The following table describes the roles that are required to install Anthos Service Mesh.
| Role name | Role ID | Grant location | Description |
|---|---|---|---|
| GKE Hub Admin | roles/gkehub.admin | Fleet project | Full access to GKE Hubs and related resources. |
| Kubernetes Engine Admin | roles/container.admin | Cluster project. Note that this role must be granted in both Fleet and cluster project for cross-project bindings. | Provides access to full management of Container Clusters and their Kubernetes API objects. |
| Mesh Config Admin | roles/meshconfig.admin | Fleet and cluster project | Provides permissions required to initialize managed components of Anthos Service Mesh, such as managed control plane and backend permission that allows workloads to talk to Stackdriver without each being individually authorized (for both managed and in-cluster control planes). |
| Project IAM Admin | roles/resourcemanager.projectIamAdmin | Cluster project | Provides permissions to administer IAM policies on projects. |
| Service Account Admin | roles/iam.serviceAccountAdmin | Fleet project | Authenticate as a service account. |
| Service Management Admin | roles/servicemanagement.admin | Fleet project | Full control of Google Service Management resources. |
| Service Usage Admin | roles/serviceusage.serviceUsageAdmin | Fleet project | Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. |
| CA Service Admin Beta | roles/privateca.admin | Fleet project | Full access to all Certificate Authority Service resources. |
What's next
For a list of the specific permissions in each role, copy the role and search for it Understanding roles.
To learn more about how to grant IAM roles, see Granting, changing, and revoking access to resources.