms.*
roles/dlp.jobsReader DLP Jobs Reader Can read jobs
  • dlp.jobs.get
  • dlp.jobs.list
roles/dlp.reader DLP Reader Can read DLP entities, such as jobs and templates.
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list
roles/dlp.storedInfoTypesEditor DLP Stored InfoTypes Editor Can edit DLP stored info types.
  • dlp.storedInfoTypes.*
roles/dlp.storedInfoTypesReader DLP Stored InfoTypes Reader Can read DLP stored info types.
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list
roles/dlp.user DLP User Can inspect, redact, and de-identify content
  • dlp.kms.*
  • serviceusage.services.use

DNS roles

Role Title Description Permissions Lowest resource
roles/dns.admin DNS Administrator Provides read-write access to all Cloud DNS resources.
  • compute.networks.get
  • compute.networks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dns.peer DNS Peer Can access target networks through DNS peering zones
  • dns.networks.targetWithPeeringZone
roles/dns.reader DNS Reader Provides read-only access to all Cloud DNS resources.
  • compute.networks.get
  • dns.changes.get
  • dns.changes.list
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.policies.get
  • dns.policies.list
  • dns.projects.*
  • dns.resourceRecordSets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
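Project

Endpoints roles

Role Title Description Permissions Lowest resource
roles/endpoints.portalAdmin Endpoints Portal Admin (Beta) Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides permission to change the settings on the Site Wide tab of the Settings page.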
  • endpoints.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
Project

Error Reporting roles

Role Title Description Permissions Lowest resource
roles/errorreporting.admin Error Reporting Admin (Beta) Provides full access to Error Reporting data.
  • cloudnotifications.*
  • errorreporting.*
Project
roles/errorreporting.user Error Reporting User (Beta) Provides the permissions to read and write Error Reporting data, but not to send new error events.
  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.delete
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.*
  • errorreporting.groups.*
Project
roles/errorreporting.viewer Error Reporting Viewer (Beta) Provides read-only access to Error Reporting data.
  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.get
  • errorreporting.groups.*
Project
roles/errorreporting.writer Errors Writer (Beta) Provides the permissions to send error events to Error Reporting.
  • errorreporting.errorEvents.create
Service account

Eventarc roles

Role Title Description Permissions Lowest resource
roles/eventarc.admin Eventarc Admin (Beta) Full control over all Eventarc resources.
  • eventarc.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/eventarc.viewer Eventarc Viewer (Beta) Can view the state of all Eventarc resources, including IAM policies.
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Filestore roles

Role Title Description Permissions Lowest resource
roles/file.editor Cloud Filestore Editor (Beta) Read-write access to Filestore instances and related resources.
  • file.*
roles/file.viewer Cloud Filestore Viewer (Beta) Read-only access to Filestore instances and related resources.
  • file.backups.get
  • file.backups.list
  • file.instances.get
  • file.instances.list
  • file.locations.*
  • file.operations.get
  • file.operations.list

Firebase roles

Role Title Description Permissions Lowest resource
roles/firebase.admin Firebase Admin Full access to Firebase products.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • clientauthconfig.clients.update
  • cloudconfig.*
  • cloudfunctions.*
  • cloudmessaging.*
  • cloudnotifications.*
  • cloudtestservice.*
  • cloudtoolresults.*
  • datastore.*
  • errorreporting.groups.*
  • firebase.*
  • firebaseabt.*
  • firebaseanalytics.*
  • firebaseappdistro.*
  • firebaseauth.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebasedatabase.*
  • firebasedynamiclinks.*
  • firebaseextensions.*
  • firebasehosting.*
  • firebaseinappmessaging.*
  • firebaseml.*
  • firebasenotifications.*
  • firebaseperformance.*
  • firebasepredictions.*
  • firebaserules.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.objects.*
roles/firebase.analyticsAdmin Firebase Analytics Admin Full access to Google Analytics for Firebase.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/firebase.analyticsViewer Firebase Analytics Viewer Read access to Google Analytics for Firebase.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/firebase.developAdmin Firebase Develop Admin Full access to Firebase Develop products and Analytics.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudfunctions.*
  • cloudnotifications.*
  • datastore.*
  • errorreporting.groups.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseauth.*
  • firebasedatabase.*
  • firebaseextensions.configs.list
  • firebasehosting.*
  • firebaseml.*
  • firebaserules.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.objects.*
roles/firebase.developViewer Firebase Develop Viewer Read access to Firebase Develop products and Analytics.
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • datastore.databases.get
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.statistics.*
  • errorreporting.groups.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
roles/firebase.growthAdmin Firebase Grow Admin Full access to Firebase Grow products and Analytics.
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudconfig.*
  • cloudmessaging.*
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseabt.*
  • firebaseanalytics.*
  • firebasedynamiclinks.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.*
  • firebasenotifications.*
  • firebasepredictions.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.growthViewer Firebase Grow Viewer Read access to Firebase Grow products and Analytics.
  • cloudconfig.configs.get
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.qualityAdmin Firebase Quality Admin Full access to Firebase Quality products and Analytics.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseappdistro.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebaseextensions.configs.list
  • firebaseperformance.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.qualityViewer Firebase Quality Viewer Read access to Firebase Quality products and Analytics.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrash.reports.*
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • firebaseextensions.configs.list
  • firebaseperformance.data.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.viewer Firebase Viewer Read-only access to Firebase products.
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudconfig.configs.get
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • cloudtestservice.environmentcatalog.*
  • cloudtestservice.matrices.get
  • cloudtoolresults.executions.get
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.get
  • cloudtoolresults.histories.list
  • cloudtoolresults.settings.get
  • cloudtoolresults.steps.get
  • cloudtoolresults.steps.list
  • datastore.databases.get