Access control with IAM

This page describes Infrastructure Manager roles and permissions.

Infra Manager uses Identity and Access Management (IAM) to control access to the service. To grant access to deploy resources with Infra Manager, assign the needed Infra Manager IAM roles to the service account that you specify when you call Infra Manager; Infra Manager acts as that service account when it deploys. For details about how to grant permissions to service accounts, see Manage access to service accounts.

A service account is not required to view Infra Manager deployments, revisions, and IAM policies. For read-only access, grant the viewer role (roles/config.viewer, listed below) directly to the user, group, or service account that performs the read.

To deploy or view the Google Cloud resources defined in the Terraform configuration, you also need to grant the service account the permissions that are specific to those resources (for example, the permissions to create and read the compute, storage, or networking resources the configuration declares). These permissions are in addition to the Infra Manager permissions listed on this page; the Infra Manager roles grant no access to the deployed resources themselves. For a list of all roles and the permissions they contain, see Identity and Access Management basic and predefined roles reference.

Predefined Infra Manager roles

IAM provides predefined roles that grant access to specific Google Cloud resources and prevent unauthorized access to other resources.

The following table lists the Infra Manager IAM roles and the permissions that they include:

Infra Manager Admin (roles/config.admin)
Description: Full control of Infra Manager resources. Intended for the user (or other caller) that invokes Infra Manager.
Permissions:
  config.deployments.create
  config.deployments.delete
  config.deployments.get
  config.deployments.getIamPolicy
  config.deployments.list
  config.deployments.setIamPolicy
  config.deployments.update
  config.previews.create
  config.previews.delete
  config.previews.get
  config.previews.list
  config.previews.export
  config.previews.upload
  config.locations.get
  config.locations.list
  config.operations.cancel
  config.operations.delete
  config.operations.get
  config.operations.list
  config.resources.get
  config.resources.list
  config.revisions.get
  config.revisions.list
  config.artifacts.import
  config.terraformversions.get
  config.terraformversions.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Infra Manager Service Agent (roles/config.agent)
Description: Grants a service account the access it needs to work with Infra Manager, including deployments, revisions, logging, and Terraform state files. This is the role for the service account that Infra Manager deploys as.
Permissions:
  storage.buckets.get
  storage.buckets.list
  storage.buckets.create
  storage.buckets.update
  storage.buckets.delete
  storage.objects.get
  storage.objects.list
  storage.objects.create
  storage.objects.update
  storage.objects.delete
  logging.logEntries.create
  config.deployments.getState
  config.deployments.updateState
  config.deployments.deleteState
  config.deployments.getLock
  config.previews.upload
  config.artifacts.import
  config.revisions.getState
  cloudbuild.connections.list
  cloudbuild.repositories.accessReadToken
  cloudbuild.repositories.list

Infra Manager Service Account (roles/cloudconfig.serviceAgent)
Description: When you enable the Infra Manager API, the Infra Manager service account is automatically created in the project and is granted this role on the resources in the project. The Infra Manager service account uses this role only as required to perform actions when creating, managing, or deleting deployments and revisions. You do not grant this role yourself.
Permissions:
  cloudbuild.builds.get
  cloudbuild.builds.list
  cloudbuild.builds.create
  cloudbuild.builds.update
  cloudbuild.workerpools.use
  storage.buckets.get
  storage.buckets.list
  storage.buckets.create
  storage.buckets.update
  storage.buckets.delete
  storage.objects.get
  storage.objects.list
  storage.objects.create
  storage.objects.update
  storage.objects.delete

Infra Manager Viewer (roles/config.viewer)
Description: Read deployments, revisions, and IAM policies.
Permissions:
  config.deployments.get
  config.deployments.getIamPolicy
  config.deployments.list
  config.previews.get
  config.previews.list
  config.locations.get
  config.locations.list
  config.operations.get
  config.operations.list
  config.resources.get
  config.resources.list
  config.revisions.get
  config.revisions.list
  config.terraformversions.get
  config.terraformversions.list
  resourcemanager.projects.get
  resourcemanager.projects.list

In addition to the Infra Manager predefined roles, the basic Viewer and Owner roles also include permissions related to Infra Manager. However, basic roles carry far more than Infra Manager access, so grant the predefined roles where possible to comply with the security principle of least privilege. Note that neither basic role includes roles/config.agent: a deploying service account always needs that predefined role.
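The bindings described above (roles/config.agent for the deploying service account, roles/config.admin or roles/config.viewer for the caller) and the least-privilege recommendation can be checked against a project's IAM policy before anything is deployed. The following is an added example, not code from the Infra Manager docs or from Google: it renders the grants as gcloud commands, applies them to a policy document the way add-iam-policy-binding does, and audits a policy for a missing agent role, a caller without a predefined Infra Manager role, and basic roles held by either identity. Role names are the ones on this page; the project name, member names, and policy JSON are constructed for illustration and only mirror the shape of `gcloud projects get-iam-policy PROJECT --format=json`.

```python
"""Audit a project IAM policy for the Infra Manager bindings this page describes.

Added example (not Google's or the Infra Manager docs' code). Role names are
from the page; PROJECT, DEPLOY_SA, CALLER and SAMPLE_POLICY are constructed.
"""
import copy
import json
from typing import Dict, List, Set, Tuple

# The service account Infra Manager deploys as needs roles/config.agent; the
# identity that calls the API needs config.admin (deploy) or config.viewer.
DEPLOY_SA_ROLE = "roles/config.agent"
CALLER_ROLES = ("roles/config.admin", "roles/config.viewer")
# Basic roles the page says include an Infra Manager role, mapped to the
# predefined role that replaces them under least privilege.
BASIC_INCLUDES = {"roles/viewer": "roles/config.viewer", "roles/owner": "roles/config.admin"}

Binding = Tuple[str, str]  # (member, role)


def required_bindings(deploy_sa: str, caller: str, caller_deploys: bool = True) -> List[Binding]:
    """Grants for Infra Manager itself. Permissions on the resources that the
    Terraform configuration creates are separate and not covered here."""
    caller_role = "roles/config.admin" if caller_deploys else "roles/config.viewer"
    return [(f"serviceAccount:{deploy_sa}", DEPLOY_SA_ROLE), (caller, caller_role)]


def gcloud_commands(project: str, bindings: List[Binding]) -> List[str]:
    """Render bindings as gcloud invocations (returned as strings, not run)."""
    return [
        f"gcloud projects add-iam-policy-binding {project} --member={m} --role={r}"
        for m, r in bindings
    ]


def members_by_role(policy: dict) -> Dict[str, Set[str]]:
    """Flatten policy bindings into role -> members (conditional bindings are
    folded in, so a hit on one is an upper bound on access)."""
    out: Dict[str, Set[str]] = {}
    for b in policy.get("bindings", []):
        out.setdefault(b["role"], set()).update(b.get("members", []))
    return out


def with_bindings(policy: dict, bindings: List[Binding]) -> dict:
    """Copy of the policy with bindings added, as add-iam-policy-binding does in
    its read-modify-write of setIamPolicy. Unconditional bindings are reused."""
    new = copy.deepcopy(policy)
    for member, role in bindings:
        for b in new.setdefault("bindings", []):
            if b["role"] == role and "condition" not in b:
                if member not in b.setdefault("members", []):
                    b["members"].append(member)
                break
        else:
            new["bindings"].append({"role": role, "members": [member]})
    return new


def audit_policy(policy: dict, deploy_sa: str, caller: str) -> List[str]:
    """Findings: agent role missing on the deploy SA, caller without a
    predefined Infra Manager role, and basic roles held by either identity."""
    by_role = members_by_role(policy)

    def roles_of(member: str) -> Set[str]:
        return {r for r, members in by_role.items() if member in members}

    sa = f"serviceAccount:{deploy_sa}"
    sa_roles, caller_roles = roles_of(sa), roles_of(caller)
    findings: List[str] = []
    if DEPLOY_SA_ROLE not in sa_roles:
        findings.append(f"{sa}: missing {DEPLOY_SA_ROLE}")
    if not caller_roles & set(CALLER_ROLES):
        findings.append(f"{caller}: no predefined Infra Manager role ({' or '.join(CALLER_ROLES)})")
    for member, roles in ((sa, sa_roles), (caller, caller_roles)):
        for basic in sorted(roles & set(BASIC_INCLUDES)):
            findings.append(
                f"{member}: holds basic role {basic}; "
                f"{BASIC_INCLUDES[basic]} is the least-privilege alternative"
            )
    return findings


# Constructed sample: the deploy SA is bound correctly, but the caller relies
# on the basic Owner role instead of roles/config.admin.
PROJECT = "my-project"
DEPLOY_SA = "deploy-sa@my-project.iam.gserviceaccount.com"
CALLER = "user:alice@example.com"
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXyz123",
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/config.agent",
     "members": ["serviceAccount:deploy-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/config.viewer", "members": ["group:infra-readers@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, DEPLOY_SA, CALLER):
        print("FINDING:", line)
    for cmd in gcloud_commands(PROJECT, required_bindings(DEPLOY_SA, CALLER)):
        print(cmd)
```

Run against a real policy, the audit reports the Owner grant as a least-privilege finding even after roles/config.admin is added, because the basic role remains in the policy; removing it is a separate, deliberate step, and any permissions the deploying service account needs on the deployed resources still have to be granted and reviewed on their own.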

The following table lists the basic roles and the Infra Manager IAM roles that they include.

Basic role: Viewer  includes: roles/config.viewer
Basic role: Owner   includes: roles/config.admin

Permissions

The permissions that the caller must have to call each method are listed per method in the REST API reference.

What's next