Compute Engine has a specific set of
Identity and access management (IAM) roles.
Each predefined role contains a set of permissions.
When you add a new member to your project, you can use an IAM policy to give
that member one or more IAM roles. Each IAM role contains permissions that
grant the member access to specific resources.
To learn how to set policies at a project level, read
Granting, changing, and revoking access to resources
in the IAM documentation. To learn how to set policies on
Compute Engine resources, read
Granting access to Compute Engine resources.
To learn how to assign roles to a Compute Engine service account, read
Creating and enabling service accounts for instances.
To learn how to create custom roles that contain any subset
of permissions, read Creating and managing custom roles.
Before you begin
What is IAM?
Google Cloud offers
Cloud Identity and Access Management (Cloud IAM),
which lets you give more granular access to specific
Google Cloud resources and prevents unwanted access to other resources.
IAM lets you adopt the
security principle of least privilege,
so you grant only the necessary access to your resources.
IAM lets you control who (identity) has what (roles)
permission to
which resources by setting IAM policies. IAM policies grant specific
role(s)
to a project member, giving the identity certain permissions. For example, for a
given resource, such as a project, you can assign the
roles/compute.networkAdmin role to a Google Account and that account can
control network-related resources in the project, but cannot manage other
resources, like instances and disks. You can also use Cloud IAM to
manage the
Cloud Console legacy roles
granted to project team members.
Predefined Compute Engine Cloud IAM roles
With Cloud IAM, every API method in Compute Engine API requires
that the identity
making the API request has the appropriate permissions to use the resource.
Permissions are granted by setting policies that grant roles to a
member (user, group, or service account) of your project.
In addition to legacy roles
(viewer, editor, owner)
and custom roles,
you can assign the following Compute Engine predefined roles to the
members of your project.
You can grant multiple roles to a project member on the same resource. For
example, if your networking team also manages firewall rules, you can grant both
roles/compute.networkAdmin and roles/compute.securityAdmin to the networking
team's Google group.
The following tables describe the predefined Compute Engine
Cloud IAM roles,
as well as the permissions contained within each role. Each role contains a set
of permissions that is suitable for a specific task. For example, the first two
roles grant permissions to manage instances, the network-related roles include
permissions to manage network-related resources, and the security role includes
permissions to manage security-related resources, like firewalls and SSL
certificates.
Compute Admin role
| Name |
Description |
Permissions |
roles/
compute.admin
|
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
|
compute.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Image User role
| Name |
Description |
Permissions |
roles/
compute.imageUser
|
Permission to list and read images without having other permissions on the
image. Granting the compute.imageUser role at the project level
gives users the ability to list all images in the project and create
resources, such as instances and persistent disks, based on images in the
project.
|
compute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlyresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (beta) role
| Name |
Description |
Permissions |
roles/
compute.instanceAdmin
|
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VMBETA
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
|
compute.acceleratorTypes.*compute.addresses.getcompute.addresses.listcompute.addresses.usecompute.autoscalers.*compute.diskTypes.*compute.disks.createcompute.disks.createSnapshotcompute.disks.deletecompute.disks.getcompute.disks.listcompute.disks.resizecompute.disks.setLabelscompute.disks.updatecompute.disks.usecompute.disks.useReadOnlycompute.globalAddresses.getcompute.globalAddresses.listcompute.globalAddresses.usecompute.globalOperations.getcompute.globalOperations.listcompute.images.getcompute.images.getFromFamilycompute.images.listcompute.images.useReadOnlycompute.instanceGroupManagers.*compute.instanceGroups.*compute.instanceTemplates.*compute.instances.*compute.licenses.getcompute.licenses.listcompute.machineTypes.*compute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.reservations.getcompute.reservations.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetPools.getcompute.targetPools.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Instance Admin (v1) role
| Name |
Description |
Permissions |
roles/
compute.instanceAdmin.v1
|
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
|
compute.acceleratorTypes.*compute.addresses.getcompute.addresses.listcompute.addresses.usecompute.autoscalers.*compute.backendBuckets.getcompute.backendBuckets.listcompute.backendServices.getcompute.backendServices.listcompute.diskTypes.*compute.disks.*compute.externalVpnGateways.getcompute.externalVpnGateways.listcompute.firewalls.getcompute.firewalls.listcompute.forwardingRules.getcompute.forwardingRules.listcompute.globalAddresses.getcompute.globalAddresses.listcompute.globalAddresses.usecompute.globalForwardingRules.getcompute.globalForwardingRules.listcompute.globalOperations.getcompute.globalOperations.listcompute.healthChecks.getcompute.healthChecks.listcompute.httpHealthChecks.getcompute.httpHealthChecks.listcompute.httpsHealthChecks.getcompute.httpsHealthChecks.listcompute.images.*compute.instanceGroupManagers.*compute.instanceGroups.*compute.instanceTemplates.*compute.instances.*compute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.licenseCodes.*compute.licenses.*compute.machineTypes.*compute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.projects.setCommonInstanceMetadatacompute.regionBackendServices.getcompute.regionBackendServices.listcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.reservations.getcompute.reservations.listcompute.resourcePolicies.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.snapshots.*compute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.getcompute.sslPolicies.listcompute.sslPolicies.listAvailableFeaturescompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetHttpProxies.getcompute.targetHttpProxies.listcompute.targetHttpsProxies.getcompute.targetHttpsProxies.listcompute.targetInstances.getcompute.targetInstances.listcompute.targetPools.getcompute.targetPools.listcompute.targetSslProxies.getcompute.targetSslProxies.listcompute.targetTcpProxies.getcompute.targetTcpProxies.listcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.urlMaps.getcompute.urlMaps.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Load Balancer Admin role
| Name |
Description |
Permissions |
roles/
compute.loadBalancerAdmin
Beta
|
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant the load balancing
team's group the loadBalancerAdmin role.
|
compute.addresses.*compute.backendBuckets.*compute.backendServices.*compute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.instanceGroups.*compute.instances.getcompute.instances.listcompute.instances.usecompute.networkEndpointGroups.*compute.networks.getcompute.networks.listcompute.networks.usecompute.projects.getcompute.regionBackendServices.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.urlMaps.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Admin role
| Name |
Description |
Permissions |
roles/
compute.networkAdmin
|
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking team's group the
networkAdmin role.
|
compute.addresses.*compute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.*compute.backendServices.*compute.externalVpnGateways.*compute.firewalls.getcompute.firewalls.listcompute.forwardingRules.*compute.globalAddresses.*compute.globalForwardingRules.*compute.globalOperations.getcompute.globalOperations.listcompute.healthChecks.*compute.httpHealthChecks.*compute.httpsHealthChecks.*compute.instanceGroupManagers.getcompute.instanceGroupManagers.listcompute.instanceGroupManagers.updatecompute.instanceGroupManagers.usecompute.instanceGroups.getcompute.instanceGroups.listcompute.instanceGroups.updatecompute.instanceGroups.usecompute.instances.getcompute.instances.getGuestAttributescompute.instances.getSerialPortOutputcompute.instances.listcompute.instances.listReferrerscompute.instances.usecompute.interconnectAttachments.*compute.interconnectLocations.*compute.interconnects.*compute.networkEndpointGroups.getcompute.networkEndpointGroups.listcompute.networkEndpointGroups.usecompute.networks.*compute.projects.getcompute.regionBackendServices.*compute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.routers.*compute.routes.*compute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.usecompute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.*compute.subnetworks.*compute.targetHttpProxies.*compute.targetHttpsProxies.*compute.targetInstances.*compute.targetPools.*compute.targetSslProxies.*compute.targetTcpProxies.*compute.targetVpnGateways.*compute.urlMaps.*compute.vpnGateways.*compute.vpnTunnels.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.operations.getservicenetworking.services.addPeeringservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network User role
| Name |
Description |
Permissions |
roles/
compute.networkUser
|
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
|
compute.addresses.createInternalcompute.addresses.deleteInternalcompute.addresses.getcompute.addresses.listcompute.addresses.useInternalcompute.externalVpnGateways.getcompute.externalVpnGateways.listcompute.externalVpnGateways.usecompute.firewalls.getcompute.firewalls.listcompute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.interconnects.usecompute.networks.getcompute.networks.listcompute.networks.usecompute.networks.useExternalIpcompute.projects.getcompute.regions.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.subnetworks.getcompute.subnetworks.listcompute.subnetworks.usecompute.subnetworks.useExternalIpcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnGateways.usecompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Network Viewer role
| Name |
Description |
Permissions |
roles/
compute.networkViewer
|
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant that software's service account the
networkViewer role.
|
compute.addresses.getcompute.addresses.listcompute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.getcompute.backendBuckets.listcompute.backendServices.getcompute.backendServices.listcompute.firewalls.getcompute.firewalls.listcompute.forwardingRules.getcompute.forwardingRules.listcompute.globalAddresses.getcompute.globalAddresses.listcompute.globalForwardingRules.getcompute.globalForwardingRules.listcompute.healthChecks.getcompute.healthChecks.listcompute.httpHealthChecks.getcompute.httpHealthChecks.listcompute.httpsHealthChecks.getcompute.httpsHealthChecks.listcompute.instanceGroupManagers.getcompute.instanceGroupManagers.listcompute.instanceGroups.getcompute.instanceGroups.listcompute.instances.getcompute.instances.getGuestAttributescompute.instances.getSerialPortOutputcompute.instances.listcompute.instances.listReferrerscompute.interconnectAttachments.getcompute.interconnectAttachments.listcompute.interconnectLocations.*compute.interconnects.getcompute.interconnects.listcompute.networks.getcompute.networks.listcompute.projects.getcompute.regionBackendServices.getcompute.regionBackendServices.listcompute.regions.*compute.routers.getcompute.routers.listcompute.routes.getcompute.routes.listcompute.sslCertificates.getcompute.sslCertificates.listcompute.sslPolicies.getcompute.sslPolicies.listcompute.sslPolicies.listAvailableFeaturescompute.subnetworks.getcompute.subnetworks.listcompute.targetHttpProxies.getcompute.targetHttpProxies.listcompute.targetHttpsProxies.getcompute.targetHttpsProxies.listcompute.targetInstances.getcompute.targetInstances.listcompute.targetPools.getcompute.targetPools.listcompute.targetSslProxies.getcompute.targetSslProxies.listcompute.targetTcpProxies.getcompute.targetTcpProxies.listcompute.targetVpnGateways.getcompute.targetVpnGateways.listcompute.urlMaps.getcompute.urlMaps.listcompute.vpnGateways.getcompute.vpnGateways.listcompute.vpnTunnels.getcompute.vpnTunnels.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listservicenetworking.services.getserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy Admin role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityPolicyAdmin
Beta
|
Full control of Compute Engine Organization Security Policies.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Security Policy User role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityPolicyUser
Beta
|
View or use Compute Engine Security Policies to associate with the organization or folders.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getcompute.securityPolicies.getcompute.securityPolicies.listcompute.securityPolicies.useresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Organization Resource Admin role
| Name |
Description |
Permissions |
roles/
compute.orgSecurityResourceAdmin
Beta
|
Full control of Compute Engine Security Policy associations to the organization or folders.
|
compute.globalOperations.getcompute.globalOperations.getIamPolicycompute.globalOperations.listcompute.globalOperations.setIamPolicycompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Admin Login role
| Name |
Description |
Permissions |
roles/
compute.osAdminLogin
|
Access to log in to a Compute Engine instance as an administrator
user.
|
compute.instances.getcompute.instances.listcompute.instances.osAdminLogincompute.instances.osLogincompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login role
| Name |
Description |
Permissions |
roles/
compute.osLogin
|
Access to log in to a Compute Engine instance as a standard user.
|
compute.instances.getcompute.instances.listcompute.instances.osLogincompute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute OS Login External User role
| Name |
Description |
Permissions |
roles/
compute.osLoginExternalUser
|
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required
OS Login roles
in order to allow access to instances using SSH.
|
|
Compute packet mirroring admin role
| Name |
Description |
Permissions |
roles/
compute.packetMirroringAdmin
Beta
|
Specify resources to be mirrored.
|
compute.networks.mirrorcompute.projects.getcompute.subnetworks.mirrorresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute packet mirroring user role
| Name |
Description |
Permissions |
roles/
compute.packetMirroringUser
Beta
|
Use Compute Engine packet mirrorings.
|
compute.packetMirrorings.*compute.projects.getresourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Security Admin role
| Name |
Description |
Permissions |
roles/
compute.securityAdmin
|
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VMBETA
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the security team's group the
securityAdmin role.
|
compute.firewalls.*compute.globalOperations.getcompute.globalOperations.listcompute.instances.setShieldedInstanceIntegrityPolicycompute.instances.setShieldedVmIntegrityPolicycompute.instances.updateShieldedInstanceConfigcompute.instances.updateShieldedVmConfigcompute.networks.getcompute.networks.listcompute.networks.updatePolicycompute.packetMirrorings.*compute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.routes.getcompute.routes.listcompute.securityPolicies.*compute.sslCertificates.*compute.sslPolicies.*compute.subnetworks.getcompute.subnetworks.listcompute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Storage Admin role
| Name |
Description |
Permissions |
roles/
compute.storageAdmin
|
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
their account the storageAdmin role on the project.
|
compute.diskTypes.*compute.disks.*compute.globalOperations.getcompute.globalOperations.listcompute.images.*compute.licenseCodes.*compute.licenses.*compute.projects.getcompute.regionOperations.getcompute.regionOperations.listcompute.regions.*compute.resourcePolicies.*compute.snapshots.*compute.zoneOperations.getcompute.zoneOperations.listcompute.zones.*resourcemanager.projects.getresourcemanager.projects.listserviceusage.quotas.getserviceusage.services.getserviceusage.services.list
|
Compute Viewer role
Compute Shared VPC Admin role
| Name |
Description |
Permissions |
roles/
compute.xpnAdmin
|
Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
This role can only be granted on the organization by an organization
admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host
project. The Shared VPC Admin is responsible for granting the compute.networkUser role
to service owners, and the shared VPC host project owner controls the project itself. Managing the
project is easier if a single principal (individual or group) can fulfill both roles.
|
compute.globalOperations.getcompute.globalOperations.listcompute.organizations.*compute.projects.getcompute.subnetworks.getIamPolicycompute.subnetworks.setIamPolicyresourcemanager.organizations.getresourcemanager.projects.getresourcemanager.projects.getIamPolicyresourcemanager.projects.list
|
DNS Administrator role
| Name |
Description |
Permissions |
roles/
dns.admin
|
Provides read-write access to all Cloud DNS resources.
|
compute.networks.getcompute.networks.listdns.changes.*dns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.*dns.networks.*dns.policies.createdns.policies.deletedns.policies.getdns.policies.listdns.policies.updatedns.projects.*dns.resourceRecordSets.*resourcemanager.projects.getresourcemanager.projects.list
|
DNS Peer role
| Name |
Description |
Permissions |
roles/
dns.peer
Beta
|
Access to target networks with DNS peering zones
|
dns.networks.targetWithPeeringZone
|
DNS Reader role
| Name |
Description |
Permissions |
roles/
dns.reader
|
Provides read-only access to all Cloud DNS resources.
|
compute.networks.getdns.changes.getdns.changes.listdns.dnsKeys.*dns.managedZoneOperations.*dns.managedZones.getdns.managedZones.listdns.policies.getdns.policies.listdns.projects.*dns.resourceRecordSets.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Admin role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountAdmin
|
Create and manage service accounts.
|
iam.serviceAccounts.createiam.serviceAccounts.deleteiam.serviceAccounts.getiam.serviceAccounts.getIamPolicyiam.serviceAccounts.listiam.serviceAccounts.setIamPolicyiam.serviceAccounts.updateresourcemanager.projects.getresourcemanager.projects.list
|
Create Service Accounts role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountCreator
|
Access to create service accounts.
|
iam.serviceAccounts.createiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Delete Service Accounts role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountDeleter
|
Access to delete service accounts.
|
iam.serviceAccounts.deleteiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Key Admin role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountKeyAdmin
|
Create and manage (and rotate) service account keys.
|
iam.serviceAccountKeys.*iam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Service Account Token Creator role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountTokenCreator
|
Impersonate service accounts (create OAuth2 access tokens, sign blobs or
JWTs, etc).
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.implicitDelegationiam.serviceAccounts.listiam.serviceAccounts.signBlobiam.serviceAccounts.signJwtresourcemanager.projects.getresourcemanager.projects.list
|
Service Account User role
| Name |
Description |
Permissions |
roles/
iam.serviceAccountUser
|
Run operations as the service account.
|
iam.serviceAccounts.actAsiam.serviceAccounts.getiam.serviceAccounts.listresourcemanager.projects.getresourcemanager.projects.list
|
Workload Identity User role
| Name |
Description |
Permissions |
roles/
iam.workloadIdentityUser
|
Impersonate service accounts from GKE Workloads
|
iam.serviceAccounts.getiam.serviceAccounts.getAccessTokeniam.serviceAccounts.list
|
The serviceAccountUser role
When granted together with roles/compute.instanceAdmin.v1,
roles/iam.serviceAccountUser gives members the ability to create and
manage instances that use a service account. Specifically, granting
roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together
gives members permission to:
- Create an instance that runs as a
service account.
- Attach a persistent disk to an instance that runs as a service account.
- Set instance metadata on an instance that runs as a service account.
- Use SSH to connect to an instance that runs as a service account.
- Reconfigure an instance to run as a service account.
You can grant roles/iam.serviceAccountUser one of two ways:
Recommended. Grant the role to a member on a
specific service account.
This gives a member access to the service account for which they are an
iam.serviceAccountUser but prevents access to other service accounts for
which the member is not an iam.serviceAccountUser.
Grant the role to a member on the
project level. The member has access to all
service accounts in the project, including service accounts that are created
in the future.
If you aren't familiar with service accounts,
learn more about service accounts.
Connecting to an instance as an instanceAdmin
After you grant a project member the roles/compute.instanceAdmin.v1 role, they
can connect to virtual machine (VM) instances by using standard Google Cloud
tools, like the gcloud tool or
SSH from the Browser.
When a member uses the gcloud command-line tool or SSH from the browser, the
tools automatically generate a public/private key pair and add the public
key to the project metadata. If the member does not have permissions to edit
project metadata, the tool adds the member's public key to the instance
metadata instead.
If the member has an existing key pair they want to use, they
can manually add their public key to the instance's metadata.
Learn more about adding or removing SSH keys from an instance.
IAM with service accounts
Create new custom service accounts and grant Cloud IAM roles to service
accounts to limit the access of your instances. Use Cloud IAM roles
with custom
service accounts to:
- Limit the access your instances have to Google Cloud APIs using granular
Cloud IAM roles.
- Give each instance, or set of instances, a unique identity.
- Limit the access of your default service account.
Learn more about service accounts.
Managed instance groups and Cloud IAM
Managed instance groups, especially when
configured to be autoscaled, are resources that
perform actions on your behalf without direct user interaction. Managed instance
groups use a service account identity to create, delete, and manage
instances in the instance group. For more information, read the
managed instance groups and Cloud IAM
documentation.
Unsupported operations
You cannot grant access to perform
rolling updates
on instance groups using Cloud IAM roles.
To grant permission to perform these operations, use the broader
owner, editor, or viewer roles.
What's next
