此页面由 Cloud Translation API 翻译。

使用 IAM 进行访问权限控制

Service Usage 使用 Identity and Access Management (IAM) 来控制对服务的访问权限。本页面说明了与 Service Usage 相关的 IAM 角色和权限，以及如何使用这些角色和权限来控制访问。

资源模型

对 Service Usage 而言，相关资源有三个：

您所使用的服务。
您从中使用该服务的项目。
某些方法返回的操作或长时间运行操作。

每种 Service Usage 方法都需要拥有访问其中一个或多个资源的权限。

IAM 权限

下表显示了每个 Service Usage API 方法所需的权限。您还可以在 API 参考文档中找到此信息。

方法	所需权限
`services.batchEnable`	针对项目：`serviceusage.services.enable` 针对服务：`servicemanagement.services.bind`
`services.enable`	针对项目：`serviceusage.services.enable` 针对服务：`servicemanagement.services.bind`
`services.disable`	针对项目：`serviceusage.services.disable`
`services.get`	针对项目：`serviceusage.services.get`
`services.list`	针对项目：`serviceusage.services.list`
`services.consumerQuotaMetrics.list services.consumerQuotaMetrics.get services.consumerQuotaMetrics.limits.get services.consumerQuotaMetrics.limits.consumerOverrides.list services.consumerQuotaMetrics.limits.adminOverrides.list services.consumerQuotaMetrics.limits.producerOverrides.list`	针对项目：`serviceusage.quota.get` 针对服务：`servicemanagement.services.bind`
`services.consumerQuotaMetrics.consumerOverrides.create services.consumerQuotaMetrics.consumerOverrides.patch services.consumerQuotaMetrics.consumerOverrides.delete services.adminQuotaMetrics.adminOverrides.create services.adminQuotaMetrics.adminOverrides.patch services.adminQuotaMetrics.adminOverrides.delete`	针对项目：`serviceusage.quota.update` 针对服务：`servicemanagement.services.bind`
使用项目进行配额计算和结算。如需了解详情，请参阅系统参数。	针对项目：`serviceusage.services.use`

IAM 角色

借助 IAM，您可以为用户授予角色，从而为其提供权限。下表列出了 IAM 基本角色和预定义角色，以及这些角色具有的与 Service Usage 相关的权限。

如需详细了解角色，请参阅了解角色。

基本角色

名称称谓权限

roles/viewer Viewer serviceusage.services.get
serviceusage.services.list
serviceusage.quotas.get

名称	称谓	权限
`roles/viewer`	Viewer	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
`roles/editor` `roles/owner`	Editor 所有者	serviceusage.services.get serviceusage.services.list serviceusage.services.disable serviceusage.services.enable serviceusage.services.use serviceusage.quotas.get serviceusage.quotas.update

roles/editor

roles/owner

Editor

所有者

serviceusage.services.get
serviceusage.services.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.use
serviceusage.quotas.get
serviceusage.quotas.update

预定义角色

Role Permissions

Role	Permissions
API Keys Admin (`roles/serviceusage.apiKeysAdmin`) Ability to create, delete, update, get and list API keys for a project.	`apikeys.` `apikeys.keys.create` `apikeys.keys.delete` `apikeys.keys.get` `apikeys.keys.getKeyString` `apikeys.keys.list` `apikeys.keys.lookup` `apikeys.keys.undelete` `apikeys.keys.update` `orgpolicy.policy.get` `serviceusage.apiKeys.` `serviceusage.apiKeys.regenerate` `serviceusage.apiKeys.revert`
API Keys Viewer (`roles/serviceusage.apiKeysViewer`) Ability to get and list API keys for a project.	`apikeys.keys.get` `apikeys.keys.getKeyString` `apikeys.keys.list` `apikeys.keys.lookup`
Service Usage Admin (`roles/serviceusage.serviceUsageAdmin`) Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	`monitoring.timeSeries.list` `serviceusage.quotas.` `serviceusage.quotas.get` `serviceusage.quotas.update` `serviceusage.services.` `serviceusage.services.disable` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use`
Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`) Ability to inspect service states and operations, and consume quota and billing for a consumer project.	`monitoring.timeSeries.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list` `serviceusage.services.use`
Service Usage Viewer (`roles/serviceusage.serviceUsageViewer`) Ability to inspect service states and operations for a consumer project.	`monitoring.timeSeries.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

API Keys Admin

(roles/serviceusage.apiKeysAdmin)

Ability to create, delete, update, get and list API keys for a project.

apikeys.*

apikeys.keys.create
apikeys.keys.delete
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
apikeys.keys.undelete
apikeys.keys.update

orgpolicy.policy.get

serviceusage.apiKeys.*

serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert

API Keys Viewer

(roles/serviceusage.apiKeysViewer)

Ability to get and list API keys for a project.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

Service Usage Admin

(roles/serviceusage.serviceUsageAdmin)

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.*

serviceusage.quotas.get
serviceusage.quotas.update

serviceusage.services.*

serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Service Usage Consumer

(roles/serviceusage.serviceUsageConsumer)

Ability to inspect service states and operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

Service Usage Viewer

(roles/serviceusage.serviceUsageViewer)

Ability to inspect service states and operations for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list