IAM roles

This topic describes the Identity and Access Management (IAM) roles you can use to configure Assured Workloads. Roles limit an authenticated identity's ability to access resources. Only grant an identity the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.

To be able to create an Assured Workloads environment, you must be assigned one of the roles listed below with that ability, as well as a Cloud Billing access control role. You must also have an active, valid billing account. For more information, see Overview of Cloud Billing access control.

Required roles

Following are the minimum required Assured Workloads-related roles. To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.

  • Assured Workloads Administrator: For creating workload environments.
  • Resource Manager Organization Admin: Access to administer all resources belonging to an organization.

Assured Workloads roles

Following are the IAM roles that are associated with Assured Workloads, and how to grant these roles using the gcloud command-line tool. To learn how to grant these roles in the Cloud Console or programmatically, see Granting, changing, and revoking access to resources in IAM documentation.

Replace the ORGANIZATION_ID placeholder with the actual organization identifier and example@customer.org with the user email address. To retrieve your organization ID, see Retrieving your organization ID.


For creating workloads. Allows read-write access.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \


Allows read-write access.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \


For getting and listing workloads. Allows read-only access.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \

Custom roles

If you want to define your own roles to contain bundles of permissions that you specify, use custom roles.

Assured Workloads IAM best practices

Properly securing IAM roles to follow least privileged is a Google Cloud security best practice. This principle follows the rule that users should only have access to the products, services, and applications required by their role. Users are not currently restricted from using out-of-scope services with Assured Workloads projects when deploying products and services outside of the Assured Workloads environment.

The list of in-scope products by compliance regime helps to guide security admins when creating custom roles that limit user access to only in-scope products within the Assured Workloads environment. Custom roles are able to help support obtaining and maintaining compliance within an Assured Workloads environment.