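App Engine roles and permissions

This page lists the IAM roles and permissions for App Engine. To search through all roles and permissions, see the role and permission index.

App Engine roles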

Role Permissions

(roles/appengine.appAdmin)

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.applications.update

appengine.instances.*

  • appengine.instances.delete
  • appengine.instances.enableDebug
  • appengine.instances.get
  • appengine.instances.list

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.runtimes.actAsAdmin

appengine.services.*

  • appengine.services.delete
  • appengine.services.get
  • appengine.services.list
  • appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.projectsettings.get

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appCreator)

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appViewer)

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.codeViewer)

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.getFileContents

appengine.versions.list

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.debugger)

Ability to read or manage v2 instances.

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.*

  • appengine.instances.delete
  • appengine.instances.enableDebug
  • appengine.instances.get
  • appengine.instances.list

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.deployer)

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.projectsettings.get

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.memcacheDataAdmin)

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.serviceAdmin)

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

  • appengine.operations.get
  • appengine.operations.list

appengine.services.*

  • appengine.services.delete
  • appengine.services.get
  • appengine.services.list
  • appengine.services.update

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.projectsettings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.serviceAgent)

Gives the App Engine Standard Environment service account access to managed resources. Includes access to service accounts.

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

  • artifactregistry.locations.get
  • artifactregistry.locations.list

artifactregistry.mavenartifacts.*

  • artifactregistry.mavenartifacts.get
  • artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

  • artifactregistry.npmpackages.get
  • artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

  • artifactregistry.pythonpackages.get
  • artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

datastore.databases.get

datastore.entities.create

datastore.entities.delete

datastore.entities.get

datastore.entities.list

datastore.entities.update

datastore.indexes.list

datastore.namespaces.*

  • datastore.namespaces.get
  • datastore.namespaces.list

datastore.statistics.*

  • datastore.statistics.get
  • datastore.statistics.list

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

serviceusage.services.enable

serviceusage.services.get

storage.buckets.create

storage.buckets.get

App Engine permissions

Permission Roles that have this permission

Owner (roles/owner)

App Engine Creator (roles/appengine.appCreator)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Memcache Data Admin (roles/appengine.memcacheDataAdmin)

App Engine Service Admin (roles/appengine.serviceAdmin)

Cloud Scheduler Admin (roles/cloudscheduler.admin)

Cloud Scheduler Job Runner (roles/cloudscheduler.jobRunner)

Cloud Scheduler Viewer (roles/cloudscheduler.viewer)

Web Security Scanner Editor (roles/cloudsecurityscanner.editor)

Cloud Datastore Import Export Admin (roles/datastore.importExportAdmin)

Cloud Datastore Index Admin (roles/datastore.indexAdmin)

Cloud Datastore Owner (roles/datastore.owner)

Cloud Datastore User (roles/datastore.user)

Cloud Datastore Viewer (roles/datastore.viewer)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Firebase Admin SDK Administrator Service Agent (roles/firebase.sdkAdminServiceAgent)

Firebase Extensions API Service Agent (roles/firebasemods.serviceAgent)

Security Center Admin (roles/securitycenter.admin)

Security Center Admin Editor (roles/securitycenter.adminEditor)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Managed VM Debug Access (roles/appengine.debugger)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Memcache Data Admin (roles/appengine.memcacheDataAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Memcache Data Admin (roles/appengine.memcacheDataAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Memcache Data Admin (roles/appengine.memcacheDataAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Memcache Data Admin (roles/appengine.memcacheDataAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Deployer (roles/appengine.deployer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles

Owner (roles/owner)

App Engine Code Viewer (roles/appengine.codeViewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

App Engine Admin (roles/appengine.appAdmin)

App Engine Viewer (roles/appengine.appViewer)

App Engine Code Viewer (roles/appengine.codeViewer)

App Engine Managed VM Debug Access (roles/appengine.debugger)

App Engine Deployer (roles/appengine.deployer)

App Engine Service Admin (roles/appengine.serviceAdmin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

App Engine Admin (roles/appengine.appAdmin)

App Engine Service Admin (roles/appengine.serviceAdmin)

Service agent roles