IAM roles and permissions

Access control in Cloud Build is managed with Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Cloud Build provides a set of predefined IAM roles, each of which bundles a set of permissions. Use these roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to others. IAM lets you follow the security principle of least privilege: grant each principal only the access it needs.

This page describes Cloud Build roles and permissions.

Predefined Cloud Build roles

With IAM, every method of the Cloud Build API requires that the identity making the request holds the appropriate permission on the resource. Permissions are granted by setting an IAM policy that binds roles to a member (a user, group, or service account) of your project. You can grant multiple roles to the same member on the same resource; the member's effective permissions are the union of the permissions in every role bound to it.

The table below lists the Cloud Build IAM roles and the permissions that they include:

Role                            Description                             Permissions
roles/cloudbuild.builds.viewer  Can view Cloud Build resources          cloudbuild.builds.get
                                                                        cloudbuild.builds.list
roles/cloudbuild.builds.editor  Full control of Cloud Build resources   cloudbuild.builds.get
                                                                        cloudbuild.builds.list
                                                                        cloudbuild.builds.create
                                                                        cloudbuild.builds.update

In addition to the predefined Cloud Build roles above, the primitive viewer, editor, and owner roles also include permissions related to Cloud Build. However, a primitive role also grants broad permissions on every other service in the project, so grant predefined roles where possible to comply with the security principle of least privilege.

The table below lists the primitive roles and the Cloud Build IAM roles that they include.

Primitive role               Includes Cloud Build role
roles/viewer                 roles/cloudbuild.builds.viewer
roles/editor or roles/owner  roles/cloudbuild.builds.editor

Permissions

The following table lists the permissions that the caller must have to call each method:

API method          Required permission        Role title
builds.create()     cloudbuild.builds.create   Cloud Build Editor
triggers.create()
triggers.patch()
triggers.delete()
triggers.run()
builds.cancel()     cloudbuild.builds.update   Cloud Build Editor
builds.get()        cloudbuild.builds.get      Cloud Build Editor, Cloud Build Viewer
triggers.get()
builds.list()       cloudbuild.builds.list     Cloud Build Editor, Cloud Build Viewer
triggers.list()
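The three tables above (role to permissions, primitive role to included Cloud Build role, and API method to required permission) can be combined into a quick offline check of a project's IAM policy: which members can call which Cloud Build methods, and which members hold a broader role than the calls they actually make require. The following script is an added example, not code from this page or from Google Cloud. It transcribes the page's tables into dictionaries and evaluates a constructed sample policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the member names, project ID and etag are hypothetical, and IAM conditions on bindings are assumed absent (a conditional binding is treated as if it always applied).

```python
"""Constructed example: resolve Cloud Build permissions from an IAM policy.

The tables are transcribed from the page. SAMPLE_POLICY is a constructed
document with hypothetical members; IAM conditions are not modelled
(assumption: every binding is unconditional).
"""

ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.viewer": {
        "cloudbuild.builds.get",
        "cloudbuild.builds.list",
    },
    "roles/cloudbuild.builds.editor": {
        "cloudbuild.builds.get",
        "cloudbuild.builds.list",
        "cloudbuild.builds.create",
        "cloudbuild.builds.update",
    },
}

# Each primitive role includes one Cloud Build predefined role.
PRIMITIVE_ROLE_INCLUDES = {
    "roles/viewer": "roles/cloudbuild.builds.viewer",
    "roles/editor": "roles/cloudbuild.builds.editor",
    "roles/owner": "roles/cloudbuild.builds.editor",
}

# Permission the caller must hold for each API method.
METHOD_PERMISSION = {
    "builds.create": "cloudbuild.builds.create",
    "triggers.create": "cloudbuild.builds.create",
    "triggers.patch": "cloudbuild.builds.create",
    "triggers.delete": "cloudbuild.builds.create",
    "triggers.run": "cloudbuild.builds.create",
    "builds.cancel": "cloudbuild.builds.update",
    "builds.get": "cloudbuild.builds.get",
    "triggers.get": "cloudbuild.builds.get",
    "builds.list": "cloudbuild.builds.list",
    "triggers.list": "cloudbuild.builds.list",
}


def cloudbuild_permissions(role):
    """Cloud Build permissions carried by one role (empty if the page lists none)."""
    role = PRIMITIVE_ROLE_INCLUDES.get(role, role)
    return set(ROLE_PERMISSIONS.get(role, ()))


def member_permissions(policy, member):
    """Union of Cloud Build permissions granted to `member` across all bindings."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= cloudbuild_permissions(binding["role"])
    return perms


def can_call(policy, member, method):
    """True if `member` holds the permission the page lists for `method`."""
    if method not in METHOD_PERMISSION:
        raise ValueError(f"unknown Cloud Build API method: {method}")
    return METHOD_PERMISSION[method] in member_permissions(policy, member)


def minimal_role(methods):
    """Smallest predefined role whose permissions cover every method, or None."""
    needed = {METHOD_PERMISSION[m] for m in methods}
    candidates = [r for r, p in ROLE_PERMISSIONS.items() if needed <= p]
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)


def over_privileged(policy, member, methods):
    """Roles bound to `member` that exceed the minimal predefined role for `methods`.

    Primitive roles are always flagged (the page recommends predefined roles);
    a predefined role is flagged when it is a strict superset of the minimal one.
    """
    minimal = minimal_role(methods)
    flagged = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if member not in binding.get("members", []):
            continue
        too_broad = (
            minimal is not None and role in ROLE_PERMISSIONS
            and ROLE_PERMISSIONS[minimal] < ROLE_PERMISSIONS[role]
        )
        if role in PRIMITIVE_ROLE_INCLUDES or too_broad:
            flagged.append(role)
    return flagged


# Constructed sample policy with hypothetical members and project ID.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.viewer",
         "members": ["group:dev-readers@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    ci = "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"
    for member, method in [("group:dev-readers@example.com", "builds.list"),
                           ("group:dev-readers@example.com", "triggers.run"),
                           (ci, "builds.cancel"),
                           ("user:alice@example.com", "builds.create")]:
        verdict = "allowed" if can_call(SAMPLE_POLICY, member, method) else "denied"
        print(f"{member} -> {method}: {verdict}")
    # alice only watches builds, so roles/editor is far broader than she needs.
    print(over_privileged(SAMPLE_POLICY, "user:alice@example.com",
                          ["builds.get", "builds.list"]))
```

The check is deliberately conservative in one direction only: a role the page does not list resolves to no Cloud Build permissions, so a custom role or a newer predefined role would show as "denied" here even if it grants access in the real project. Use it to spot members who hold roles/editor or roles/owner for work that roles/cloudbuild.builds.viewer covers, then confirm against the live policy before changing bindings.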

Permissions to view build logs

To view build logs, you require additional permissions depending on whether you're storing your build logs in the default Cloud Storage bucket or in a user-specified Cloud Storage bucket. For more information on permissions required to view build logs, see Storing and viewing build logs.

What's next