リソースのユーザーに IAM の役割を付与する前に、特定のリソースに対して付与できる役割の種類について確認することをおすすめします。このページでは、gcloud コマンドライン ツールを使用してリソースに対して付与できるすべての役割を一覧表示する方法について説明します。
リソースに付与できる役割を一覧表示する
list-grantable-roles コマンドを使用して、リソースに付与できるすべての役割を一覧表示します。このコマンドでは、プロジェクト内で有効とされているサービスに対する役割だけが一覧表示されます。
次の例では、プロジェクトで Google Compute Engine、Google App Engine、Cloud Storage、Cloud Logging、Cloud Dataflow が有効になっています。
gcloud iam list-grantable-roles [PROJECT_ID]
ここで:
[PROJECT_ID]は情報を返すプロジェクトの ID で、//cloudresourcemanager.googleapis.com/projects/PROJECT_IDの形式です。
このコマンドでは、[PROJECT_ID] で指定されたプロジェクトに付与できるすべての役割が出力されます。
---
description: Ability to view App Engine app status.
name: roles/appengine.appViewer
title: App Engine Viewer
---
description: Read and use image resources.
name: roles/compute.imageUser
title: Compute Image User
---
description: Full control of Compute Engine instance resources.
name: roles/compute.instanceAdmin.v1
title: Compute Instance Admin
---
description: Read and Write access to all Deployment Manager resources.
name: roles/deploymentmanager.editor
title: Deployment Manager Editor
---
description: Edit access to all resources.
name: roles/editor
title: Editor
---
description: Access to obtain credentials for a service account.
name: roles/iam.serviceAccountActor
title: Service Account Actor
---
description: Full access to all resources.
name: roles/owner
title: Owner
---
description: Full control of Google Cloud Storage objects.
name: roles/storage.objectAdmin
title: Storage Object Admin
---
description: Read access to all resources.
name: roles/viewer
title: Viewer
---
description: Full management of App Engine apps (but not storage).
name: roles/appengine.appAdmin
title: App Engine Admin
---
description: Necessary permissions to deploy new code to App Engine, and remove old
versions.
name: roles/appengine.deployer
title: App Engine Deployer
---
description: Can view and change traffic splits, scaling settings, and delete old
versions; cannot create new versions.
name: roles/appengine.serviceAdmin
title: App Engine Service Admin
---
description: Authorized to see and manage all aspects of billing accounts.
name: roles/billing.admin
title: Billing Account Administrator
---
description: Read access to browse the hierarchy for a project, including
the folder, organization, and IAM policy. This role doesn't include
permission to view resources in the project.
name: roles/browser
title: Browser
---
description: Full control of Compute Engine networking resources.
name: roles/compute.networkAdmin
title: Compute Network Admin
---
description: Read-only access to Compute Engine networking resources.
name: roles/compute.networkViewer
title: Compute Network Viewer
---
description: Full control of Compute Engine security resources.
name: roles/compute.securityAdmin
title: Compute Security Admin
---
description: Full control of Compute Engine storage resources.
name: roles/compute.storageAdmin
title: Compute Storage Admin
---
description: Full operational access to Dataflow jobs.
name: roles/dataflow.developer
title: Dataflow Developer
---
description: Read only access to Dataflow jobs.
name: roles/dataflow.viewer
title: Dataflow Viewer
---
description: Worker access to Dataflow. Intended for service accounts.
name: roles/dataflow.worker
title: Dataflow Worker
---
description: Security reviewer role, with permissions to get any IAM policy.
name: roles/iam.securityReviewer
title: Security Reviewer
---
description: Access to configure log exporting and metrics.
name: roles/logging.configWriter
title: Logs Configuration Writer
---
description: Access to write logs.
name: roles/logging.logWriter
title: Logs Writer
---
description: Access to view all logs, including logs with private contents.
name: roles/logging.privateLogViewer
title: Private Logs Viewer
---
description: Access to view logs, except for logs with private contents.
name: roles/logging.viewer
title: Logs Viewer
---
description: Full access to topics and subscriptions.
name: roles/pubsub.admin
title: Pub/Sub Admin
---
description: Modify topics and subscriptions, publish and consume messages.
name: roles/pubsub.editor
title: Pub/Sub Editor
---
description: Access to publish messages to a topic.
name: roles/pubsub.publisher
title: Pub/Sub Publisher
---
description: Access to consume messages from a subscription and to attach subscriptions
to a topic.
name: roles/pubsub.subscriber
title: Pub/Sub Subscriber
---
description: Can view topics and subscriptions.
name: roles/pubsub.viewer
title: Pub/Sub Viewer
---
description: Runtime control of checking and reporting usage of a service.
name: roles/servicemanagement.runtimeController
title: Service Runtime Controller
---
description: Admin access to all repos in a project
name: roles/source.admin
title: Source Repository Administrator
---
description: Read access to all repos in a project
name: roles/source.reader
title: Source Repository Reader
---
description: Read / Write access to all repos in a project
name: roles/source.writer
title: Source Repository Writer
---
description: Full control of Google Cloud Storage resources.
name: roles/storage.admin
title: Storage Admin
---
description: Access to create objects in Google Cloud Storage.
name: roles/storage.objectCreator
title: Storage Object Creator
---
description: Read-Only access to Google Cloud Storage objects.
name: roles/storage.objectViewer
title: Storage Object Viewer
次のステップ
- 利用可能な IAM の役割を確認します。
- プロジェクト メンバーに対してアクセス権を付与、変更、取り消す方法について学習します。
