使用 IAM 进行访问权限控制

Identity and Access Management (IAM) 角色介绍了如何使用 Managed Service for Microsoft Active Directory (Managed Microsoft AD) API。下面列出了一系列可用于代管式 Microsoft AD 的 IAM 角色及其可用的方法。

此外,服务账号必须具有 servicemanagement.services.bind 权限才能查看和启用托管式 Microsoft AD。详细了解服务管理角色和权限

Role Permissions

(roles/managedidentities.admin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.

managedidentities.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update
  • managedidentities.domains.attachTrust
  • managedidentities.domains.checkMigrationPermission
  • managedidentities.domains.create
  • managedidentities.domains.createTagBinding
  • managedidentities.domains.delete
  • managedidentities.domains.deleteTagBinding
  • managedidentities.domains.detachTrust
  • managedidentities.domains.disableMigration
  • managedidentities.domains.domainJoinMachine
  • managedidentities.domains.enableMigration
  • managedidentities.domains.extendSchema
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.domains.listEffectiveTags
  • managedidentities.domains.listTagBindings
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.restore
  • managedidentities.domains.setIamPolicy
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.get
  • managedidentities.locations.list
  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.create
  • managedidentities.peerings.delete
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.peerings.setIamPolicy
  • managedidentities.peerings.update
  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupAdmin)

Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level

managedidentities.backups.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update

managedidentities.domains.get

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.*

  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupViewer)

Read-only access to Google Cloud Managed Identities Backup and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainAdmin)

Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.

managedidentities.backups.*

  • managedidentities.backups.create
  • managedidentities.backups.delete
  • managedidentities.backups.get
  • managedidentities.backups.getIamPolicy
  • managedidentities.backups.list
  • managedidentities.backups.setIamPolicy
  • managedidentities.backups.update

managedidentities.domains.attachTrust

managedidentities.domains.checkMigrationPermission

managedidentities.domains.createTagBinding

managedidentities.domains.delete

managedidentities.domains.deleteTagBinding

managedidentities.domains.detachTrust

managedidentities.domains.disableMigration

managedidentities.domains.domainJoinMachine

managedidentities.domains.enableMigration

managedidentities.domains.extendSchema

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.domains.reconfigureTrust

managedidentities.domains.resetpassword

managedidentities.domains.restore

managedidentities.domains.update

managedidentities.domains.updateLDAPSSettings

managedidentities.domains.validateTrust

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.sqlintegrations.*

  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainJoin)

Access to domain join VMs with Cloud AD

managedidentities.domains.domainJoinMachine

managedidentities.domains.get

(roles/managedidentities.peeringAdmin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.*

  • managedidentities.operations.cancel
  • managedidentities.operations.delete
  • managedidentities.operations.get
  • managedidentities.operations.list

managedidentities.peerings.*

  • managedidentities.peerings.create
  • managedidentities.peerings.delete
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.peerings.setIamPolicy
  • managedidentities.peerings.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.peeringViewer)

Read-only access to Google Cloud Managed Identities Peering and related resources.

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.serviceAgent)

Gives Managed Identities service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.routes.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

telemetry.metrics.write

(roles/managedidentities.viewer)

Read-only access to Google Cloud Managed Identities Domains and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.locations.*

  • managedidentities.locations.get
  • managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.*

  • managedidentities.sqlintegrations.get
  • managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

如需详细了解 IAM 角色,请参阅 了解角色