IAM roles

This page describes the Identity and Access Management (IAM) roles you can use to configure Assured Workloads. Roles limit a principal's ability to access resources. Only grant a principal the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.

To create an Assured Workloads environment, you must hold one of the roles listed below that includes that ability (Assured Workloads Administrator), as well as a Cloud Billing access control role, and the organization must have an active, valid billing account. For more information, see Overview of Cloud Billing access control.

Required roles

Following are the minimum required Assured Workloads-related roles. To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.

  • Assured Workloads Administrator (roles/assuredworkloads.admin): For creating and deleting workload environments.
  • Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer): Read-only access to view the organization, which Assured Workloads needs in order to resolve the organization the environment belongs to.

Assured Workloads roles

Following are the IAM roles that are associated with Assured Workloads, and how to grant these roles using the Google Cloud CLI. To learn how to grant these roles in the Google Cloud console or programmatically, see Granting, changing, and revoking access to resources in the IAM documentation.

Replace the ORGANIZATION_ID placeholder with your organization ID and example@customer.org with the principal's email address. To retrieve your organization ID, see Retrieving your organization ID. Each command adds one binding to the organization-level IAM policy; the --role flag names the role being granted.

Assured Workloads Administrator (roles/assuredworkloads.admin)

For creating and deleting workloads. Allows read-write access.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.admin"

Assured Workloads Editor (roles/assuredworkloads.editor)

Allows read-write access to existing workloads, without the create and delete ability of the Administrator role.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.editor"

Assured Workloads Reader (roles/assuredworkloads.reader)

For getting and listing workloads. Allows read-only access.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.reader"

Custom roles

If none of the predefined roles matches the access a principal needs, define a custom role that bundles only the permissions you specify. A custom role can be narrower than the predefined roles above; it cannot grant more than the permissions listed in it.

Assured Workloads IAM best practices

Granting IAM roles according to least privilege is a Google Cloud security best practice: users should have access only to the products, services, and applications their job requires. Assured Workloads does not currently prevent users from using out-of-scope services in Assured Workloads projects, or from deploying products and services outside the Assured Workloads environment; that restriction has to come from the roles you grant.

The list of in-scope products by compliance program guides security admins when they create custom roles that limit user access to only the in-scope products within the Assured Workloads environment. Custom roles built this way help with obtaining and maintaining compliance in an Assured Workloads environment.
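The following script is an added example, not code from Google or from this page. It applies the least-privilege guidance above to an organization IAM policy exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` and to a custom role exported with `gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID --format=json`. It flags public principals, basic roles (owner/editor) used where an Assured Workloads role would do, and the Administrator role granted directly to an individual user (a policy choice assumed here: grant admin to groups), and it lists any permission in a custom role whose service is not on an in-scope allowlist. The sample policy, the sample custom role, its permission names and the `IN_SCOPE_SERVICES` allowlist are constructed for the example; the real allowlist comes from the in-scope products list for your compliance program.

```python
"""Offline least-privilege checks for an Assured Workloads organization.

Added example; not Google's code. Inputs are JSON files exported beforehand
(the gcloud commands are real, the file names are assumed):

    gcloud organizations get-iam-policy ORGANIZATION_ID --format=json > policy.json
    gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID --format=json > role.json
"""
import json
import sys

# The three Assured Workloads predefined roles, least to most privileged.
AW_ROLES = {
    "roles/assuredworkloads.reader": "read-only (get/list workloads)",
    "roles/assuredworkloads.editor": "read-write",
    "roles/assuredworkloads.admin": "read-write, create/delete workloads",
}
# Basic roles grant far more than any Assured Workloads task needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _finding(severity, member, role, reason):
    return {"severity": severity, "member": member, "role": role, "reason": reason}


def audit_bindings(policy: dict) -> list:
    """Return least-privilege findings for the bindings of an IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(_finding("high", member, role,
                                         "public principal holds the role"))
            elif role in BROAD_ROLES:
                findings.append(_finding("high", member, role,
                                         "basic role instead of an Assured Workloads role"))
            elif role == "roles/assuredworkloads.admin" and member.startswith("user:"):
                # Assumed policy: admin is granted to groups, not to individuals.
                findings.append(_finding("medium", member, role,
                                         "admin granted to an individual user"))
    return findings


def assured_workloads_holders(policy: dict) -> dict:
    """Map each Assured Workloads role present in the policy to its members."""
    holders = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in AW_ROLES:
            holders.setdefault(binding["role"], []).extend(binding.get("members", []))
    return holders


def out_of_scope_permissions(role_def: dict, in_scope_services: set) -> list:
    """Permissions in a custom role whose service is not on the in-scope allowlist.

    IAM permission names have the form SERVICE.RESOURCE.VERB, so the text before
    the first dot identifies the product the permission belongs to.
    """
    return sorted(
        perm for perm in role_def.get("includedPermissions", [])
        if perm.split(".", 1)[0] not in in_scope_services
    )


# Constructed sample inputs (not real policies or roles).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/assuredworkloads.admin",
         "members": ["group:aw-admins@customer.org", "user:example@customer.org"]},
        {"role": "roles/assuredworkloads.reader",
         "members": ["group:aw-auditors@customer.org", "allAuthenticatedUsers"]},
        {"role": "roles/owner", "members": ["user:legacy-owner@customer.org"]},
    ],
    "etag": "BwXyZ123", "version": 1,
}
SAMPLE_CUSTOM_ROLE = {
    "name": "organizations/123456789012/roles/awInScopeOperator",
    "includedPermissions": ["assuredworkloads.workload.get",
                            "assuredworkloads.workload.list",
                            "compute.instances.list",
                            "bigquery.datasets.get"],
    "stage": "GA",
}
# Constructed allowlist standing in for a compliance program's in-scope products.
IN_SCOPE_SERVICES = {"assuredworkloads", "compute", "storage"}

if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    role_def = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_CUSTOM_ROLE
    for role, members in assured_workloads_holders(policy).items():
        print(f"{role} ({AW_ROLES[role]}): {', '.join(members)}")
    for f in audit_bindings(policy):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['reason']}")
    for perm in out_of_scope_permissions(role_def, IN_SCOPE_SERVICES):
        print(f"[out of scope] {role_def.get('name', '?')}: {perm}")
```

Run it with no arguments to see the findings on the constructed sample, or pass the exported `policy.json` and `role.json` paths. Anything `out_of_scope_permissions` reports should be removed from the custom role before it is granted inside the Assured Workloads environment; anything `audit_bindings` reports at high severity is a binding to remove or narrow.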