Compute Engine IAM roles and permissions

When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to specific resources.

Compute Engine has a set of predefined IAM roles that are described on this page. You can also create custom roles that contain subsets of permissions that map directly to your needs.

To learn which permissions are required for each method, see the Compute Engine API reference documentation:

For information about granting access, see the following pages.

To set IAM policies at a project level, see Granting, changing, and revoking access to resources in the IAM documentation.
To set policies on specific Compute Engine resources, read Granting access to Compute Engine resources.
To assign roles to a Compute Engine service account, read Creating and enabling service accounts for instances.

Before you begin

Read the IAM documentation.

What is IAM?

Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a project member, giving that identity certain permissions. For example, for a given resource, such as a project, you can assign the roles/compute.networkAdmin role to a Google Account and that account can control network-related resources in the project, but cannot manage other resources, like instances and disks. You can also use IAM to manage the Cloud Console legacy roles granted to project team members.

The serviceAccountUser role

When granted together with roles/compute.instanceAdmin.v1, roles/iam.serviceAccountUser gives members the ability to create and manage instances that use a service account. Specifically, granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together gives members permission to:

Create an instance that runs as a service account.
Attach a persistent disk to an instance that runs as a service account.
Set instance metadata on an instance that runs as a service account.
Use SSH to connect to an instance that runs as a service account.
Reconfigure an instance to run as a service account.

You can grant roles/iam.serviceAccountUser one of two ways:

Recommended. Grant the role to a member on a specific service account. This gives a member access to the service account for which they are an iam.serviceAccountUser but prevents access to other service accounts for which the member is not an iam.serviceAccountUser.
Grant the role to a member on the project level. The member has access to all service accounts in the project, including service accounts that are created in the future.

If you aren't familiar with service accounts, learn more about service accounts.

Google Cloud Console permission

To use the Google Cloud Console to access Compute Engine resources, you must have a role that contains the following permission on the project:

compute.projects.get

Connecting to an instance as an instanceAdmin

After you grant a project member the roles/compute.instanceAdmin.v1 role, they can connect to virtual machine (VM) instances by using standard Google Cloud tools, like the gcloud tool or SSH from the Browser.

When a member uses the gcloud tool or SSH from the browser, the tools automatically generate a public/private key pair and add the public key to the project metadata. If the member does not have permissions to edit project metadata, the tool adds the member's public key to the instance metadata instead.

If the member has an existing key pair they want to use, they can manually add their public key to the instance's metadata. Learn more about adding or removing SSH keys from an instance.

IAM with service accounts

Create new custom service accounts and grant IAM roles to service accounts to limit the access of your instances. Use IAM roles with custom service accounts to:

Limit the access your instances have to Google Cloud APIs using granular IAM roles.
Give each instance, or set of instances, a unique identity.
Limit the access of your default service account.

Learn more about service accounts.

Managed instance groups and IAM

Managed instance groups, especially when configured to be autoscaled, are resources that perform actions on your behalf without direct user interaction. Managed instance groups use a service account identity to create, delete, and manage instances in the instance group. For more information, read the managed instance groups and IAM documentation.

Unsupported operations

You cannot grant access to perform rolling updates on instance groups using IAM roles.

To grant permission to perform these operations, use the broader owner, editor, or viewer roles.

Predefined Compute Engine IAM roles

With IAM, every API method in Compute Engine API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a member (user, group, or service account) of your project.

In addition to basic roles (viewer, editor, owner) and custom roles, you can assign the following Compute Engine predefined roles to the members of your project.

You can grant multiple roles to a project member on the same resource. For example, if your networking team also manages firewall rules, you can grant both roles/compute.networkAdmin and roles/compute.securityAdmin to the networking team's Google group.

The following tables describe the predefined Compute Engine IAM roles, as well as the permissions contained within each role. Each role contains a set of permissions that is suitable for a specific task. For example, the Instance Admin roles grant permissions to manage instances, the network-related roles include permissions to manage network-related resources, and the security role includes permissions to manage security-related resources, like firewalls and SSL certificates.

Compute Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.admin`	Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role.	`compute.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Image User role

Name	Description	Permissions
`roles/compute.imageUser`	Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.	`compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Instance Admin (beta) role

Name Description Permissions

Name	Description	Permissions
`roles/compute.instanceAdmin`	Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM^BETA settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.addresses.use` `compute.autoscalers.` `compute.diskTypes.` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.resize` `compute.disks.setLabels` `compute.disks.update` `compute.disks.use` `compute.disks.useReadOnly` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.list` `compute.images.useReadOnly` `compute.instanceGroupManagers.` `compute.instanceGroups.` `compute.instanceTemplates.` `compute.instances.` `compute.licenses.get` `compute.licenses.list` `compute.machineImages.` `compute.machineTypes.` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetPools.get` `compute.targetPools.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.instanceAdmin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM^BETA settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Instance Admin (v1) role

Name Description Permissions

Name	Description	Permissions
`roles/compute.instanceAdmin.v1`	Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.addresses.use` `compute.autoscalers.` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.diskTypes.` `compute.disks.` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalAddresses.use` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.globalOperations.get` `compute.globalOperations.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.images.` `compute.instanceGroupManagers.` `compute.instanceGroups.` `compute.instanceTemplates.` `compute.instances.` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.licenseCodes.` `compute.licenses.` `compute.machineImages.` `compute.machineTypes.` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.projects.setCommonInstanceMetadata` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.resourcePolicies.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.snapshots.` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.instanceAdmin.v1

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Load Balancer Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.loadBalancerAdmin` ^Beta	Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.	`compute.addresses.` `compute.backendBuckets.` `compute.backendServices.` `compute.forwardingRules.` `compute.globalAddresses.` `compute.globalForwardingRules.` `compute.healthChecks.` `compute.httpHealthChecks.` `compute.httpsHealthChecks.` `compute.instanceGroups.` `compute.instances.get` `compute.instances.list` `compute.instances.use` `compute.instances.useReadOnly` `compute.networkEndpointGroups.` `compute.networks.get` `compute.networks.list` `compute.networks.use` `compute.projects.get` `compute.regionBackendServices.` `compute.regionHealthCheckServices.` `compute.regionNotificationEndpoints.` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.use` `compute.sslCertificates.` `compute.sslPolicies.` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.targetHttpProxies.` `compute.targetHttpsProxies.` `compute.targetInstances.` `compute.targetPools.` `compute.targetSslProxies.` `compute.targetTcpProxies.` `compute.urlMaps.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.loadBalancerAdmin ^Beta

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.instances.useReadOnly
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionNotificationEndpoints.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.networkAdmin`	Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.	`compute.acceleratorTypes.` `compute.addresses.` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.` `compute.backendServices.` `compute.externalVpnGateways.` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.` `compute.globalAddresses.` `compute.globalForwardingRules.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.globalPublicDelegatedPrefixes.delete` `compute.globalPublicDelegatedPrefixes.get` `compute.globalPublicDelegatedPrefixes.list` `compute.globalPublicDelegatedPrefixes.update` `compute.globalPublicDelegatedPrefixes.updatePolicy` `compute.healthChecks.` `compute.httpHealthChecks.` `compute.httpsHealthChecks.` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroupManagers.update` `compute.instanceGroupManagers.use` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceGroups.update` `compute.instanceGroups.use` `compute.instances.get` `compute.instances.getGuestAttributes` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.list` `compute.instances.listReferrers` `compute.instances.use` `compute.instances.useReadOnly` `compute.interconnectAttachments.` `compute.interconnectLocations.` `compute.interconnects.` `compute.machineTypes.` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networkEndpointGroups.use` `compute.networks.` `compute.projects.get` `compute.publicDelegatedPrefixes.delete` `compute.publicDelegatedPrefixes.get` `compute.publicDelegatedPrefixes.list` `compute.publicDelegatedPrefixes.update` `compute.publicDelegatedPrefixes.updatePolicy` `compute.regionBackendServices.` `compute.regionHealthCheckServices.` `compute.regionNotificationEndpoints.` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.routers.` `compute.routes.` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.use` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.` `compute.subnetworks.` `compute.targetHttpProxies.` `compute.targetHttpsProxies.` `compute.targetInstances.` `compute.targetPools.` `compute.targetSslProxies.` `compute.targetTcpProxies.` `compute.targetVpnGateways.` `compute.urlMaps.` `compute.vpnGateways.` `compute.vpnTunnels.` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.` `networksecurity.` `networkservices.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.operations.get` `servicenetworking.services.addPeering` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkAdmin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.

compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.externalVpnGateways.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.instances.useReadOnly
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.machineTypes.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networksecurity.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network User role

Name Description Permissions

Name	Description	Permissions
`roles/compute.networkUser`	Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.	`compute.addresses.createInternal` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.list` `compute.addresses.useInternal` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.externalVpnGateways.use` `compute.firewalls.get` `compute.firewalls.list` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.interconnects.use` `compute.networks.access` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.networks.use` `compute.networks.useExternalIp` `compute.projects.get` `compute.regions.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnGateways.use` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zones.` `networksecurity.authorizationPolicies.get` `networksecurity.authorizationPolicies.list` `networksecurity.authorizationPolicies.use` `networksecurity.clientTlsPolicies.get` `networksecurity.clientTlsPolicies.list` `networksecurity.clientTlsPolicies.use` `networksecurity.locations.` `networksecurity.operations.get` `networksecurity.operations.list` `networksecurity.serverTlsPolicies.get` `networksecurity.serverTlsPolicies.list` `networksecurity.serverTlsPolicies.use` `networkservices.endpointConfigSelectors.get` `networkservices.endpointConfigSelectors.list` `networkservices.endpointConfigSelectors.use` `networkservices.httpFilters.get` `networkservices.httpFilters.list` `networkservices.httpFilters.use` `networkservices.httpfilters.get` `networkservices.httpfilters.list` `networkservices.httpfilters.use` `networkservices.locations.*` `networkservices.operations.get` `networkservices.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkUser

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.use
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.use
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.use
networkservices.locations.*
networkservices.operations.get
networkservices.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Network Viewer role

Name Description Permissions

Name	Description	Permissions
`roles/compute.networkViewer`	Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instances.get` `compute.instances.getGuestAttributes` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.list` `compute.instances.listReferrers` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.machineTypes.` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.projects.get` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regions.` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.list` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zones.` `networksecurity.authorizationPolicies.get` `networksecurity.authorizationPolicies.list` `networksecurity.clientTlsPolicies.get` `networksecurity.clientTlsPolicies.list` `networksecurity.locations.` `networksecurity.operations.get` `networksecurity.operations.list` `networksecurity.serverTlsPolicies.get` `networksecurity.serverTlsPolicies.list` `networkservices.endpointConfigSelectors.get` `networkservices.endpointConfigSelectors.list` `networkservices.httpFilters.get` `networkservices.httpFilters.list` `networkservices.httpfilters.get` `networkservices.httpfilters.list` `networkservices.locations.*` `networkservices.operations.get` `networkservices.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicenetworking.services.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.networkViewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.locations.*
networkservices.operations.get
networkservices.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Organization Security Policy Admin role

Name	Description	Permissions
`roles/compute.orgSecurityPolicyAdmin` ^Beta	Full control of Compute Engine Organization Security Policies.	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.projects.get` `compute.securityPolicies.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Organization Security Policy User role

Name	Description	Permissions
`roles/compute.orgSecurityPolicyUser` ^Beta	View or use Compute Engine Security Policies to associate with the organization or folders.	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.projects.get` `compute.securityPolicies.addAssociation` `compute.securityPolicies.get` `compute.securityPolicies.list` `compute.securityPolicies.removeAssociation` `compute.securityPolicies.use` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Organization Resource Admin role

Name	Description	Permissions
`roles/compute.orgSecurityResourceAdmin` ^Beta	Full control of Compute Engine Security Policy associations to the organization or folders.	`compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalOperations.setIamPolicy` `compute.organizations.listAssociations` `compute.organizations.setSecurityPolicy` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Admin Login role

Name	Description	Permissions
`roles/compute.osAdminLogin`	Access to log in to a Compute Engine instance as an administrator user.	`compute.instances.get` `compute.instances.list` `compute.instances.osAdminLogin` `compute.instances.osLogin` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Login role

Name	Description	Permissions
`roles/compute.osLogin`	Access to log in to a Compute Engine instance as a standard user.	`compute.instances.get` `compute.instances.list` `compute.instances.osLogin` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute OS Login External User role

Name Description Permissions

Name	Description	Permissions
`roles/compute.osLoginExternalUser`	Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.	`compute.oslogin.*`

roles/compute.osLoginExternalUser

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

compute.oslogin.*

Compute packet mirroring admin role

Name	Description	Permissions
`roles/compute.packetMirroringAdmin`	Specify resources to be mirrored.	`compute.networks.mirror` `compute.projects.get` `compute.subnetworks.mirror` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute packet mirroring user role

Name	Description	Permissions
`roles/compute.packetMirroringUser`	Use Compute Engine packet mirrorings.	`compute.packetMirrorings.*` `compute.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Compute Public IP Admin role

Name	Description	Permissions
`roles/compute.publicIpAdmin` ^Beta	Full control of public IP address management for Compute Engine.	`compute.addresses.` `compute.globalAddresses.` `compute.globalPublicDelegatedPrefixes.` `compute.publicAdvertisedPrefixes.` `compute.publicDelegatedPrefixes.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

Compute Security Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.securityAdmin`	Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM^BETA settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.	`compute.firewalls.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.instances.getEffectiveFirewalls` `compute.instances.setShieldedInstanceIntegrityPolicy` `compute.instances.setShieldedVmIntegrityPolicy` `compute.instances.updateShieldedInstanceConfig` `compute.instances.updateShieldedVmConfig` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.updatePolicy` `compute.packetMirrorings.` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.routes.get` `compute.routes.list` `compute.securityPolicies.` `compute.sslCertificates.` `compute.sslPolicies.` `compute.subnetworks.get` `compute.subnetworks.list` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.securityAdmin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM^BETA settings.

compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.getEffectiveFirewalls
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Storage Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.storageAdmin`	Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.	`compute.diskTypes.` `compute.disks.` `compute.globalOperations.get` `compute.globalOperations.list` `compute.images.` `compute.licenseCodes.` `compute.licenses.` `compute.projects.get` `compute.regionOperations.get` `compute.regionOperations.list` `compute.regions.` `compute.resourcePolicies.` `compute.snapshots.` `compute.zoneOperations.get` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.storageAdmin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Viewer role

Name Description Permissions

Name	Description	Permissions
`roles/compute.viewer`	Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.	`compute.acceleratorTypes.` `compute.addresses.get` `compute.addresses.list` `compute.autoscalers.get` `compute.autoscalers.list` `compute.backendBuckets.get` `compute.backendBuckets.list` `compute.backendServices.get` `compute.backendServices.list` `compute.commitments.get` `compute.commitments.list` `compute.diskTypes.` `compute.disks.get` `compute.disks.getIamPolicy` `compute.disks.list` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.globalOperations.get` `compute.globalOperations.getIamPolicy` `compute.globalOperations.list` `compute.globalPublicDelegatedPrefixes.get` `compute.globalPublicDelegatedPrefixes.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.images.get` `compute.images.getFromFamily` `compute.images.getIamPolicy` `compute.images.list` `compute.instanceGroupManagers.get` `compute.instanceGroupManagers.list` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instanceTemplates.get` `compute.instanceTemplates.getIamPolicy` `compute.instanceTemplates.list` `compute.instances.get` `compute.instances.getEffectiveFirewalls` `compute.instances.getGuestAttributes` `compute.instances.getIamPolicy` `compute.instances.getScreenshot` `compute.instances.getSerialPortOutput` `compute.instances.getShieldedInstanceIdentity` `compute.instances.getShieldedVmIdentity` `compute.instances.list` `compute.instances.listReferrers` `compute.interconnectAttachments.get` `compute.interconnectAttachments.list` `compute.interconnectLocations.` `compute.interconnects.get` `compute.interconnects.list` `compute.licenseCodes.get` `compute.licenseCodes.getIamPolicy` `compute.licenseCodes.list` `compute.licenses.get` `compute.licenses.getIamPolicy` `compute.licenses.list` `compute.machineImages.get` `compute.machineImages.getIamPolicy` `compute.machineImages.list` `compute.machineTypes.` `compute.maintenancePolicies.get` `compute.maintenancePolicies.getIamPolicy` `compute.maintenancePolicies.list` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.getIamPolicy` `compute.networkEndpointGroups.list` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.nodeGroups.get` `compute.nodeGroups.getIamPolicy` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.nodeTemplates.getIamPolicy` `compute.nodeTemplates.list` `compute.nodeTypes.` `compute.organizations.listAssociations` `compute.projects.get` `compute.publicAdvertisedPrefixes.get` `compute.publicAdvertisedPrefixes.list` `compute.publicDelegatedPrefixes.get` `compute.publicDelegatedPrefixes.list` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthCheckServices.get` `compute.regionHealthCheckServices.list` `compute.regionNotificationEndpoints.get` `compute.regionNotificationEndpoints.list` `compute.regionOperations.get` `compute.regionOperations.getIamPolicy` `compute.regionOperations.list` `compute.regions.` `compute.reservations.get` `compute.reservations.list` `compute.resourcePolicies.get` `compute.resourcePolicies.list` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.securityPolicies.get` `compute.securityPolicies.getIamPolicy` `compute.securityPolicies.list` `compute.snapshots.get` `compute.snapshots.getIamPolicy` `compute.snapshots.list` `compute.sslCertificates.get` `compute.sslCertificates.list` `compute.sslPolicies.get` `compute.sslPolicies.list` `compute.sslPolicies.listAvailableFeatures` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.urlMaps.validate` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `compute.zoneOperations.get` `compute.zoneOperations.getIamPolicy` `compute.zoneOperations.list` `compute.zones.*` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

roles/compute.viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.organizations.listAssociations
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Compute Shared VPC Admin role

Name Description Permissions

Name	Description	Permissions
`roles/compute.xpnAdmin`	Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (`roles/compute.networkUser`) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.	`compute.globalOperations.get` `compute.globalOperations.list` `compute.organizations.administerXpn` `compute.organizations.disableXpnHost` `compute.organizations.disableXpnResource` `compute.organizations.enableXpnHost` `compute.organizations.enableXpnResource` `compute.projects.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.setIamPolicy` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.getIamPolicy` `resourcemanager.projects.list`

roles/compute.xpnAdmin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Assignment Admin role

Name	Description	Permissions
`roles/osconfig.assignmentAdmin`	Full admin access to Assignments	`resourcemanager.projects.get` `resourcemanager.projects.list`

Assignment Editor role

Name	Description	Permissions
`roles/osconfig.assignmentEditor`	Editor of Assignment resources	`resourcemanager.projects.get` `resourcemanager.projects.list`

Assignment Viewer role

Name	Description	Permissions
`roles/osconfig.assignmentViewer`	Viewer of Assignment resources	`resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Admin role

Name	Description	Permissions
`roles/osconfig.guestPolicyAdmin` ^Beta	Full admin access to GuestPolicies	`osconfig.guestPolicies.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Editor role

Name	Description	Permissions
`roles/osconfig.guestPolicyEditor` ^Beta	Editor of GuestPolicy resources	`osconfig.guestPolicies.get` `osconfig.guestPolicies.list` `osconfig.guestPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

GuestPolicy Viewer role

Name	Description	Permissions
`roles/osconfig.guestPolicyViewer` ^Beta	Viewer of GuestPolicy resources	`osconfig.guestPolicies.get` `osconfig.guestPolicies.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Admin role

Name	Description	Permissions
`roles/osconfig.osConfigAdmin`	Full admin access to OsConfigs	`resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Editor role

Name	Description	Permissions
`roles/osconfig.osConfigEditor`	Editor of OsConfig resources	`resourcemanager.projects.get` `resourcemanager.projects.list`

OsConfig Viewer role

Name	Description	Permissions
`roles/osconfig.osConfigViewer`	Viewer of OsConfig resources	`resourcemanager.projects.get` `resourcemanager.projects.list`

PatchDeployment Admin role

Name	Description	Permissions
`roles/osconfig.patchDeploymentAdmin`	Full admin access to PatchDeployments	`osconfig.patchDeployments.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

PatchDeployment Viewer role

Name	Description	Permissions
`roles/osconfig.patchDeploymentViewer`	Viewer of PatchDeployment resources	`osconfig.patchDeployments.get` `osconfig.patchDeployments.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Patch Job Executor role

Name	Description	Permissions
`roles/osconfig.patchJobExecutor`	Access to execute Patch Jobs.	`osconfig.patchJobs.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

Patch Job Viewer role

Name	Description	Permissions
`roles/osconfig.patchJobViewer`	Get and list Patch Jobs.	`osconfig.patchJobs.get` `osconfig.patchJobs.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

DNS Administrator role

Name	Description	Permissions
`roles/dns.admin`	Provides read-write access to all Cloud DNS resources.	`compute.networks.get` `compute.networks.list` `dns.changes.` `dns.dnsKeys.` `dns.managedZoneOperations.` `dns.managedZones.` `dns.networks.` `dns.policies.create` `dns.policies.delete` `dns.policies.get` `dns.policies.list` `dns.policies.update` `dns.projects.` `dns.resourceRecordSets.*` `resourcemanager.projects.get` `resourcemanager.projects.list`

DNS Peer role

Name	Description	Permissions
`roles/dns.peer`	Access to target networks with DNS peering zones	`dns.networks.targetWithPeeringZone`

DNS Reader role

Name	Description	Permissions
`roles/dns.reader`	Provides read-only access to all Cloud DNS resources.	`compute.networks.get` `dns.changes.get` `dns.changes.list` `dns.dnsKeys.` `dns.managedZoneOperations.` `dns.managedZones.get` `dns.managedZones.list` `dns.policies.get` `dns.policies.list` `dns.projects.*` `dns.resourceRecordSets.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Admin role

Name	Description	Permissions
`roles/iam.serviceAccountAdmin`	Create and manage service accounts.	`iam.serviceAccounts.create` `iam.serviceAccounts.delete` `iam.serviceAccounts.disable` `iam.serviceAccounts.enable` `iam.serviceAccounts.get` `iam.serviceAccounts.getIamPolicy` `iam.serviceAccounts.list` `iam.serviceAccounts.setIamPolicy` `iam.serviceAccounts.undelete` `iam.serviceAccounts.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Create Service Accounts role

Name	Description	Permissions
`roles/iam.serviceAccountCreator`	Access to create service accounts.	`iam.serviceAccounts.create` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Delete Service Accounts role

Name	Description	Permissions
`roles/iam.serviceAccountDeleter`	Access to delete service accounts.	`iam.serviceAccounts.delete` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Key Admin role

Name	Description	Permissions
`roles/iam.serviceAccountKeyAdmin`	Create and manage (and rotate) service account keys.	`iam.serviceAccountKeys.*` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account Token Creator role

Name	Description	Permissions
`roles/iam.serviceAccountTokenCreator`	Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.implicitDelegation` `iam.serviceAccounts.list` `iam.serviceAccounts.signBlob` `iam.serviceAccounts.signJwt` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Account User role

Name	Description	Permissions
`roles/iam.serviceAccountUser`	Run operations as the service account.	`iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Workload Identity User role

Name	Description	Permissions
`roles/iam.workloadIdentityUser`	Impersonate service accounts from GKE Workloads	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.list`

What's next

Learn more about IAM.
Learn how to create and manage custom IAM roles.
Grant IAM roles to project users.
Grant IAM roles for specific Compute Engine resources.
Grant IAM roles to service accounts.