Viewing the roles that can be granted on a resource

Before you grant IAM roles to users of a resource, we recommend checking which kinds of roles can be granted on that particular resource. This page explains how to use the gcloud command-line tool to list all roles that can be granted on a resource.

Listing the roles that can be granted on a resource

Use the list-grantable-roles command to list all roles that can be granted on a resource. The command lists only the roles for services that are enabled in the project.

In the following example, Google Compute Engine, Google App Engine, Cloud Storage, Cloud Logging, and Cloud Dataflow are enabled in the project.

gcloud iam list-grantable-roles [PROJECT_ID]

where:

  • [PROJECT_ID] is the ID of the project to return information for, in the form //cloudresourcemanager.googleapis.com/projects/PROJECT_ID.

The command prints every role that can be granted on the project specified by [PROJECT_ID]:


    ---
    description: Ability to view App Engine app status.
    name: roles/appengine.appViewer
    title: App Engine Viewer
    ---
    description: Read and use image resources.
    name: roles/compute.imageUser
    title: Compute Image User
    ---
    description: Full control of Compute Engine instance resources.
    name: roles/compute.instanceAdmin.v1
    title: Compute Instance Admin
    ---
    description: Read and Write access to all Deployment Manager resources.
    name: roles/deploymentmanager.editor
    title: Deployment Manager Editor
    ---
    description: Edit access to all resources.
    name: roles/editor
    title: Editor
    ---
    description: Access to obtain credentials for a service account.
    name: roles/iam.serviceAccountActor
    title: Service Account Actor
    ---
    description: Full access to all resources.
    name: roles/owner
    title: Owner
    ---
    description: Full control of Google Cloud Storage objects.
    name: roles/storage.objectAdmin
    title: Storage Object Admin
    ---
    description: Read access to all resources.
    name: roles/viewer
    title: Viewer
    ---
    description: Full management of App Engine apps (but not storage).
    name: roles/appengine.appAdmin
    title: App Engine Admin
    ---
    description: Necessary permissions to deploy new code to App Engine, and remove old
    versions.
    name: roles/appengine.deployer
    title: App Engine Deployer
    ---
    description: Can view and change traffic splits, scaling settings, and delete old
    versions; cannot create new versions.
    name: roles/appengine.serviceAdmin
    title: App Engine Service Admin
    ---
    description: Authorized to see and manage all aspects of billing accounts.
    name: roles/billing.admin
    title: Billing Account Administrator
    ---
    description: Read access to browse the hierarchy for a project, including
    the folder, organization, and IAM policy. This role doesn't include
    permission to view resources in the project.
    name: roles/browser
    title: Browser
    ---
    description: Full control of Compute Engine networking resources.
    name: roles/compute.networkAdmin
    title: Compute Network Admin
    ---
    description: Read-only access to Compute Engine networking resources.
    name: roles/compute.networkViewer
    title: Compute Network Viewer
    ---
    description: Full control of Compute Engine security resources.
    name: roles/compute.securityAdmin
    title: Compute Security Admin
    ---
    description: Full control of Compute Engine storage resources.
    name: roles/compute.storageAdmin
    title: Compute Storage Admin
    ---
    description: Full operational access to Dataflow jobs.
    name: roles/dataflow.developer
    title: Dataflow Developer
    ---
    description: Read only access to Dataflow jobs.
    name: roles/dataflow.viewer
    title: Dataflow Viewer
    ---
    description: Worker access to Dataflow.  Intended for service accounts.
    name: roles/dataflow.worker
    title: Dataflow Worker
    ---
    description: Security reviewer role, with permissions to get any IAM policy.
    name: roles/iam.securityReviewer
    title: Security Reviewer
    ---
    description: Access to configure log exporting and metrics.
    name: roles/logging.configWriter
    title: Logs Configuration Writer
    ---
    description: Access to write logs.
    name: roles/logging.logWriter
    title: Logs Writer
    ---
    description: Access to view all logs, including logs with private contents.
    name: roles/logging.privateLogViewer
    title: Private Logs Viewer
    ---
    description: Access to view logs, except for logs with private contents.
    name: roles/logging.viewer
    title: Logs Viewer
    ---
    description: Full access to topics and subscriptions.
    name: roles/pubsub.admin
    title: Pub/Sub Admin
    ---
    description: Modify topics and subscriptions, publish and consume messages.
    name: roles/pubsub.editor
    title: Pub/Sub Editor
    ---
    description: Access to publish messages to a topic.
    name: roles/pubsub.publisher
    title: Pub/Sub Publisher
    ---
    description: Access to consume messages from a subscription and to attach subscriptions
    to a topic.
    name: roles/pubsub.subscriber
    title: Pub/Sub Subscriber
    ---
    description: Can view topics and subscriptions.
    name: roles/pubsub.viewer
    title: Pub/Sub Viewer
    ---
    description: Runtime control of checking and reporting usage of a service.
    name: roles/servicemanagement.runtimeController
    title: Service Runtime Controller
    ---
    description: Admin access to all repos in a project
    name: roles/source.admin
    title: Source Repository Administrator
    ---
    description: Read access to all repos in a project
    name: roles/source.reader
    title: Source Repository Reader
    ---
    description: Read / Write access to all repos in a project
    name: roles/source.writer
    title: Source Repository Writer
    ---
    description: Full control of Google Cloud Storage resources.
    name: roles/storage.admin
    title: Storage Admin
    ---
    description: Access to create objects in Google Cloud Storage.
    name: roles/storage.objectCreator
    title: Storage Object Creator
    ---
    description: Read-Only access to Google Cloud Storage objects.
    name: roles/storage.objectViewer
    title: Storage Object Viewer
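As an added example (not part of the original page or of the gcloud tool itself), the following POSIX shell script parses the record stream that list-grantable-roles prints, one "---"-separated document per role as in the listing above, into one tab-separated line per role, and then picks out the roles whose description says they cover all resources (the roles/owner, roles/editor and roles/viewer entries above). That is the review a practitioner wants to do before choosing which of the grantable roles to hand out. The sample input is constructed from a few entries of the listing above, and the function names and the PROJECT_ID variable are assumptions, not something the page defines.

```shell
#!/bin/sh
# Added example: parse `gcloud iam list-grantable-roles` output and flag broad roles.
# Assumed names: parse_grantable_roles, count_roles, broad_roles, PROJECT_ID.

# Constructed sample, modelled on the page's listing (not captured from a real project).
# The second record has a wrapped description line, as the listing above does.
SAMPLE_ROLES='---
description: Full access to all resources.
name: roles/owner
title: Owner
---
description: Necessary permissions to deploy new code to App Engine, and remove old
versions.
name: roles/appengine.deployer
title: App Engine Deployer
---
description: Read-Only access to Google Cloud Storage objects.
name: roles/storage.objectViewer
title: Storage Object Viewer
'

# Reads list-grantable-roles output on stdin and prints one line per role:
#   name<TAB>title<TAB>description
# A "---" line closes the current record; any other line that is not a
# known key is treated as a continuation of the field seen last.
parse_grantable_roles() {
    awk '
        function flush() {
            if (name != "") printf "%s\t%s\t%s\n", name, title, desc
            name = ""; title = ""; desc = ""; field = ""
        }
        /^[ \t]*---[ \t]*$/      { flush(); next }
        /^[ \t]*description:/    { field = "desc";  sub(/^[ \t]*description:[ \t]*/, ""); desc  = $0; next }
        /^[ \t]*name:/           { field = "name";  sub(/^[ \t]*name:[ \t]*/, "");        name  = $0; next }
        /^[ \t]*title:/          { field = "title"; sub(/^[ \t]*title:[ \t]*/, "");       title = $0; next }
        NF > 0 {
            # Wrapped continuation line: append it to the field that was last seen.
            sub(/^[ \t]+/, "")
            if (field == "desc")       desc  = desc " " $0
            else if (field == "title") title = title " " $0
            else if (field == "name")  name  = name $0
        }
        END { flush() }
    '
}

# Number of grantable roles in the stream on stdin.
count_roles() {
    parse_grantable_roles | wc -l | tr -d ' '
}

# Names of the roles whose description says they cover all resources
# (roles/owner, roles/editor, roles/viewer in the page's listing). These are
# the entries to look at twice before granting rather than a narrower role.
broad_roles() {
    parse_grantable_roles | awk -F '\t' 'tolower($3) ~ /all resources/ { print $1 }'
}

# Offline demonstration on the constructed sample.
echo "Grantable roles in sample: $(printf '%s' "$SAMPLE_ROLES" | count_roles)"
echo "Broad roles in sample:"
printf '%s' "$SAMPLE_ROLES" | broad_roles

# Against a real project (requires gcloud and an authenticated account; PROJECT_ID is assumed):
#   gcloud iam list-grantable-roles "//cloudresourcemanager.googleapis.com/projects/${PROJECT_ID}" | broad_roles
```

The parser deliberately keys on the three fields the command prints (description, name, title) rather than on a full YAML grammar, so it also survives the wrapped description lines shown in the listing above; anything the command prints beyond those fields is ignored rather than misread as a new role.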
