Config Controller roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions for Config Controller. To help you control access, Config Controller uses IAM roles and permissions. IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.

Roles

Config Controller has predefined roles. The following table lists these roles and the permissions that the roles include:

For more information on how you should assign roles, see Choose predefined roles. You can also create your own custom roles that contain exactly the permissions that you specify.

Permissions

Permissions granted by roles

The following table lists the permissions that the caller must have to call each Config Controller method and which roles grant the permissions:

Permission	Granted by roles
krmapihosting.krmApiHosts.create	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.krmApiHosts.delete	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.krmApiHosts.get	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.krmApiHosts.getIamPolicy	Owner (roles/owner) Editor (roles/editor) Security Admin (roles/iam.securityAdmin) Security Reviewer (roles/iam.securityReviewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.krmApiHosts.list	Owner (roles/owner) Editor (roles/editor) Security Admin (roles/iam.securityAdmin) Security Reviewer (roles/iam.securityReviewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.krmApiHosts.setIamPolicy	Owner (roles/owner) Security Admin (roles/iam.securityAdmin) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.krmApiHosts.update	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.locations.get	Owner (roles/owner) Editor (roles/editor) Viewer (roles/viewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.locations.list	Owner (roles/owner) Editor (roles/editor) Viewer (roles/viewer) Security Admin (roles/iam.securityAdmin) Security Reviewer (roles/iam.securityReviewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.operations.cancel	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.operations.delete	Owner (roles/owner) Editor (roles/editor) Config Controller Admin (roles/krmapihosting.admin)
krmapihosting.operations.get	Owner (roles/owner) Editor (roles/editor) Viewer (roles/viewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)
krmapihosting.operations.list	Owner (roles/owner) Editor (roles/editor) Viewer (roles/viewer) Security Admin (roles/iam.securityAdmin) Security Reviewer (roles/iam.securityReviewer) Config Controller Admin (roles/krmapihosting.admin) Config Controller Viewer (roles/krmapihosting.viewer)

Permissions needed for actions

The following table lists which permission you need to perform specific actions.

Required permission	Method
krmapihosting.krmApiHosts.create	projects.locations.krmApiHosts.create
krmapihosting.krmApiHosts.delete	projects.locations.krmApiHosts.delete
krmapihosting.krmApiHosts.get	projects.locations.krmApiHosts.get
krmapihosting.krmApiHosts.list	projects.locations.krmApiHosts.list
krmapihosting.krmApiHosts.update	projects.locations.krmApiHosts.update
krmapihosting.operations.get	projects.locations.operations.get
krmapihosting.operations.list	projects.locations.operations.list

What's next

• Learn about IAM.