Compute Engine IAM Permissions

Google Identity and Access Management (IAM) now offers the ability to create customized IAM roles. With this release, you can create a custom IAM role and assign it one or more permissions. Then, you can grant the newly created role to users who are part of your project. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles offered by Google.

This document lists all the API methods available for Compute Engine and the permissions required to call each method. Use this information to decide which permissions to include in a custom role so that users who are granted the role can call specific API methods.
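One way to use these tables when reviewing a role, as an added example that is not part of the original documentation: it compares a candidate role's permission list with the rows for the methods a team needs, and reports permissions that are missing, "One of" groups that are not satisfied, and permissions that exceed what the methods require. The `ROWS` subset is transcribed from this page; the function names, the `static_external_ip` feature label and the candidate role are assumptions made for the illustration.

```python
"""Audit a candidate custom role against method/permission rows from this page."""

# Permission needed to use the Cloud Platform Console (see "Before you begin").
CONSOLE_PERMISSION = "compute.projects.get"

# Subset of rows transcribed from the tables on this page.
#   all    -> every permission is required
#   one_of -> at least one permission in each group is required
#   when   -> required only if the named feature is used (labels are hypothetical)
# Resource scope ("on the disk", "on the project") is not modelled here.
ROWS = {
    "instances.list": {"all": ["compute.instances.list"]},
    "instances.get": {"all": ["compute.instances.get"]},
    "instances.start": {"all": ["compute.instances.start"]},
    "instances.stop": {"all": ["compute.instances.stop"]},
    "instances.attachDisk": {
        "all": ["compute.instances.attachDisk", "compute.disks.use"],
    },
    "instances.addAccessConfig": {
        "all": ["compute.instances.addAccessConfig"],
        "when": {"static_external_ip": ["compute.addresses.use"]},
        "one_of": [["compute.networks.useExternalIp",
                    "compute.subnetworks.useExternalIp"]],
    },
    "disks.createSnapshot": {
        "all": ["compute.disks.createSnapshot", "compute.snapshots.create"],
    },
    "disks.insert": {
        "all": ["compute.disks.create"],
        "one_of": [["compute.snapshots.useReadOnly",
                    "compute.images.useReadOnly"]],
    },
}


def required(methods, features=(), console=False):
    """Return (must_have, one_of_groups) for the given API methods."""
    must, groups = set(), []
    if console:
        must.add(CONSOLE_PERMISSION)
    for method in methods:
        if method not in ROWS:
            raise ValueError(f"no row transcribed for method {method!r}")
        row = ROWS[method]
        must.update(row.get("all", []))
        for feature, perms in row.get("when", {}).items():
            if feature in features:
                must.update(perms)
        for group in row.get("one_of", []):
            group = frozenset(group)
            if group not in groups:
                groups.append(group)
    return must, groups


def audit_role(role_permissions, methods, features=(), console=False):
    """Compare a role's permissions with what the methods require."""
    granted = set(role_permissions)
    must, groups = required(methods, features, console)
    allowed = must.union(*groups)
    return {
        # Calls to the listed methods will be denied until these are added.
        "missing": sorted(must - granted),
        # Each group needs at least one of its members granted.
        "unsatisfied_one_of": [sorted(g) for g in groups if not (g & granted)],
        # Not needed by any listed method: candidates for removal.
        "excess": sorted(granted - allowed),
    }


# Constructed sample input: a role proposed for a team that starts and stops
# instances and manages disks and snapshots.
NEEDED_METHODS = ["instances.list", "instances.get", "instances.start",
                  "instances.stop", "disks.createSnapshot", "disks.insert"]
CANDIDATE_ROLE = ["compute.instances.list", "compute.instances.get",
                  "compute.instances.start", "compute.instances.stop",
                  "compute.disks.createSnapshot", "compute.disks.create",
                  "compute.instances.setMetadata", "compute.instances.delete"]

if __name__ == "__main__":
    report = audit_role(CANDIDATE_ROLE, NEEDED_METHODS, console=True)
    for key, value in report.items():
        print(f"{key}: {value}")
```
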

This document does not describe how to create a custom role. You can find in-depth information about custom roles, and step-by-step instructions for creating one, in Creating and Managing Custom Roles.

Before you begin

Cloud Platform Console permission

To use the Google Cloud Platform Console to access Compute Engine resources, you must grant or be granted the following permission on the project:

compute.projects.get

AcceleratorTypes Collection

Method Required Permissions
acceleratorTypes.aggregatedList compute.acceleratorTypes.list on the project
accelerators.get compute.accelerators.get on the accelerator type
acceleratorTypes.list compute.acceleratorTypes.list on the project

Addresses Collection

Method Required Permissions
addresses.aggregatedList compute.addresses.list on the project
addresses.delete compute.addresses.delete on the address
addresses.get compute.addresses.get on the address
addresses.insert
  • compute.addresses.create on the project
  • compute.subnetworks.use on the subnetwork
addresses.list compute.addresses.list on the project
addresses.testIamPermissions compute.addresses.list on the project

Autoscalers Collection

Method Required Permissions
autoscalers.aggregatedList compute.autoscalers.list on the project
autoscalers.delete compute.autoscalers.delete on the autoscaler
autoscalers.get compute.autoscalers.get on the autoscaler
autoscalers.insert
  • compute.autoscalers.create on the project
  • compute.instanceGroupManagers.use on the managed instance group
autoscalers.list compute.autoscalers.list on the project
autoscalers.patch
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group
autoscalers.testIamPermissions compute.autoscalers.list on the project
autoscalers.update
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group

BackendBuckets Collection

Method Required Permissions
backendBuckets.delete compute.backendBuckets.delete on the backend bucket
backendBuckets.get compute.backendServices.get on the backend bucket
backendBuckets.insert compute.backendBuckets.create on the project
backendBuckets.list compute.backendBuckets.list on the project
backendBuckets.patch
  • compute.backendBuckets.get on the backend bucket
  • compute.backendBuckets.update on the backend bucket
backendBuckets.update compute.backendBuckets.update on the backend bucket

BackendServices Collection

Method Required Permissions
backendServices.delete compute.backendServices.delete on the backend service
backendServices.get compute.backendServices.get on the backend service
backendServices.getHealth compute.backendServices.get on the backend service
backendServices.insert
  • compute.backendServices.create on the project
  • compute.httpHealthChecks.useReadOnly on the HTTP health check, if using an HTTP health check
  • compute.httpsHealthChecks.useReadOnly on the HTTPS health check, if using an HTTPS health check
  • compute.healthChecks.useReadOnly on the health check, if using a generic health check
backendServices.list compute.backendServices.list on the project
backendServices.patch
  • compute.backendServices.get on the backend service
  • compute.backendServices.update on the backend service
backendServices.testIamPermissions compute.backendServices.list on the project
backendServices.update
  • compute.backendServices.update on the backend service
  • compute.httpHealthChecks.useReadOnly on the HTTP health check, if using an HTTP health check
  • compute.httpsHealthChecks.useReadOnly on the HTTPS health check, if using an HTTPS health check
  • compute.healthChecks.useReadOnly on the health check, if using a generic health check

DiskTypes Collection

Method Required Permissions
diskTypes.aggregatedList compute.diskTypes.list on the project
diskTypes.get compute.diskTypes.get
diskTypes.list compute.diskTypes.list on the project

Disks Collection

Method Required Permissions
disks.aggregatedList compute.disks.list on the project
disks.createSnapshot
  • compute.disks.createSnapshot on the disk
  • compute.snapshots.create on the project
disks.delete compute.disks.delete
disks.get compute.disks.get
disks.insert
  • compute.disks.create on the project
  • One of:
    • compute.snapshots.useReadOnly on the snapshot
    • compute.images.useReadOnly on the image
disks.list compute.disks.list on the project
disks.resize compute.disks.resize on the disk
disks.setLabels compute.disks.setLabels
disks.testIamPermissions compute.disks.list on the project

Firewalls Collection

Method Required Permissions
firewalls.delete compute.firewalls.delete on the firewall
firewalls.get compute.firewalls.get on the firewall
firewalls.insert
  • compute.firewalls.create on the project
  • compute.networks.updatePolicy on the network
firewalls.list compute.firewalls.list on the project
firewalls.patch
  • compute.firewalls.get on the firewall
  • compute.firewalls.update on the firewall
firewalls.testIamPermissions compute.firewalls.list on the project
firewalls.update
  • compute.firewalls.update on the firewall
  • compute.networks.updatePolicy on the network

ForwardingRules Collection

Method Required Permissions
forwardingRules.aggregatedList compute.forwardingRules.list on the project
forwardingRules.delete compute.forwardingRules.delete on the forwarding rule
forwardingRules.get compute.forwardingRules.get on the forwarding rule
forwardingRules.insert
  • compute.forwardingRules.create on the project
  • compute.addresses.use on an address if using a static external IP address
  • One of:
    • compute.targetPools.use on the target pool
    • compute.targetInstances.use on the target instance
    • compute.targetVpnGateways.use on the target VPN gateway
forwardingRules.list compute.forwardingRules.list on the project
forwardingRules.setTarget
  • compute.forwardingRules.setTarget on the project
  • compute.addresses.use on an address if changing a static external IP address
  • One of:
    • compute.targetPools.use on the target pool
    • compute.targetInstances.use on the target instance
    • compute.targetVpnGateways.use on the target VPN gateway
forwardingRules.testIamPermissions compute.forwardingRules.list on the project

GlobalAddresses Collection

Method Required Permissions
globalAddresses.delete compute.globalAddresses.delete on the global address
globalAddresses.get compute.globalAddresses.get on the global address
globalAddresses.insert compute.globalAddresses.create on the project
globalAddresses.list compute.globalAddresses.list on the project
globalAddresses.testIamPermissions compute.globalAddresses.list on the project

GlobalForwardingRules Collection

Method Required Permissions
globalForwardingRules.delete compute.globalForwardingRules.delete on the forwarding rule
globalForwardingRules.get compute.globalForwardingRules.get on the forwarding rule
globalForwardingRules.insert
  • compute.globalForwardingRules.create on the project
  • compute.globalAddresses.use if using a static external IP address
  • One of:
    • compute.targetHttpProxies.use on the target HTTP proxy
    • compute.targetHttpsProxies.use on the target HTTPS proxy
globalForwardingRules.list compute.globalForwardingRules.list on the project
globalForwardingRules.setTarget
  • compute.globalForwardingRules.setTarget on the forwarding rule
  • One of:
    • compute.targetHttpProxies.use on the target HTTP proxy
    • compute.targetHttpsProxies.use on the target HTTPS proxy
globalForwardingRules.testIamPermissions compute.globalForwardingRules.list on the project

GlobalOperations Collection

Method Required Permissions
globalOperations.aggregatedList compute.globalOperations.list on the project
globalOperations.delete compute.globalOperations.delete on the operation
globalOperations.get compute.globalOperations.get on the operation
globalOperations.list compute.globalOperations.list on the project

HealthChecks Collection

Method Required Permissions
healthChecks.delete compute.healthChecks.delete on the HTTP health check
healthChecks.get compute.healthChecks.get on the HTTP health check
healthChecks.insert compute.healthChecks.create on the project
healthChecks.list compute.healthChecks.list on the project
healthChecks.patch
  • compute.healthChecks.get on the health check
  • compute.healthChecks.update on the health check
healthChecks.testIamPermissions compute.healthChecks.list on the project
healthChecks.update compute.healthChecks.update on the HTTP health check

HttpHealthChecks Collection

Method Required Permissions
httpHealthChecks.delete compute.httpHealthChecks.delete on the HTTP health check
httpHealthChecks.get compute.httpHealthChecks.get on the HTTP health check
httpHealthChecks.insert compute.httpHealthChecks.create on the project
httpHealthChecks.list compute.httpHealthChecks.list on the project
httpHealthChecks.patch
  • compute.httpHealthChecks.get on the HTTP health check
  • compute.httpHealthChecks.update on the HTTP health check
httpHealthChecks.testIamPermissions compute.httpHealthChecks.list on the project
httpHealthChecks.update compute.httpHealthChecks.update on the HTTP health check

HttpsHealthChecks Collection

Method Required Permissions
httpsHealthChecks.delete compute.httpsHealthChecks.delete on the HTTPS health check
httpsHealthChecks.get compute.httpsHealthChecks.get on the HTTPS health check
httpsHealthChecks.insert compute.httpsHealthChecks.create on the project
httpsHealthChecks.list compute.httpsHealthChecks.list on the project
httpsHealthChecks.patch
  • compute.httpsHealthChecks.get on the HTTPS health check
  • compute.httpsHealthChecks.update on the HTTPS health check
httpsHealthChecks.testIamPermissions compute.httpsHealthChecks.list on the project
httpsHealthChecks.update compute.httpsHealthChecks.update on the HTTPS health check

Images Collection

Method Required Permissions
images.delete compute.images.delete on the image
images.deprecate compute.images.deprecate on the image
images.get compute.images.get on the image
images.getFromFamily compute.images.getFromFamily on the image
images.insert
  • compute.images.create on the project
  • compute.disks.useReadOnly on the source disk if creating an image based on a disk
  • compute.images.useReadOnly on the source image if creating an image based on another image
images.list compute.images.list on the project
images.setLabels compute.images.setLabels on the image
images.testIamPermissions compute.images.list on the project

InstanceGroupManagers Collection

Method Required Permissions
instanceGroupManagers.abandonInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.aggregatedList compute.instanceGroupManagers.list on the project
instanceGroupManagers.delete compute.instanceGroupManagers.delete on the managed instance group
instanceGroupManagers.deleteInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.get compute.instanceGroupManagers.get on the managed instance group
instanceGroupManagers.insert
  • compute.instanceGroupManagers.create on the project
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.targetPools.get on any target pools, if adding this instance group to a target pool
    • compute.httpHealthChecks.use on the HTTP health check, if using autohealing with HTTP health check
    • compute.httpsHealthChecks.use on the HTTPS health check, if using autohealing with HTTPS health check
    • compute.healthChecks.use on the generic health check, if using autohealing with generic health check
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
instanceGroupManagers.list compute.instanceGroupManagers.list on the project
instanceGroupManagers.listManagedInstances compute.instanceGroupManagers.get on the managed instance group
instanceGroupManagers.recreateInstances compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.resize compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.resizeAdvanced compute.instanceGroupManagers.update on the managed instance group
instanceGroupManagers.setAutoHealingPolicies
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.httpHealthChecks.use on the HTTP health check
instanceGroupManagers.setInstanceTemplate
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
instanceGroupManagers.setTargetPools
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.targetPools.get on the target pool
instanceGroupManagers.testIamPermissions compute.instanceGroupManagers.list on the project

InstanceGroups Collection

Method Required Permissions
instanceGroups.addInstances
  • compute.instanceGroups.update on the instance group
  • compute.instances.use on the instances you want to add
instanceGroups.aggregatedList compute.instanceGroups.list on the project
instanceGroups.delete compute.instanceGroups.delete on the instance group
instanceGroups.get compute.instanceGroups.get on the instance group
instanceGroups.insert
  • compute.instanceGroups.create on the project
  • compute.networks.get on the network
instanceGroups.list compute.instanceGroups.list on the project
instanceGroups.listInstances compute.instanceGroups.get on the instance group
instanceGroups.removeInstances compute.instanceGroups.update on the instance group
instanceGroups.setNamedPorts compute.instanceGroups.update on the instance group
instanceGroups.testIamPermissions compute.instanceGroups.list on the project

InstanceTemplates Collection

Method Required Permissions
instanceTemplates.delete compute.instanceTemplates.delete on the instance template
instanceTemplates.get compute.instanceTemplates.get on the instance template
instanceTemplates.insert compute.instanceTemplates.create on the project
instanceTemplates.list compute.instanceTemplates.list on the project
instanceTemplates.testIamPermissions compute.instanceTemplates.list on the project

Instances Collection

Method Required Permissions
instances.addAccessConfig
  • compute.instances.addAccessConfig on the instance
  • compute.addresses.use on a static external IP address, if specifying one
  • One of:
    • compute.networks.useExternalIp on the network if planning to assign an external IP address to the instance (either ephemeral or static)
    • compute.subnetworks.useExternalIp on the subnetwork if planning to assign an external IP address to the instance (either ephemeral or static)
instances.aggregatedList compute.instances.list on the project
instances.attachDisk
  • compute.instances.attachDisk on the instance
  • compute.disks.use on the disk
instances.delete compute.instances.delete on the instance
instances.deleteAccessConfig compute.instances.deleteAccessConfig on the instance
instances.detachDisk compute.instances.detachDisk on the instance
instances.get compute.instances.get on the instance
instances.getSerialPortOutput compute.instances.getSerialPortOutput on the instance
instances.insert
  • compute.instances.create on the project
  • compute.networks.use on the network if using a legacy network (such as the default network)
  • compute.subnetworks.use on the subnetwork, if using a subnetwork
  • compute.networks.useExternalIp on the network if planning to assign an external IP address to the instance (either ephemeral or static)
  • compute.subnetworks.useExternalIp on the subnetwork if planning to assign an external IP address to the instance (either ephemeral or static)
  • compute.addresses.use on a static external IP address, if specifying one
  • compute.instances.setMetadata on the project if setting metadata
  • compute.instances.setTags on the project if setting tags
  • compute.instances.setLabels on the project if setting labels
  • compute.images.useReadOnly on the image if using the image to create a new root persistent disk
  • compute.disks.create on the project if creating a new root persistent disk with this instance
  • compute.disks.useReadOnly on the disk, if attaching an existing persistent disk in read-only mode
  • compute.disks.use on the disk, if attaching an existing persistent disk in read-write mode
  • If you intend for the VM instance to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
instances.list compute.instances.list on the project
instances.listReferrers
  • compute.instances.listReferrers on the instance if listing referrers for a specific instance
  • compute.instances.listReferrers on the project if listing referrers for a group of instances in a specific zone
instances.reset compute.instances.reset on the instance
instances.setDiskAutoDelete
  • compute.instances.setDiskAutoDelete on the instance
  • compute.disks.update on the disk
instances.setLabels compute.instances.setLabels on the instance
instances.setMachineResources compute.instances.setMachineResources on the instance
instances.setMachineType compute.instances.setMachineType on the instance
instances.setMetadata compute.instances.setMetadata on the instance
instances.setMinCpuPlatform compute.instances.setMinCpuPlatform on the instance
instances.setScheduling compute.instances.setScheduling on the instance
instances.setTags compute.instances.setTags on the instance
instances.start compute.instances.start on the instance
instances.startWithEncryptionKey compute.instances.startWithEncryptionKey on the instance
instances.stop compute.instances.stop on the instance
instances.testIamPermissions compute.instances.list on the project

InterconnectAttachment Collection

Method Required Permissions
interconnectAttachments.aggregatedList compute.interconnectAttachments.list on the project
interconnectAttachments.delete compute.interconnectAttachments.delete on the attachment
interconnectAttachments.get compute.interconnectAttachments.get on the attachment
interconnectAttachments.insert
  • compute.interconnectAttachments.create on the project
  • compute.interconnects.use on the associated interconnect
  • compute.routers.use on the associated Cloud Router
interconnectAttachments.list compute.interconnectAttachments.list on the project
interconnectAttachments.testIamPermissions compute.interconnectAttachments.list on the project

InterconnectLocations Collection

Method Required Permissions
interconnectLocations.get compute.interconnectLocations.get on the project
interconnectLocations.list compute.interconnectLocations.list on the project

Interconnects Collection

Method Required Permissions
interconnects.delete compute.interconnects.delete on the interconnect
interconnects.get compute.interconnects.get on the interconnect
interconnects.insert compute.interconnects.create on the project
interconnects.list compute.interconnects.list on the project
interconnects.patch
  • compute.interconnects.get on the interconnect
  • compute.interconnects.update on the interconnect
interconnects.testIamPermissions compute.interconnects.list on the project

Licenses Collection

Method Required Permissions
licenses.get compute.licenses.get on the license

MachineTypes Collection

Method Required Permissions
machineTypes.aggregatedList compute.machineTypes.list on the project
machineTypes.get compute.machineTypes.get on the machine type
machineTypes.list compute.machineTypes.list on the project

Networks Collection

Method Required Permissions
networks.delete compute.networks.delete on the network
networks.get compute.networks.get on the network
networks.insert compute.networks.create on the project
networks.list compute.networks.list on the project
networks.addPeering compute.networks.addPeering on the network
networks.removePeering compute.networks.removePeering on the network
networks.switchToCustomMode compute.networks.switchToCustomMode on the network
networks.testIamPermissions compute.networks.list on the project

Projects Collection

Method Required Permissions
projects.disableXpnHosts
  • compute.organizations.disableXpnHost on the organization
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
  • compute.globalOperations.get on the project
projects.disableXpnResource
  • compute.organizations.disableXpnResource on the organization
  • compute.projects.get on the project and the service project
  • resourcemanager.projects.get on the project and the service project
  • compute.globalOperations.get on the project
projects.enableXpnHosts
  • compute.organizations.enableXpnHost on the organization
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
  • compute.globalOperations.get on the project
projects.enableXpnResource
  • compute.organizations.enableXpnResource on the organization
  • compute.projects.get on the project and the service project
  • resourcemanager.projects.get on the project and the service project
  • compute.globalOperations.get on the project
projects.get compute.projects.get on the project
projects.getXpnHost compute.projects.get on the project
projects.getXpnResources compute.projects.get on the project
projects.listXpnHosts
  • compute.projects.get on the project
  • resourcemanager.projects.get on the project
projects.moveDisk
  • compute.disks.get on the disk
  • compute.disks.create on the project
  • compute.disks.delete on the disk
  • compute.disks.createSnapshot on the disk
  • compute.snapshots.create on the project
  • compute.snapshots.useReadOnly on the project
  • compute.snapshots.delete on the project
  • compute.projects.get on the project
  • compute.regions.get on the destination region
projects.moveInstance
  • compute.addresses.list on the project to be able to list addresses
  • compute.regions.get on the target region
  • compute.instances.setDiskAutoDelete on the source instance
  • compute.instances.stop on the source instance
  • compute.disks.create on the project to create new disks
  • compute.snapshots.create on the project
  • compute.snapshots.useReadOnly on the project
  • compute.instances.create on the project
  • compute.networks.use on the network the instance belongs to
  • compute.addresses.create on the project to temporarily promote any ephemeral external IP address to a static external IP address
  • compute.addresses.delete on the project to delete any static external IP addresses that were created temporarily (the address is returned to ephemeral)
  • compute.instances.delete on the source instance to delete
  • compute.disks.delete on the source disk(s)
projects.setCommonInstanceMetadata compute.projects.setCommonInstanceMetadata on the project
projects.setUsageExportBucket compute.projects.setUsageExportBucket on the project

RegionAutoscalers Collection

Method Required Permissions
regionAutoscalers.delete compute.autoscalers.delete on the autoscaler
regionAutoscalers.get compute.autoscalers.get on the autoscaler
regionAutoscalers.insert
  • compute.autoscalers.create on the project
  • compute.instanceGroupManagers.use on the managed instance group
regionAutoscalers.list compute.autoscalers.list on the project
regionAutoscalers.patch
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group
regionAutoscalers.testIamPermissions compute.autoscalers.list on the project
regionAutoscalers.update
  • compute.autoscalers.update on the autoscaler
  • compute.instanceGroupManagers.use on the managed instance group

RegionInstanceGroupManagers Collection

Method Required Permissions
regionInstanceGroupManagers.abandonInstances compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.delete compute.instanceGroupManagers.delete on the managed instance group
regionInstanceGroupManagers.deleteInstances compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.get compute.instanceGroupManagers.get on the managed instance group
regionInstanceGroupManagers.insert
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.targetPools.get on any target pools, if adding this instance group to a target pool
    • compute.httpHealthChecks.use on the HTTP health check, if using autohealing with HTTP health check
    • compute.httpsHealthChecks.use on the HTTPS health check, if using autohealing with HTTPS health check
    • compute.healthChecks.use on the generic health check, if using autohealing with generic health check
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
regionInstanceGroupManagers.list compute.instanceGroupManagers.list on the project
regionInstanceGroupManagers.listManagedInstances compute.instanceGroupManagers.get on the managed instance group
regionInstanceGroupManagers.recreateInstances compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.resize compute.instanceGroupManagers.update on the managed instance group
regionInstanceGroupManagers.setAutoHealingPolicies
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.httpHealthChecks.use on the HTTP health check
regionInstanceGroupManagers.setInstanceTemplate
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.instanceTemplates.useReadOnly on the instance template
  • Grant the following permissions to both the Google APIs service account and the client or user making this request.
    • compute.networks.use on the network for this instance group, if using a legacy network
    • compute.subnetworks.use on the subnetwork for this instance group, if using a subnetwork
    • compute.images.useReadOnly on the boot image
    • compute.disks.create on the project to create new root persistent disks
    • compute.disks.get on any additional disks, if applicable
    • compute.instances.setMetadata on the project if setting metadata
    • compute.instances.setTags on the project if setting tags
    • compute.instances.setLabels on the project if setting labels
    • If you intend for the VM instances in the group to be able to use a service account, you must also grant the iam.serviceAccounts.actAs permission on the service account resource
regionInstanceGroupManagers.setTargetPools
  • compute.instanceGroupManagers.update on the managed instance group
  • compute.targetPools.get on the target pool
regionInstanceGroupManagers.testIamPermissions compute.instanceGroupManagers.list on the project

RegionInstanceGroups Collection

Method Required Permissions
regionInstanceGroups.get compute.instanceGroups.get on the instance group
regionInstanceGroups.list compute.instanceGroups.list on the project
regionInstanceGroups.listInstances compute.instanceGroups.get on the instance group
regionInstanceGroups.setNamedPorts compute.instanceGroups.update on the instance group
regionInstanceGroups.testIamPermissions compute.instanceGroups.list on the project

RegionOperations Collection

Method Required Permissions
regionOperations.delete compute.regionOperations.delete on the operation
regionOperations.get compute.regionOperations.get on the operation
regionOperations.list compute.regionOperations.list on the project

Regions Collection

Method Required Permissions
regions.get compute.regions.get on the region
regions.list compute.regions.list on the project

Routers Collection

Method Required Permissions
routers.aggregatedList compute.routers.list on the project
routers.delete compute.routers.delete on the router
routers.get compute.routers.get on the router
routers.getRouterStatus compute.routers.get on the router
routers.insert
  • compute.routers.create on the project
  • compute.networks.updatePolicy on the network
routers.list compute.routers.list on the project
routers.patch
  • compute.routers.get on the router
  • compute.routers.update on the router
routers.preview compute.routers.get on the router
routers.testIamPermissions compute.routers.list on the project
routers.update
  • compute.routers.update on the router
  • compute.networks.updatePolicy on the network

Routes Collection

Method Required Permissions
routes.delete compute.routes.delete on the router
routes.get compute.routes.get on the router
routes.insert
  • compute.routes.update on the route
  • compute.networks.updatePolicy on the network
routes.list compute.routes.list on the project
routes.testIamPermissions compute.routes.list on the project

Snapshots Collection

Method Required Permissions
snapshots.delete compute.snapshots.delete on the snapshot
snapshots.get compute.snapshots.get on the snapshot
snapshots.list compute.snapshots.list on the project
snapshots.setLabels compute.snapshots.setLabels
snapshots.testIamPermissions compute.snapshots.list on the project

SslCertificates Collection

Method Required Permissions
sslCertificates.delete compute.sslCertificates.delete on the SSL certificate
sslCertificates.get compute.sslCertificates.get on the SSL certificate
sslCertificates.insert compute.sslCertificates.create on the project
sslCertificates.list compute.sslCertificates.list on the project
sslCertificates.testIamPermissions compute.sslCertificates.delete on the SSL certificate

Subnetworks Collection

Method Required Permissions
subnetworks.aggregatedList compute.subnetworks.list on the project
subnetworks.delete compute.subnetworks.delete on the subnetwork
subnetworks.expandCidrRange compute.subnetworks.expandCidrRange on the subnetwork
subnetworks.get compute.subnetworks.get on the subnetwork
subnetworks.insert compute.subnetworks.create on the project
subnetworks.list compute.sslCertificates.list on the project
subnetworks.setIamPermissions compute.subnetworks.setIamPermissions on the project
subnetworks.setPrivateIpGoogleAccess compute.subnetworks.setPrivateIpGoogleAccess on the project
subnetworks.testIamPermissions compute.subnetworks.list on the project

TargetHttpProxies Collection

Method Required Permissions
targetHttpProxies.delete compute.targetHttpProxies.delete on the target HTTP proxy
targetHttpProxies.get compute.targetHttpProxies.get on the target HTTP proxy
targetHttpProxies.insert
  • compute.targetHttpProxies.create on the project
  • compute.urlMaps.use on the URL map
targetHttpProxies.list compute.targetHttpProxies.list on the project
targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.setUrlMap on the target HTTP proxy
  • compute.urlMaps.use on the URL map
targetHttpProxies.testIamPermissions compute.targetHttpProxies.list on the project

TargetHttpsProxies Collection

Method Required Permissions
targetHttpsProxies.delete compute.targetHttpsProxies.delete on the target HTTPS proxy
targetHttpsProxies.get compute.targetHttpsProxies.get on the target HTTPS proxy
targetHttpsProxies.insert
  • compute.targetHttpsProxies.create on the project
  • compute.urlMaps.use on the URL map
  • compute.sslCertificates.get on the SSL certificate
targetHttpsProxies.list compute.targetHttpsProxies.list on the project
targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslCertificates on the target HTTP proxy
  • compute.sslCertificates.get on the SSL certificate
targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.setUrlMap on the project
  • compute.urlMaps.use on the URL map
targetHttpsProxies.testIamPermissions compute.targetHttpsProxies.list on the project

TargetInstances Collection

Method Required Permissions
targetInstances.aggregatedList compute.targetInstances.list on the project
targetInstances.delete compute.targetInstances.delete on the target instance
targetInstances.get compute.targetInstances.get on the target instance
targetInstances.insert
  • compute.targetInstances.create on the project
  • compute.instances.use on the instance
targetInstances.list compute.targetInstances.list on the project
targetInstances.testIamPermissions compute.targetInstances.list on the project

TargetPools Collection

Method Required Permissions
targetPools.addHealthCheck
  • compute.targetPools.addHealthCheck on the target pool
  • compute.httpHealthChecks.useReadOnly on the HTTP health check
targetPools.addInstance
  • compute.targetPools.addInstance on the target pool
  • compute.instances.use on the instance
targetPools.aggregatedList compute.targetPools.list on the project
targetPools.delete compute.targetPools.delete on the target pool
targetPools.get compute.targetPools.get on the target pool
targetPools.getHealth compute.targetPools.get on the target pool
targetPools.insert
  • compute.targetPools.create on the project
  • compute.targetPools.use on the backup target pool, if specifying a backup target pool
  • compute.httpHealthChecks.useReadOnly on the HTTP health check, if specifying an HTTP health check
targetPools.list compute.targetPools.list on the project
targetPools.removeHealthCheck
  • compute.targetPools.removeHealthCheck on the target pool
  • compute.httpHealthChecks.useReadOnly on the HTTP health check
targetPools.removeInstances
  • compute.targetPools.removeInstances on the target pool
  • compute.instances.use on the instance
targetPools.setBackup
  • compute.targetPools.update on the target pool
  • compute.targetPools.use on the backup target pool
targetPools.testIamPermissions compute.targetPools.list on the project

TargetSslProxies Collection

Method Required Permissions
targetSslProxies.delete compute.targetSslProxies.delete on the SSL proxy
targetSslProxies.get compute.targetSslProxies.get on the SSL proxy
targetSslProxies.insert
  • compute.targetSslProxies.create on the project
  • compute.sslCertificates.get on the SSL certificate
  • compute.backendServices.use on the backend service
targetSslProxies.list compute.targetSslProxies.list on the project
targetSslProxies.setBackendService
  • compute.targetSslProxies.setBackendService on the SSL proxy
  • compute.backendServices.use on the backend service
targetSslProxies.setProxyHeader compute.targetSslProxies.setProxyHeader on the SSL proxy
targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslCertificates on the SSL proxy
  • compute.sslCertificates.get on the SSL certificate
targetSslProxies.testIamPermissions compute.targetSslProxies.list on the project

TargetTcpProxies Collection

Method Required Permissions
targetTcpProxies.delete compute.targetTcpProxies.delete on the SSL proxy
targetTcpProxies.get compute.targetTcpProxies.get on the SSL proxy
targetTcpProxies.insert
  • compute.targetTcpProxies.create on the project
  • compute.backendServices.use on the backend service
targetTcpProxies.list compute.targetTcpProxies.list on the project
targetTcpProxies.setBackendService
  • compute.targetTcpProxies.update on the TCP proxy
  • compute.backendServices.use on the backend service
targetTcpProxies.setProxyHeader compute.targetTcpProxies.update on the TCP proxy

TargetVpnGateways Collection

Method Required Permissions
targetVpnGateways.aggregatedList compute.targetVpnGateways.list on the project
targetVpnGateways.delete compute.targetVpnGateways.delete on the target VPN gateway
targetVpnGateways.get compute.targetVpnGateways.get on the target VPN gateway
targetVpnGateways.insert
  • compute.targetVpnGateways.create on the project
  • compute.networks.updatePolicy on the network
targetVpnGateways.list compute.targetVpnGateways.list on the project
targetVpnGateways.testIamPermissions compute.targetVpnGateways.list on the project

UrlMaps Collection

Method Required Permissions
urlMaps.delete compute.urlMaps.delete on the URL map
urlMaps.get compute.urlMaps.get on the URL map
urlMaps.insert
  • compute.urlMaps.create on the project
  • compute.backendServices.use on each backend service
urlMaps.invalidateCache compute.urlMaps.invalidateCache on the URL map
urlMaps.list compute.urlMaps.list on the project
urlMaps.patch
  • compute.urlMaps.get on the URL map
  • compute.urlMaps.update on the URL map
urlMaps.testIamPermissions compute.urlMaps.list on the project
urlMaps.update
  • compute.urlMaps.update on the URL map
  • compute.backendServices.use on each backend service you want to add or remove
urlMaps.validate compute.urlMaps.validate on the URL map

VpnTunnels Collection

Method Required Permissions
vpnTunnels.delete compute.vpnTunnels.delete on the VPN tunnel
vpnTunnels.aggregatedList compute.vpnTunnels.list on the project
vpnTunnels.get compute.vpnTunnels.get on the VPN tunnel
vpnTunnels.insert
  • compute.vpnTunnels.create on the project
  • compute.targetVpnGateways.use on the target VPN gateway
  • compute.routers.use on the router
vpnTunnels.list compute.vpnTunnels.list on the project
vpnTunnels.testIamPermissions compute.vpnTunnels.list on the project

ZoneOperations Collection

Method Required Permissions
zoneOperations.delete compute.zoneOperations.delete on the operation
zoneOperations.get compute.zoneOperations.get on the operation
zoneOperations.list compute.zoneOperations.list on the project

Zones Collection

Method Required Permissions
zones.get compute.zones.get on the zone
zones.list compute.zones.list on the project
