Access control with IAM

This page describes the Identity and Access Management (IAM) roles required to configure Access Context Manager.

Required roles

The following curated IAM roles provide the necessary permissions to view or configure access levels using the gcloud command-line tool:

  • Access Context Manager Admin: roles/accesscontextmanager.policyAdmin
  • Access Context Manager Editor: roles/accesscontextmanager.policyEditor
  • Access Context Manager Reader: roles/accesscontextmanager.policyReader

Additionally, to let your users manage Access Context Manager using the Google Cloud Console, the Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer) role is required.

To grant one of these roles, use the Cloud Console or the gcloud command-line tool:

Admin allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyAdmin"

Editor allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyEditor"

Reader allows read-only access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyReader"

Organization Viewer allows access to VPC Service Controls using the Cloud Console

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationViewer"
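As an added audit example (not code from this page or from Google Cloud), the following Python parses the JSON that gcloud organizations get-iam-policy ORGANIZATION_ID --format=json prints, lists every principal holding one of the Access Context Manager roles above, and reports those that lack Organization Viewer and so cannot manage Access Context Manager from the Cloud Console. The embedded policy is constructed sample data, not a real organization.

```python
"""Audit Access Context Manager role bindings in an organization IAM policy.
Added example, not code from this page or from Google Cloud; it parses the JSON
printed by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`."""
import json

# The curated Access Context Manager roles named on this page.
ACM_ROLES = {
    "roles/accesscontextmanager.policyAdmin",
    "roles/accesscontextmanager.policyEditor",
    "roles/accesscontextmanager.policyReader",
}
# Required alongside an ACM role to manage ACM from the Cloud Console.
ORG_VIEWER = "roles/resourcemanager.organizationViewer"

# Constructed sample standing in for real gcloud output; not a real organization.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:alice@example.com", "group:acm-admins@example.com"]},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["user:bob@example.com",
                 "serviceAccount:auditor@example.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:alice@example.com", "user:carol@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}"""

def sample_policy():
    """Parse the constructed sample policy (stand-in for gcloud output)."""
    return json.loads(SAMPLE_POLICY_JSON)

def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def acm_principals(policy):
    """Members holding any Access Context Manager role, sorted."""
    return sorted(m for m, r in roles_by_member(policy).items() if r & ACM_ROLES)

def console_gaps(policy):
    """ACM principals lacking Organization Viewer: gcloud works for them,
    but they cannot manage Access Context Manager from the Cloud Console."""
    return sorted(m for m, r in roles_by_member(policy).items()
                  if r & ACM_ROLES and ORG_VIEWER not in r)
```

To run against a real organization, replace SAMPLE_POLICY_JSON with the saved output of the gcloud command named in the lead-in.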