使用 IAM 控管存取權
透過集合功能整理內容
你可以依據偏好儲存及分類內容。
當您建立 Google Cloud 專案時,您是專案的唯一使用者。根據預設,其他使用者都不能存取您的專案或專案資源。身分與存取權管理 (IAM) 會管理叢集等 Google Cloud 資源的存取權。權限會指派給 IAM 主體。
IAM 可讓您將角色授予主體。角色其實就是一組權限,指派給主體後,即可控制一或多項 Google Cloud 資源的存取權。您可以使用下列類型的角色:
- 基本角色提供限於擁有者、編輯者和檢視者的粗略權限。
- 預先定義角色:提供比基本角色更精細的存取權,且適用於許多常見用途。
- 自訂角色可讓您建立唯一的權限組合。
主體可以是下列任一項:
- 使用者帳戶
- 服務帳戶
- Google Workspace Google 群組
- Google Workspace 網域
- Cloud Identity 網域
IAM 政策類型
IAM 支援下列政策類型:
- 允許政策:將角色授予主體。詳情請參閱「允許政策」。
- 拒絕政策:無論主體獲得何種角色,都能防止主體使用特定身分與存取權管理權限。詳情請參閱「拒絕政策」。
使用拒絕政策,限制特定主體在專案、資料夾或機構中執行特定動作,即使 IAM 允許政策授予這些主體包含相關權限的角色,也一樣。
預先定義的角色
IAM 提供預先定義的角色,可授予特定 Google Cloud 資源的精細存取權,並防止其他資源遭到未經授權的存取。 Google Cloud 會建立及維護這些角色,並視需要自動更新權限,例如 Google Cloud Observability 新增新功能時。
Google Cloud Observability 的預先定義角色包含跨多個產品領域的功能權限。因此,您可能會在這些產品領域的預先定義角色中,看到 observability.scopes.get 等權限。舉例來說,除了許多記錄專屬權限外,「記錄檢視者」角色 (roles/logging.viewer) 還包含 observability.scopes.get 權限。
下表列出 Google Cloud Observability 的預先定義角色。表格會針對每個角色顯示角色名稱、說明、包含的權限,以及可授予角色的最低層級資源類型。您可以在 Google Cloud 專案層級授予預先定義的角色,或在大多數情況下,授予資源階層中較高層級的任何類型角色。
如要取得角色包含的所有個別權限清單,請參閱「取得角色中繼資料」一文。
觀測角色
| Role |
Permissions |
Observability Admin
Beta
(roles/observability.admin)
Full access to Observability resources.
|
observability.*
observability.analyticsViews.createobservability.analyticsViews.deleteobservability.analyticsViews.getobservability.analyticsViews.listobservability.analyticsViews.updateobservability.buckets.createobservability.buckets.deleteobservability.buckets.getobservability.buckets.listobservability.buckets.undeleteobservability.buckets.updateobservability.datasets.createobservability.datasets.deleteobservability.datasets.getobservability.datasets.listobservability.datasets.undeleteobservability.datasets.updateobservability.links.createobservability.links.deleteobservability.links.getobservability.links.listobservability.links.updateobservability.operations.cancelobservability.operations.deleteobservability.operations.getobservability.operations.listobservability.scopes.getobservability.scopes.updateobservability.traceScopes.createobservability.traceScopes.deleteobservability.traceScopes.getobservability.traceScopes.listobservability.traceScopes.updateobservability.views.accessobservability.views.createobservability.views.deleteobservability.views.getobservability.views.listobservability.views.update
|
Observability Analytics User
Beta
(roles/observability.analyticsUser)
Grants permissions to use Cloud Observability Analytics.
|
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
observability.analyticsViews.*
observability.analyticsViews.createobservability.analyticsViews.deleteobservability.analyticsViews.getobservability.analyticsViews.listobservability.analyticsViews.update
observability.buckets.get
observability.buckets.list
observability.datasets.get
observability.datasets.list
observability.links.get
observability.links.list
observability.operations.get
observability.operations.list
observability.scopes.get
observability.traceScopes.get
observability.traceScopes.list
observability.views.get
observability.views.list
|
Observability Editor
Beta
(roles/observability.editor)
Edit access to Observability resources.
|
observability.analyticsViews.*
observability.analyticsViews.createobservability.analyticsViews.deleteobservability.analyticsViews.getobservability.analyticsViews.listobservability.analyticsViews.update
observability.buckets.create
observability.buckets.get
observability.buckets.list
observability.buckets.update
observability.datasets.create
observability.datasets.get
observability.datasets.list
observability.datasets.update
observability.links.*
observability.links.createobservability.links.deleteobservability.links.getobservability.links.listobservability.links.update
observability.operations.*
observability.operations.cancelobservability.operations.deleteobservability.operations.getobservability.operations.list
observability.scopes.*
observability.scopes.getobservability.scopes.update
observability.traceScopes.*
observability.traceScopes.createobservability.traceScopes.deleteobservability.traceScopes.getobservability.traceScopes.listobservability.traceScopes.update
observability.views.create
observability.views.delete
observability.views.get
observability.views.list
observability.views.update
|
Observability Scopes Editor
Beta
(roles/observability.scopesEditor)
Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes
|
logging.logScopes.*
logging.logScopes.createlogging.logScopes.deletelogging.logScopes.getlogging.logScopes.listlogging.logScopes.update
monitoring.metricsScopes.link
observability.scopes.*
observability.scopes.getobservability.scopes.update
observability.traceScopes.*
observability.traceScopes.createobservability.traceScopes.deleteobservability.traceScopes.getobservability.traceScopes.listobservability.traceScopes.update
|
Observability Service Agent
(roles/observability.serviceAgent)
Grants Observability service account the ability to list, create and link datasets in the consumer project.
|
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.link
|
Observability View Accessor
Beta
(roles/observability.viewAccessor)
Read only access to data defined by an Observability View.
|
observability.views.access
|
Observability Viewer
Beta
(roles/observability.viewer)
Read only access to Observability resources.
|
observability.analyticsViews.get
observability.analyticsViews.list
observability.buckets.get
observability.buckets.list
observability.datasets.get
observability.datasets.list
observability.links.get
observability.links.list
observability.operations.get
observability.operations.list
observability.scopes.get
observability.traceScopes.get
observability.traceScopes.list
observability.views.get
observability.views.list
|
Telemetry API 角色
| Role |
Permissions |
Cloud Telemetry Metrics Writer
(roles/telemetry.metricsWriter)
Access to write metrics.
|
telemetry.metrics.write
|
Integrated Service Telemetry Logs Writer
Beta
(roles/telemetry.serviceLogsWriter)
Allows an onboarded service to write log data to a destination.
|
telemetry.consumers.writeLogs
|
Integrated Service Telemetry Metrics Writer
Beta
(roles/telemetry.serviceMetricsWriter)
Allows an onboarded service to write metrics data to a destination.
|
telemetry.consumers.writeMetrics
|
Integrated Service Telemetry Writer
Beta
(roles/telemetry.serviceTelemetryWriter)
Allows an onboarded service to write all telemetry data to a destination.
|
telemetry.consumers.*
telemetry.consumers.writeLogstelemetry.consumers.writeMetricstelemetry.consumers.writeTraces
|
Integrated Service Telemetry Traces Writer
Beta
(roles/telemetry.serviceTracesWriter)
Allows an onboarded service to write trace data to a destination.
|
telemetry.consumers.writeTraces
|
Cloud Telemetry Traces Writer
(roles/telemetry.tracesWriter)
Access to write trace spans.
|
telemetry.traces.write
|
Cloud Telemetry Writer
(roles/telemetry.writer)
Full access to write all telemetry data.
|
telemetry.metrics.write
telemetry.traces.write
|
後續步驟
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權,程式碼範例則為阿帕契 2.0 授權。詳情請參閱《Google Developers 網站政策》。Java 是 Oracle 和/或其關聯企業的註冊商標。
上次更新時間:2025-10-19 (世界標準時間)。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-10-19 (世界標準時間)。"],[],[]]
