Compute Engine IAM Permissions

Google Identity and Access Management (IAM) now offers the ability to create customized IAM roles. With this release, you can create a custom IAM role and assign it one or more permissions. Then, you can grant the newly created role to users who are part of your project. Use custom roles to create an access control model that maps directly to your needs, alongside the predefined roles offered by Google.

This document lists all the API methods available for Compute Engine and the permissions required to call each method. Use this information to decide which permissions to include in a custom role so that users granted the role can call the specific API methods they need.

This document does not describe how to create a custom role. You can find in-depth information about custom roles, and step-by-step instructions for creating a custom role, in Creating and Managing Custom Roles.

Before you begin

Cloud Platform Console permission

To use the Google Cloud Platform Console to access Compute Engine resources, you must grant or be granted the following permission on the project:

compute.projects.get
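As an added example (not part of the Google documentation), the following script assembles a least-privilege custom role from permissions listed on this page: an on-call operator who can view, start, stop and reset VM instances and read their serial console, but cannot create or delete instances or change their metadata. PROJECT_ID, ROLE_ID and MEMBER are placeholders you supply; the gcloud calls are skipped when the CLI is not installed.

```shell
#!/bin/sh
# Added example, not from the documentation page. Builds a custom role whose
# permissions are taken from the method tables on this page:
#   Console access / projects.get   -> compute.projects.get
#   instances.list, instances.get   -> compute.instances.list, compute.instances.get
#   instances.start/stop/reset      -> compute.instances.start, .stop, .reset
#   instances.getSerialPortOutput   -> compute.instances.getSerialPortOutput
# Omitted on purpose: compute.instances.create/delete (so the role cannot
# add or remove VMs) and compute.instances.setMetadata (which, as the page
# notes, also needs iam.serviceAccounts.actAs on service-account instances).

PROJECT_ID="${PROJECT_ID:-my-project-id}"          # placeholder
ROLE_ID="${ROLE_ID:-vmOperator}"                    # placeholder
MEMBER="${MEMBER:-user:oncall@example.com}"         # placeholder

OPERATOR_PERMISSIONS="compute.projects.get
compute.instances.list
compute.instances.get
compute.instances.start
compute.instances.stop
compute.instances.reset
compute.instances.getSerialPortOutput"

# write_role_file FILE: emit the role definition in the YAML layout that
# `gcloud iam roles create --file` accepts.
write_role_file() {
    file="$1"
    {
        printf 'title: "VM operator (custom)"\n'
        printf 'description: "Start, stop, reset and inspect VM instances; no create, delete or metadata changes"\n'
        printf 'stage: "GA"\n'
        printf 'includedPermissions:\n'
        printf '%s\n' "$OPERATOR_PERMISSIONS" | while IFS= read -r perm; do
            [ -n "$perm" ] && printf -- '- %s\n' "$perm"
        done
    } > "$file"
}

# role_has_permission FILE PERM: succeed if PERM is listed in the role file.
# Useful as a pre-deployment check that no write permission crept in.
role_has_permission() {
    grep -qx -- "- $2" "$1"
}

# create_role FILE: create the custom role at project scope.
create_role() {
    if ! command -v gcloud >/dev/null 2>&1; then
        echo "gcloud not found; role definition left in $1" >&2
        return 0
    fi
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$1"
}

# grant_role: bind the new role to MEMBER on the project.
grant_role() {
    if ! command -v gcloud >/dev/null 2>&1; then
        echo "gcloud not found; skipping binding for $MEMBER" >&2
        return 0
    fi
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="$MEMBER" \
        --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

main() {
    role_file="${TMPDIR:-/tmp}/${ROLE_ID}.yaml"
    write_role_file "$role_file"
    # Refuse to proceed if a destructive permission is present in the file.
    if role_has_permission "$role_file" compute.instances.delete; then
        echo "refusing to create role: delete permission present" >&2
        return 1
    fi
    create_role "$role_file" && grant_role
}
```

Run `main` after setting the placeholders; the guard in main shows the kind of check worth keeping in any pipeline that generates roles from this table.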

AcceleratorTypes Collection

Method Required Permissions
acceleratorTypes.aggregatedList compute.acceleratorTypes.list on the project
acceleratorTypes.get compute.acceleratorTypes.get on the accelerator type
acceleratorTypes.list compute.acceleratorTypes.list on the project

Addresses Collection

Method Required Permissions
addresses.aggregatedList compute.addresses.list on the project
addresses.delete compute.addresses.delete on the address
addresses.get compute.addresses.get on the address
addresses.insert
  • compute.addresses.create on the project
  • compute.subnetworks.use on the subnetwork
addresses.list compute.addresses.list on the project
addresses.testIamPermissions compute.addresses.list on the project

Autoscalers Collection

Method Required Permissions
autoscalers.aggregatedList compute.autoscalers.list on the project
autoscalers.delete compute.autoscalers.delete on the autoscaler
autoscalers.get compute.autoscalers.get on the autoscaler
autoscalers.insert
  • compute.autoscalers.create on the project
  • compute.instanceGroupManagers.use on the managed instance group
autoscalers.list compute.autoscalers.list on the project
autoscalers.patch
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group
autoscalers.testIamPermissions compute.autoscalers.list on the project
autoscalers.update
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group

BackendBuckets Collection

Method Required Permissions
backendBuckets.delete compute.backendBuckets.delete on the backend bucket
backendBuckets.get compute.backendBuckets.get on the backend bucket
backendBuckets.insert compute.backendBuckets.create on the project
backendBuckets.list compute.backendBuckets.list on the project
backendBuckets.patch
  • compute.backendBuckets.get on the backend bucket
  • compute.backendBuckets.update on the backend bucket
backendBuckets.update compute.backendBuckets.update on the backend bucket

BackendServices Collection

Method Required Permissions
backendServices.delete compute.backendServices.delete on the backend service
backendServices.get compute.backendServices.get on the backend service
backendServices.getHealth compute.backendServices.get on the backend service
backendServices.insert
  • compute.backendServices.create on the project
  • compute.httpHealthChecks.useReadOnly on the HTTP health check, if using an HTTP health check
  • compute.httpsHealthChecks.useReadOnly on the HTTPS health check, if using an HTTPS health check
  • compute.healthChecks.useReadOnly on the health check, if using a generic health check
backendServices.list compute.backendServices.list on the project
backendServices.patch
  • compute.backendServices.get on the backend service
  • compute.backendServices.update on the backend service
backendServices.testIamPermissions compute.backendServices.list on the project
backendServices.update
  • compute.backendServices.update on the backend service
  • compute.httpHealthChecks.useReadOnly on the HTTP health check, if using an HTTP health check
  • compute.httpsHealthChecks.useReadOnly on the HTTPS health check, if using an HTTPS health check
  • compute.healthChecks.useReadOnly on the health check, if using a generic health check

DiskTypes Collection

Method Required Permissions
diskTypes.aggregatedList compute.diskTypes.list on the project
diskTypes.get compute.diskTypes.get
diskTypes.list compute.diskTypes.list on the project

Disks Collection

Method Required Permissions
disks.aggregatedList compute.disks.list on the project
disks.createSnapshot
  • compute.disks.createSnapshot on the disk
  • compute.snapshots.create on the project
  • compute.snapshots.setLabels if you specify labels on the new snapshot
disks.delete compute.disks.delete
disks.get compute.disks.get
disks.insert
  • compute.disks.create on the project
  • One of:
    • compute.snapshots.useReadOnly on the snapshot
    • compute.images.useReadOnly on the image
  • compute.disks.setLabels if you specify labels on the new disk
disks.list compute.disks.list on the project
disks.resize compute.disks.resize on the disk
disks.setLabels compute.disks.setLabels
disks.testIamPermissions compute.disks.list on the project

Firewalls Collection

Method Required Permissions
firewalls.delete compute.firewalls.delete on the firewall
firewalls.get compute.firewalls.get on the firewall
firewalls.insert
  • compute.firewalls.create on the project
  • compute.networks.updatePolicy on the network
firewalls.list compute.firewalls.list on the project
firewalls.patch
  • compute.firewalls.get on the firewall
  • compute.firewalls.update on the firewall
firewalls.testIamPermissions compute.firewalls.list on the project
firewalls.update
  • compute.firewalls.update on the firewall
  • compute.networks.updatePolicy on the network

ForwardingRules Collection

Method Required Permissions
forwardingRules.aggregatedList compute.forwardingRules.list on the project
forwardingRules.delete compute.forwardingRules.delete on the forwarding rule
forwardingRules.get compute.forwardingRules.get on the forwarding rule
forwardingRules.insert
  • compute.forwardingRules.create on the project
  • compute.addresses.use on an address if using a static external IP address
  • One of:
    • compute.targetPools.use on the target pool
    • compute.targetInstances.use on the target instance
    • compute.targetVpnGateways.use on the target VPN gateway
forwardingRules.list compute.forwardingRules.list on the project
forwardingRules.setTarget
  • compute.forwardingRules.setTarget on the project
  • compute.addresses.use on an address if changing a static external IP address
  • One of:
    • compute.targetPools.use on the target pool
    • compute.targetInstances.use on the target instance
    • compute.targetVpnGateways.use on the target VPN gateway
forwardingRules.testIamPermissions compute.forwardingRules.list on the project

GlobalAddresses Collection

Method Required Permissions
globalAddresses.delete compute.globalAddresses.delete on the global address
globalAddresses.get compute.globalAddresses.get on the global address
globalAddresses.insert compute.globalAddresses.create on the project
globalAddresses.list compute.globalAddresses.list on the project
globalAddresses.testIamPermissions compute.globalAddresses.list on the project

GlobalForwardingRules Collection

Method Required Permissions
globalForwardingRules.delete compute.globalForwardingRules.delete on the forwarding rule
globalForwardingRules.get compute.globalForwardingRules.get on the forwarding rule
globalForwardingRules.insert
  • compute.globalForwardingRules.create on the project
  • compute.globalAddresses.use if using a static external IP address
  • One of:
    • compute.targetHttpProxies.use on the target HTTP proxy
    • compute.targetHttpsProxies.use on the target HTTPS proxy
globalForwardingRules.list compute.globalForwardingRules.list on the project
globalForwardingRules.setTarget
  • compute.globalForwardingRules.setTarget on the forwarding rule
  • One of:
    • compute.targetHttpProxies.use on the target HTTP proxy
    • compute.targetHttpsProxies.use on the target HTTPS proxy
globalForwardingRules.testIamPermissions compute.globalForwardingRules.list on the project

GlobalOperations Collection

Method Required Permissions
globalOperations.aggregatedList compute.globalOperations.list on the project
globalOperations.delete compute.globalOperations.delete on the operation
globalOperations.get compute.globalOperations.get on the operation
globalOperations.list compute.globalOperations.list on the project

HealthChecks Collection

Method Required Permissions
healthChecks.delete compute.healthChecks.delete on the health check
healthChecks.get compute.healthChecks.get on the health check
healthChecks.insert compute.healthChecks.create on the project
healthChecks.list compute.healthChecks.list on the project
healthChecks.patch
  • compute.healthChecks.get on the health check
  • compute.healthChecks.update on the health check
healthChecks.testIamPermissions compute.healthChecks.list on the project
healthChecks.update compute.healthChecks.update on the health check

HttpHealthChecks Collection

Method Required Permissions
httpHealthChecks.delete compute.httpHealthChecks.delete on the HTTP health check
httpHealthChecks.get compute.httpHealthChecks.get on the HTTP health check
httpHealthChecks.insert compute.httpHealthChecks.create on the project
httpHealthChecks.list compute.httpHealthChecks.list on the project
httpHealthChecks.patch
  • compute.httpHealthChecks.get on the HTTP health check
  • compute.httpHealthChecks.update on the HTTP health check
httpHealthChecks.testIamPermissions compute.httpHealthChecks.list on the project
httpHealthChecks.update compute.httpHealthChecks.update on the HTTP health check

HttpsHealthChecks Collection

Method Required Permissions
httpsHealthChecks.delete compute.httpsHealthChecks.delete on the HTTPS health check
httpsHealthChecks.get compute.httpsHealthChecks.get on the HTTPS health check
httpsHealthChecks.insert compute.httpsHealthChecks.create on the project
httpsHealthChecks.list compute.httpsHealthChecks.list on the project
httpsHealthChecks.patch
  • compute.httpsHealthChecks.get on the HTTPS health check
  • compute.httpsHealthChecks.update on the HTTPS health check
httpsHealthChecks.testIamPermissions compute.httpsHealthChecks.list on the project
httpsHealthChecks.update compute.httpsHealthChecks.update on the HTTPS health check

Images Collection

Method Required Permissions
images.delete compute.images.delete on the image
images.deprecate compute.images.deprecate on the image
images.get compute.images.get on the image
images.getFromFamily compute.images.getFromFamily on the image
images.insert
  • compute.images.create on the project
  • compute.disks.useReadOnly on the source disk if creating an image based on a disk
  • compute.images.useReadOnly on the source image if creating an image based on another image
  • compute.images.setLabels if you specify labels on the new image
images.list compute.images.list on the project
images.setLabels compute.images.setLabels on the image
images.testIamPermissions compute.images.list on the project

InstanceGroupManagers Collection

Method Required Permissions
instanceGroupManagers.abandonInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.aggregatedList compute.instanceGroupManagers.list on the project
instanceGroupManagers.delete compute.instanceGroupManagers.delete on the managed instance group
instanceGroupManagers.deleteInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.get compute.instanceGroupManagers.get on the managed instance group
instanceGroupManagers.insert
  • compute.instanceGroupManagers.create on the project
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.targetPools.get on any target pools, if adding this instance group to a target pool
    • compute.httpHealthChecks.use on the HTTP health check, if using autohealing with HTTP health check
    • compute.httpsHealthChecks.use on the HTTPS health check, if using autohealing with HTTPS health check
    • compute.healthChecks.use on the generic health check, if using autohealing with generic health check
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
instanceGroupManagers.list compute.instanceGroupManagers.list on the project
instanceGroupManagers.listManagedInstances compute.instanceGroupManagers.get on the managed instance group
instanceGroupManagers.recreateInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.resize compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.resizeAdvanced compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.setAutoHealingPolicies
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.httpHealthChecks.use on the HTTP health check
instanceGroupManagers.setInstanceTemplate
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
instanceGroupManagers.setTargetPools
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.targetPools.get on the target pool
instanceGroupManagers.testIamPermissions compute.instanceGroupManagers.list on the project

InstanceGroups Collection

Method Required Permissions
instanceGroups.addInstances
  • compute.instanceGroups.update on the instance group
  • compute.instances.use on the instances you want to add
instanceGroups.aggregatedList compute.instanceGroups.list on the project
instanceGroups.delete compute.instanceGroups.delete on the instance group
instanceGroups.get compute.instanceGroups.get on the instance group
instanceGroups.insert
  • compute.instanceGroups.create on the project
  • compute.networks.get on the network
instanceGroups.list compute.instanceGroups.list on the project
instanceGroups.listInstances compute.instanceGroups.get on the instance group
instanceGroups.removeInstances compute.instanceGroups.update on the instance group
instanceGroups.setNamedPorts compute.instanceGroups.update on the instance group
instanceGroups.testIamPermissions compute.instanceGroups.list on the project

InstanceTemplates Collection

Method Required Permissions
instanceTemplates.delete compute.instanceTemplates.delete on the instance template
instanceTemplates.get compute.instanceTemplates.get on the instance template
instanceTemplates.insert compute.instanceTemplates.create on the project
instanceTemplates.list compute.instanceTemplates.list on the project
instanceTemplates.testIamPermissions compute.instanceTemplates.list on the project

Instances Collection

Method Required Permissions
instances.addAccessConfig
  • compute.instances.addAccessConfig on the instance
  • compute.addresses.use on a static external IP address, if specifying one
  • One of:
    • compute.networks.useExternalIp on the network if planning to assign an external IP address to the instance (either ephemeral or static)
    • compute.subnetworks.useExternalIp on the subnetwork if planning to assign an external IP address to the instance (either ephemeral or static)
instances.aggregatedList compute.instances.list on the project
instances.attachDisk
  • compute.instances.attachDisk on the instance
  • compute.disks.use on the disk
instances.delete compute.instances.delete on the instance
instances.deleteAccessConfig compute.instances.deleteAccessConfig on the instance
instances.detachDisk compute.instances.detachDisk on the instance
instances.get compute.instances.get on the instance
instances.getSerialPortOutput compute.instances.getSerialPortOutput on the instance
instances.insert
  • compute.instances.create on the project
  • compute.networks.use on the network if using a legacy network (such as the default network)
  • compute.subnetworks.use on the subnetwork, if using a subnetwork
  • compute.networks.useExternalIp on the network if planning to assign an external IP address to the instance (either ephemeral or static)
  • compute.subnetworks.useExternalIp on the subnetwork if planning to assign an external IP address to the instance (either ephemeral or static)
  • compute.addresses.use on a static external IP address, if specifying one
  • compute.instances.setMetadata on the project if setting metadata
  • compute.instances.setTags on the project if setting tags
  • compute.instances.setLabels on the project if setting labels
  • compute.images.useReadOnly on the image if using the image to create a new root persistent disk
  • compute.disks.create on the project if creating a new root persistent disk with this instance
  • compute.disks.useReadOnly on the disk, if attaching an existing persistent disk in read-only mode
  • compute.disks.use on the disk, if attaching an existing persistent disk in read-write mode
  • If you intend for the VM instance to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
  • Both compute.instances.setServiceAccount and iam.serviceAccounts.actAs if you specify a service account for the new instance
instances.list compute.instances.list on the project
instances.listReferrers
  • compute.instances.listReferrers on the instance if listing referrers for a specific instance
  • compute.instances.listReferrers on the project if listing referrers for a group of instances in a specific zone
instances.reset compute.instances.reset on the instance
instances.setDiskAutoDelete
  • compute.instances.setDiskAutoDelete on the instance
  • compute.disks.update on the disk
instances.setLabels compute.instances.setLabels on the instance
instances.setMachineResources compute.instances.setMachineResources on the instance
instances.setMachineType compute.instances.setMachineType on the instance
instances.setMetadata
  • compute.instances.setMetadata on the instance
  • If the instance runs as a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource.
instances.setMinCpuPlatform compute.instances.setMinCpuPlatform on the instance
instances.setScheduling compute.instances.setScheduling on the instance
instances.setTags compute.instances.setTags on the instance
instances.start compute.instances.start on the instance
instances.startWithEncryptionKey compute.instances.startWithEncryptionKey on the instance
instances.stop compute.instances.stop on the instance
instances.testIamPermissions compute.instances.list on the project

InterconnectAttachment Collection

Method Required Permissions
interconnectAttachments.aggregatedList compute.interconnectAttachments.list on the project
interconnectAttachments.delete compute.interconnectAttachments.delete on the attachment
interconnectAttachments.get compute.interconnectAttachments.get on the attachment
interconnectAttachments.insert
  • compute.interconnectAttachments.create on the project
  • compute.interconnects.use on the associated interconnect
  • compute.routers.use on the associated Cloud Router
interconnectAttachments.list compute.interconnectAttachments.list on the project
interconnectAttachments.testIamPermissions compute.interconnectAttachments.list on the project

InterconnectLocations Collection

Method Required Permissions
interconnectLocations.get compute.interconnectLocations.get on the project
interconnectLocations.list compute.interconnectLocations.list on the project

Interconnects Collection

Method Required Permissions
interconnects.delete compute.interconnects.delete on the interconnect
interconnects.get compute.interconnects.get on the interconnect
interconnects.insert compute.interconnects.create on the project
interconnects.list compute.interconnects.list on the project
interconnects.patch
  • compute.interconnects.get on the interconnect
  • compute.interconnects.update on the interconnect
interconnects.testIamPermissions compute.interconnects.list on the project

Licenses Collection

Method Required Permissions
licenses.get compute.licenses.get on the license

MachineTypes Collection

Method Required Permissions
machineTypes.aggregatedList compute.machineTypes.list on the project
machineTypes.get compute.machineTypes.get on the machine type
machineTypes.list compute.machineTypes.list on the project

Networks Collection

Method Required Permissions
networks.delete compute.networks.delete on the network
networks.get compute.networks.get on the network
networks.insert compute.networks.create on the project
networks.list compute.networks.list on the project
networks.addPeering compute.networks.addPeering on the network
networks.removePeering compute.networks.removePeering on the network
networks.switchToCustomMode compute.networks.switchToCustomMode on the network
networks.testIamPermissions compute.networks.list on the project

Projects Collection

Method Required Permissions
projects.disableXpnHosts
  • compute.organizations.disableXpnHost on the organization
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
  • compute.globalOperations.get on the project
projects.disableXpnResource
  • compute.organizations.disableXpnResource on the organization
  • compute.projects.get on the project and the service project
  • resourcemanager.projects.get on the project and the service project
  • compute.globalOperations.get on the project
projects.enableXpnHosts
  • compute.organizations.enableXpnHost on the organization
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
  • compute.globalOperations.get on the project
projects.enableXpnResource
  • compute.organizations.enableXpnResource on the organization
  • compute.projects.get on the project and the service project
  • resourcemanager.projects.get on the project and the service project
  • compute.globalOperations.get on the project
projects.get compute.projects.get on the project
projects.getXpnHost compute.projects.get on the project
projects.getXpnResources compute.projects.get on the project
projects.listXpnHosts
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
projects.moveDisk
  • compute.disks.get on the disk
  • compute.disks.create on the project
  • compute.disks.delete on the disk
  • compute.disks.createSnapshot on the disk
  • compute.snapshots.create on the project
  • compute.snapshots.useReadOnly on the project
  • compute.snapshots.delete on the project
  • compute.projects.get on the project
  • compute.regions.get on the destination region
projects.moveInstance
  • compute.addresses.create on the project if moving within a region
  • compute.addresses.delete on the project if moving within a region
  • compute.addresses.list on the project if moving within a region
  • compute.addresses.use on the project if moving within a region
  • compute.disks.create on the project
  • compute.disks.createSnapshot on each source disk
  • compute.disks.delete on each source disk
  • compute.disks.get on each source disk
  • compute.disks.update on each source disk
  • compute.disks.use on the project if a source disk is in read-write mode
  • compute.disks.useReadOnly on the project if a source disk is in read-only mode
  • compute.instances.create on the project
  • compute.instances.delete on the source instance
  • compute.instances.get on the source instance
  • compute.instances.list on the project
  • compute.instances.setDiskAutoDelete on the source instance
  • compute.instances.setLabels on the project if the source instance has labels
  • compute.instances.setMetadata on the project if the source instance has custom metadata
  • compute.instances.setTags on the project if the source instance has tags
  • compute.instances.stop on the source instance
  • compute.networks.use on each network the source instance is connected to
  • compute.networks.useExternalIp on each network the source instance belongs to if it has an external IP on that network
  • compute.projects.get on the project
  • compute.regions.get on the destination region
  • compute.snapshots.create on the project
  • compute.snapshots.useReadOnly on the project
  • compute.snapshots.delete on the project
  • compute.subnetworks.use on each subnetwork the source instance belongs to
  • compute.subnetworks.useExternalIp on each subnetwork the source instance belongs to if it has an external IP on that subnetwork
projects.setCommonInstanceMetadata
  • compute.projects.setCommonInstanceMetadata on the project
  • iam.serviceAccounts.actAs on the project
projects.setUsageExportBucket compute.projects.setUsageExportBucket on the project

RegionAutoscalers Collection

Method Required Permissions
regionAutoscalers.delete compute.autoscalers.delete on the autoscaler
regionAutoscalers.get compute.autoscalers.get on the autoscaler
regionAutoscalers.insert
  • compute.autoscalers.create on the project
  • compute.instanceGroupManagers.use on the managed instance group
regionAutoscalers.list compute.autoscalers.list on the project
regionAutoscalers.patch
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group
regionAutoscalers.testIamPermissions compute.autoscalers.list on the project
regionAutoscalers.update
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group

RegionInstanceGroupManagers Collection

Method Required Permissions
regionInstanceGroupManagers.abandonInstances compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.delete compute.instanceGroupManagers.delete on the managed instance group
regionInstanceGroupManagers.deleteInstances compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.get compute.instanceGroupManagers.get on the managed instance group
regionInstanceGroupManagers.insert
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the