This page describes Compute Engine
Identity and Access Management (IAM), including
predefined roles and the permissions contained in each predefined
Compute Engine IAM role.
When you add a new member to your project, use IAM policies to assign IAM roles
to the new member in order to give that member access to specific resources.
Google Cloud Platform offers Identity and Access Management (IAM),
which lets you give more granular access to specific
Google Cloud Platform resources and prevents unwanted access to other resources.
IAM lets you adopt the
security principle of least privilege,
so you grant only the necessary access to your resources.
IAM lets you control who (identity) has what (roles) permission to
which resources by setting IAM policies. IAM policies grant specific role(s)
to a project member, giving the identity certain permissions. For example, for a
given resource, such as a project, you can assign the
roles/compute.networkAdmin role to a Google account and that account can
control network-related resources in the project, but cannot manage other
resources, like instances and disks. You can also use IAM to manage the
GCP Console legacy roles
granted to project team members.
Predefined Compute Engine IAM roles
With IAM, every API method in Compute Engine requires that the identity
making the API request has the appropriate permissions to use the resource.
Permissions are granted by setting policies that grant roles to a member
(user, group, or service account) of your project.
In addition to the legacy roles (viewer, editor, owner) and custom roles,
you can assign the following Compute Engine predefined roles to the members
of your project.
You can grant multiple roles to a project member on the same resource. For
example, if your networking team also manages firewall rules, you can grant both
roles/compute.networkAdmin and roles/compute.securityAdmin to the networking
team's Google group.
The following tables describe the predefined Compute Engine IAM roles,
as well as the permissions contained within each role. Each role contains a set
of permissions that is suitable for a specific task. For example, the Instance
Admin role grants permissions to manage instances and their disks, the
network-related roles include permissions to manage network-related resources,
and the Security Admin role includes permissions to manage security-related
resources, like firewall rules and SSL certificates.
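The tables that follow list each role's permissions, some as wildcards such as compute.* and compute.*.get. As an added example that is not part of this page, the Python below evaluates those patterns so you can ask which table roles grant a given permission, or what a member holding a given set of roles is still missing. The role table inside it is a hand-copied subset of the lists on this page, not a complete mirror of any role, and the wildcard semantics (a trailing * matches any suffix, an inner * matches exactly one dotted segment) is an assumption chosen to reproduce the tables; the authoritative permission list for a role comes from gcloud iam roles describe ROLE.

```python
"""Evaluate Compute Engine predefined-role permission patterns (added example)."""

# Subset of the permission lists from the tables on this page. Wildcards are
# kept exactly as the tables spell them. Not a complete mirror of any role.
ROLE_PERMISSIONS = {
    "roles/compute.admin": ["compute.*", "resourcemanager.projects.get"],
    "roles/compute.instanceAdmin.v1": [
        "compute.instances.*", "compute.disks.*", "compute.images.*",
        "compute.snapshots.*", "compute.firewalls.get", "compute.firewalls.list",
        "compute.networks.use", "compute.subnetworks.use",
        "compute.projects.setCommonInstanceMetadata",
    ],
    "roles/compute.networkAdmin": [
        "compute.networks.*", "compute.subnetworks.*", "compute.routes.*",
        "compute.firewalls.get", "compute.firewalls.list",
        "compute.sslCertificates.get", "compute.sslCertificates.list",
        "compute.instances.get", "compute.instances.list", "compute.instances.use",
    ],
    "roles/compute.securityAdmin": [
        "compute.firewalls.*", "compute.sslCertificates.*",
        "compute.securityPolicies.*", "compute.networks.updatePolicy",
    ],
    "roles/compute.viewer": [
        "compute.*.get", "compute.*.getIamPolicy", "compute.*.list",
        "compute.instances.getSerialPortOutput",
    ],
    "roles/iam.serviceAccountUser": [
        "iam.serviceAccounts.actAs", "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    ],
}


def pattern_matches(pattern, permission):
    """Match one table pattern against a concrete permission name.

    Assumed semantics (chosen to reproduce the tables, not an IAM guarantee):
    a trailing '*' matches any non-empty suffix ("compute.*", "compute.disks.*");
    an inner '*' matches exactly one dotted segment ("compute.*.get").
    """
    pat, perm = pattern.split("."), permission.split(".")
    for i, seg in enumerate(pat):
        if seg == "*" and i == len(pat) - 1:
            return len(perm) > i
        if i >= len(perm) or (seg != "*" and perm[i] != seg):
            return False
    return len(perm) == len(pat)


def role_grants(role, permission):
    """True if any pattern listed for `role` covers `permission`."""
    return any(pattern_matches(p, permission) for p in ROLE_PERMISSIONS[role])


def roles_granting(permission):
    """Every role in the table that grants `permission` (useful when auditing)."""
    return sorted(r for r in ROLE_PERMISSIONS if role_grants(r, permission))


def missing_permissions(roles, required):
    """Required permissions that none of `roles` grants: the gap to close."""
    return [p for p in required if not any(role_grants(r, p) for r in roles)]


if __name__ == "__main__":
    # Who can create a firewall rule? Only the admin and security roles.
    print(roles_granting("compute.firewalls.create"))
    # An instance admin creating a VM that runs as a service account still
    # lacks actAs, which is why the page pairs it with roles/iam.serviceAccountUser.
    need = ["compute.instances.create", "compute.instances.setMetadata",
            "iam.serviceAccounts.actAs"]
    print(missing_permissions(["roles/compute.instanceAdmin.v1"], need))
    print(missing_permissions(["roles/compute.instanceAdmin.v1",
                               "roles/iam.serviceAccountUser"], need))
```

Running the script shows that only roles/compute.admin and roles/compute.securityAdmin grant compute.firewalls.create, and that an instance admin lacks iam.serviceAccounts.actAs until roles/iam.serviceAccountUser is added, which is the pairing the Instance Admin and Compute Admin descriptions below require.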
Instance Admin role
Role name: roles/compute.instanceAdmin.v1
Description: Permissions to create, modify, and delete virtual machine
instances. This includes permissions to create, modify, and delete disks.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, grant this role.
If you grant a user this role only at an instance level, then that user
cannot create new instances.
Permissions:
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.clientSslPolicies.get
compute.clientSslPolicies.list
compute.disks.*
compute.diskTypes.get
compute.diskTypes.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instances.*
compute.instanceTemplates.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenses.*
compute.licenseCodes.*
compute.machineTypes.get
compute.machineTypes.list
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.regionOperations.list
compute.regions.get
compute.regions.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.get
compute.zones.list
compute.projects.get
compute.projects.setCommonInstanceMetadata
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Compute Admin role
Role name: roles/compute.admin
Description: Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Permissions:
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Service Account User role
Role name: roles/iam.serviceAccountUser
Description: When granted alongside roles/compute.instanceAdmin.v1, grants
access to create VM instances that run as a service account, and to attach
disks to and update metadata on such instances.
Permissions:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Image User Role
Role name: roles/compute.imageUser
Description: Permission to list and read images without having other image
permissions such as create or delete. Granting this role at the project
level gives members the ability to list all images in the project and is a
prerequisite to create resources, such as instances and persistent disks,
based on images in the project.
Permissions:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Load Balancer Admin role
Role name: roles/compute.loadBalancerAdmin
Description: Full control of Compute Engine resources related to load
balancing.
Permissions:
compute.addresses.*
compute.globalAddresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.regionBackendServices.*
compute.forwardingRules.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.instances.useReadOnly
compute.networks.get
compute.networks.list
compute.networks.use
compute.sslCertificates.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.sslPolicies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.services.list
serviceusage.quotas.get
Network Viewer role
Role name: roles/compute.networkViewer
Description: Read-only access to all networking resources.
For example, if you have software that inspects your network configuration,
you could grant that software's service account the networkViewer role.
Permissions:
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.get
compute.regions.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.get
compute.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Network Admin role
Role name: roles/compute.networkAdmin
Description: Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The networkAdmin role allows
read-only access to firewall rules, SSL certificates, and instances (to view
their ephemeral IP addresses). The role does not allow a user to create,
start, stop, or delete instances.
For example, if your company has a security team that manages firewalls and
SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking team's group the
networkAdmin role.
Permissions:
compute.addresses.*
compute.globalAddresses.*
compute.backendBuckets.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.backendServices.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.use
compute.routes.*
compute.routers.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.clientSslPolicies.*
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.use
compute.instanceGroups.update
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.use
compute.instanceGroupManagers.update
compute.autoscalers.get
compute.autoscalers.list
compute.vpns.*
compute.vpnTunnels.*
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Security Admin role
Role name: roles/compute.securityAdmin
Description: Permissions to create, modify, and delete firewall rules and SSL
certificates.
For example, if your company has a security team that manages firewalls and
SSL certificates and a networking team that manages the rest of the
networking resources, then grant the security team's group the
securityAdmin role.
Permissions:
compute.firewalls.*
compute.packetMirrorings.*
compute.sslCertificates.*
compute.clientSslPolicies.*
compute.securityPolicies.*
compute.sslPolicies.*
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateSecurity
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.updatePolicy
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Compute Viewer role
Role name: roles/compute.viewer
Description: Read-only access to get and list Compute Engine resources,
without being able to read the data stored on them.
For example, an account with this role at the project level could inventory
all of the disks in a project, but it could not read any of the data on
those disks.
Permissions:
compute.*.get
compute.*.getIamPolicy
compute.*.list
compute.forwardingRules.externalGet
compute.images.getFromFamily
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.listReferrers
compute.networks.listIpOwners
compute.networks.listUsableSubnets
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.listIpOwners
compute.urlMaps.validate
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Storage Admin role
Role name: roles/compute.storageAdmin
Description: Permissions to create, modify, and delete disks, images, and
snapshots.
For example, if your company has someone who manages project images and you
do not want them to have the editor role on the project, then grant their
account the storageAdmin role at the project level.
Permissions:
compute.disks.*
compute.diskTypes.get
compute.diskTypes.list
compute.images.*
compute.licenses.*
compute.licenseCodes.*
compute.snapshots.*
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Shared VPC Admin role
Role name: roles/compute.xpnAdmin
Description: Permissions to administer shared VPC: specifying the shared VPC
host projects and associating the shared VPC service projects to the host
project network.
Google Cloud Platform recommends that the Shared VPC Admin be the owner of
the shared VPC host project. The Shared VPC Admin is responsible for granting
the roles/compute.networkUser role to service owners, and the shared VPC host
project owner controls the project itself. Managing the project is easier if
a single principal (individual or group) can fulfill both roles.
Permissions:
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.enableXpnHost
compute.organizations.disableXpnHost
compute.organizations.enableXpnResource
compute.organizations.disableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.getIamPolicy
Network User role
Role name: roles/compute.networkUser
Description: Permissions to use a shared VPC network. Specifically, grant this
role to service owners that need to create resources in the shared VPC host
project network.
Permissions:
compute.addresses.get
compute.addresses.list
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.listIpOwners
compute.networks.listUsableSubnets
compute.networks.use
compute.networks.useExternalIp
compute.routes.get
compute.routes.list
compute.routers.get
compute.routers.list
compute.subnetworks.list
compute.subnetworks.listIpOwners
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpns.get
compute.vpns.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
OS Admin Login role
Role name: roles/compute.osAdminLogin
Description: Access to log in to a Compute Engine instance as an
administrator user.
Permissions:
compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
OS Login role
Role name: roles/compute.osLogin
Description: Access to log in to a Compute Engine instance as a standard
(non-administrator) user.
Permissions:
compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
OS Login External User role
Role name: roles/compute.osLoginExternalUser
Description: Available only at the organization level. Access for an external
user to set OS Login information associated with this organization. This role
does not grant access to instances. External users must be granted one of
the required OS Login IAM roles in order to allow access to instances using
SSH.
Permissions:
compute.oslogin.updateExternalUser
The serviceAccountUser role
When granted together with roles/compute.instanceAdmin.v1,
roles/iam.serviceAccountUser gives members the ability to create and
manage instances that use a service account. Specifically, granting
roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together
gives members permission to:
Attach a persistent disk to an instance that runs as a service account.
Set instance metadata on an instance that runs as a service account.
Use SSH to connect to an instance that runs as a service account.
Reconfigure an instance to run as a service account.
You can grant roles/iam.serviceAccountUser one of two ways:
[Recommended] Grant the role to a member on a
specific service account.
This gives a member access to the service account for which they are an
iam.serviceAccountUser but prevents access to other service accounts for
which the member is not an iam.serviceAccountUser.
Grant the role to a member on the
project level. The member has access to all
service accounts in the project, including service accounts that are created
in the future.
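As an added example that is not from this page, the Python below applies the distinction above to IAM policies in the bindings shape the IAM API returns: it answers whether a member can act as a given service account, flags project-level grants of roles/iam.serviceAccountUser and legacy roles in a least-privilege review, and produces the gcloud command for the recommended per-service-account grant. The project name, members and service accounts are hypothetical and the policies are constructed inline; the check deliberately ignores group expansion and folder/organization inheritance, so a real audit must fetch the effective policy at every level.

```python
"""Check where roles/iam.serviceAccountUser is granted (added example)."""
import json

SA_USER = "roles/iam.serviceAccountUser"
LEGACY_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies in the {"bindings": [{"role", "members"}]} shape
# the IAM API uses. Project, emails and service accounts are hypothetical.
PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["group:vm-operators@example.com", "user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"]},
    {"role": "roles/editor",
     "members": ["user:carol@example.com"]}
  ]
}
""")

# Policies set on individual service accounts, keyed by service account email.
SERVICE_ACCOUNT_POLICIES = {
    "web-sa@example-project.iam.gserviceaccount.com": json.loads("""
        {"bindings": [{"role": "roles/iam.serviceAccountUser",
                       "members": ["group:vm-operators@example.com"]}]}"""),
    "db-sa@example-project.iam.gserviceaccount.com": {"bindings": []},
}


def members_with_role(policy, role):
    """All members bound to `role` in one policy (no group expansion)."""
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}


def can_act_as(member, sa_email, project_policy, sa_policies):
    """True if `member` holds serviceAccountUser on the project (which covers
    every service account, including ones created later) or on this account.
    Simplification: no group expansion, no folder/organization inheritance."""
    if member in members_with_role(project_policy, SA_USER):
        return True
    sa_policy = sa_policies.get(sa_email, {"bindings": []})
    return member in members_with_role(sa_policy, SA_USER)


def lint_project_policy(policy):
    """Findings a least-privilege review of the project policy would raise."""
    findings = []
    for m in sorted(members_with_role(policy, SA_USER)):
        findings.append(f"{m}: {SA_USER} at project level; grant it on the "
                        "specific service account(s) instead")
    for role in sorted(LEGACY_ROLES):
        for m in sorted(members_with_role(policy, role)):
            findings.append(f"{m}: legacy role {role}; prefer a predefined role")
    return findings


def scoped_grant_command(sa_email, member):
    """gcloud invocation for the recommended per-service-account grant."""
    return ("gcloud iam service-accounts add-iam-policy-binding "
            f"{sa_email} --member={member} --role={SA_USER}")


if __name__ == "__main__":
    web = "web-sa@example-project.iam.gserviceaccount.com"
    db = "db-sa@example-project.iam.gserviceaccount.com"
    for member, sa in [("group:vm-operators@example.com", web),
                       ("group:vm-operators@example.com", db),
                       ("user:bob@example.com", db)]:
        ok = can_act_as(member, sa, PROJECT_POLICY, SERVICE_ACCOUNT_POLICIES)
        print(f"{member} -> {sa}: {'actAs' if ok else 'denied'}")
    for finding in lint_project_policy(PROJECT_POLICY):
        print("FINDING", finding)
    print(scoped_grant_command(web, "user:alice@example.com"))
```

In the constructed policy the operators group can act only as web-sa, while bob, who holds the role at project level, can act as db-sa and as any service account created tomorrow; the lint output names exactly that grant, which is what the recommendation above is about.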
After you grant a project member the roles/compute.instanceAdmin.v1 role, they
can connect to virtual machine instances using the standard Google Cloud
Platform tools, like the gcloud tool or
SSH from the Browser.
When a member uses the gcloud command-line tool or SSH from the browser, the
tool automatically generates a public/private key pair and adds the public
key to the project metadata. If the member does not have permission to edit
project metadata, the tool adds the member's public key to the instance
metadata instead. Note that a key in project metadata grants login on every
instance in the project that uses metadata-based SSH keys and does not block
project-wide keys, so granting roles/compute.instanceAdmin.v1 at the project
level (it includes compute.projects.setCommonInstanceMetadata) effectively
grants SSH access to all of those instances, not only the one the member
connects to.
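As an added example that is not from this page, the Python below resolves which usernames can reach an instance through metadata SSH keys, given project and instance metadata in the form the tools leave it: it handles the documented ssh-keys, block-project-ssh-keys and enable-oslogin keys (an instance value overrides the project value, and with OS Login enabled metadata keys are ignored in favour of the OS Login IAM roles) and reports which instances a project-level key reaches. The metadata values are constructed and the key material is fake; the parser keeps everything after the first colon as the key and, as a simplification, does not evaluate expiry information that some tools append to a key line.

```python
"""Who can SSH into an instance through metadata keys (added example)."""

# Constructed sample metadata; key material is fake placeholder text.
PROJECT_METADATA = {
    "ssh-keys": (
        "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE alice@example.com\n"
        "deploy:ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDEPLOY deploy@ci.example.com\n"
    ),
}

INSTANCES = {
    # Ordinary instance: project-wide keys plus its own instance keys apply.
    "web-1": {"ssh-keys": "bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBOB bob@example.com"},
    # Hardened instance: project-wide keys are blocked, only its own keys apply.
    "db-1": {"block-project-ssh-keys": "TRUE",
             "ssh-keys": "dba:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYDBA dba@example.com"},
    # OS Login instance: metadata keys are ignored; osLogin/osAdminLogin decide.
    "bastion-1": {"enable-oslogin": "TRUE"},
}


def parse_ssh_keys(value):
    """Parse an ssh-keys metadata value: one 'USERNAME:KEY [COMMENT]' per line."""
    users = {}
    for line in value.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, key = line.partition(":")
        users.setdefault(user, []).append(key)
    return users


def _is_true(metadata, key):
    return str(metadata.get(key, "")).strip().upper() == "TRUE"


def effective_ssh_access(project_md, instance_md):
    """Resolve how SSH access to one instance is governed.

    Returns {"mode": "oslogin", "users": {}} when OS Login is on, otherwise
    {"mode": "metadata", "users": {username: {"project" | "instance", ...}}}.
    """
    # enable-oslogin on the instance overrides the project-level value.
    oslogin = instance_md.get("enable-oslogin", project_md.get("enable-oslogin", ""))
    if str(oslogin).strip().upper() == "TRUE":
        return {"mode": "oslogin", "users": {}}
    users = {}
    if not _is_true(instance_md, "block-project-ssh-keys"):
        for user in parse_ssh_keys(project_md.get("ssh-keys", "")):
            users.setdefault(user, set()).add("project")
    for user in parse_ssh_keys(instance_md.get("ssh-keys", "")):
        users.setdefault(user, set()).add("instance")
    return {"mode": "metadata", "users": users}


def project_wide_logins(project_md, instances):
    """Instances each project-level key reaches: the blast radius of one key
    added to project metadata."""
    exposed = {}
    for name, md in instances.items():
        access = effective_ssh_access(project_md, md)
        if access["mode"] != "metadata":
            continue
        for user, sources in access["users"].items():
            if "project" in sources:
                exposed.setdefault(user, []).append(name)
    return exposed


if __name__ == "__main__":
    for name, md in INSTANCES.items():
        print(name, effective_ssh_access(PROJECT_METADATA, md))
    print("project-wide keys reach:", project_wide_logins(PROJECT_METADATA, INSTANCES))
```

With the constructed metadata, alice's and deploy's project-level keys reach web-1 but not db-1 (blocked) or bastion-1 (OS Login), which is the check to run before handing out a project-level role that can write common instance metadata.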
Create new custom service accounts and grant IAM roles to service
accounts to limit the access of your instances. Use IAM roles with custom
service accounts to:
Limit the access your instances have to Cloud Platform APIs using granular
IAM roles.
Give each instance, or set of instances, a unique identity.
Managed instance groups, especially when
configured to be autoscaled, are resources that
perform actions on your behalf without direct user interaction. Managed instance
groups use a service account identity to create, delete, and manage
instances in the instance group. For more information, read the
managed instance groups and IAM
documentation.
Unsupported operations
You cannot grant access to perform
rolling updates
on instance groups using IAM roles.
To grant permission to perform these operations, use the broader
owner, editor, or viewer roles.