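Access control with IAM

Service Usage uses Identity and Access Management (IAM) to control access to services. This page describes the IAM roles and permissions that relate to Service Usage and how to use them to control access.

Resource model

For Service Usage, three resources are relevant:

  1. The service that you use.

  2. The project from which you use the service.

  3. The operations, or long-running operations, returned by some methods.

Each Service Usage method requires permission to access one or more of these resources.

IAM permissions

The following table lists the permissions required for each Service Usage API method. This information is also available in the API reference documentation.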

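| Method | Required permissions |
|---|---|
| services.batchEnable | On the project: serviceusage.services.enable; on the service: servicemanagement.services.bind |
| services.enable | On the project: serviceusage.services.enable; on the service: servicemanagement.services.bind |
| services.disable | On the project: serviceusage.services.disable |
| services.get | On the project: serviceusage.services.get |
| services.list | On the project: serviceusage.services.list |
| services.consumerQuotaMetrics.list | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.get | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.limits.get | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.limits.consumerOverrides.list | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.limits.adminOverrides.list | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.limits.producerOverrides.list | On the project: serviceusage.quota.get; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.consumerOverrides.create | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.consumerOverrides.patch | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| services.consumerQuotaMetrics.consumerOverrides.delete | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| services.adminQuotaMetrics.adminOverrides.create | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| services.adminQuotaMetrics.adminOverrides.patch | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| services.adminQuotaMetrics.adminOverrides.delete | On the project: serviceusage.quota.update; on the service: servicemanagement.services.bind |
| Using a project for quota and billing purposes. For details, see System Parameters. | On the project: serviceusage.services.use |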

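IAM roles

With IAM, you grant roles to users, and the roles give them permissions. The following tables list the IAM basic roles and predefined roles, together with the Service Usage permissions that each role includes.

For more information about roles, see Understanding roles.

Basic roles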

| Name | Title | Permissions |
|---|---|---|
| roles/viewer | Viewer | serviceusage.services.get, serviceusage.services.list, serviceusage.quotas.get |
| roles/editor, roles/owner | Editor, Owner | serviceusage.services.get, serviceusage.services.list, serviceusage.services.disable, serviceusage.services.enable, serviceusage.services.use, serviceusage.quotas.get, serviceusage.quotas.update |

Predefined roles

| Role | Description | Permissions |
|---|---|---|
| roles/serviceusage.apiKeysAdmin | Ability to create, delete, update, get and list API keys for a project. | apikeys.* (apikeys.keys.create, apikeys.keys.delete, apikeys.keys.get, apikeys.keys.getKeyString, apikeys.keys.list, apikeys.keys.lookup, apikeys.keys.undelete, apikeys.keys.update); orgpolicy.policy.get; serviceusage.apiKeys.* (serviceusage.apiKeys.regenerate, serviceusage.apiKeys.revert) |
| roles/serviceusage.apiKeysViewer | Ability to get and list API keys for a project. | apikeys.keys.get; apikeys.keys.getKeyString; apikeys.keys.list; apikeys.keys.lookup |
| roles/serviceusage.serviceUsageAdmin | Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. | monitoring.timeSeries.list; serviceusage.quotas.* (serviceusage.quotas.get, serviceusage.quotas.update); serviceusage.services.* (serviceusage.services.disable, serviceusage.services.enable, serviceusage.services.get, serviceusage.services.list, serviceusage.services.use) |
| roles/serviceusage.serviceUsageConsumer | Ability to inspect service states and operations, and consume quota and billing for a consumer project. | monitoring.timeSeries.list; serviceusage.quotas.get; serviceusage.services.get; serviceusage.services.list; serviceusage.services.use |
| roles/serviceusage.serviceUsageViewer | Ability to inspect service states and operations for a consumer project. | monitoring.timeSeries.list; serviceusage.quotas.get; serviceusage.services.get; serviceusage.services.list |
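
An added example, not part of the original page and not Google's code: a least-privilege check that flags basic-role bindings granting more Service Usage access than a member needs, and names the narrowest predefined role from the tables on this page. The policy and the per-member method lists are constructed sample data, and only the serviceusage.* permissions listed on this page are modeled.

```python
# Project-level permission each method needs (permissions table on this page).
# servicemanagement.services.bind is granted on the service and is not modeled.
METHOD_PERMS = {
    "services.batchEnable": {"serviceusage.services.enable"},
    "services.enable": {"serviceusage.services.enable"},
    "services.disable": {"serviceusage.services.disable"},
    "services.get": {"serviceusage.services.get"},
    "services.list": {"serviceusage.services.list"},
}
# serviceusage.* permissions per role (role tables on this page).
VIEW = {"serviceusage.services.get", "serviceusage.services.list", "serviceusage.quotas.get"}
FULL = VIEW | {"serviceusage.services.enable", "serviceusage.services.disable",
               "serviceusage.services.use", "serviceusage.quotas.update"}
BASIC = {"roles/viewer": VIEW, "roles/editor": FULL, "roles/owner": FULL}
PREDEFINED = {
    "roles/serviceusage.serviceUsageViewer": VIEW,
    "roles/serviceusage.serviceUsageConsumer": VIEW | {"serviceusage.services.use"},
    "roles/serviceusage.serviceUsageAdmin": FULL,
}

def required(methods):
    """Union of project-level permissions for the given API methods."""
    return set().union(*(METHOD_PERMS[m] for m in methods))

def narrowest_role(methods):
    """Predefined role with the fewest permissions that covers `methods`."""
    need = required(methods)
    fits = [r for r, p in PREDEFINED.items() if need and need <= p]
    return min(fits, key=lambda r: (len(PREDEFINED[r]), r), default=None)

def audit(policy, needs):
    """Report members whose basic role exceeds their Service Usage needs."""
    findings = []
    for binding in policy["bindings"]:
        granted = BASIC.get(binding["role"], set())  # non-basic roles: nothing to flag
        for member in binding["members"]:
            methods = needs.get(member, [])
            excess = sorted(granted - required(methods))
            if excess:
                findings.append((member, binding["role"], narrowest_role(methods), excess))
    return findings

# Constructed sample: shape of an IAM policy, plus the methods each member calls.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:ci-reader@example.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["user:platform@example.com"]},
]}
SAMPLE_NEEDS = {"user:ci-reader@example.com": ["services.get", "services.list"]}
```

Calling audit(SAMPLE_POLICY, SAMPLE_NEEDS) returns one finding per over-privileged member: the member, the basic role held, the suggested predefined role, and the unused permissions.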