Configuring access control

Access control in Google Cloud is controlled using Google Cloud Identity and Access Management (IAM). IAM allows you to set permissions specifying who has what kind of access to which resources in your project. IAM provides primitive and predefined roles that you can grant to users on certain resources. It also allows you to create custom roles.

Cloud Build uses IAM for access control. You can use IAM to add team members to your project and to grant them permissions to create, view, and cancel builds. Users require the necessary Cloud IAM permissions to call Cloud Build API methods.

This page describes the IAM permissions and roles required to call Cloud Build methods and explains how to use IAM to configure permissions for your project's team members and service accounts.

The following table lists the permissions that the caller must have to call each method:

  API Method        Required Permission        Role Title
                    cloudbuild.builds.create   Cloud Build Editor
  builds.cancel()   cloudbuild.builds.update   Cloud Build Editor
                    cloudbuild.builds.get      Cloud Build Editor, Cloud Build Viewer
                    cloudbuild.builds.list     Cloud Build Editor, Cloud Build Viewer

With IAM, every API method in Cloud Build requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by granting roles that include those permissions. In addition to the primitive roles owner, editor, and viewer, you can grant Cloud Build roles to the users of your project.

The table below lists the Cloud Build IAM roles and the permissions that they include:

  Role                             Role Title           Includes permissions
  roles/cloudbuild.builds.viewer   Cloud Build Viewer   cloudbuild.builds.get
  roles/cloudbuild.builds.editor   Cloud Build Editor   All of the above, and:

The table below lists the primitive roles that existed prior to Cloud IAM, and the Cloud Build IAM roles that they include.

  Role                          Role Title        Includes role
  roles/viewer                  Viewer            roles/cloudbuild.builds.viewer
  roles/editor or roles/owner   Editor or Owner   roles/cloudbuild.builds.editor

Managing IAM roles via the Cloud Console

To grant IAM roles for a new team member or service account:

  1. Open the Identity and Access Management page in the Google Cloud Console.
  2. Select your project, and click Continue.
  3. Click Add.
  4. Enter the team member's or service account's email address.
  5. Select the desired Role Title from the drop-down menu. Cloud Build roles are found under Cloud Build.
  6. Click Add.

Creating IAM custom roles

To create a Cloud IAM custom role with Cloud Build permissions:

  1. Go to the Roles page in the Cloud Console.
  2. Select your project and organization.
  3. Click Create Role.
  4. Enter a Name, and Description for the role.
  5. Click Add Permissions.
  6. In the All services drop-down, select cloudbuild.
  7. Select one or more permissions and click Add Permissions.
  8. Click Create.

For more instructions on using Cloud IAM custom roles, see Creating and Managing Custom Roles.
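The two Console procedures above (granting a role to a member, and creating a custom role restricted to cloudbuild permissions) can also be done with the gcloud CLI. The script below is an added example, not part of this page or of Cloud Build's own tooling; the project id, member address and the custom role id "cloudBuildSubmitter" are assumed placeholders, and the role definition uses only the cloudbuild.builds.* permissions listed in the tables above. The script only prints the commands it builds, so it can be inspected before anything is applied.

```shell
#!/bin/sh
# Added example: grant a predefined Cloud Build role, define a least-privilege
# custom role, and audit the result with gcloud. Placeholder values below.
PROJECT="${PROJECT:-my-project-id}"                                             # placeholder
MEMBER="${MEMBER:-serviceAccount:ci-bot@my-project-id.iam.gserviceaccount.com}" # placeholder
ROLE_ID="${ROLE_ID:-cloudBuildSubmitter}"                                       # assumed custom role id

# Build the add-iam-policy-binding command that grants ROLE to MEMBER on PROJECT.
grant_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' "$1" "$2" "$3"
}

# Write a custom role definition holding only the permissions a build submitter
# needs (create and get); cloudbuild.builds.update (cancel) and list are left out.
write_role_yaml() {
  cat > "$1" <<EOF
title: Cloud Build Submitter
description: Can create and inspect builds but not cancel them
stage: GA
includedPermissions:
- cloudbuild.builds.create
- cloudbuild.builds.get
EOF
}

# Audit check: list every role bound to MEMBER in the project's IAM policy.
audit_cmd() {
  printf 'gcloud projects get-iam-policy %s --flatten="bindings[].members" --filter="bindings.members:%s" --format="value(bindings.role)"\n' "$1" "$2"
}

ROLE_FILE="$(mktemp)"
write_role_yaml "$ROLE_FILE"

echo "# 1. grant the predefined viewer role:"
grant_cmd "$PROJECT" "$MEMBER" roles/cloudbuild.builds.viewer
echo "# 2. create the custom role from $ROLE_FILE and bind it:"
echo "gcloud iam roles create $ROLE_ID --project=$PROJECT --file=$ROLE_FILE"
grant_cmd "$PROJECT" "$MEMBER" "projects/$PROJECT/roles/$ROLE_ID"
echo "# 3. verify which roles the member now holds:"
audit_cmd "$PROJECT" "$MEMBER"
```

Pipe the printed commands into sh only after reviewing them, and compare the audit output against the roles you intended to grant.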

Cloud Build service account

Cloud Build uses a special service account to execute builds on your behalf.

When you enable the Cloud Build API, the service account is automatically created and granted the Cloud Build Service Account role for your project. This role is sufficient for several tasks; however, it does not allow the account to perform certain actions for which additional IAM roles must be granted manually. See the IAM & Admin section in the Cloud Console to add the appropriate roles to the service account.

For instructions on granting access to Cloud Build service accounts see Granting additional access.

What's next