预定义 Cloud SQL IAM 角色
Cloud SQL 提供了一些预定义角色,您可以使用这些角色来为项目成员提供更细粒度的权限。
您授予某项目成员的角色决定了该成员可以执行的操作。项目成员可以是个人、群组或服务账号。 如果您拥有相关权限,可向同一项目成员授予多个角色,还可随时更改授予某项目成员的角色。
权限范围较广的角色拥有权限范围较窄的角色的所有权限。例如,Cloud SQL 编辑者角色不但拥有 Cloud SQL 查看者角色的所有权限,还拥有额外的专有权限。
同样,Cloud SQL Admin 角色不但拥有 Cloud SQL Editor 角色的所有权限,还添加了一些专有权限。
基本角色(Owner、Editor、Viewer)提供对整个 Google Cloud 的权限。Cloud SQL 专有角色仅提供 Cloud SQL 权限,但以下 Google Cloud 权限除外,因为这些是 Google Cloud 常规使用所需的权限:
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.use
下表列出了适用于 Cloud SQL 的预定义角色及其所含 Cloud SQL 权限:
角色 名称 |
说明 Cloud SQL 权限 |
---|---|
roles/owner Owner |
对所有 Google Cloud 资源拥有完整访问权限和控制权;管理用户访问权限。cloudsql.* |
roles/editor Editor |
对所有 Google Cloud 和 Cloud SQL 资源拥有读写权限(拥有完全控制权,但不能修改权限) 除以下权限以外的所有 cloudsql 权限cloudsql.*.getIamPolicy
cloudsql.*.setIamPolicy |
roles/viewer Viewer |
对所有 Google Cloud 资源(包括 Cloud SQL 资源)拥有只读权限。cloudsql.*.export cloudsql.*.get cloudsql.*.list |
roles/cloudsql.admin Cloud SQL Admin |
对所有 Cloud SQL 资源拥有完全控制权。cloudsql.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlInstancePerformanceInsights.* recommender.cloudsqlInstancePerformanceRecommendations.* recommender.cloudsqlUnderProvisionedInstanceRecommendations.* recommender.cloudsqlInstanceOomProbabilityInsights.* recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.* recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*
|
roles/cloudsql.editor Cloud SQL Editor |
管理 Cloud SQL 资源。 不能查看或修改权限,也不能修改用户或 sslCert。不能导入数据或从备份恢复实例,也不能克隆、删除或升级实例。不能启动或停止副本。不能删除数据库、副本或备份。cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.migrate cloudsql.instances.reencrypt cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.schemas.view
cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.update recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstanceOutOfDiskRecommendations.update
recommender.cloudsqlInstancePerformanceInsights.get recommender.cloudsqlInstancePerformanceInsights.list recommender.cloudsqlInstancePerformanceInsights.update recommender.cloudsqlInstancePerformanceRecommendations.get recommender.cloudsqlInstancePerformanceRecommendations.list recommender.cloudsqlInstancePerformanceRecommendations.update recommender.cloudsqlUnderProvisionedInstanceRecommendations.get recommender.cloudsqlUnderProvisionedInstanceRecommendations.list recommender.cloudsqlUnderProvisionedInstanceRecommendations.update recommender.cloudsqlInstanceOomProbabilityInsights.get recommender.cloudsqlInstanceOomProbabilityInsights.list recommender.cloudsqlInstanceOomProbabilityInsights.update recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update
|
roles/cloudsql.viewer Cloud SQL Viewer |
对所有 Cloud SQL 资源拥有只读权限。cloudsql.*.export cloudsql.*.get cloudsql.*.list cloudsql.instances.listServerCas recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstancePerformanceInsights.get recommender.cloudsqlInstancePerformanceInsights.list recommender.cloudsqlInstancePerformanceRecommendations.get recommender.cloudsqlInstancePerformanceRecommendations.list recommender.cloudsqlUnderProvisionedInstanceRecommendations.get recommender.cloudsqlUnderProvisionedInstanceRecommendations.list recommender.cloudsqlInstanceOomProbabilityInsights.get recommender.cloudsqlInstanceOomProbabilityInsights.list recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
|
roles/cloudsql.client Cloud SQL Client |
拥有从 App Engine 和 Cloud SQL Auth 代理连接到 Cloud SQL 实例的权限。使用 IP 地址访问实例时不需要此角色。cloudsql.instances.connect cloudsql.instances.get
|
roles/cloudsql.instanceUser Cloud SQL Instance User |
此角色可访问 Cloud SQL 实例。cloudsql.instances.get cloudsql.instances.login
|
roles/cloudsql.schemaViewer Cloud SQL Schema Viewer |
此角色可访问 Dataplex 中的 Cloud SQL 实例架构。cloudsql.schemas.view
|
权限及其对应的角色
下表列出了 Cloud SQL 支持的各项权限、可提供该权限的 Cloud SQL 角色及其基本角色。
权限 | Cloud SQL 角色 | 旧版角色 |
---|---|---|
cloudsql.backupRuns.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.backupRuns.delete |
Cloud SQL Admin | Editor |
cloudsql.backupRuns.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.backupRuns.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.create |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.databases.delete |
Cloud SQL Admin | Editor |
cloudsql.databases.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.getIamPolicy |
Cloud SQL Admin | Owner |
cloudsql.databases.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.databases.setIamPolicy |
Cloud SQL Admin | Owner |
cloudsql.databases.update |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.addServerCa |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.clone |
Cloud SQL Admin | Editor |
cloudsql.instances.connect |
Cloud SQL Admin Cloud SQL Client Cloud SQL Editor |
编辑者 |
cloudsql.instances.create |
Cloud SQL Admin | Editor |
cloudsql.instances.delete |
Cloud SQL Admin | Editor |
cloudsql.instances.demoteMaster |
Cloud SQL Admin | Editor |
cloudsql.instances.executeSql |
Cloud SQL Admin | Owner |
cloudsql.instances.export |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instances.failover |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.get |
Cloud SQL Admin Cloud SQL Client Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instances.getIamPolicy |
Cloud SQL Admin | Owner |
cloudsql.instances.import |
Cloud SQL Admin | Editor |
cloudsql.instances.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.instances.listServerCas |
Cloud SQL Viewer | Viewer |
cloudsql.instances.promoteReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.resetSslConfig |
Cloud SQL Admin | Editor |
cloudsql.instances.reencrypt |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.restart |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.restoreBackup |
Cloud SQL Admin | Editor |
cloudsql.instance.rotateServerCa |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.setIamPolicy |
Cloud SQL Admin | Owner |
cloudsql.instances.startReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.stopReplica |
Cloud SQL Admin | Editor |
cloudsql.instances.truncateLog |
Cloud SQL Admin Cloud SQL Editor |
Editor |
cloudsql.instances.update |
Cloud SQL Admin Cloud SQL Editor |
编辑者 |
cloudsql.schemas.view |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Schema Viewer |
查看者 |
cloudsql.sslCerts.create |
Cloud SQL Admin | Editor |
cloudsql.sslCerts.delete |
Cloud SQL Admin | Editor |
cloudsql.sslCerts.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.sslCerts.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.users.create |
Cloud SQL Admin | Editor |
cloudsql.users.delete |
Cloud SQL Admin | Editor |
cloudsql.users.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
Viewer |
cloudsql.users.update |
Cloud SQL Admin | Editor |
recommender.cloudsqlInstanceDiskUsageTrendInsights.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceDiskUsageTrendInsights.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceDiskUsageTrendInsights.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstanceOutOfDiskRecommendations.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceOutOfDiskRecommendations.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceOutOfDiskRecommendations.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstancePerformanceInsights.get
|
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstancePerformanceInsights.list
|
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstancePerformanceInsights.update
|
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstancePerformanceRecommendations.get
|
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstancePerformanceRecommendations.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstancePerformanceRecommendations.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstanceOomProbabilityInsights.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceOomProbabilityInsights.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceOomProbabilityInsights.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
recommender.cloudsqlUnderProvisionedInstanceRecommendations.get |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list |
Cloud SQL Admin Cloud SQL Editor Cloud SQL Viewer |
不适用 |
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update |
Cloud SQL Admin Cloud SQL Editor |
不适用 |
自定义角色
如果预定义角色不能满足您的独特业务需求,您可以使用指定的权限定义自己的自定义角色。为此,IAM 提供了自定义角色。
为 Cloud SQL 创建自定义角色时,如果要添加 cloudsql.instances.list
或 cloudsql.instances.get
,请务必同时添加这两项权限。否则,Google Cloud 控制台将无法正常处理 Cloud SQL。