主體存取邊界政策封鎖的權限

當主體嘗試存取不符合存取資格的資源時,主體存取邊界政策會禁止主體使用部分 (而非全部) Identity and Access Management (IAM) 權限存取資源。

如果主體存取邊界政策封鎖了某項權限,則 IAM 會強制執行該權限的主體存取邊界政策。換句話說,如果主體不符合存取資源的資格,就無法使用該權限存取資源。

如果主體存取邊界政策未封鎖權限,主體存取邊界政策就不會影響主體是否能使用該權限。

身分與存取權管理系統會定期新增主體存取邊界強制執行版本,這些版本可能會封鎖額外權限。新版本也可以封鎖舊版本的所有權限。

本頁面列出各個強制執行版本可封鎖的權限。

如要進一步瞭解主體存取邊界政策版本號碼,請參閱主體存取邊界政策總覽

強制規定版本 3

強制執行版本為 3 的政策可以封鎖下列強制執行版本中列出的所有權限:

此外,如果政策的強制執行版本為 3,也可能會封鎖下表列出的所有權限。

每個資料列都包含下列資訊:

  • 主體存取邊界政策可封鎖的服務名稱。

  • 主體存取邊界政策可封鎖的服務權限。

    在某些情況下,權限名稱的某個部分會替換為萬用字元 (*)。這種格式表示主體存取邊界政策可以封鎖符合該模式的所有權限。

服務 權限 例外狀況
重要聯絡人
  • essentialcontacts.googleapis.com/contacts.*
    		•
    Identity and Access Management
  • iam.googleapis.com/serviceAccounts.*
  • iam.googleapis.com/serviceAccountKeys.*
  • iam.googleapis.com/roles.*
  • iam.googleapis.com/denypolicies.*
    		•
  • iam.googleapis.com/serviceAccounts.createTagBinding
  • iam.googleapis.com/serviceAccounts.deleteTagBinding
  • iam.googleapis.com/serviceAccounts.listTagBindings
  • iam.googleapis.com/serviceAccounts.listEffectiveTags
  • iam.googleapis.com/serviceAccounts.getCertificateAs
    		•
    Dataproc
  • dataproc.googleapis.com/autoscalingPolicies.*
  • dataproc.googleapis.com/batches.*
  • dataproc.googleapis.com/operations.*
  • dataproc.googleapis.com/sessionTemplates.*
  • dataproc.googleapis.com/sessions.*
  • dataproc.googleapis.com/workflowTemplates.*
  • dataproc.googleapis.com/autoscalingPolicies.*
  • dataproc.googleapis.com/clusters.*
  • dataproc.googleapis.com/jobs.*
    		•
    服務管理
  • servicemanagement.googleapis.com/services.check
  • servicemanagement.googleapis.com/services.report
    		•
    Bigtable
  • bigtable.googleapis.com/*.*
    		•
    Cloud Bigtable Admin API
  • bigtableadmin.googleapis.com/*.*
    		•
    Cloud SQL
  • cloudsql.googleapis.com/*.*
    		•
    網路服務
  • networkservices.googleapis.com/endpointPolicies.*
  • networkservices.googleapis.com/gateways.*
  • networkservices.googleapis.com/grpcRoutes.*
  • networkservices.googleapis.com/httpfilters.*
  • networkservices.googleapis.com/httpRoutes.*
  • networkservices.googleapis.com/meshes.*
  • networkservices.googleapis.com/route_views.*
  • networkservices.googleapis.com/serviceBindings.*
  • networkservices.googleapis.com/tcpRoutes.*
  • networkservices.googleapis.com/tlsRoutes.*
  • networkservices.googleapis.com/serviceLbPolicies.*
    		•
    Cloud Service Mesh
  • trafficdirector.googleapis.com/*.*
    		•
    Network Management API
  • networkmanagement.googleapis.com/*.*
    		•
    Compute Engine
  • compute.googleapis.com/healthChecks.*
  • compute.googleapis.com/regionHealthChecks.*
  • compute.googleapis.com/httpHealthChecks.*
  • compute.googleapis.com/httpsHealthChecks.*
  • compute.googleapis.com/forwardingRules.*
  • compute.googleapis.com/globalForwardingRules.*
  • compute.googleapis.com/regionBackendServices.*
  • compute.googleapis.com/targetInstances.*
  • compute.googleapis.com/targetPools.*
  • compute.googleapis.com/firewallPolicies.*
  • compute.googleapis.com/firewalls.*
  • compute.googleapis.com/regionFirewallPolicies.*
  • compute.googleapis.com/backendBuckets.*
  • compute.googleapis.com/backendServices.*
  • compute.googleapis.com/regionSslPolicies.*
  • compute.googleapis.com/regionTargetHttpProxies.*
  • compute.googleapis.com/regionTargetTcpProxies.*
  • compute.googleapis.com/regionUrlMaps.*
  • compute.googleapis.com/sslPolicies.*
  • compute.googleapis.com/targetGrpcProxies.*
  • compute.googleapis.com/targetHttpProxies.*
  • compute.googleapis.com/targetHttpsProxies.*
  • compute.googleapis.com/targetSslProxies.*
  • compute.googleapis.com/targetTcpProxies.*
  • compute.googleapis.com/urlMaps.*
  • compute.googleapis.com/addresses.*
  • compute.googleapis.com/globalAddresses.*
  • compute.googleapis.com/networks.*
  • compute.googleapis.com/packetMirrorings.*
  • compute.googleapis.com/publicAdvertisedPrefixes.*
  • compute.googleapis.com/publicDelegatedPrefixes.*
  • compute.googleapis.com/routes.*
  • compute.googleapis.com/subnetworks.*
  • compute.googleapis.com/externalVpnGateways.*
  • compute.googleapis.com/targetVpnGateways.*
  • compute.googleapis.com/vpnGateways.*
  • compute.googleapis.com/interconnectAttachments.*
  • compute.googleapis.com/interconnectLocations.*
  • compute.googleapis.com/interconnectRemoteLocations.*
  • compute.googleapis.com/interconnects.*
    		•
    Artifact Registry
  • artifactregistry.googleapis.com/*.*
    		•
    Pub/Sub
  • pubsub.googleapis.com/*.*
    		•
    工作流程
  • workflows.googleapis.com/*.*
    		•
    Google Distributed Cloud
  • gkeonprem.googleapis.com/*.*
    		•
    API 金鑰

  • apikeys.googleapis.com/apikeys.*

  • apikeys.googleapis.com/keys.*
    		•
    Cloud DNS
  • dns.googleapis.com/*.*
    		•
    Datastore
  • datastore.googleapis.com/backupSchedules.*
  • datastore.googleapis.com/databases.*
  • datastore.googleapis.com/indexes.*
  • datastore.googleapis.com/entities.*
  • datastore.googleapis.com/operations.*
  • datastore.googleapis.com/userCreds.*
  • datastore.googleapis.com/backups.get
  • datastore.googleapis.com/backups.list
  • datastore.googleapis.com/backups.delete
  • datastore.googleapis.com/locations.*
    		•
    Cloud Key Management Service
  • cloudkms.googleapis.com/ekmConfigs.*
  • cloudkms.googleapis.com/keyRings.*
  • cloudkms.googleapis.com/importJobs.*
  • cloudkms.googleapis.com/cryptoKeyVersions.create
  • cloudkms.googleapis.com/cryptoKeyVersions.get
  • cloudkms.googleapis.com/cryptoKeyVersions.list
  • cloudkms.googleapis.com/cryptoKeyVersions.update
  • cloudkms.googleapis.com/cryptoKeyVersions.restore
  • cloudkms.googleapis.com/cryptoKeyVersions.useToEncrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToDecrypt
  • cloudkms.googleapis.com/cryptoKeyVersions.useToSign
  • cloudkms.googleapis.com/cryptoKeyVersions.useToVerify
  • cloudkms.googleapis.com/cryptoKeyVersions.viewPublicKey
  • cloudkms.googleapis.com/cryptoKeyVersions.destroy
  • cloudkms.googleapis.com/keyHandles.*
  • cloudkms.googleapis.com/autokeyConfigs.*
    		•
  • cloudkms.googleapis.com/importJobs.useToImport
    		•
    機構政策服務
  • orgpolicy.googleapis.com/*.*
    		•
    Dataplex Universal Catalog
  • dataplex.googleapis.com/aspectTypes.*
  • dataplex.googleapis.com/datascans.*
  • dataplex.googleapis.com/entries.*
  • dataplex.googleapis.com/entryTypes.*
  • dataplex.googleapis.com/metadataJobs.*
  • dataplex.googleapis.com/entryGroups.import
  • dataplex.googleapis.com/entryGroups.getIamPolicy
  • dataplex.googleapis.com/entryGroups.setIamPolicy
  • dataplex.googleapis.com/entryGroups.create
  • dataplex.googleapis.com/entryGroups.get
  • dataplex.googleapis.com/entryGroups.update
  • dataplex.googleapis.com/entryGroups.delete
  • dataplex.googleapis.com/entryGroups.list
  • dataplex.googleapis.com/entryGroups.useGenericAspect
  • dataplex.googleapis.com/entryGroups.useContactsAspect
  • dataplex.googleapis.com/entryGroups.useOverviewAspect
  • dataplex.googleapis.com/entryGroups.useSchemaAspect
  • dataplex.googleapis.com/entryGroups.useGenericEntry
    		•
    Data Lineage API
  • datalineage.googleapis.com/locations.*
  • datalineage.googleapis.com/operations.*
  • datalineage.googleapis.com/processes.*
  • datalineage.googleapis.com/runs.*
  • datalineage.googleapis.com/events.*
    		•
    GKE Hub
  • gkehub.googleapis.com/fleets.*
    		•
    Cloud Run 函式
  • cloudfunctions.googleapis.com/*.*
    		•
    Spanner
  • spanner.googleapis.com/*.*
    		•
    Google Kubernetes Engine
  • container.googleapis.com/*.*
    		•

    強制規定版本 2

    如果政策的強制執行版本為 2,則可封鎖「強制執行版本 1」中列出的所有權限。此外,如果政策的強制執行版本為 2,也可能會封鎖下表列出的所有權限。

    每個資料列都包含下列資訊:

    • 主體存取邊界政策可封鎖的服務名稱。

    • 主體存取邊界政策可封鎖的服務權限。

      在某些情況下,權限名稱的某個部分會替換為萬用字元 (*)。這種格式表示主體存取邊界政策可以封鎖符合該模式的所有權限。

    服務 權限 例外狀況
    Access Context Manager
    • accesscontextmanager.googleapis.com/*
    Artifact Analysis
    • containeranalysis.googleapis.com/*
    BigQuery
    • bigquery.googleapis.com/datasets.*
    • bigquery.googleapis.com/jobs.*
    • bigquery.googleapis.com/models.*
    • bigquery.googleapis.com/routines.*
    • bigquery.googleapis.com/rowAccessPolicies.*
    • bigquery.googleapis.com/tables.*
    BigQuery 資料政策
    • bigquerydatapolicy.googleapis.com/*
    BigQuery 資料移轉服務
    • bigquerydatatransfer.googleapis.com/transfers.*
    Chrome Enterprise Premium
    • beyondcorp.googleapis.com/*
    Cloud Asset Inventory
    • cloudasset.googleapis.com/*
    Cloud Billing
    • billing.googleapis.com/budgets.*
    Cloud Build
    • cloudbuild.googleapis.com/*
    Cloud Monitoring
    • monitoring.googleapis.com/*
    • monitoring.googleapis.com/timeSeries.list
    • monitoring.googleapis.com/metricsScopes.link
    Cloud Service Mesh
    • meshconfig.googleapis.com/*
    Cloud Storage
    • storage.googleapis.com/bucketOperations.*
    • storage.googleapis.com/buckets.*
    • storage.googleapis.com/folders.*
    • storage.googleapis.com/hmacKeys.*
    • storage.googleapis.com/managedFolders.*
    • storage.googleapis.com/multipartUploads.*
    • storage.googleapis.com/objects.*
    Cloud Trace
    • cloudtrace.googleapis.com/*
    Compute Engine
    • compute.googleapis.com/networkAttachments.*
    • compute.googleapis.com/networkEdgeSecurityServices.*
    • compute.googleapis.com/regionSecurityPolicies.*
    • compute.googleapis.com/routers.*
    • compute.googleapis.com/serviceAttachments.*
    • compute.googleapis.com/securityPolicies.*
    Firebase 規則
    • firebaserules.googleapis.com/*
    GKE Multi-cloud
    • gkemulticloud.googleapis.com/*
    Identity-Aware Proxy
    • iap.googleapis.com/*
    Memorystore for Redis
    • redis.googleapis.com/*
    Network Management API
    • networkmanagement.googleapis.com/*
    Network Services API
    • networkservices.googleapis.com/edgeCacheOrigins.*
    • networkservices.googleapis.com/edgeCacheKeysets.*
    • networkservices.googleapis.com/edgeCacheServices.*
    reCAPTCHA
    • recaptchaenterprise.googleapis.com/*
    Resource Manager
    • cloudresourcemanager.googleapis.com/*
    • cloudresourcemanager.googleapis.com/*.createPolicyBinding
    • cloudresourcemanager.googleapis.com/*.updatePolicyBinding
    • cloudresourcemanager.googleapis.com/*.deletePolicyBinding
    • cloudresourcemanager.googleapis.com/*.searchPolicyBindings
    Video Stitcher API
    • videostitcher.googleapis.com/*

    強制規定版本 1

    下表列出主體存取邊界政策 (強制執行版本 1) 可封鎖的權限。

    每個資料列都包含下列資訊:

    • 主體存取邊界政策可封鎖的服務名稱。

    • 主體存取邊界政策可封鎖的服務權限。

      在某些情況下,權限名稱的某個部分會替換為萬用字元 (*)。這種格式表示主體存取邊界政策可以封鎖符合該模式的所有權限。

    • 主體存取邊界無法封鎖的服務權限,即使這些權限符合其中一個支援的權限模式也一樣。

    服務 權限 例外狀況
    存取權核准
    • accessapproval.googleapis.com/serviceaccounts.get
    • accessapproval.googleapis.com/settings.*
    • accessapproval.googleapis.com/requests.list
    Access Context Manager
    • accesscontextmanager.googleapis.com/*
    • accesscontextmanager.googleapis.com/gcpUserAccessBindings.*
    BigQuery
    • bigquery.googleapis.com/datasets.create
    • bigquery.googleapis.com/datasets.delete
    • bigquery.googleapis.com/datasets.get
    • bigquery.googleapis.com/datasets.update
    • bigquery.googleapis.com/datasets.setIamPolicy
    • bigquery.googleapis.com/jobs.get
    • bigquery.googleapis.com/jobs.create
    • bigquery.googleapis.com/jobs.delete
    • bigquery.googleapis.com/jobs.list
    • bigquery.googleapis.com/models.create
    • bigquery.googleapis.com/models.delete
    • bigquery.googleapis.com/models.list
    • bigquery.googleapis.com/models.updateMetadata
    • bigquery.googleapis.com/routines.create
    • bigquery.googleapis.com/routines.delete
    • bigquery.googleapis.com/routines.list
    • bigquery.googleapis.com/routines.update
    二進位授權
    • binaryauthorization.googleapis.com/*
    Cloud Logging
    • logging.googleapis.com/logEntries.create
    • logging.googleapis.com/logMetrics.*
    Cloud Run
    • run.googleapis.com/authorizeddomains.*
    • run.googleapis.com/configurations.get
    • run.googleapis.com/configurations.list
    • run.googleapis.com/domainmappings.*
    • run.googleapis.com/executions.*
    • run.googleapis.com/jobs.create
    • run.googleapis.com/jobs.delete
    • run.googleapis.com/jobs.get
    • run.googleapis.com/jobs.list
    • run.googleapis.com/jobs.run
    • run.googleapis.com/revisions.*
    • run.googleapis.com/routes.get
    • run.googleapis.com/routes.list
    • run.googleapis.com/services.create
    • run.googleapis.com/services.delete
    • run.googleapis.com/services.get
    • run.googleapis.com/services.list
    • run.googleapis.com/services.update
    • run.googleapis.com/tasks.*
    Cloud Storage
    • storage.googleapis.com/buckets.get
    • storage.googleapis.com/buckets.update
    • storage.googleapis.com/buckets.list
    • storage.googleapis.com/buckets.getIamPolicy
    • storage.googleapis.com/buckets.setIamPolicy
    • storage.googleapis.com/hmacKeys.update
    • storage.googleapis.com/objects.get
    • storage.googleapis.com/objects.setRetention
    • storage.googleapis.com/objects.delete
    Dataflow
    • dataflow.googleapis.com/jobs.*
    • dataflow.googleapis.com/metrics.get
    • dataflow.googleapis.com/workItems.*
    • dataflow.googleapis.com/messages.list
    • dataflow.googleapis.com/snapshots.list
    • dataflow.googleapis.com/jobs.snapshot
    Datastore
    • datastore.googleapis.com/databases.get
    • datastore.googleapis.com/databases.getMetadata
    • datastore.googleapis.com/databases.create
    • datastore.googleapis.com/databases.delete
    • datastore.googleapis.com/databases.list
    Firebase 安全性規則
    • firebaserules.googleapis.com/*
    GKE Hub
    • gkehub.googleapis.com/features.*
    • gkehub.googleapis.com/fleet.create
    • gkehub.googleapis.com/fleet.get
    • gkehub.googleapis.com/fleet.patch
    • gkehub.googleapis.com/locations.*
    • gkehub.googleapis.com/membershipbindings.*
    • gkehub.googleapis.com/memberships.*
    • gkehub.googleapis.com/rbacrolebindings.*
    • gkehub.googleapis.com/scopes.*
    • gkehub.googleapis.com/*.createTagBinding
    • gkehub.googleapis.com/*.deleteTagBinding
    • gkehub.googleapis.com/*.listEffectiveTags
    • gkehub.googleapis.com/*.listTagBindings
    Pub/Sub
    • pubsub.googleapis.com/*
    • pubsub.googleapis.com/schemas.delete
    • pubsub.googleapis.com/schemas.validate
    • pubsub.googleapis.com/subscriptions.consume
    • pubsub.googleapis.com/*.getIamPolicy
    • pubsub.googleapis.com/*.setIamPolicy
    Memorystore for Redis
    • redis.googleapis.com/instances.create
    • redis.googleapis.com/instances.delete
    • redis.googleapis.com/instances.get
    • redis.googleapis.com/instances.failover
    • redis.googleapis.com/instances.getAuthString
    • redis.googleapis.com/instances.list
    • redis.googleapis.com/instances.upgrade
    • redis.googleapis.com/instances.update
    Vertex AI
    • aiplatform.googleapis.com/*
    • aiplatform.googleapis.com/operations.*