Viewing the roles that can be granted on resources

Before you grant an IAM role to a user on a resource, find out which roles are available for that purpose. This page shows you how to list all the roles that can be granted on a resource with the gcloud command-line tool.

Listing the roles that can be granted on a resource

Use the list-grantable-roles command to list all the roles that can be granted on a resource. The command lists only the roles that belong to services enabled in the project.

In the example below, Google Compute Engine, Google App Engine, Google Cloud Storage, Cloud Logging and Cloud Dataflow are enabled in the project.

gcloud iam list-grantable-roles [PROJECT_ID]

where:

  • [PROJECT_ID] is the ID of the project for which the information is returned, in the following format: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID.

The command lists all the roles that can be granted on the project specified by [PROJECT_ID].

---
description: Ability to view App Engine app status.
name: roles/appengine.appViewer
title: App Engine Viewer
---
description: Read and use image resources.
name: roles/compute.imageUser
title: Compute Image User
---
description: Full control of Compute Engine instance resources.
name: roles/compute.instanceAdmin.v1
title: Compute Instance Admin
---
description: Read and Write access to all Deployment Manager resources.
name: roles/deploymentmanager.editor
title: Deployment Manager Editor
---
description: Edit access to all resources.
name: roles/editor
title: Editor
---
description: Access to obtain credentials for a service account.
name: roles/iam.serviceAccountActor
title: Service Account Actor
---
description: Full access to all resources.
name: roles/owner
title: Owner
---
description: Full control of Google Cloud Storage objects.
name: roles/storage.objectAdmin
title: Storage Object Admin
---
description: Read access to all resources.
name: roles/viewer
title: Viewer
---
description: Full management of App Engine apps (but not storage).
name: roles/appengine.appAdmin
title: App Engine Admin
---
description: Necessary permissions to deploy new code to App Engine, and remove old
versions.
name: roles/appengine.deployer
title: App Engine Deployer
---
description: Can view and change traffic splits, scaling settings, and delete old
versions; cannot create new versions.
name: roles/appengine.serviceAdmin
title: App Engine Service Admin
---
description: Authorized to see and manage all aspects of billing accounts.
name: roles/billing.admin
title: Billing Account Administrator
---
description: Access to browse GCP resources.
name: roles/browser
title: Browser
---
description: Full control of Compute Engine networking resources.
name: roles/compute.networkAdmin
title: Compute Network Admin
---
description: Read-only access to Compute Engine networking resources.
name: roles/compute.networkViewer
title: Compute Network Viewer
---
description: Full control of Compute Engine security resources.
name: roles/compute.securityAdmin
title: Compute Security Admin
---
description: Full control of Compute Engine storage resources.
name: roles/compute.storageAdmin
title: Compute Storage Admin
---
description: Full operational access to Dataflow jobs.
name: roles/dataflow.developer
title: Dataflow Developer
---
description: Read only access to Dataflow jobs.
name: roles/dataflow.viewer
title: Dataflow Viewer
---
description: Worker access to Dataflow.  Intended for service accounts.
name: roles/dataflow.worker
title: Dataflow Worker
---
description: Security reviewer role, with permissions to get any IAM policy.
name: roles/iam.securityReviewer
title: Security Reviewer
---
description: Access to configure log exporting and metrics.
name: roles/logging.configWriter
title: Logs Configuration Writer
---
description: Access to write logs.
name: roles/logging.logWriter
title: Logs Writer
---
description: Access to view all logs, including logs with private contents.
name: roles/logging.privateLogViewer
title: Private Logs Viewer
---
description: Access to view logs, except for logs with private contents.
name: roles/logging.viewer
title: Logs Viewer
---
description: Full access to topics and subscriptions.
name: roles/pubsub.admin
title: Pub/Sub Admin
---
description: Modify topics and subscriptions, publish and consume messages.
name: roles/pubsub.editor
title: Pub/Sub Editor
---
description: Access to publish messages to a topic.
name: roles/pubsub.publisher
title: Pub/Sub Publisher
---
description: Access to consume messages from a subscription and to attach subscriptions
to a topic.
name: roles/pubsub.subscriber
title: Pub/Sub Subscriber
---
description: Can view topics and subscriptions.
name: roles/pubsub.viewer
title: Pub/Sub Viewer
---
description: Runtime control of checking and reporting usage of a service.
name: roles/servicemanagement.runtimeController
title: Service Runtime Controller
---
description: Admin access to all repos in a project
name: roles/source.admin
title: Source Repository Administrator
---
description: Read access to all repos in a project
name: roles/source.reader
title: Source Repository Reader
---
description: Read / Write access to all repos in a project
name: roles/source.writer
title: Source Repository Writer
---
description: Full control of Google Cloud Storage resources.
name: roles/storage.admin
title: Storage Admin
---
description: Access to create objects in Google Cloud Storage.
name: roles/storage.objectCreator
title: Storage Object Creator
---
description: Read-Only access to Google Cloud Storage objects.
name: roles/storage.objectViewer
title: Storage Object Viewer
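The output above is a sequence of YAML documents, one per role, which makes it easy to post-process before deciding what to grant. The following script is an added example, not part of the Google Cloud documentation or the gcloud tool: it builds the full resource name the command expects from a bare project ID, extracts the role names from list-grantable-roles output, checks whether a specific role is grantable at all, and flags the broad roles (the basic owner/editor/viewer roles and roles/iam.serviceAccountActor, which lets the grantee obtain a service account's credentials) that deserve a second look before being granted. The sample output embedded in the script is a constructed excerpt of the listing shown on this page; the set of roles treated as "broad" is an assumption of the example and can be extended.

```shell
#!/bin/sh
# Added example; not code from the Google Cloud documentation page.
# SAMPLE_OUTPUT is a constructed excerpt of what
#   gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
# prints. With a real project, pipe the live command into the functions instead.

SAMPLE_OUTPUT='---
description: Edit access to all resources.
name: roles/editor
title: Editor
---
description: Access to obtain credentials for a service account.
name: roles/iam.serviceAccountActor
title: Service Account Actor
---
description: Read-Only access to Google Cloud Storage objects.
name: roles/storage.objectViewer
title: Storage Object Viewer
---
description: Full access to all resources.
name: roles/owner
title: Owner'

# Build the full resource name list-grantable-roles expects from a bare project ID.
project_resource() {
  printf '//cloudresourcemanager.googleapis.com/projects/%s\n' "$1"
}

# Print one role name per line from list-grantable-roles output read on stdin.
role_names() {
  awk '$1 == "name:" { print $2 }'
}

# Print only the broad roles: the basic owner/editor/viewer roles and the role
# that grants service-account credentials. (Assumed list for this example.)
broad_roles() {
  role_names | awk '
    $0 == "roles/owner" || $0 == "roles/editor" || $0 == "roles/viewer" ||
    $0 == "roles/iam.serviceAccountActor" { print }'
}

# Exit 0 if the role given as $1 appears in the output on stdin, 1 otherwise.
# Use this before a gcloud ... add-iam-policy-binding to catch typos and roles
# of services that are not enabled in the project.
is_grantable() {
  role_names | grep -qx "$1"
}

# Stand-alone run on the constructed sample.
echo "Resource name: $(project_resource my-project)"
echo "Grantable roles:"
printf '%s\n' "$SAMPLE_OUTPUT" | role_names
echo "Broad roles to review before granting:"
printf '%s\n' "$SAMPLE_OUTPUT" | broad_roles
```

To use the functions against a real project, replace the sample with `gcloud iam list-grantable-roles "$(project_resource PROJECT_ID)" | broad_roles`; the awk parsing relies only on the `name:` lines, so the order of fields within each document does not matter.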

Next steps
