Compute Engine IAM Roles

This page describes Identity and Access Management (IAM) roles and the permissions granted to each Compute Engine IAM role. When you add a new project member to your project, you can assign IAM roles to the new member using IAM policies. To learn how to set policies, read Managing Policies in the IAM documentation. To learn how to assign roles to a Compute Engine service account, read the Creating and Enabling Service Accounts for Instances documentation.

Before you begin

What is IAM?

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a project member, giving the identity certain permissions. For example, you can assign the compute.networkAdmin role to a Google account and the account can control network-related resources in the project, but cannot manage other resources, like instances and disks. You can also use IAM to apply the Cloud Platform Console legacy roles granted to project team members.

Compute Engine IAM roles

With IAM, every API method in Compute Engine requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account as a member of your project. In addition to the legacy roles, owner, editor, and viewer, you can assign the following Compute Engine roles to the members of your project.

The following table lists the IAM roles available to Compute Engine users. The table is divided into different roles. For example, the first two roles in the table grant permissions to manage instances, followed by roles that grant permissions to manage network-related resources. Lastly, the security roles grant permissions to manage security-related resources, like firewalls and SSL certificates.

Roles

Role Name

roles/compute.instanceAdmin.v1

Role Title

Compute Engine Instance Admin

Purpose

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read-only access to all networking resources.

If the member will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountActor role.

For example, if your company has a team dedicated to managing Compute Engine resources, grant them the roles/compute.instanceAdmin.v1 role.

API Methods Allowed

  • compute.addresses.{get|list|aggregatedList}
  • compute.autoscalers.*
  • compute.backendServices.{get|list}
  • compute.disks.*
  • compute.diskTypes.*
  • compute.firewalls.{get|list}
  • compute.forwardingRules.{get|list|aggregatedList}
  • compute.globalAddresses.{get|list}
  • compute.globalForwardingRules.{get|list}
  • compute.globalOperations.{get|list|aggregatedList}
  • compute.healthChecks.{get|list}
  • compute.httpHealthChecks.{get|list}
  • compute.httpsHealthChecks.{get|list}
  • compute.images.*
  • compute.instances.*
  • compute.instanceGroups.*
  • compute.instanceGroupManagers.*
  • compute.instanceTemplates.*
  • compute.licenses.{get|list}
  • compute.networks.{get|list|aggregatedList}
  • compute.machineTypes.{get|list}
  • compute.projects.{get|moveDisk|setCommonInstanceMetadata}
  • compute.regions.{get|list}
  • compute.regionOperations.{get|list}
  • compute.routes.{get|list}
  • compute.routers.{get|list}
  • compute.snapshots.*
  • compute.sslCertificates.{get|list}
  • compute.subnetworks.{get|list|aggregatedList}
  • compute.targetHttpProxies.{get|list}
  • compute.targetHttpsProxies.{get|list}
  • compute.targetInstances.{get|list}
  • compute.targetPools.{get|list}
  • compute.targetSslProxies.{get|list}
  • compute.targetVpnGateways.{get|list}
  • compute.urlMaps.{get|list}
  • compute.vpnTunnels.{get|list}
  • compute.zones.{get|list}
  • compute.zoneOperations.{get|list}

This role permits members to connect to an instance using SSH.

Role Name

roles/iam.serviceAccountActor

Role Title

Service Account Actor

Purpose

Permission to create instances that use service accounts, and permission to attach a disk and set metadata on an instance already configured to run as a service account.

You should grant this role alongside the compute.instanceAdmin role.

For example, if your company uses instances that run as service accounts, grant this role to the instance administrator responsible for those instances.

API Methods Allowed

Does not directly grant Compute Engine API permissions but is required for the following API methods:

  • compute.instances.attachDisk
  • compute.instances.insert
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.instanceGroupManagers.{insert|setInstanceTemplate}

This role also permits users to connect to an instance that is configured to run as a service account, using SSH.

Role Name

roles/compute.imageUser

Role Title

Compute Engine Image User

Purpose

Permission to list and read images without having other permissions to resources in the project. Granting the compute.imageUser role gives members the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

API Methods Allowed

  • compute.images.{get|list}

Role Name

roles/compute.networkUserBeta

Role Title

Network User

Purpose

Permissions to use a [shared VPC](/compute/docs/shared-vpc) network. Specifically, grant this role to service owners that need to use resources in the shared VPC host project network. Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

API Methods Allowed

  • compute.addresses.{get|list|aggregatedList}
  • compute.firewalls.{get|list}
  • compute.networks.{get|list}
  • compute.projects.get
  • compute.regions.{get|list}
  • compute.routers.(get|getRouterStatus|list|aggregatedList}
  • compute.routes.{get|list}
  • compute.subnetworks.{get|list|aggregatedList}
  • compute.targetVpnGateways.{get|list|aggregatedList}
  • compute.urlMaps.get
  • compute.vpnTunnels.{get|list|aggregatedList}
  • compute.zones.{get|list}

Role Name

roles/compute.networkViewerBeta

Role Title

Network Viewer

Purpose

Read-only access to all networking resources.

For example, if you have software that inspects your network configuration, you could grant that software’s service account the compute.networkViewer role.

API Methods Allowed

  • compute.{global}addresses.{get|list|aggregatedList}
  • compute.backendServices.{get|list|getHealth}
  • compute.firewalls.{get|list}
  • compute.{global}forwardingRules.{get|list|aggregatedList}
  • compute.httpHealthChecks.{get|list}
  • compute.httpsHealthChecks.{get|list}
  • compute.instances.{get|list|aggregatedList| getSerialPortOutput}
  • compute.instanceGroups.{get|list|aggregatedList|listInstances}
  • compute.machineTypes.{get|list}
  • compute.networks.{get|list}
  • compute.projects.get
  • compute.regions.{get|list}
  • compute.routers.(get|getRouterStatus|list|aggregatedList}
  • compute.routes.{get|list}
  • compute.sslCertificates.{get|list}
  • compute.subnetworks.{get|list|aggregatedList}
  • compute.targetHttpProxies.{get|list}
  • compute.targetHttpsProxies.{get|list}
  • compute.targetInstances.{get|list|aggregatedList}
  • compute.targetPools.{get|list|aggregatedList|getHealth}
  • compute.targetSslProxies.{get|list}
  • compute.targetVpnGateways.{get|list|aggregatedList}
  • compute.urlMaps.get
  • compute.vpnTunnels.{get|list|aggregatedList}
  • compute.zones.{get|list}

Role Name

roles/compute.networkAdmin

Role Title

Network Admin

Purpose

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not grant permissions to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team’s group the compute.networkAdmin role.

API Methods Allowed

All the permissions of compute.networkViewer, plus:

  • compute.{global}addresses.{insert|delete}
  • compute.backendServices.{insert|delete|update}
  • compute.firewalls.{get|list}
  • compute.{global}forwardingRules.{insert|delete|setTarget}
  • compute.httpHealthChecks.{insert|delete|update}
  • compute.httpsHealthChecks.{insert|delete|update}
  • compute.instanceGroupManagers.{recreateInstances| resize|
    deleteInstances|listManagedInstances|abandonInstances}
  • compute.networks.{insert|delete|switchToCustomMode}
  • compute.routers.{insert|delete| update}
  • compute.routes.{insert|delete}
  • compute.sslCertificates.{get|list}
  • compute.subnetworks.{insert|delete}
  • compute.targetHttpProxies.{insert|delete|setUrlMap}
  • compute.targetHttpsProxies.{insert|delete|setUrlMap| setSslCertificates}
  • compute.targetInstances.{insert|delete}
  • compute.targetPools.{addHealthcheck|addInstance|delete|insert| removeHealthCheck|removeInstance|setBackup}
  • compute.targetVpnGateways.{delete|insert}
  • compute.urlMaps.{insert|delete|validate|invalidateCache}
  • compute.vpnTunnels.{insert|delete}

Role Name

roles/compute.securityAdmin

Role Title

Security Admin

Purpose

Permissions to create, modify, and delete firewall rules and SSL certificates.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team’s group the compute.securityAdmin role.

API Methods Allowed

  • compute.firewalls.*
  • compute.networks.{get|list}
  • compute.projects.get
  • compute.regions.*
  • compute.routes.{get|list}
  • compute.sslCertificates.*
  • compute.zones.*

Role Name

roles/compute.storageAdminBeta

Role Title

Compute Engine Storage Admin

Purpose

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages images and you don’t want them to have the editor role on the project, then grant their account the compute.storageAdmin role.

API Methods Allowed

  • compute.disks.*
  • compute.diskTypes.*
  • compute.images.*
  • compute.projects.{get|moveDisk}
  • compute.regions.*
  • compute.snapshots.*
  • compute.zones.*
  • compute.licenses.*

Role Name

roles/compute.xpnAdmin

Role Title

Shared VPC Admin

Purpose

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. This role can only be granted on the organization by an organization admin.

Google Cloud Platform recommends that the shared VPC admin be the owner of the shared VPC host project. The shared VPC admin is responsible for granting compute.networkUser role to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

API Methods Allowed

  • compute.globalOperations.{get|list|aggregatedList}
  • compute.projects.get
  • compute.networks.{get|list}
  • compute.subnetworks.getIamPolicy
  • resourcemanager.projects.{get|list|getIamPolicy}

Role Name

roles/compute.instanceAdminBeta

Role Title

Compute Engine Instance Admin

Purpose

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks.

If the member will be managing virtual machine instances that are configured to run as a service account, you must also grant the iam.serviceAccountActor role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, grant this role.

API Methods Allowed

  • compute.{global}addresses.{get|list|aggregatedList}
  • compute.autoscalers.*
  • compute.disks.{insert|delete|get|list|aggregatedList}
  • compute.disksTypes.{get|list|aggregatedList}
  • compute.globalOperations.{get|list}
  • compute.licenses.{list}
  • compute.machineTypes.{get|list|aggregatedList}
  • compute.networks.{get|list}
  • compute.images.{get|list}
  • compute.instances.*
  • compute.instanceGroups.*
  • compute.instanceGroupManagers.*
  • compute.instanceTemplates.*
  • compute.projects.get
  • compute.regions.{get|list}
  • compute.regionOperations.{get|list}
  • compute.subnetworks.{get|list|aggregatedList}
  • compute.zones.{get|list}
  • compute.zoneOperations.{get|list}

This role also permits users to connect to an instance using SSH.

You can grant multiple roles to a project member on the same project. For example, if your networking team manages firewall rules instead of leaving those to a separate security team, you can grant the compute.networkAdmin and compute.securityAdmin roles to the networking team’s Google group.

The serviceAccountActor role

When granted together with the compute.instanceAdmin.v1 role, the iam.serviceAccountActor role gives members the ability to create and manage instances that use a service account. Specifically, granting the iam.serviceAccountActor and the compute.instanceAdmin.v1 roles together gives members permission to:

  • Create an instance that runs as a service account.
  • Attach a persistent disk to an instance that runs as a service account.
  • Set instance metadata on an instance that runs as a service account.
  • Use SSH to connect to an instance that runs as a service account.
  • Reconfigure an instance to run as a service account.

You can grant the iam.serviceAccountActor role one of two ways:

  • [Recommended] Grant the role to a member on a specific service account. This gives a member access to the service account for which they are an iam.serviceAccountActor but prevents access to other service accounts for which the member is not an iam.serviceAccountActor.

  • Grant the role to a member on the project level. The member has access to all service accounts in the project, including service accounts that are created in the future.

If you aren't familiar with service accounts, learn more about service accounts.

Connecting to an instance as an instanceAdmin

After you grant a project member the roles/compute.instanceAdmin.v1 role, they can connect to virtual machine instances using the standard Google Cloud Platform tools, like the gcloud tool or SSH from the Browser.

When a member uses the gcloud command-line tool or SSH from the browser, the tools will automatically generate a public/private keypair and add the public key to the project metadata. If the member does not have permissions to edit project metadata, the tool will add the member's public key to the instance metadata instead.

If the member has an existing keypair they want to use, they can manually add their public key to the instance's metadata. Learn more about adding and removing SSH keys from an instance.

IAM with service accounts

Create new custom service accounts and grant IAM roles to service accounts to limit the access of your instances. Use IAM roles with custom service accounts to:

  • Limit the access your instances have to Cloud Platform APIs using granular IAM roles.
  • Give each instance, or set of instances, a unique identity.
  • Limit the access of your default service account.

Learn more about service accounts.

Managed Instance Groups and IAM

Managed instance groups, especially when configured to be autoscaled, are resources that perform actions on your behalf without direct user interaction. Managed instance groups use a service account identity to create, delete, and manage instances in the instance group. For more information, read the managed instance groups and IAM documentation.

Unsupported operations

You cannot grant access to perform rolling updates on instance groups using IAM roles.

To grant permission to perform these operations, use the broader owner, editor, or viewer roles.

Known issues

  • Some IAM roles are still in Beta so IAM might not be supported by all available clients. We recommend using the gcloud command-line tool or the Google Cloud Platform APIs directly to use IAM.

What's next

Send feedback about...

This page
Documentation feedback
Compute Engine Documentation
Product feedback