Compute Engine IAM roles and permissions

When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to specific resources.

Compute Engine has a set of predefined IAM roles that are described on this page. You can also create custom roles that contain subsets of permissions that map directly to your needs.

To learn which permissions are required for each method, see the Compute Engine API reference documentation:

For information about granting access, see the following pages.

To set IAM policies at a project level, see Granting, changing, and revoking access to resources in the IAM documentation.
To set policies on specific Compute Engine resources, read Granting access to Compute Engine resources.
To assign roles to a Compute Engine service account, read Creating and enabling service accounts for instances.

Before you begin

Read the IAM documentation.

What is IAM?

Google Cloud offers IAM, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (identity) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a project member, giving that identity certain permissions. For example, for a given resource, such as a project, you can assign the roles/compute.networkAdmin role to a Google Account and that account can control network-related resources in the project, but cannot manage other resources, like instances and disks. You can also use IAM to manage the Google Cloud console legacy roles granted to project team members.

The serviceAccountUser role

When granted together with roles/compute.instanceAdmin.v1, roles/iam.serviceAccountUser gives members the ability to create and manage instances that use a service account. Specifically, granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together gives members permission to:

Create an instance that runs as a service account.
Attach a persistent disk to an instance that runs as a service account.
Set instance metadata on an instance that runs as a service account.
Use SSH to connect to an instance that runs as a service account.
Reconfigure an instance to run as a service account.

You can grant roles/iam.serviceAccountUser one of two ways:

Recommended. Grant the role to a member on a specific service account. This gives a member access to the service account for which they are an iam.serviceAccountUser but prevents access to other service accounts for which the member is not an iam.serviceAccountUser.
Grant the role to a member on the project level. The member has access to all service accounts in the project, including service accounts that are created in the future.

If you aren't familiar with service accounts, learn more about service accounts.

Google Cloud Console permission

To use the Google Cloud console to access Compute Engine resources, you must have a role that contains the following permission on the project:

compute.projects.get

Connecting to an instance as an instanceAdmin

After you grant a project member the roles/compute.instanceAdmin.v1 role, they can connect to virtual machine (VM) instances by using standard Google Cloud tools, like the gcloud CLI or SSH-in-browser.

When a member uses the gcloud CLI or SSH-in-browser, the tools automatically generate a public/private key pair and add the public key to the project metadata. If the member does not have permissions to edit project metadata, the tool adds the member's public key to the instance metadata instead.

If the member has an existing key pair they want to use, they can manually add their public key to the instance's metadata. Learn more about adding SSH keys to an instance.

IAM with service accounts

Create new custom service accounts and grant IAM roles to service accounts to limit the access of your instances. Use IAM roles with custom service accounts to:

Limit the access your instances have to Google Cloud APIs using granular IAM roles.
Give each instance, or set of instances, a unique identity.
Limit the access of your default service account.

Learn more about service accounts.

Managed instance groups and IAM

Managed instance groups (MIGs) are resources that perform actions on your behalf without direct user interaction. For example, the MIG can add and remove VMs from the group.

All of the operations performed by Compute Engine as part of the MIG are performed by the Google APIs Service Agent for your project, which has an email address like the following: PROJECT_ID@cloudservices.gserviceaccount.com

By default, the Google APIs Service Agent is granted the Editor role (roles/editor) at the project level, which gives enough privileges to create resources based on the MIG's configuration. If you're customizing access for the Google APIs Service Agent, then grant the Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1) and, optionally, the Service Account User role (roles/iam.serviceAccountUser). The Service Account User role is required only if the MIG creates VMs that can run as a service account.

Note that the Google APIs Service Agent is also used by other processes, including Deployment Manager.

When you create a MIG or update its instance template, Compute Engine validates that the Google APIs Service Agent has the following role and permissions:

Service Account User role, which is important if you plan to create instances that can run as a service account
Permissions to all the resources referenced from instance templates, such as images, disks, VPC networks, and subnets

Predefined Compute Engine IAM roles

With IAM, every API method in Compute Engine API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a member (user, group, or service account) of your project.

In addition to basic roles (viewer, editor, owner) and custom roles, you can assign the following Compute Engine predefined roles to the members of your project.

You can grant multiple roles to a project member on the same resource. For example, if your networking team also manages firewall rules, you can grant both roles/compute.networkAdmin and roles/compute.securityAdmin to the networking team's Google group.

The following tables describe the predefined Compute Engine IAM roles, as well as the permissions contained within each role. Each role contains a set of permissions that is suitable for a specific task. For example, the Instance Admin roles grant permissions to manage instances, the network-related roles include permissions to manage network-related resources, and the security role includes permissions to manage security-related resources, like firewalls and SSL certificates.

Compute Admin role

Details Permissions

Details	Permissions
Compute Admin (`roles/compute.admin`) Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. Lowest-level resources where you can grant this role: Disk Image Instance Instance template Node group Node template Snapshot ^Beta	compute.* compute.acceleratorTypes.get compute.acceleratorTypes.list compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.setLabels compute.addresses.use compute.addresses.useInternal compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.list compute.autoscalers.update compute.backendBuckets.addSignedUrlKey compute.backendBuckets.create compute.backendBuckets.delete compute.backendBuckets.deleteSignedUrlKey compute.backendBuckets.get compute.backendBuckets.getIamPolicy compute.backendBuckets.list compute.backendBuckets.setIamPolicy compute.backendBuckets.setSecurityPolicy compute.backendBuckets.update compute.backendBuckets.use compute.backendServices.addSignedUrlKey compute.backendServices.create compute.backendServices.delete compute.backendServices.deleteSignedUrlKey compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.backendServices.setIamPolicy compute.backendServices.setSecurityPolicy compute.backendServices.update compute.backendServices.use compute.commitments.create compute.commitments.get compute.commitments.list compute.commitments.update compute.commitments.updateReservations compute.diskTypes.get compute.diskTypes.list compute.disks.addResourcePolicies compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.deleteTagBinding compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.disks.removeResourcePolicies compute.disks.resize compute.disks.setIamPolicy compute.disks.setLabels compute.disks.startAsyncReplication compute.disks.stopAsyncReplication compute.disks.stopGroupAsyncReplication compute.disks.update compute.disks.use compute.disks.useReadOnly compute.externalVpnGateways.create compute.externalVpnGateways.delete compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.setLabels compute.externalVpnGateways.use compute.firewallPolicies.addAssociation compute.firewallPolicies.cloneRules compute.firewallPolicies.copyRules compute.firewallPolicies.create compute.firewallPolicies.delete compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.move compute.firewallPolicies.removeAssociation compute.firewallPolicies.setIamPolicy compute.firewallPolicies.update compute.firewallPolicies.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.forwardingRules.list compute.forwardingRules.pscCreate compute.forwardingRules.pscDelete compute.forwardingRules.pscSetLabels compute.forwardingRules.pscSetTarget compute.forwardingRules.pscUpdate compute.forwardingRules.setLabels compute.forwardingRules.setTarget compute.forwardingRules.update compute.forwardingRules.use compute.globalAddresses.create compute.globalAddresses.createInternal compute.globalAddresses.delete compute.globalAddresses.deleteInternal compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.setLabels compute.globalAddresses.use compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscCreate compute.globalForwardingRules.pscDelete compute.globalForwardingRules.pscGet compute.globalForwardingRules.pscSetLabels compute.globalForwardingRules.pscSetTarget compute.globalForwardingRules.pscUpdate compute.globalForwardingRules.setLabels compute.globalForwardingRules.setTarget compute.globalForwardingRules.update compute.globalNetworkEndpointGroups.attachNetworkEndpoints compute.globalNetworkEndpointGroups.create compute.globalNetworkEndpointGroups.delete compute.globalNetworkEndpointGroups.detachNetworkEndpoints compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.delete compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.globalPublicDelegatedPrefixes.create compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.globalPublicDelegatedPrefixes.use compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.list compute.healthChecks.update compute.healthChecks.use compute.healthChecks.useReadOnly compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpHealthChecks.update compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.create compute.images.createTagBinding compute.images.delete compute.images.deleteTagBinding compute.images.deprecate compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.images.setIamPolicy compute.images.setLabels compute.images.update compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instanceTemplates.useReadOnly compute.instances.addAccessConfig compute.instances.addMaintenancePolicies compute.instances.addResourcePolicies compute.instances.attachDisk compute.instances.create compute.instances.createTagBinding compute.instances.delete compute.instances.deleteAccessConfig compute.instances.deleteTagBinding compute.instances.detachDisk compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.instances.osAdminLogin compute.instances.osLogin compute.instances.removeMaintenancePolicies compute.instances.removeResourcePolicies compute.instances.reset compute.instances.resume compute.instances.sendDiagnosticInterrupt compute.instances.setDeletionProtection compute.instances.setDiskAutoDelete compute.instances.setIamPolicy compute.instances.setLabels compute.instances.setMachineResources compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setName compute.instances.setScheduling compute.instances.setSecurityPolicy compute.instances.setServiceAccount compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.setTags compute.instances.simulateMaintenanceEvent compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend compute.instances.update compute.instances.updateAccessConfig compute.instances.updateDisplayDevice compute.instances.updateNetworkInterface compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.instances.use compute.instances.useReadOnly compute.instantSnapshots.create compute.instantSnapshots.delete compute.instantSnapshots.export compute.instantSnapshots.get compute.instantSnapshots.getIamPolicy compute.instantSnapshots.list compute.instantSnapshots.setIamPolicy compute.instantSnapshots.setLabels compute.instantSnapshots.useReadOnly compute.interconnectAttachments.create compute.interconnectAttachments.delete compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectAttachments.setLabels compute.interconnectAttachments.update compute.interconnectAttachments.use compute.interconnectLocations.get compute.interconnectLocations.list compute.interconnectRemoteLocations.get compute.interconnectRemoteLocations.list compute.interconnects.create compute.interconnects.delete compute.interconnects.get compute.interconnects.list compute.interconnects.setLabels compute.interconnects.update compute.interconnects.use compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenseCodes.update compute.licenseCodes.use compute.licenses.create compute.licenses.delete compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineImages.create compute.machineImages.delete compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineImages.useReadOnly compute.machineTypes.get compute.machineTypes.list compute.maintenancePolicies.create compute.maintenancePolicies.delete compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.maintenancePolicies.use compute.networkAttachments.create compute.networkAttachments.delete compute.networkAttachments.get compute.networkAttachments.list compute.networkEdgeSecurityServices.create compute.networkEdgeSecurityServices.delete compute.networkEdgeSecurityServices.get compute.networkEdgeSecurityServices.list compute.networkEdgeSecurityServices.update compute.networkEndpointGroups.attachNetworkEndpoints compute.networkEndpointGroups.create compute.networkEndpointGroups.delete compute.networkEndpointGroups.detachNetworkEndpoints compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networkEndpointGroups.use compute.networks.access compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.mirror compute.networks.removePeering compute.networks.setFirewallPolicy compute.networks.switchToCustomMode compute.networks.update compute.networks.updatePeering compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.nodeGroups.addNodes compute.nodeGroups.create compute.nodeGroups.delete compute.nodeGroups.deleteNodes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeGroups.setNodeTemplate compute.nodeGroups.simulateMaintenanceEvent compute.nodeGroups.update compute.nodeTemplates.create compute.nodeTemplates.delete compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.get compute.nodeTypes.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.organizations.listAssociations compute.organizations.setFirewallPolicy compute.organizations.setSecurityPolicy compute.oslogin.updateExternalUser compute.packetMirrorings.create compute.packetMirrorings.delete compute.packetMirrorings.get compute.packetMirrorings.list compute.packetMirrorings.update compute.projects.get compute.projects.setCommonInstanceMetadata compute.projects.setDefaultNetworkTier compute.projects.setDefaultServiceAccount compute.projects.setUsageExportBucket compute.publicAdvertisedPrefixes.create compute.publicAdvertisedPrefixes.delete compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicAdvertisedPrefixes.update compute.publicAdvertisedPrefixes.updatePolicy compute.publicAdvertisedPrefixes.use compute.publicDelegatedPrefixes.create compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.publicDelegatedPrefixes.use compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionBackendServices.setIamPolicy compute.regionBackendServices.setSecurityPolicy compute.regionBackendServices.update compute.regionBackendServices.use compute.regionFirewallPolicies.cloneRules compute.regionFirewallPolicies.create compute.regionFirewallPolicies.delete compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionFirewallPolicies.setIamPolicy compute.regionFirewallPolicies.update compute.regionFirewallPolicies.use compute.regionHealthCheckServices.create compute.regionHealthCheckServices.delete compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthCheckServices.update compute.regionHealthCheckServices.use compute.regionHealthChecks.create compute.regionHealthChecks.delete compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionHealthChecks.update compute.regionHealthChecks.use compute.regionHealthChecks.useReadOnly compute.regionNetworkEndpointGroups.create compute.regionNetworkEndpointGroups.delete compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionNotificationEndpoints.create compute.regionNotificationEndpoints.delete compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionNotificationEndpoints.update compute.regionNotificationEndpoints.use compute.regionOperations.delete compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regionSecurityPolicies.create compute.regionSecurityPolicies.delete compute.regionSecurityPolicies.get compute.regionSecurityPolicies.list compute.regionSecurityPolicies.update compute.regionSecurityPolicies.use compute.regionSslCertificates.create compute.regionSslCertificates.delete compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionSslPolicies.create compute.regionSslPolicies.delete compute.regionSslPolicies.get compute.regionSslPolicies.list compute.regionSslPolicies.listAvailableFeatures compute.regionSslPolicies.update compute.regionSslPolicies.use compute.regionTargetHttpProxies.create compute.regionTargetHttpProxies.delete compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpProxies.setUrlMap compute.regionTargetHttpProxies.update compute.regionTargetHttpProxies.use compute.regionTargetHttpsProxies.create compute.regionTargetHttpsProxies.delete compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionTargetHttpsProxies.setSslCertificates compute.regionTargetHttpsProxies.setUrlMap compute.regionTargetHttpsProxies.update compute.regionTargetHttpsProxies.use compute.regionTargetTcpProxies.create compute.regionTargetTcpProxies.delete compute.regionTargetTcpProxies.get compute.regionTargetTcpProxies.list compute.regionTargetTcpProxies.use compute.regionUrlMaps.create compute.regionUrlMaps.delete compute.regionUrlMaps.get compute.regionUrlMaps.invalidateCache compute.regionUrlMaps.list compute.regionUrlMaps.update compute.regionUrlMaps.use compute.regionUrlMaps.validate compute.regions.get compute.regions.list compute.reservations.create compute.reservations.delete compute.reservations.get compute.reservations.list compute.reservations.resize compute.reservations.update compute.resourcePolicies.create compute.resourcePolicies.delete compute.resourcePolicies.get compute.resourcePolicies.getIamPolicy compute.resourcePolicies.list compute.resourcePolicies.setIamPolicy compute.resourcePolicies.update compute.resourcePolicies.use compute.resourcePolicies.useReadOnly compute.routers.create compute.routers.delete compute.routers.get compute.routers.list compute.routers.update compute.routers.use compute.routes.create compute.routes.delete compute.routes.get compute.routes.list compute.securityPolicies.addAssociation compute.securityPolicies.copyRules compute.securityPolicies.create compute.securityPolicies.delete compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.move compute.securityPolicies.removeAssociation compute.securityPolicies.setIamPolicy compute.securityPolicies.setLabels compute.securityPolicies.update compute.securityPolicies.use compute.serviceAttachments.create compute.serviceAttachments.delete compute.serviceAttachments.get compute.serviceAttachments.getIamPolicy compute.serviceAttachments.list compute.serviceAttachments.setIamPolicy compute.serviceAttachments.update compute.serviceAttachments.use compute.snapshots.create compute.snapshots.createTagBinding compute.snapshots.delete compute.snapshots.deleteTagBinding compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.snapshots.setIamPolicy compute.snapshots.setLabels compute.snapshots.useReadOnly compute.sslCertificates.create compute.sslCertificates.delete compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.create compute.sslPolicies.delete compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.sslPolicies.update compute.sslPolicies.use compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.expandIpCidrRange compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.mirror compute.subnetworks.setIamPolicy compute.subnetworks.setPrivateIpGoogleAccess compute.subnetworks.update compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.create compute.targetGrpcProxies.delete compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetGrpcProxies.update compute.targetGrpcProxies.use compute.targetHttpProxies.create compute.targetHttpProxies.delete compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpProxies.setUrlMap compute.targetHttpProxies.update compute.targetHttpProxies.use compute.targetHttpsProxies.create compute.targetHttpsProxies.delete compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetHttpsProxies.setCertificateMap compute.targetHttpsProxies.setQuicOverride compute.targetHttpsProxies.setSslCertificates compute.targetHttpsProxies.setSslPolicy compute.targetHttpsProxies.setUrlMap compute.targetHttpsProxies.update compute.targetHttpsProxies.use compute.targetInstances.create compute.targetInstances.delete compute.targetInstances.get compute.targetInstances.list compute.targetInstances.setSecurityPolicy compute.targetInstances.use compute.targetPools.addHealthCheck compute.targetPools.addInstance compute.targetPools.create compute.targetPools.delete compute.targetPools.get compute.targetPools.list compute.targetPools.removeHealthCheck compute.targetPools.removeInstance compute.targetPools.setSecurityPolicy compute.targetPools.update compute.targetPools.use compute.targetSslProxies.create compute.targetSslProxies.delete compute.targetSslProxies.get compute.targetSslProxies.list compute.targetSslProxies.setBackendService compute.targetSslProxies.setCertificateMap compute.targetSslProxies.setProxyHeader compute.targetSslProxies.setSslCertificates compute.targetSslProxies.setSslPolicy compute.targetSslProxies.update compute.targetSslProxies.use compute.targetTcpProxies.create compute.targetTcpProxies.delete compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetTcpProxies.update compute.targetTcpProxies.use compute.targetVpnGateways.create compute.targetVpnGateways.delete compute.targetVpnGateways.get compute.targetVpnGateways.list compute.targetVpnGateways.setLabels compute.targetVpnGateways.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.invalidateCache compute.urlMaps.list compute.urlMaps.update compute.urlMaps.use compute.urlMaps.validate compute.vpnGateways.create compute.vpnGateways.delete compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.setLabels compute.vpnGateways.use compute.vpnTunnels.create compute.vpnTunnels.delete compute.vpnTunnels.get compute.vpnTunnels.list compute.vpnTunnels.setLabels compute.zoneOperations.delete compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.get compute.zones.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Compute Admin

(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

Disk
Image
Instance
Instance template
Node group
Node template
Snapshot ^Beta

compute.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update
compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendBuckets.setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use
compute.backendServices.addSignedUrlKey
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.commitments.create
compute.commitments.get
compute.commitments.list
compute.commitments.update
compute.commitments.updateReservations
compute.diskTypes.get
compute.diskTypes.list
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.setLabels
compute.externalVpnGateways.use
compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.delete
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.globalPublicDelegatedPrefixes.create
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.globalPublicDelegatedPrefixes.use
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnectAttachments.use
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.list
compute.interconnects.setLabels
compute.interconnects.update
compute.interconnects.use
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.create
compute.maintenancePolicies.delete
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.maintenancePolicies.use
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.create
compute.networkEdgeSecurityServices.delete
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.update
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use
compute.networks.access
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.mirror
compute.networks.removePeering
compute.networks.setFirewallPolicy
compute.networks.switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.addNodes
compute.nodeGroups.create
compute.nodeGroups.delete
compute.nodeGroups.deleteNodes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeGroups.setNodeTemplate
compute.nodeGroups.simulateMaintenanceEvent
compute.nodeGroups.update
compute.nodeTemplates.create
compute.nodeTemplates.delete
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.oslogin.updateExternalUser
compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.update
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.projects.setDefaultNetworkTier
compute.projects.setDefaultServiceAccount
compute.projects.setUsageExportBucket
compute.publicAdvertisedPrefixes.create
compute.publicAdvertisedPrefixes.delete
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicAdvertisedPrefixes.update
compute.publicAdvertisedPrefixes.updatePolicy
compute.publicAdvertisedPrefixes.use
compute.publicDelegatedPrefixes.create
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.publicDelegatedPrefixes.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.create
compute.regionHealthCheckServices.delete
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthCheckServices.update
compute.regionHealthCheckServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.create
compute.regionNotificationEndpoints.delete
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionNotificationEndpoints.update
compute.regionNotificationEndpoints.use
compute.regionOperations.delete
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.delete
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.regionSecurityPolicies.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.update
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.create
compute.reservations.delete
compute.reservations.get
compute.reservations.list
compute.reservations.resize
compute.reservations.update
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.delete
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.setIamPolicy
compute.securityPolicies.setLabels
compute.securityPolicies.update
compute.securityPolicies.use
compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.setIamPolicy
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.setSecurityPolicy
compute.targetInstances.use
compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.setSecurityPolicy
compute.targetPools.update
compute.targetPools.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.setLabels
compute.targetVpnGateways.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.setLabels
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.setLabels
compute.zoneOperations.delete
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Image User role

Details Permissions

Details	Permissions
Compute Image User (`roles/compute.imageUser`) Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Lowest-level resources where you can grant this role: Image^Beta	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Compute Image User

(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

Image^Beta

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (beta) role

Details Permissions

Details	Permissions
Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. Lowest-level resources where you can grant this role: Disk Image Instance Instance template Snapshot ^Beta	compute.acceleratorTypes.* compute.acceleratorTypes.get compute.acceleratorTypes.list compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.list compute.autoscalers.update compute.diskTypes.* compute.diskTypes.get compute.diskTypes.list compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.startAsyncReplication compute.disks.stopAsyncReplication compute.disks.stopGroupAsyncReplication compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalNetworkEndpointGroups.attachNetworkEndpoints compute.globalNetworkEndpointGroups.create compute.globalNetworkEndpointGroups.delete compute.globalNetworkEndpointGroups.detachNetworkEndpoints compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.* compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instanceTemplates.* compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instanceTemplates.useReadOnly compute.instances.* compute.instances.addAccessConfig compute.instances.addMaintenancePolicies compute.instances.addResourcePolicies compute.instances.attachDisk compute.instances.create compute.instances.createTagBinding compute.instances.delete compute.instances.deleteAccessConfig compute.instances.deleteTagBinding compute.instances.detachDisk compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.instances.osAdminLogin compute.instances.osLogin compute.instances.removeMaintenancePolicies compute.instances.removeResourcePolicies compute.instances.reset compute.instances.resume compute.instances.sendDiagnosticInterrupt compute.instances.setDeletionProtection compute.instances.setDiskAutoDelete compute.instances.setIamPolicy compute.instances.setLabels compute.instances.setMachineResources compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setName compute.instances.setScheduling compute.instances.setSecurityPolicy compute.instances.setServiceAccount compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.setTags compute.instances.simulateMaintenanceEvent compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend compute.instances.update compute.instances.updateAccessConfig compute.instances.updateDisplayDevice compute.instances.updateNetworkInterface compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.instances.use compute.instances.useReadOnly compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineImages.create compute.machineImages.delete compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineImages.useReadOnly compute.machineTypes.* compute.machineTypes.get compute.machineTypes.list compute.networkEndpointGroups.* compute.networkEndpointGroups.attachNetworkEndpoints compute.networkEndpointGroups.create compute.networkEndpointGroups.delete compute.networkEndpointGroups.detachNetworkEndpoints compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networkEndpointGroups.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionNetworkEndpointGroups.create compute.regionNetworkEndpointGroups.delete compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.regions.get compute.regions.list compute.reservations.get compute.reservations.list compute.resourcePolicies.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* compute.zones.get compute.zones.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Compute Instance Admin (beta)

(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

Disk
Image
Instance
Instance template
Snapshot ^Beta

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (v1) role

Details Permissions

Details	Permissions
Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.acceleratorTypes.get compute.acceleratorTypes.list compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.list compute.autoscalers.update compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.diskTypes.get compute.diskTypes.list compute.disks.* compute.disks.addResourcePolicies compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.deleteTagBinding compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.disks.removeResourcePolicies compute.disks.resize compute.disks.setIamPolicy compute.disks.setLabels compute.disks.startAsyncReplication compute.disks.stopAsyncReplication compute.disks.stopGroupAsyncReplication compute.disks.update compute.disks.use compute.disks.useReadOnly compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalNetworkEndpointGroups.attachNetworkEndpoints compute.globalNetworkEndpointGroups.create compute.globalNetworkEndpointGroups.delete compute.globalNetworkEndpointGroups.detachNetworkEndpoints compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.images.create compute.images.createTagBinding compute.images.delete compute.images.deleteTagBinding compute.images.deprecate compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.images.setIamPolicy compute.images.setLabels compute.images.update compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.* compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instanceTemplates.* compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instanceTemplates.useReadOnly compute.instances.* compute.instances.addAccessConfig compute.instances.addMaintenancePolicies compute.instances.addResourcePolicies compute.instances.attachDisk compute.instances.create compute.instances.createTagBinding compute.instances.delete compute.instances.deleteAccessConfig compute.instances.deleteTagBinding compute.instances.detachDisk compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.instances.osAdminLogin compute.instances.osLogin compute.instances.removeMaintenancePolicies compute.instances.removeResourcePolicies compute.instances.reset compute.instances.resume compute.instances.sendDiagnosticInterrupt compute.instances.setDeletionProtection compute.instances.setDiskAutoDelete compute.instances.setIamPolicy compute.instances.setLabels compute.instances.setMachineResources compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setName compute.instances.setScheduling compute.instances.setSecurityPolicy compute.instances.setServiceAccount compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.setTags compute.instances.simulateMaintenanceEvent compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend compute.instances.update compute.instances.updateAccessConfig compute.instances.updateDisplayDevice compute.instances.updateNetworkInterface compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.instances.use compute.instances.useReadOnly compute.instantSnapshots.* compute.instantSnapshots.create compute.instantSnapshots.delete compute.instantSnapshots.export compute.instantSnapshots.get compute.instantSnapshots.getIamPolicy compute.instantSnapshots.list compute.instantSnapshots.setIamPolicy compute.instantSnapshots.setLabels compute.instantSnapshots.useReadOnly compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnectLocations.get compute.interconnectLocations.list compute.interconnectRemoteLocations.* compute.interconnectRemoteLocations.get compute.interconnectRemoteLocations.list compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenseCodes.update compute.licenseCodes.use compute.licenses.* compute.licenses.create compute.licenses.delete compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineImages.* compute.machineImages.create compute.machineImages.delete compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineImages.useReadOnly compute.machineTypes.* compute.machineTypes.get compute.machineTypes.list compute.networkAttachments.get compute.networkAttachments.list compute.networkEndpointGroups.* compute.networkEndpointGroups.attachNetworkEndpoints compute.networkEndpointGroups.create compute.networkEndpointGroups.delete compute.networkEndpointGroups.detachNetworkEndpoints compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networkEndpointGroups.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNetworkEndpointGroups.create compute.regionNetworkEndpointGroups.delete compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionSslPolicies.get compute.regionSslPolicies.list compute.regionSslPolicies.listAvailableFeatures compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionTargetTcpProxies.get compute.regionTargetTcpProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.regions.get compute.regions.list compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.resourcePolicies.create compute.resourcePolicies.delete compute.resourcePolicies.get compute.resourcePolicies.getIamPolicy compute.resourcePolicies.list compute.resourcePolicies.setIamPolicy compute.resourcePolicies.update compute.resourcePolicies.use compute.resourcePolicies.useReadOnly compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.snapshots.create compute.snapshots.createTagBinding compute.snapshots.delete compute.snapshots.deleteTagBinding compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.snapshots.setIamPolicy compute.snapshots.setLabels compute.snapshots.useReadOnly compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* compute.zones.get compute.zones.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Compute Instance Admin (v1)

(roles/compute.instanceAdmin.v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.*

compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.*

compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.instantSnapshots.*

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use

compute.licenses.*

compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Admin role

Details	Permissions