Workflows 角色和权限

本页介绍了可用于控制对 Workflows 资源的访问权限的 Identity and Access Management (IAM) 角色和权限。

概览

Workflows 使用 IAM 进行访问权限控制。

如需详细了解如何使用 IAM 访问权限控制权限,请参阅管理项目、文件夹和组织的访问权限

每种 Workflows 方法都要求调用者拥有必要的权限。如需查看 Workflows 支持的角色及其对应的权限列表,请参阅本文档中的 Workflows 角色部分。

Workflows 权限

下表介绍了 Workflows 中可用的权限。

权限 定义
workflows.callbacks.list 列出工作流执行的回调。
workflows.callbacks.send 触发工作流执行回调。
workflows.executions.cancel 取消工作流执行操作,但不删除跟踪记录。
workflows.executions.create 触发工作流执行操作。
workflows.executions.get 获取工作流执行操作的最新状态。
workflows.executions.list 列出工作流的执行操作。
workflows.locations.get 获取工作流的位置。
workflows.locations.list 列出可提供相应服务的位置。
workflows.operations.cancel 取消长时间运行的操作。
workflows.operations.get 获取长时间运行的操作的详细信息。
workflows.operations.list 获取长时间运行的操作的列表。
workflows.stepEntries.get 获取工作流执行的步骤条目。
workflows.stepEntries.list 列出工作流执行的步骤条目。
workflows.workflows.create 创建和部署新的工作流。
workflows.workflows.delete 删除现有工作流。
workflows.workflows.get 获取工作流的设置,包括源代码、标签和说明。
workflows.workflows.list 列出项目中的工作流。
workflows.workflows.listRevision 列出工作流的修订版本。
workflows.workflows.update 更新工作流的设置,包括其源代码、标签和说明。

Workflows 角色

下表列出了工作流预定义的 IAM 角色以及每个角色包含的所有权限的列表。

可用角色可满足大多数典型的使用场景。如果预定义角色无法满足您的用例,您可以创建 IAM 自定义角色

Role Permissions

(roles/workflows.admin)

Full access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

(roles/workflows.editor)

Read and write access to workflows and related resources, including development and debugging of workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

(roles/workflows.invoker)

Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.*

  • workflows.callbacks.list
  • workflows.callbacks.send

workflows.executions.*

  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list

workflows.stepEntries.*

  • workflows.stepEntries.get
  • workflows.stepEntries.list

(roles/workflows.serviceAgent)

Gives Cloud Workflows service account access to managed resources.

container.clusters.connect

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

serviceusage.services.use

(roles/workflows.viewer)

Read-only access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.list

workflows.executions.get

workflows.executions.list

workflows.locations.*

  • workflows.locations.get
  • workflows.locations.list

workflows.operations.get

workflows.operations.list

workflows.stepEntries.*

  • workflows.stepEntries.get
  • workflows.stepEntries.list

workflows.workflows.get

workflows.workflows.list

workflows.workflows.listEffectiveTags

workflows.workflows.listRevision

workflows.workflows.listTagBindings

后续步骤

创建和管理自定义角色