IAM roles and permissions

This page applies to Apigee and Apigee hybrid.

You can view and grant roles using the permissions panel on the IAM & Admin > IAM page in your Google Cloud project.

The following table lists the roles and the corresponding permissions required to create and manage API hub resources.

IAM role name | Role scope | Required permissions | Description

IAM role name: Cloud Apigee Registry Editor
Role scope: Edit access to Cloud Apigee Registry resources.
Required permissions:
  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.apis.create
  • apigeeregistry.apis.update
  • apigeeregistry.apis.delete
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.deployments.create
  • apigeeregistry.deployments.update
  • apigeeregistry.deployments.delete
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • apigeeregistry.versions.create
  • apigeeregistry.versions.update
  • apigeeregistry.versions.delete
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.specs.create
  • apigeeregistry.specs.update
  • apigeeregistry.specs.delete
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.update
  • apigeeregistry.artifacts.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Description: Add, edit, or delete any API or API-specific information. Manages API hub, including top-level settings, taxonomies, and lifecycle stages.

IAM role name: Cloud Apigee Registry Admin
Role scope: Full access to Cloud Apigee Registry and Runtime resources.
Required permissions:

The Admin role has the same permissions as the Editor role, plus the following:

  • apigeeregistry.instances.get
  • apigeeregistry.instances.update
Description: Like Editors, Admins have full access to all the resources in the registry, plus features for automated provisioning and instance management.

IAM role name: Cloud Apigee Registry Viewer
Role scope: Read-only access to Cloud Apigee Registry resources.
Required permissions:
  • apigeeregistry.apis.get
  • apigeeregistry.apis.list
  • apigeeregistry.deployments.get
  • apigeeregistry.deployments.list
  • apigeeregistry.versions.get
  • apigeeregistry.versions.list
  • apigeeregistry.specs.get
  • apigeeregistry.specs.list
  • apigeeregistry.artifacts.get
  • apigeeregistry.artifacts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Description: Discover, view, and access, but not modify, any API. A Viewer is a potential consumer of the APIs, that is, someone who uses an API product through a client application.

IAM role name: Cloud Apigee Registry Worker
Role scope: This role is pre-defined for Apigee Registry application workers.
Required permissions:

The Worker role has the same permissions as the Viewer role, plus the following:

  • apigeeregistry.apis.update
  • apigeeregistry.deployments.update
  • apigeeregistry.versions.update
  • apigeeregistry.specs.update
  • apigeeregistry.artifacts.create
  • apigeeregistry.artifacts.update
  • apigeeregistry.artifacts.delete
Description: This role is suitable if you are integrating your custom application workers with API hub. Workers can read from the registry, perform a specific task, and attach additional information, such as API scores, to the registry resources.
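
To choose the least-privileged of these roles for a workload, the following added example (not part of the Apigee documentation) transcribes the permission lists above, returns the narrowest role that covers a set of needed permissions, and flags grants that could be downgraded. The principal names and sample grants are constructed placeholders, and the function names are hypothetical.

```python
# Added example: permission sets transcribed from the role table on this page.
RESOURCES = ("apis", "deployments", "versions", "specs", "artifacts")
PROJECT = {"resourcemanager.projects.get", "resourcemanager.projects.list"}


def perms(verbs, resources=RESOURCES):
    """Build apigeeregistry.<resource>.<verb> names for every pairing."""
    return {f"apigeeregistry.{r}.{v}" for r in resources for v in verbs}


VIEWER = perms(("get", "list")) | PROJECT
WORKER = (VIEWER
          | perms(("update",), ("apis", "deployments", "versions", "specs"))
          | perms(("create", "update", "delete"), ("artifacts",)))
EDITOR = perms(("get", "list", "create", "update", "delete")) | PROJECT
ADMIN = EDITOR | {"apigeeregistry.instances.get", "apigeeregistry.instances.update"}
ROLES = {
    "Cloud Apigee Registry Viewer": VIEWER,
    "Cloud Apigee Registry Worker": WORKER,
    "Cloud Apigee Registry Editor": EDITOR,
    "Cloud Apigee Registry Admin": ADMIN,
}


def narrowest_role(needed):
    """Smallest role granting every needed permission, or None if none does."""
    fits = [name for name, granted in ROLES.items() if set(needed) <= granted]
    return min(fits, key=lambda name: len(ROLES[name])) if fits else None


def downgrade_candidates(grants):
    """grants maps principal -> (role held, permissions actually used).
    Returns {principal: (held, narrower role, permissions that would be dropped)}."""
    findings = {}
    for principal, (held, used) in grants.items():
        best = narrowest_role(used)
        if best and len(ROLES[best]) < len(ROLES[held]):
            findings[principal] = (held, best, sorted(ROLES[held] - ROLES[best]))
    return findings


# Constructed sample grants (principal names are placeholders).
SAMPLE_GRANTS = {
    "scoring-worker@example.invalid": ("Cloud Apigee Registry Editor",
        {"apigeeregistry.specs.get", "apigeeregistry.artifacts.create"}),
    "catalog-reader@example.invalid": ("Cloud Apigee Registry Viewer",
        {"apigeeregistry.apis.list"}),
}

if __name__ == "__main__":
    for who, (held, best, dropped) in downgrade_candidates(SAMPLE_GRANTS).items():
        print(f"{who}: {held} -> {best}, drops {len(dropped)} permissions")
```

The "permissions actually used" input has to come from your own usage data; the script only compares it against the role table.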