This page describes Identity and Access Management (IAM)
roles and the permissions granted to each Compute Engine IAM role. When
you add a new project member to your project, you can assign IAM roles to the
new member using IAM policies. To learn how to set policies, read
Managing Policies in the IAM documentation. To
learn how to assign roles to a Compute Engine service account, read
the
Creating and Enabling Service Accounts for Instances
documentation.
You might also be interested in a full list of IAM permissions
for individual API methods.
Google Cloud Platform offers Identity and Access Management (IAM),
which lets you give more granular access to specific
Google Cloud Platform resources and prevents unwanted access to other resources.
IAM lets you adopt the
security principle of least privilege,
so you grant only the necessary access to your resources.
IAM lets you control who (identity) has what (roles) permission to
which resources by setting IAM policies. IAM policies grant specific role(s)
to a project member, giving the identity certain permissions. For example, you can
assign the compute.networkAdmin role to a Google account and the account can
control network-related resources in the project, but cannot manage other
resources, like instances and disks. You can also use IAM to apply the
GCP Console legacy roles
granted to project team members.
Compute Engine IAM roles
With IAM, every API method in Compute Engine requires that the identity
making the API request has the appropriate permissions to use the resource.
Permissions are granted by setting policies that grant roles to a user, group,
or service account as a member of your project. In addition to the legacy
roles, owner, editor, and viewer,
you can assign the following Compute Engine roles to the members of
your project.
The following table lists the IAM roles available to Compute Engine
users. The table is divided into different roles. For example, the
first two roles in the table grant permissions to manage instances, followed by
roles that grant permissions to manage network-related resources. Lastly,
the security roles grant permissions to manage security-related resources, like
firewalls and SSL certificates.
Instance Admin role
Role Name
Description
Permissions
roles/compute.instanceAdmin.v1
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks.
If the user will be managing virtual machine instances that are
configured to run as a service account, you must also grant the
iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, grant this role.
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.clientSslPolicies.get
compute.clientSslPolicies.list
compute.disks.*
compute.diskTypes.get
compute.diskTypes.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instances.*
compute.instanceTemplates.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenses.*
compute.licenseCodes.*
compute.machineTypes.get
compute.machineTypes.list
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.regionOperations.list
compute.regions.get
compute.regions.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.get
compute.zones.list
compute.projects.get
compute.projects.setCommonInstanceMetadata
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Compute Admin role
Role Name
Description
Permissions
roles/compute.admin
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are
configured to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Service Account User role
Role Name
Description
Permissions
roles/iam.serviceAccountUser
When granted alongside instanceAdmin.v1, grants
access to create VMs, attach disks to, and update metadata on VM
instances that can run as a service account.
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Image User Role
Role Name
Description
Permissions
roles/compute.imageUser
Permission to list and read images without having other permissions to
resources in the project. Granting the compute.imageUser
role gives members the ability to list all images in the project and
create resources, such as instances and persistent disks, based on
images in the project.
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Network Viewer role
Role Name
Description
Permissions
roles/compute.networkViewer
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant that software's service account the
networkViewer role.
compute.addresses.get
compute.addresses.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.networks.get
compute.networks.list
compute.packetMirroringConfigs.get
compute.packetMirroringConfigs.list
compute.routes.get
compute.routes.list
compute.routers.get
compute.routers.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpns.get
compute.vpns.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.projects.get
resourcemanager.projects.get
servicemanagement.projectSettings.get
Network Admin role
Role Name
Description
Permissions
roles/compute.networkAdmin
Permissions to create, modify, and delete networking resources, except
for firewall rules and SSL certificates. The networkAdmin
role allows read-only access to firewall rules, SSL certificates, and
instances (to view their ephemeral IP addresses). The role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking teams group the
networkAdmin role.
compute.addresses.*
compute.globalAddresses.*
compute.backendBuckets.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.backendServices.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.use
compute.routes.*
compute.routers.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.clientSslPolicies.*
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.use
compute.instanceGroups.update
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.use
compute.instanceGroupManagers.update
compute.vpns.*
compute.vpnTunnels.*
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Security Admin role
Role Name
Description
Permissions
roles/compute.securityAdmin
Permissions to create, modify, and delete firewall rules and SSL
certificates.
For example, if your company has a security team that manages
firewalls and SSL certificates and a networking team that manages
the rest of the networking resources, then grant the security teams
group the securityAdmin role.
compute.firewalls.*
compute.packetMirrorings.*
compute.sslCertificates.*
compute.clientSslPolicies.*
compute.securityPolicies.*
compute.sslPolicies.*
compute.instances.updateSecurity
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.updatePolicy
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Compute Viewer role
Role Name
Description
Permissions
roles/compute.viewer
Read-only access to get and list Compute Engine resources,
without being able to read the data stored on them.
For example, an account with this role could inventory all of the
disks in a project, but it could not read any of the data on those
disks.
compute.*.get
compute.*.getIamPolicy
compute.*.list
compute.forwardingRules.externalGet
compute.images.getFromFamily
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.listReferrers
compute.networks.listIpOwners
compute.networks.listUsableSubnets
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.listIpOwners
compute.urlMaps.validate
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Storage Admin role (Beta)
Role Name
Description
Permissions
roles/compute.storageAdmin (Beta)
Permissions to create, modify, and delete disks, images, and
snapshots.
For example, if your company has someone who manages images and you
do not want them to have the editor role on the project, then grant
their account the storageAdmin role.
compute.disks.*
compute.diskTypes.get
compute.diskTypes.list
compute.images.*
compute.licenses.*
compute.licenseCodes.*
compute.snapshots.*
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.globalOperations.get
compute.globalOperations.list
compute.regionOperations.get
compute.regionOperations.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
Shared VPC Admin role
Role Name
Description
Permissions
roles/compute.xpnAdmin
Permissions to administer
shared VPC: specifying the shared
VPC host projects and associating the shared VPC service projects to
the host project network.
Google Cloud Platform recommends that the Shared VPC Admin be the
owner of the shared VPC host project. The Shared VPC Admin is
responsible for granting compute.networkUser role to
service owners, and the shared VPC
host project owner controls the project itself. Managing the project
is easier if a single principal (individual or group) can fulfill both
roles.
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.enableXpnHost
compute.organizations.disableXpnHost
compute.organizations.enableXpnResource
compute.organizations.disableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.getIamPolicy
Network User role
Role Name
Description
Permissions
roles/compute.networkUser
Permissions to use a shared VPC network. Specifically, grant this
role to Service owners that need to create resources in the
shared VPC host project network.
compute.addresses.get
compute.addresses.list
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.listIpOwners
compute.networks.listUsableSubnets
compute.networks.use
compute.networks.useExternalIp
compute.routes.get
compute.routes.list
compute.routers.get
compute.routers.list
compute.subnetworks.list
compute.subnetworks.listIpOwners
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpns.get
compute.vpns.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.scopes.get
compute.scopes.list
compute.regions.get
compute.regions.list
compute.zones.get
compute.zones.list
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.projectSettings.get
serviceusage.services.get
serviceusage.quotas.get
You can grant multiple roles to a project member on the same project. For
example, if your networking team manages firewall rules instead of leaving those
to a separate security team, you can grant the compute.networkAdmin and
compute.securityAdmin roles to the networking team’s
Google group.
The serviceAccountUser role
When granted together with the compute.instanceAdmin.v1 role, the
iam.serviceAccountUser role gives members the ability to create and
manage instances that use a service account. Specifically, granting
the iam.serviceAccountUser and the compute.instanceAdmin.v1 roles together
gives members permission to:
Attach a persistent disk to an instance that runs as a service account.
Set instance metadata on an instance that runs as a service account.
Use SSH to connect to an instance that runs as a service account.
Reconfigure an instance to run as a service account.
You can grant the iam.serviceAccountUser role one of two ways:
[Recommended] Grant the role to a member on a
specific service account.
This gives a member access to the service account for which they are an
iam.serviceAccountUser but prevents access to other service accounts for
which the member is not an iam.serviceAccountUser.
Grant the role to a member on the
project level. The member has access to all
service accounts in the project, including service accounts that are created
in the future.
After you grant a project member the roles/compute.instanceAdmin.v1 role, they
can connect to virtual machine instances using the standard Google Cloud
Platform tools, like the gcloud tool or
SSH from the Browser.
When a member uses the gcloud command-line tool or SSH from the browser, the
tools will automatically generate a public/private keypair and add the public
key to the project metadata. If the member does not have permissions to edit
project metadata, the tool will add the member's public key to the instance
metadata instead.
Create new custom service accounts and grant IAM roles to service
accounts to limit the access of your instances. Use IAM roles with custom
service accounts to:
Limit the access your instances have to Cloud Platform APIs using granular
IAM roles.
Give each instance, or set of instances, a unique identity.
Managed instance groups, especially when
configured to be autoscaled, are resources that
perform actions on your behalf without direct user interaction. Managed instance
groups use a service account identity to create, delete, and manage
instances in the instance group. For more information, read the
managed instance groups and IAM
documentation.
Unsupported operations
You cannot grant access to perform
rolling updates
on instance groups using IAM roles.
To grant permission to perform these operations, use the broader
owner, editor, or viewer roles.
Known issues
Some IAM roles are still in Beta so IAM might not be supported by all
available clients. We recommend using the gcloud command-line tool or the
Google Cloud Platform APIs directly to use IAM.
