The following table lists the roles and the corresponding permissions required to create and
manage API hub resources.
IAM role name: Cloud Apigee Registry Editor
Role scope: Edit access to Cloud Apigee Registry resources.
Required permissions:
  apigeeregistry.apis.get
  apigeeregistry.apis.list
  apigeeregistry.apis.create
  apigeeregistry.apis.update
  apigeeregistry.apis.delete
  apigeeregistry.deployments.get
  apigeeregistry.deployments.list
  apigeeregistry.deployments.create
  apigeeregistry.deployments.update
  apigeeregistry.deployments.delete
  apigeeregistry.versions.get
  apigeeregistry.versions.list
  apigeeregistry.versions.create
  apigeeregistry.versions.update
  apigeeregistry.versions.delete
  apigeeregistry.specs.get
  apigeeregistry.specs.list
  apigeeregistry.specs.create
  apigeeregistry.specs.update
  apigeeregistry.specs.delete
  apigeeregistry.artifacts.get
  apigeeregistry.artifacts.list
  apigeeregistry.artifacts.create
  apigeeregistry.artifacts.update
  apigeeregistry.artifacts.delete
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Add, edit, or delete any API or API-specific information. Manage API hub,
including top-level settings, taxonomies, and lifecycle stages.

IAM role name: Cloud Apigee Registry Admin
Role scope: Full access to Cloud Apigee Registry and Runtime resources.
Required permissions: The Admin role has the same permissions as the Editor role, plus the
following:
  apigeeregistry.instances.get
  apigeeregistry.instances.update
Description: Admins have full access to all the resources in the registry, as Editors do,
plus features for automated provisioning and instance management.

IAM role name: Cloud Apigee Registry Viewer
Role scope: Read-only access to Cloud Apigee Registry resources.
Required permissions:
  apigeeregistry.apis.get
  apigeeregistry.apis.list
  apigeeregistry.deployments.get
  apigeeregistry.deployments.list
  apigeeregistry.versions.get
  apigeeregistry.versions.list
  apigeeregistry.specs.get
  apigeeregistry.specs.list
  apigeeregistry.artifacts.get
  apigeeregistry.artifacts.list
  resourcemanager.projects.get
  resourcemanager.projects.list
Description: Discover, view, and access, but not modify, any API. A Viewer is a potential
consumer of the APIs, in other words, someone who uses an API product through a client
application.

IAM role name: Cloud Apigee Registry Worker
Role scope: This role is pre-defined for Apigee Registry application workers.
Required permissions: The Worker role has the same permissions as the Viewer role, plus the
following:
  apigeeregistry.apis.update
  apigeeregistry.deployments.update
  apigeeregistry.versions.update
  apigeeregistry.specs.update
  apigeeregistry.artifacts.create
  apigeeregistry.artifacts.update
  apigeeregistry.artifacts.delete
Description: This role is suitable if you are integrating your custom application workers
with API hub. Workers can read from the registry, perform a specific task, and attach
additional information, for example API scores, to the registry resources.
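
The role definitions above can be turned into a least-privilege check over a project's IAM policy. The following is an added example, not code from the API hub documentation: it builds each role's permission set as the table composes it, then flags members whose grants exceed the smallest role covering what they use. The role IDs, the sample policy, and the per-member usage sets are assumptions constructed for illustration.

```python
from itertools import product

RESOURCES = ("apis", "deployments", "versions", "specs", "artifacts")
PROJECT = {"resourcemanager.projects.get", "resourcemanager.projects.list"}

def perms(verbs, resources=RESOURCES):
    return {f"apigeeregistry.{r}.{v}" for r, v in product(resources, verbs)}

# Permission sets composed exactly as the table above lists them.
VIEWER = perms(("get", "list")) | PROJECT
EDITOR = perms(("get", "list", "create", "update", "delete")) | PROJECT
ADMIN = EDITOR | perms(("get", "update"), ("instances",))
WORKER = (VIEWER | perms(("update",), RESOURCES[:4])
          | perms(("create", "update", "delete"), ("artifacts",)))

# Assumption: role IDs; the page itself gives only the display names.
ROLES = {"roles/apigeeregistry.viewer": VIEWER, "roles/apigeeregistry.worker": WORKER,
         "roles/apigeeregistry.editor": EDITOR, "roles/apigeeregistry.admin": ADMIN}

def effective_permissions(policy):
    """Union of registry permissions each member gets from its role bindings."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            granted.setdefault(member, set()).update(ROLES.get(binding["role"], ()))
    return {m: p for m, p in granted.items() if p}

def least_privileged_role(needed):
    """Smallest role in the table that covers `needed`, or None if none does."""
    fits = [(len(p), role) for role, p in ROLES.items() if set(needed) <= p]
    return min(fits)[1] if fits else None

def audit(policy, needs):
    """Flag members whose grants strictly exceed the smallest role that fits."""
    findings = {}
    for member, granted in effective_permissions(policy).items():
        role = least_privileged_role(needs.get(member, ()))
        if role and ROLES[role] < granted:
            findings[member] = (role, sorted(granted - ROLES[role]))
    return findings

# Constructed sample: policy bindings and the permissions members actually use.
# A member with no entry in SAMPLE_NEEDS is treated as needing nothing beyond Viewer.
SCORER = "serviceAccount:scorer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/apigeeregistry.admin", "members": ["user:alice@example.com", SCORER]},
    {"role": "roles/apigeeregistry.viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:bob@example.com"]}]}
SAMPLE_NEEDS = {"user:alice@example.com": {"apigeeregistry.instances.update"},
                SCORER: {"apigeeregistry.specs.get", "apigeeregistry.artifacts.create"}}
```

Calling `audit(SAMPLE_POLICY, SAMPLE_NEEDS)` reports only the scoring service account: it holds Admin, but the Worker role covers everything it uses.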