Compute Engine IAM 역할 및 권한


프로젝트에 새 구성원을 추가할 때 ID 및 액세스 관리(IAM) 정책을 사용하여 해당 구성원에게 하나 이상의 IAM 역할을 부여할 수 있습니다. 각 IAM 역할에는 구성원에게 특정 리소스에 대한 액세스 권한을 부여하는 권한이 포함됩니다.

Compute Engine에는 이 페이지에서 설명하는 사전 정의된 IAM 역할 집합이 있습니다. 요구사항에 맞는 권한 하위 집합이 포함된 커스텀 역할을 만들 수도 있습니다.

각 방식에 필요한 권한을 알아보려면 Compute Engine API 참조 문서를 확인하세요.

액세스 권한 부여에 대한 자세한 내용은 다음 페이지를 참조하세요.

IAM이란?

Google Cloud는 사용자가 특정 Google Cloud 리소스에 대한 세부적인 액세스 권한을 부여하고 다른 리소스에 대한 무단 액세스를 방지할 수 있는 IAM을 제공합니다. IAM은 최소 권한의 보안 원칙을 채택하여 리소스에 대해 필요한 액세스 권한만 부여할 수 있게 해줍니다.

IAM을 사용하면 IAM 정책을 설정하여 누가(ID) 어떤 리소스에 무슨(역할) 권한을 갖는지를 제어할 수 있습니다. IAM 정책은 프로젝트 구성원에게 특정 역할을 부여하고 ID 관련 권한을 제공합니다. 예를 들어 프로젝트와 같은 특정 리소스에 대한 roles/compute.networkAdmin 역할을 Google 계정에 할당하면 해당 계정이 프로젝트에 있는 네트워크 관련 리소스는 제어할 수 있어도 인스턴스 및 디스크와 같은 다른 리소스는 관리할 수 없습니다. IAM을 사용하여 프로젝트 팀 구성원에게 부여된 Google Cloud 콘솔의 기존 역할을 관리할 수도 있습니다.

serviceAccountUser 역할

roles/compute.instanceAdmin.v1roles/iam.serviceAccountUser 역할을 함께 부여받은 구성원은 서비스 계정을 사용하는 인스턴스를 만들고 관리할 수 있습니다. 구체적으로 roles/iam.serviceAccountUserroles/compute.instanceAdmin.v1 역할을 함께 부여받은 구성원에게는 다음 작업을 수행할 수 있는 권한이 제공됩니다.

  • 서비스 계정으로 실행되는 인스턴스를 만들 수 있습니다.
  • 서비스 계정으로 실행되는 인스턴스에 영구 디스크를 연결할 수 있습니다.
  • 서비스 계정으로 실행되는 인스턴스에서 인스턴스 메타데이터를 설정할 수 있습니다.
  • SSH를 사용하여 서비스 계정으로 실행되는 인스턴스에 연결할 수 있습니다.
  • 인스턴스가 서비스 계정으로 실행되도록 다시 구성할 수 있습니다.

다음 2가지 방법 중 하나로 roles/iam.serviceAccountUser를 부여할 수 있습니다.

  • 권장사항. 특정 서비스 계정의 구성원에게 역할을 부여합니다. 이렇게 하면 이 구성원은 iam.serviceAccountUser 역할을 부여받은 서비스 계정에는 액세스할 수 있지만, iam.serviceAccountUser 역할을 부여받지 않은 다른 서비스 계정에는 액세스할 수 없습니다.

  • 프로젝트 수준에서 구성원에게 역할을 부여합니다. 구성원은 이후에 생성되는 서비스 계정을 포함하여 해당 프로젝트의 모든 서비스 계정에 액세스할 수 있습니다.

서비스 계정에 대해 잘 모른다면 서비스 계정에 대해 자세히 알아보세요.

Google Cloud 콘솔 권한

Google Cloud 콘솔을 사용하여 Compute Engine 리소스에 액세스하려면 프로젝트에 대해 다음 권한을 갖는 역할이 할당되어 있어야 합니다.

compute.projects.get

인스턴스에 instanceAdmin으로 연결

roles/compute.instanceAdmin.v1 역할을 부여받은 프로젝트 구성원은 gcloud CLI 또는 SSH-in-browser와 같은 표준 Google Cloud 도구를 사용하여 가상 머신(VM) 인스턴스에 연결할 수 있습니다.

구성원이 gcloud CLI 또는 브라우저에서 SSH를 통해 연결 기능을 사용하면 도구에서 공개 키/비공개 키 쌍을 자동으로 생성하여 공개 키를 프로젝트 메타데이터에 추가합니다. 구성원에게 프로젝트 메타데이터를 수정할 권한이 없으면 구성원의 공개 키가 인스턴스 메타데이터에 자동으로 추가됩니다.

구성원에게 사용하려는 키 쌍이 이미 있는 경우에는 공개 키를 인스턴스의 메타데이터에 직접 추가할 수 있습니다. 인스턴스에 SSH 키를 추가하는 방법에 대해 자세히 알아보세요.

서비스 계정과 IAM

새로운 커스텀 서비스 계정을 만들고 서비스 계정에 IAM 역할을 부여하여 인스턴스의 액세스 권한을 제한할 수 있습니다. 커스텀 서비스 계정과 함께 IAM 역할을 사용하면 다음을 수행할 수 있습니다.

  • 세분화된 IAM 역할을 사용하여 Google Cloud APIs에 대한 인스턴스의 액세스 권한을 제한할 수 있습니다.
  • 각 인스턴스 또는 인스턴스 집합에 고유한 ID를 제공할 수 있습니다.
  • 기본 서비스 계정의 액세스 권한을 제한할 수 있습니다.

서비스 계정에 대해 자세히 알아보세요.

관리형 인스턴스 그룹 및 IAM

관리형 인스턴스 그룹(MIG)은 직접 사용자 상호작용 없이 사용자 대신 작업을 수행하는 리소스입니다. 예를 들어 MIG는 그룹에서 VM을 추가 및 삭제할 수 있습니다.

MIG의 일부로 Compute Engine에서 수행되는 모든 작업은 프로젝트의 Google API 서비스 에이전트에서 수행됩니다. 이 프로젝트에는 PROJECT_ID@cloudservices.gserviceaccount.com과 같은 이메일 주소가 있습니다.

기본적으로 Google API 서비스 에이전트에는 프로젝트 수준에서 편집자 역할(roles/editor)이 부여되어 MIG의 구성에 따라 리소스를 만들 수 있는 충분한 권한이 부여됩니다. Google API 서비스 에이전트에 대한 액세스를 맞춤설정하는 경우 Compute 인스턴스 관리자(v1) 역할(roles/compute.instanceAdmin.v1), 그리고 필요한 경우 서비스 계정 사용자 역할(roles/iam.serviceAccountUser)을 부여하고, MIG가 서비스 계정으로 실행될 수 있는 VM을 만드는 경우에만 서비스 계정 사용자 역할이 필요합니다.

Google API 서비스 에이전트는 Deployment Manager를 비롯한 다른 프로세스에서도 사용됩니다.

MIG를 만들거나 해당 인스턴스 템플릿을 업데이트할 때 Compute Engine은 Google API 서비스 에이전트에 다음 역할 및 권한이 있는지 확인합니다.

  • 서비스 계정으로 실행될 수 있는 인스턴스를 만들려는 경우 중요한 서비스 계정 사용자 역할
  • 이미지, 디스크, VPC 네트워크, 서브넷 등 인스턴스 템플릿에서 참조되는 모든 리소스에 대한 권한이 있는지 여부

사전 정의된 Compute Engine IAM 역할

IAM을 사용할 때 Compute Engine API의 모든 API 메서드를 사용하려면 API 요청을 실행하는 ID에 해당 리소스를 사용하는 데 필요한 적절한 권한이 있어야 합니다. 권한을 부여하기 위해서는 프로젝트의 구성원(사용자, 그룹 또는 서비스 계정)에게 역할을 부여하는 정책을 설정하면 됩니다.

기본 역할(소유자, 편집자, 뷰어)과 커스텀 역할 외에도 다음과 같은 사전 정의된 Compute Engine 역할을 프로젝트 구성원에게 할당할 수 있습니다.

한 프로젝트 구성원에게 동일한 리소스에 대한 여러 역할을 부여할 수 있습니다. 예를 들어 네트워킹팀에서 방화벽 규칙도 관리하는 경우 네트워킹팀의 Google 그룹roles/compute.networkAdminroles/compute.securityAdmin 역할을 모두 부여할 수 있습니다.

다음 표는 사전 정의된 Compute Engine IAM 역할과 각 역할에 포함된 권한을 설명합니다. 각 역할에는 특정 작업에 적합한 권한 집합이 포함되어 있습니다. 예를 들어 인스턴스 관리자 역할은 인스턴스 관리를 위한 권한을 부여하고, 네트워크 관련 역할에는 네트워크 관련 리소스 관리를 위한 권한이 포함되며, 보안 역할에는 방화벽 및 SSL 인증서와 같은 보안 관련 리소스 관리를 위한 권한이 포함되어 있습니다.

Compute Admin role

Details Permissions

(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.useForComputeInstance

compute.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list
  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.createTagBinding
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.deleteTagBinding
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.listEffectiveTags
  • compute.addresses.listTagBindings
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update
  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.createTagBinding
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.deleteTagBinding
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.listEffectiveTags
  • compute.backendBuckets.listTagBindings
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use
  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.createTagBinding
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.deleteTagBinding
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.listEffectiveTags
  • compute.backendServices.listTagBindings
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations
  • compute.diskTypes.get
  • compute.diskTypes.list
  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.createTagBinding
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.deleteTagBinding
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.listEffectiveTags
  • compute.externalVpnGateways.listTagBindings
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use
  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.createTagBinding
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.deleteTagBinding
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.listEffectiveTags
  • compute.firewallPolicies.listTagBindings
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.firewalls.create
  • compute.firewalls.createTagBinding
  • compute.firewalls.delete
  • compute.firewalls.deleteTagBinding
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.firewalls.listEffectiveTags
  • compute.firewalls.listTagBindings
  • compute.firewalls.update
  • compute.forwardingRules.create
  • compute.forwardingRules.createTagBinding
  • compute.forwardingRules.delete
  • compute.forwardingRules.deleteTagBinding
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.listEffectiveTags
  • compute.forwardingRules.listTagBindings
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use
  • compute.futureReservations.cancel
  • compute.futureReservations.create
  • compute.futureReservations.delete
  • compute.futureReservations.get
  • compute.futureReservations.getIamPolicy
  • compute.futureReservations.list
  • compute.futureReservations.setIamPolicy
  • compute.futureReservations.update
  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.createTagBinding
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.deleteTagBinding
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.listEffectiveTags
  • compute.globalAddresses.listTagBindings
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.createTagBinding
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.deleteTagBinding
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.listEffectiveTags
  • compute.globalForwardingRules.listTagBindings
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update
  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.delete
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.globalPublicDelegatedPrefixes.create
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.create
  • compute.healthChecks.createTagBinding
  • compute.healthChecks.delete
  • compute.healthChecks.deleteTagBinding
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.listEffectiveTags
  • compute.healthChecks.listTagBindings
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.createTagBinding
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.deleteTagBinding
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.listEffectiveTags
  • compute.httpHealthChecks.listTagBindings
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.createTagBinding
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.deleteTagBinding
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.listEffectiveTags
  • compute.httpsHealthChecks.listTagBindings
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.createTagBinding
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.deleteTagBinding
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.listEffectiveTags
  • compute.instanceGroupManagers.listTagBindings
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.createTagBinding
  • compute.instanceGroups.delete
  • compute.instanceGroups.deleteTagBinding
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.listEffectiveTags
  • compute.instanceGroups.listTagBindings
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instanceSettings.get
  • compute.instanceSettings.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly
  • compute.instances.addAccessConfig
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.pscInterfaceCreate
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly
  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.createTagBinding
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.deleteTagBinding
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.listEffectiveTags
  • compute.interconnectAttachments.listTagBindings
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use
  • compute.interconnectLocations.get
  • compute.interconnectLocations.list
  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list
  • compute.interconnects.create
  • compute.interconnects.createTagBinding
  • compute.interconnects.delete
  • compute.interconnects.deleteTagBinding
  • compute.interconnects.get
  • compute.interconnects.getMacsecConfig
  • compute.interconnects.list
  • compute.interconnects.listEffectiveTags
  • compute.interconnects.listTagBindings
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update
  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy
  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly
  • compute.machineTypes.get
  • compute.machineTypes.list
  • compute.multiMig.create
  • compute.multiMig.delete
  • compute.multiMig.get
  • compute.multiMig.list
  • compute.networkAttachments.create
  • compute.networkAttachments.createTagBinding
  • compute.networkAttachments.delete
  • compute.networkAttachments.deleteTagBinding
  • compute.networkAttachments.get
  • compute.networkAttachments.getIamPolicy
  • compute.networkAttachments.list
  • compute.networkAttachments.listEffectiveTags
  • compute.networkAttachments.listTagBindings
  • compute.networkAttachments.setIamPolicy
  • compute.networkAttachments.update
  • compute.networkEdgeSecurityServices.create
  • compute.networkEdgeSecurityServices.createTagBinding
  • compute.networkEdgeSecurityServices.delete
  • compute.networkEdgeSecurityServices.deleteTagBinding
  • compute.networkEdgeSecurityServices.get
  • compute.networkEdgeSecurityServices.list
  • compute.networkEdgeSecurityServices.listEffectiveTags
  • compute.networkEdgeSecurityServices.listTagBindings
  • compute.networkEdgeSecurityServices.update
  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.use
  • compute.networkProfiles.get
  • compute.networkProfiles.list
  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.createTagBinding
  • compute.networks.delete
  • compute.networks.deleteTagBinding
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listEffectiveTags
  • compute.networks.listPeeringRoutes
  • compute.networks.listTagBindings
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.addNodes
  • compute.nodeGroups.create
  • compute.nodeGroups.delete
  • compute.nodeGroups.deleteNodes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeGroups.performMaintenance
  • compute.nodeGroups.setIamPolicy
  • compute.nodeGroups.setNodeTemplate
  • compute.nodeGroups.simulateMaintenanceEvent
  • compute.nodeGroups.update
  • compute.nodeTemplates.create
  • compute.nodeTemplates.delete
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTemplates.setIamPolicy
  • compute.nodeTypes.get
  • compute.nodeTypes.list
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.oslogin.updateExternalUser
  • compute.packetMirrorings.create
  • compute.packetMirrorings.createTagBinding
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.deleteTagBinding
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.listEffectiveTags
  • compute.packetMirrorings.listTagBindings
  • compute.packetMirrorings.update
  • compute.projects.get
  • compute.projects.setCloudArmorTier
  • compute.projects.setCommonInstanceMetadata
  • compute.projects.setDefaultNetworkTier
  • compute.projects.setDefaultServiceAccount
  • compute.projects.setManagedProtectionTier
  • compute.projects.setUsageExportBucket
  • compute.publicAdvertisedPrefixes.create
  • compute.publicAdvertisedPrefixes.delete
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicAdvertisedPrefixes.update
  • compute.publicAdvertisedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.create
  • compute.publicDelegatedPrefixes.createTagBinding
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.deleteTagBinding
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.listEffectiveTags
  • compute.publicDelegatedPrefixes.listTagBindings
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.use
  • compute.regionBackendServices.create
  • compute.regionBackendServices.createTagBinding
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.deleteTagBinding
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.listEffectiveTags
  • compute.regionBackendServices.listTagBindings
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use
  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.createTagBinding
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.deleteTagBinding
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.listEffectiveTags
  • compute.regionFirewallPolicies.listTagBindings
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use
  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use
  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.createTagBinding
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.deleteTagBinding
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.listEffectiveTags
  • compute.regionHealthChecks.listTagBindings
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly
  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use
  • compute.regionOperations.delete
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • compute.regionSecurityPolicies.create
  • compute.regionSecurityPolicies.createTagBinding
  • compute.regionSecurityPolicies.delete
  • compute.regionSecurityPolicies.deleteTagBinding
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.listEffectiveTags
  • compute.regionSecurityPolicies.listTagBindings
  • compute.regionSecurityPolicies.update
  • compute.regionSecurityPolicies.use
  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.createTagBinding
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.deleteTagBinding
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslCertificates.listEffectiveTags
  • compute.regionSslCertificates.listTagBindings
  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.createTagBinding
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.deleteTagBinding
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.listEffectiveTags
  • compute.regionSslPolicies.listTagBindings
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use
  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.createTagBinding
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.deleteTagBinding
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.listEffectiveTags
  • compute.regionTargetHttpProxies.listTagBindings
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.use
  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.createTagBinding
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.deleteTagBinding
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.listEffectiveTags
  • compute.regionTargetHttpsProxies.listTagBindings
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use
  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.createTagBinding
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.deleteTagBinding
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.listEffectiveTags
  • compute.regionTargetTcpProxies.listTagBindings
  • compute.regionTargetTcpProxies.use
  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.createTagBinding
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.deleteTagBinding
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.listEffectiveTags
  • compute.regionUrlMaps.listTagBindings
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate
  • compute.regions.get
  • compute.regions.list
  • compute.reservations.create
  • compute.reservations.delete
  • compute.reservations.get
  • compute.reservations.list
  • compute.reservations.resize
  • compute.reservations.update
  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly
  • compute.routers.create
  • compute.routers.createTagBinding
  • compute.routers.delete
  • compute.routers.deleteRoutePolicy
  • compute.routers.deleteTagBinding
  • compute.routers.get
  • compute.routers.getRoutePolicy
  • compute.routers.list
  • compute.routers.listBgpRoutes
  • compute.routers.listEffectiveTags
  • compute.routers.listRoutePolicies
  • compute.routers.listTagBindings
  • compute.routers.update
  • compute.routers.updateRoutePolicy
  • compute.routers.use
  • compute.routes.create
  • compute.routes.createTagBinding
  • compute.routes.delete
  • compute.routes.deleteTagBinding
  • compute.routes.get
  • compute.routes.list
  • compute.routes.listEffectiveTags
  • compute.routes.listTagBindings
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.createTagBinding
  • compute.securityPolicies.delete
  • compute.securityPolicies.deleteTagBinding
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.listEffectiveTags
  • compute.securityPolicies.listTagBindings
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setLabels
  • compute.securityPolicies.update
  • compute.securityPolicies.use
  • compute.serviceAttachments.create
  • compute.serviceAttachments.createTagBinding
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.deleteTagBinding
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.listEffectiveTags
  • compute.serviceAttachments.listTagBindings
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use
  • compute.snapshotSettings.get
  • compute.snapshotSettings.update
  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.sslCertificates.create
  • compute.sslCertificates.createTagBinding
  • compute.sslCertificates.delete
  • compute.sslCertificates.deleteTagBinding
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslCertificates.listEffectiveTags
  • compute.sslCertificates.listTagBindings
  • compute.sslPolicies.create
  • compute.sslPolicies.createTagBinding
  • compute.sslPolicies.delete
  • compute.sslPolicies.deleteTagBinding
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.listEffectiveTags
  • compute.sslPolicies.listTagBindings
  • compute.sslPolicies.update
  • compute.sslPolicies.use
  • compute.storagePools.create
  • compute.storagePools.delete
  • compute.storagePools.get
  • compute.storagePools.getIamPolicy
  • compute.storagePools.list
  • compute.storagePools.setIamPolicy
  • compute.storagePools.update
  • compute.storagePools.use
  • compute.subnetworks.create
  • compute.subnetworks.createTagBinding
  • compute.subnetworks.delete
  • compute.subnetworks.deleteTagBinding
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.listEffectiveTags
  • compute.subnetworks.listTagBindings
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.createTagBinding
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.deleteTagBinding
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.listEffectiveTags
  • compute.targetGrpcProxies.listTagBindings
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use
  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.createTagBinding
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.deleteTagBinding
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.listEffectiveTags
  • compute.targetHttpProxies.listTagBindings
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use
  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.createTagBinding
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.deleteTagBinding
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.listEffectiveTags
  • compute.targetHttpsProxies.listTagBindings
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use
  • compute.targetInstances.create
  • compute.targetInstances.createTagBinding
  • compute.targetInstances.delete
  • compute.targetInstances.deleteTagBinding
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.listEffectiveTags
  • compute.targetInstances.listTagBindings
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use
  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.createTagBinding
  • compute.targetPools.delete
  • compute.targetPools.deleteTagBinding
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.listEffectiveTags
  • compute.targetPools.listTagBindings
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use
  • compute.targetSslProxies.create
  • compute.targetSslProxies.createTagBinding
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.deleteTagBinding
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.listEffectiveTags
  • compute.targetSslProxies.listTagBindings
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use
  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.createTagBinding
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.deleteTagBinding
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.listEffectiveTags
  • compute.targetTcpProxies.listTagBindings
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use
  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.createTagBinding
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.deleteTagBinding
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.listEffectiveTags
  • compute.targetVpnGateways.listTagBindings
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use
  • compute.urlMaps.create
  • compute.urlMaps.createTagBinding
  • compute.urlMaps.delete
  • compute.urlMaps.deleteTagBinding
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.listEffectiveTags
  • compute.urlMaps.listTagBindings
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate
  • compute.vpnGateways.create
  • compute.vpnGateways.createTagBinding
  • compute.vpnGateways.delete
  • compute.vpnGateways.deleteTagBinding
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.listEffectiveTags
  • compute.vpnGateways.listTagBindings
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use
  • compute.vpnTunnels.create
  • compute.vpnTunnels.createTagBinding
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.deleteTagBinding
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.listEffectiveTags
  • compute.vpnTunnels.listTagBindings
  • compute.vpnTunnels.setLabels
  • compute.zoneOperations.delete
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zoneOperations.setIamPolicy
  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Future Reservation Admin role

Details Permissions

(roles/compute.futureReservationAdmin)

compute.acceleratorTypes.list

compute.futureReservations.cancel

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

Compute Future Reservation User role

Details Permissions

(roles/compute.futureReservationUser)

compute.acceleratorTypes.list

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

Compute Future Reservation Viewer role

Details Permissions

(roles/compute.futureReservationViewer)

compute.acceleratorTypes.list

compute.futureReservations.get

compute.futureReservations.list

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.zones.list

Compute Image User role

Details Permissions

(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

  • Image

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (beta) role

Details Permissions

(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Snapshot

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.useForComputeInstance

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.createTagBinding
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.deleteTagBinding
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.listEffectiveTags
  • compute.instanceGroupManagers.listTagBindings
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.createTagBinding
  • compute.instanceGroups.delete
  • compute.instanceGroups.deleteTagBinding
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.listEffectiveTags
  • compute.instanceGroups.listTagBindings
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceSettings.get

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*

  • compute.instances.addAccessConfig
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.pscInterfaceCreate
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.multiMig.*

  • compute.multiMig.create
  • compute.multiMig.delete
  • compute.multiMig.get
  • compute.multiMig.list

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (v1) role

Details Permissions

(roles/compute.instanceAdmin.v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.useForComputeInstance

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.autoscalers.update

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.*

  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.*

  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly

compute.instanceGroupManagers.*

  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.createTagBinding
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.deleteTagBinding
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.listEffectiveTags
  • compute.instanceGroupManagers.listTagBindings
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.createTagBinding
  • compute.instanceGroups.delete
  • compute.instanceGroups.deleteTagBinding
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.listEffectiveTags
  • compute.instanceGroups.listTagBindings
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instanceSettings.*

  • compute.instanceSettings.get
  • compute.instanceSettings.update

compute.instanceTemplates.*

  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly

compute.instances.*

  • compute.instances.addAccessConfig
  • compute.instances.addResourcePolicies
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.createTagBinding
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.deleteTagBinding
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listEffectiveTags
  • compute.instances.listReferrers
  • compute.instances.listTagBindings
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.instances.pscInterfaceCreate
  • compute.instances.removeResourcePolicies
  • compute.instances.reset
  • compute.instances.resume
  • compute.instances.sendDiagnosticInterrupt
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setName
  • compute.instances.setScheduling
  • compute.instances.setSecurityPolicy
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.simulateMaintenanceEvent
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.suspend
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateDisplayDevice
  • compute.instances.updateNetworkInterface
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.instances.useReadOnly

compute.instantSnapshots.*

  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.*

  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update

compute.licenses.*

  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy

compute.machineImages.*

  • compute.machineImages.create
  • compute.machineImages.delete
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineImages.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.multiMig.*

  • compute.multiMig.create
  • compute.multiMig.delete
  • compute.multiMig.get
  • compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.use

compute.networkProfiles.*

  • compute.networkProfiles.get
  • compute.networkProfiles.list

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshots.*

  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Admin role

Details Permissions

(roles/compute.loadBalancerAdmin)

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

Lowest-level resources where you can grant this role:

  • Instance

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.use

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.createTagBinding
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.deleteTagBinding
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.listEffectiveTags
  • compute.addresses.listTagBindings
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.backendBuckets.*

  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.createTagBinding
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.deleteTagBinding
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.listEffectiveTags
  • compute.backendBuckets.listTagBindings
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use

compute.backendServices.*

  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.createTagBinding
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.deleteTagBinding
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.listEffectiveTags
  • compute.backendServices.listTagBindings
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.forwardingRules.*

  • compute.forwardingRules.create
  • compute.forwardingRules.createTagBinding
  • compute.forwardingRules.delete
  • compute.forwardingRules.deleteTagBinding
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.listEffectiveTags
  • compute.forwardingRules.listTagBindings
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.createTagBinding
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.deleteTagBinding
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.listEffectiveTags
  • compute.globalAddresses.listTagBindings
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalForwardingRules.*

  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.createTagBinding
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.deleteTagBinding
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.listEffectiveTags
  • compute.globalForwardingRules.listTagBindings
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.*

  • compute.globalNetworkEndpointGroups.attachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.create
  • compute.globalNetworkEndpointGroups.createTagBinding
  • compute.globalNetworkEndpointGroups.delete
  • compute.globalNetworkEndpointGroups.deleteTagBinding
  • compute.globalNetworkEndpointGroups.detachNetworkEndpoints
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.listEffectiveTags
  • compute.globalNetworkEndpointGroups.listTagBindings
  • compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.*

  • compute.healthChecks.create
  • compute.healthChecks.createTagBinding
  • compute.healthChecks.delete
  • compute.healthChecks.deleteTagBinding
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.listEffectiveTags
  • compute.healthChecks.listTagBindings
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.createTagBinding
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.deleteTagBinding
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.listEffectiveTags
  • compute.httpHealthChecks.listTagBindings
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.createTagBinding
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.deleteTagBinding
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.listEffectiveTags
  • compute.httpsHealthChecks.listTagBindings
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroups.*

  • compute.instanceGroups.create
  • compute.instanceGroups.createTagBinding
  • compute.instanceGroups.delete
  • compute.instanceGroups.deleteTagBinding
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.listEffectiveTags
  • compute.instanceGroups.listTagBindings
  • compute.instanceGroups.update
  • compute.instanceGroups.use

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.use

compute.instances.useReadOnly

compute.networkEndpointGroups.*

  • compute.networkEndpointGroups.attachNetworkEndpoints
  • compute.networkEndpointGroups.create
  • compute.networkEndpointGroups.createTagBinding
  • compute.networkEndpointGroups.delete
  • compute.networkEndpointGroups.deleteTagBinding
  • compute.networkEndpointGroups.detachNetworkEndpoints
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.listEffectiveTags
  • compute.networkEndpointGroups.listTagBindings
  • compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.projects.get

compute.regionBackendServices.*

  • compute.regionBackendServices.create
  • compute.regionBackendServices.createTagBinding
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.deleteTagBinding
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.listEffectiveTags
  • compute.regionBackendServices.listTagBindings
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use

compute.regionHealthCheckServices.*

  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.createTagBinding
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.deleteTagBinding
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.listEffectiveTags
  • compute.regionHealthChecks.listTagBindings
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.*

  • compute.regionNetworkEndpointGroups.attachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.create
  • compute.regionNetworkEndpointGroups.createTagBinding
  • compute.regionNetworkEndpointGroups.delete
  • compute.regionNetworkEndpointGroups.deleteTagBinding
  • compute.regionNetworkEndpointGroups.detachNetworkEndpoints
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.listEffectiveTags
  • compute.regionNetworkEndpointGroups.listTagBindings
  • compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.createTagBinding
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.deleteTagBinding
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslCertificates.listEffectiveTags
  • compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.createTagBinding
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.deleteTagBinding
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.listEffectiveTags
  • compute.regionSslPolicies.listTagBindings
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.createTagBinding
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.deleteTagBinding
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.listEffectiveTags
  • compute.regionTargetHttpProxies.listTagBindings
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.createTagBinding
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.deleteTagBinding
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.listEffectiveTags
  • compute.regionTargetHttpsProxies.listTagBindings
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.createTagBinding
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.deleteTagBinding
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.listEffectiveTags
  • compute.regionTargetTcpProxies.listTagBindings
  • compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.createTagBinding
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.deleteTagBinding
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.listEffectiveTags
  • compute.regionUrlMaps.listTagBindings
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.*

  • compute.sslCertificates.create
  • compute.sslCertificates.createTagBinding
  • compute.sslCertificates.delete
  • compute.sslCertificates.deleteTagBinding
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslCertificates.listEffectiveTags
  • compute.sslCertificates.listTagBindings

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.createTagBinding
  • compute.sslPolicies.delete
  • compute.sslPolicies.deleteTagBinding
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.listEffectiveTags
  • compute.sslPolicies.listTagBindings
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.targetGrpcProxies.*

  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.createTagBinding
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.deleteTagBinding
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.listEffectiveTags
  • compute.targetGrpcProxies.listTagBindings
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use

compute.targetHttpProxies.*

  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.createTagBinding
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.deleteTagBinding
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.listEffectiveTags
  • compute.targetHttpProxies.listTagBindings
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use

compute.targetHttpsProxies.*

  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.createTagBinding
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.deleteTagBinding
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.listEffectiveTags
  • compute.targetHttpsProxies.listTagBindings
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use

compute.targetInstances.*

  • compute.targetInstances.create
  • compute.targetInstances.createTagBinding
  • compute.targetInstances.delete
  • compute.targetInstances.deleteTagBinding
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.listEffectiveTags
  • compute.targetInstances.listTagBindings
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use

compute.targetPools.*

  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.createTagBinding
  • compute.targetPools.delete
  • compute.targetPools.deleteTagBinding
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.listEffectiveTags
  • compute.targetPools.listTagBindings
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use

compute.targetSslProxies.*

  • compute.targetSslProxies.create
  • compute.targetSslProxies.createTagBinding
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.deleteTagBinding
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.listEffectiveTags
  • compute.targetSslProxies.listTagBindings
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use

compute.targetTcpProxies.*

  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.createTagBinding
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.deleteTagBinding
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.listEffectiveTags
  • compute.targetTcpProxies.listTagBindings
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use

compute.urlMaps.*

  • compute.urlMaps.create
  • compute.urlMaps.createTagBinding
  • compute.urlMaps.delete
  • compute.urlMaps.deleteTagBinding
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.listEffectiveTags
  • compute.urlMaps.listTagBindings
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate

compute.zoneOperations.get

compute.zoneOperations.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Services User role

Details Permissions

(roles/compute.loadBalancerServiceUser)

Permissions to use services from a load balancer in other projects.

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendBuckets.use

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.backendServices.use

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionBackendServices.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Admin role

Details Permissions

(roles/compute.networkAdmin)

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.

Lowest-level resources where you can grant this role:

  • Instance

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.createTagBinding
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.deleteTagBinding
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.listEffectiveTags
  • compute.addresses.listTagBindings
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.*

  • compute.backendBuckets.addSignedUrlKey
  • compute.backendBuckets.create
  • compute.backendBuckets.createTagBinding
  • compute.backendBuckets.delete
  • compute.backendBuckets.deleteSignedUrlKey
  • compute.backendBuckets.deleteTagBinding
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendBuckets.listEffectiveTags
  • compute.backendBuckets.listTagBindings
  • compute.backendBuckets.setIamPolicy
  • compute.backendBuckets.setSecurityPolicy
  • compute.backendBuckets.update
  • compute.backendBuckets.use

compute.backendServices.*

  • compute.backendServices.addSignedUrlKey
  • compute.backendServices.create
  • compute.backendServices.createTagBinding
  • compute.backendServices.delete
  • compute.backendServices.deleteSignedUrlKey
  • compute.backendServices.deleteTagBinding
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.listEffectiveTags
  • compute.backendServices.listTagBindings
  • compute.backendServices.setIamPolicy
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.*

  • compute.externalVpnGateways.create
  • compute.externalVpnGateways.createTagBinding
  • compute.externalVpnGateways.delete
  • compute.externalVpnGateways.deleteTagBinding
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.listEffectiveTags
  • compute.externalVpnGateways.listTagBindings
  • compute.externalVpnGateways.setLabels
  • compute.externalVpnGateways.use

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.*

  • compute.forwardingRules.create
  • compute.forwardingRules.createTagBinding
  • compute.forwardingRules.delete
  • compute.forwardingRules.deleteTagBinding
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.forwardingRules.listEffectiveTags
  • compute.forwardingRules.listTagBindings
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.forwardingRules.pscSetLabels
  • compute.forwardingRules.pscSetTarget
  • compute.forwardingRules.pscUpdate
  • compute.forwardingRules.setLabels
  • compute.forwardingRules.setTarget
  • compute.forwardingRules.update
  • compute.forwardingRules.use

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.createTagBinding
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.deleteTagBinding
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.listEffectiveTags
  • compute.globalAddresses.listTagBindings
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalForwardingRules.*

  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.createTagBinding
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.deleteTagBinding
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.listEffectiveTags
  • compute.globalForwardingRules.listTagBindings
  • compute.globalForwardingRules.pscCreate
  • compute.globalForwardingRules.pscDelete
  • compute.globalForwardingRules.pscGet
  • compute.globalForwardingRules.pscSetLabels
  • compute.globalForwardingRules.pscSetTarget
  • compute.globalForwardingRules.pscUpdate
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

  • compute.healthChecks.create
  • compute.healthChecks.createTagBinding
  • compute.healthChecks.delete
  • compute.healthChecks.deleteTagBinding
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.healthChecks.listEffectiveTags
  • compute.healthChecks.listTagBindings
  • compute.healthChecks.update
  • compute.healthChecks.use
  • compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.createTagBinding
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.deleteTagBinding
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.listEffectiveTags
  • compute.httpHealthChecks.listTagBindings
  • compute.httpHealthChecks.update
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.createTagBinding
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.deleteTagBinding
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.httpsHealthChecks.listEffectiveTags
  • compute.httpsHealthChecks.listTagBindings
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceGroups.update

compute.instanceGroups.use

compute.instanceSettings.get

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.updateSecurity

compute.instances.use

compute.instances.useReadOnly

compute.interconnectAttachments.*

  • compute.interconnectAttachments.create
  • compute.interconnectAttachments.createTagBinding
  • compute.interconnectAttachments.delete
  • compute.interconnectAttachments.deleteTagBinding
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectAttachments.listEffectiveTags
  • compute.interconnectAttachments.listTagBindings
  • compute.interconnectAttachments.setLabels
  • compute.interconnectAttachments.update
  • compute.interconnectAttachments.use

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.*

  • compute.interconnects.create
  • compute.interconnects.createTagBinding
  • compute.interconnects.delete
  • compute.interconnects.deleteTagBinding
  • compute.interconnects.get
  • compute.interconnects.getMacsecConfig
  • compute.interconnects.list
  • compute.interconnects.listEffectiveTags
  • compute.interconnects.listTagBindings
  • compute.interconnects.setLabels
  • compute.interconnects.update
  • compute.interconnects.use

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.*

  • compute.networkAttachments.create
  • compute.networkAttachments.createTagBinding
  • compute.networkAttachments.delete
  • compute.networkAttachments.deleteTagBinding
  • compute.networkAttachments.get
  • compute.networkAttachments.getIamPolicy
  • compute.networkAttachments.list
  • compute.networkAttachments.listEffectiveTags
  • compute.networkAttachments.listTagBindings
  • compute.networkAttachments.setIamPolicy
  • compute.networkAttachments.update

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkEndpointGroups.use

compute.networkProfiles.*

  • compute.networkProfiles.get
  • compute.networkProfiles.list

compute.networks.*

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.createTagBinding
  • compute.networks.delete
  • compute.networks.deleteTagBinding
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.getRegionEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listEffectiveTags
  • compute.networks.listPeeringRoutes
  • compute.networks.listTagBindings
  • compute.networks.mirror
  • compute.networks.removePeering
  • compute.networks.setFirewallPolicy
  • compute.networks.switchToCustomMode
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

  • compute.regionBackendServices.create
  • compute.regionBackendServices.createTagBinding
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.deleteTagBinding
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.listEffectiveTags
  • compute.regionBackendServices.listTagBindings
  • compute.regionBackendServices.setIamPolicy
  • compute.regionBackendServices.setSecurityPolicy
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

  • compute.regionHealthCheckServices.create
  • compute.regionHealthCheckServices.delete
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthCheckServices.update
  • compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

  • compute.regionHealthChecks.create
  • compute.regionHealthChecks.createTagBinding
  • compute.regionHealthChecks.delete
  • compute.regionHealthChecks.deleteTagBinding
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionHealthChecks.listEffectiveTags
  • compute.regionHealthChecks.listTagBindings
  • compute.regionHealthChecks.update
  • compute.regionHealthChecks.use
  • compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

  • compute.regionNotificationEndpoints.create
  • compute.regionNotificationEndpoints.delete
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionNotificationEndpoints.update
  • compute.regionNotificationEndpoints.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.createTagBinding
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.deleteTagBinding
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.listEffectiveTags
  • compute.regionSslPolicies.listTagBindings
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

  • compute.regionTargetHttpProxies.create
  • compute.regionTargetHttpProxies.createTagBinding
  • compute.regionTargetHttpProxies.delete
  • compute.regionTargetHttpProxies.deleteTagBinding
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpProxies.listEffectiveTags
  • compute.regionTargetHttpProxies.listTagBindings
  • compute.regionTargetHttpProxies.setUrlMap
  • compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

  • compute.regionTargetHttpsProxies.create
  • compute.regionTargetHttpsProxies.createTagBinding
  • compute.regionTargetHttpsProxies.delete
  • compute.regionTargetHttpsProxies.deleteTagBinding
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetHttpsProxies.listEffectiveTags
  • compute.regionTargetHttpsProxies.listTagBindings
  • compute.regionTargetHttpsProxies.setSslCertificates
  • compute.regionTargetHttpsProxies.setUrlMap
  • compute.regionTargetHttpsProxies.update
  • compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

  • compute.regionTargetTcpProxies.create
  • compute.regionTargetTcpProxies.createTagBinding
  • compute.regionTargetTcpProxies.delete
  • compute.regionTargetTcpProxies.deleteTagBinding
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionTargetTcpProxies.listEffectiveTags
  • compute.regionTargetTcpProxies.listTagBindings
  • compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

  • compute.regionUrlMaps.create
  • compute.regionUrlMaps.createTagBinding
  • compute.regionUrlMaps.delete
  • compute.regionUrlMaps.deleteTagBinding
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.invalidateCache
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.listEffectiveTags
  • compute.regionUrlMaps.listTagBindings
  • compute.regionUrlMaps.update
  • compute.regionUrlMaps.use
  • compute.regionUrlMaps.validate

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.*

  • compute.routers.create
  • compute.routers.createTagBinding
  • compute.routers.delete
  • compute.routers.deleteRoutePolicy
  • compute.routers.deleteTagBinding
  • compute.routers.get
  • compute.routers.getRoutePolicy
  • compute.routers.list
  • compute.routers.listBgpRoutes
  • compute.routers.listEffectiveTags
  • compute.routers.listRoutePolicies
  • compute.routers.listTagBindings
  • compute.routers.update
  • compute.routers.updateRoutePolicy
  • compute.routers.use

compute.routes.*

  • compute.routes.create
  • compute.routes.createTagBinding
  • compute.routes.delete
  • compute.routes.deleteTagBinding
  • compute.routes.get
  • compute.routes.list
  • compute.routes.listEffectiveTags
  • compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

  • compute.serviceAttachments.create
  • compute.serviceAttachments.createTagBinding
  • compute.serviceAttachments.delete
  • compute.serviceAttachments.deleteTagBinding
  • compute.serviceAttachments.get
  • compute.serviceAttachments.getIamPolicy
  • compute.serviceAttachments.list
  • compute.serviceAttachments.listEffectiveTags
  • compute.serviceAttachments.listTagBindings
  • compute.serviceAttachments.setIamPolicy
  • compute.serviceAttachments.update
  • compute.serviceAttachments.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.createTagBinding
  • compute.sslPolicies.delete
  • compute.sslPolicies.deleteTagBinding
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.listEffectiveTags
  • compute.sslPolicies.listTagBindings
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.*

  • compute.subnetworks.create
  • compute.subnetworks.createTagBinding
  • compute.subnetworks.delete
  • compute.subnetworks.deleteTagBinding
  • compute.subnetworks.expandIpCidrRange
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.listEffectiveTags
  • compute.subnetworks.listTagBindings
  • compute.subnetworks.mirror
  • compute.subnetworks.setIamPolicy
  • compute.subnetworks.setPrivateIpGoogleAccess
  • compute.subnetworks.update
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp

compute.targetGrpcProxies.*

  • compute.targetGrpcProxies.create
  • compute.targetGrpcProxies.createTagBinding
  • compute.targetGrpcProxies.delete
  • compute.targetGrpcProxies.deleteTagBinding
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetGrpcProxies.listEffectiveTags
  • compute.targetGrpcProxies.listTagBindings
  • compute.targetGrpcProxies.update
  • compute.targetGrpcProxies.use

compute.targetHttpProxies.*

  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.createTagBinding
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.deleteTagBinding
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpProxies.listEffectiveTags
  • compute.targetHttpProxies.listTagBindings
  • compute.targetHttpProxies.setUrlMap
  • compute.targetHttpProxies.update
  • compute.targetHttpProxies.use

compute.targetHttpsProxies.*

  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.createTagBinding
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.deleteTagBinding
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetHttpsProxies.listEffectiveTags
  • compute.targetHttpsProxies.listTagBindings
  • compute.targetHttpsProxies.setCertificateMap
  • compute.targetHttpsProxies.setQuicOverride
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.setSslPolicy
  • compute.targetHttpsProxies.setUrlMap
  • compute.targetHttpsProxies.update
  • compute.targetHttpsProxies.use

compute.targetInstances.*

  • compute.targetInstances.create
  • compute.targetInstances.createTagBinding
  • compute.targetInstances.delete
  • compute.targetInstances.deleteTagBinding
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetInstances.listEffectiveTags
  • compute.targetInstances.listTagBindings
  • compute.targetInstances.setSecurityPolicy
  • compute.targetInstances.use

compute.targetPools.*

  • compute.targetPools.addHealthCheck
  • compute.targetPools.addInstance
  • compute.targetPools.create
  • compute.targetPools.createTagBinding
  • compute.targetPools.delete
  • compute.targetPools.deleteTagBinding
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetPools.listEffectiveTags
  • compute.targetPools.listTagBindings
  • compute.targetPools.removeHealthCheck
  • compute.targetPools.removeInstance
  • compute.targetPools.setSecurityPolicy
  • compute.targetPools.update
  • compute.targetPools.use

compute.targetSslProxies.*

  • compute.targetSslProxies.create
  • compute.targetSslProxies.createTagBinding
  • compute.targetSslProxies.delete
  • compute.targetSslProxies.deleteTagBinding
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetSslProxies.listEffectiveTags
  • compute.targetSslProxies.listTagBindings
  • compute.targetSslProxies.setBackendService
  • compute.targetSslProxies.setCertificateMap
  • compute.targetSslProxies.setProxyHeader
  • compute.targetSslProxies.setSslCertificates
  • compute.targetSslProxies.setSslPolicy
  • compute.targetSslProxies.update
  • compute.targetSslProxies.use

compute.targetTcpProxies.*

  • compute.targetTcpProxies.create
  • compute.targetTcpProxies.createTagBinding
  • compute.targetTcpProxies.delete
  • compute.targetTcpProxies.deleteTagBinding
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetTcpProxies.listEffectiveTags
  • compute.targetTcpProxies.listTagBindings
  • compute.targetTcpProxies.update
  • compute.targetTcpProxies.use

compute.targetVpnGateways.*

  • compute.targetVpnGateways.create
  • compute.targetVpnGateways.createTagBinding
  • compute.targetVpnGateways.delete
  • compute.targetVpnGateways.deleteTagBinding
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.targetVpnGateways.listEffectiveTags
  • compute.targetVpnGateways.listTagBindings
  • compute.targetVpnGateways.setLabels
  • compute.targetVpnGateways.use

compute.urlMaps.*

  • compute.urlMaps.create
  • compute.urlMaps.createTagBinding
  • compute.urlMaps.delete
  • compute.urlMaps.deleteTagBinding
  • compute.urlMaps.get
  • compute.urlMaps.invalidateCache
  • compute.urlMaps.list
  • compute.urlMaps.listEffectiveTags
  • compute.urlMaps.listTagBindings
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.urlMaps.validate

compute.vpnGateways.*

  • compute.vpnGateways.create
  • compute.vpnGateways.createTagBinding
  • compute.vpnGateways.delete
  • compute.vpnGateways.deleteTagBinding
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.listEffectiveTags
  • compute.vpnGateways.listTagBindings
  • compute.vpnGateways.setLabels
  • compute.vpnGateways.use

compute.vpnTunnels.*

  • compute.vpnTunnels.create
  • compute.vpnTunnels.createTagBinding
  • compute.vpnTunnels.delete
  • compute.vpnTunnels.deleteTagBinding
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.vpnTunnels.listEffectiveTags
  • compute.vpnTunnels.listTagBindings
  • compute.vpnTunnels.setLabels

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.*

  • networkconnectivity.internalRanges.create
  • networkconnectivity.internalRanges.delete
  • networkconnectivity.internalRanges.get
  • networkconnectivity.internalRanges.getIamPolicy
  • networkconnectivity.internalRanges.list
  • networkconnectivity.internalRanges.setIamPolicy
  • networkconnectivity.internalRanges.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.*

  • networkconnectivity.policyBasedRoutes.create
  • networkconnectivity.policyBasedRoutes.delete
  • networkconnectivity.policyBasedRoutes.get
  • networkconnectivity.policyBasedRoutes.getIamPolicy
  • networkconnectivity.policyBasedRoutes.list
  • networkconnectivity.policyBasedRoutes.setIamPolicy

networkconnectivity.regionalEndpoints.*

  • networkconnectivity.regionalEndpoints.create
  • networkconnectivity.regionalEndpoints.delete
  • networkconnectivity.regionalEndpoints.get
  • networkconnectivity.regionalEndpoints.list

networkconnectivity.serviceClasses.*

  • networkconnectivity.serviceClasses.create
  • networkconnectivity.serviceClasses.delete
  • networkconnectivity.serviceClasses.get
  • networkconnectivity.serviceClasses.list
  • networkconnectivity.serviceClasses.update
  • networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

  • networkconnectivity.serviceConnectionMaps.create
  • networkconnectivity.serviceConnectionMaps.delete
  • networkconnectivity.serviceConnectionMaps.get
  • networkconnectivity.serviceConnectionMaps.list
  • networkconnectivity.serviceConnectionMaps.update

networkconnectivity.serviceConnectionPolicies.*

  • networkconnectivity.serviceConnectionPolicies.create
  • networkconnectivity.serviceConnectionPolicies.delete
  • networkconnectivity.serviceConnectionPolicies.get
  • networkconnectivity.serviceConnectionPolicies.list
  • networkconnectivity.serviceConnectionPolicies.update

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.list

networksecurity.addressGroups.*

  • networksecurity.addressGroups.create
  • networksecurity.addressGroups.delete
  • networksecurity.addressGroups.get
  • networksecurity.addressGroups.getIamPolicy
  • networksecurity.addressGroups.list
  • networksecurity.addressGroups.setIamPolicy
  • networksecurity.addressGroups.update
  • networksecurity.addressGroups.use

networksecurity.authorizationPolicies.*

  • networksecurity.authorizationPolicies.create
  • networksecurity.authorizationPolicies.delete
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.setIamPolicy
  • networksecurity.authorizationPolicies.update
  • networksecurity.authorizationPolicies.use

networksecurity.authzPolicies.*

  • networksecurity.authzPolicies.create
  • networksecurity.authzPolicies.delete
  • networksecurity.authzPolicies.get
  • networksecurity.authzPolicies.getIamPolicy
  • networksecurity.authzPolicies.list
  • networksecurity.authzPolicies.setIamPolicy
  • networksecurity.authzPolicies.update

networksecurity.clientTlsPolicies.*

  • networksecurity.clientTlsPolicies.create
  • networksecurity.clientTlsPolicies.delete
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.setIamPolicy
  • networksecurity.clientTlsPolicies.update
  • networksecurity.clientTlsPolicies.use

networksecurity.firewallEndpointAssociations.*

  • networksecurity.firewallEndpointAssociations.create
  • networksecurity.firewallEndpointAssociations.delete
  • networksecurity.firewallEndpointAssociations.get
  • networksecurity.firewallEndpointAssociations.list
  • networksecurity.firewallEndpointAssociations.update

networksecurity.firewallEndpoints.*

  • networksecurity.firewallEndpoints.create
  • networksecurity.firewallEndpoints.delete
  • networksecurity.firewallEndpoints.get
  • networksecurity.firewallEndpoints.list
  • networksecurity.firewallEndpoints.update
  • networksecurity.firewallEndpoints.use

networksecurity.gatewaySecurityPolicies.*

  • networksecurity.gatewaySecurityPolicies.create
  • networksecurity.gatewaySecurityPolicies.delete
  • networksecurity.gatewaySecurityPolicies.get
  • networksecurity.gatewaySecurityPolicies.list
  • networksecurity.gatewaySecurityPolicies.update
  • networksecurity.gatewaySecurityPolicies.use

networksecurity.gatewaySecurityPolicyRules.*

  • networksecurity.gatewaySecurityPolicyRules.create
  • networksecurity.gatewaySecurityPolicyRules.delete
  • networksecurity.gatewaySecurityPolicyRules.get
  • networksecurity.gatewaySecurityPolicyRules.list
  • networksecurity.gatewaySecurityPolicyRules.update
  • networksecurity.gatewaySecurityPolicyRules.use

networksecurity.locations.*

  • networksecurity.locations.get
  • networksecurity.locations.list

networksecurity.operations.*

  • networksecurity.operations.cancel
  • networksecurity.operations.delete
  • networksecurity.operations.get
  • networksecurity.operations.list

networksecurity.securityProfileGroups.*

  • networksecurity.securityProfileGroups.create
  • networksecurity.securityProfileGroups.delete
  • networksecurity.securityProfileGroups.get
  • networksecurity.securityProfileGroups.list
  • networksecurity.securityProfileGroups.update
  • networksecurity.securityProfileGroups.use

networksecurity.securityProfiles.*

  • networksecurity.securityProfiles.create
  • networksecurity.securityProfiles.delete
  • networksecurity.securityProfiles.get
  • networksecurity.securityProfiles.list
  • networksecurity.securityProfiles.update
  • networksecurity.securityProfiles.use

networksecurity.serverTlsPolicies.*

  • networksecurity.serverTlsPolicies.create
  • networksecurity.serverTlsPolicies.delete
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.setIamPolicy
  • networksecurity.serverTlsPolicies.update
  • networksecurity.serverTlsPolicies.use

networksecurity.tlsInspectionPolicies.*

  • networksecurity.tlsInspectionPolicies.create
  • networksecurity.tlsInspectionPolicies.delete
  • networksecurity.tlsInspectionPolicies.get
  • networksecurity.tlsInspectionPolicies.list
  • networksecurity.tlsInspectionPolicies.update
  • networksecurity.tlsInspectionPolicies.use

networksecurity.urlLists.*

  • networksecurity.urlLists.create
  • networksecurity.urlLists.delete
  • networksecurity.urlLists.get
  • networksecurity.urlLists.list
  • networksecurity.urlLists.update
  • networksecurity.urlLists.use

networkservices.*

  • networkservices.authzExtensions.create
  • networkservices.authzExtensions.delete
  • networkservices.authzExtensions.get
  • networkservices.authzExtensions.list
  • networkservices.authzExtensions.update
  • networkservices.authzExtensions.use
  • networkservices.endpointPolicies.create
  • networkservices.endpointPolicies.delete
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.update
  • networkservices.gateways.create
  • networkservices.gateways.delete
  • networkservices.gateways.get
  • networkservices.gateways.list
  • networkservices.gateways.update
  • networkservices.gateways.use
  • networkservices.grpcRoutes.create
  • networkservices.grpcRoutes.delete
  • networkservices.grpcRoutes.get
  • networkservices.grpcRoutes.list
  • networkservices.grpcRoutes.update
  • networkservices.httpFilters.create
  • networkservices.httpFilters.delete
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.update
  • networkservices.httpRoutes.create
  • networkservices.httpRoutes.delete
  • networkservices.httpRoutes.get
  • networkservices.httpRoutes.list
  • networkservices.httpRoutes.update
  • networkservices.httpfilters.create
  • networkservices.httpfilters.delete
  • networkservices.httpfilters.get
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.httpfilters.setIamPolicy
  • networkservices.httpfilters.update
  • networkservices.httpfilters.use
  • networkservices.lbRouteExtensions.create
  • networkservices.lbRouteExtensions.delete
  • networkservices.lbRouteExtensions.get
  • networkservices.lbRouteExtensions.list
  • networkservices.lbRouteExtensions.update
  • networkservices.lbTrafficExtensions.create
  • networkservices.lbTrafficExtensions.delete
  • networkservices.lbTrafficExtensions.get
  • networkservices.lbTrafficExtensions.list
  • networkservices.lbTrafficExtensions.update
  • networkservices.locations.get
  • networkservices.locations.list
  • networkservices.meshes.create
  • networkservices.meshes.delete
  • networkservices.meshes.get
  • networkservices.meshes.list
  • networkservices.meshes.update
  • networkservices.meshes.use
  • networkservices.operations.cancel
  • networkservices.operations.delete
  • networkservices.operations.get
  • networkservices.operations.list
  • networkservices.route_views.get
  • networkservices.route_views.list
  • networkservices.serviceBindings.create
  • networkservices.serviceBindings.delete
  • networkservices.serviceBindings.get
  • networkservices.serviceBindings.list
  • networkservices.serviceBindings.update
  • networkservices.serviceLbPolicies.create
  • networkservices.serviceLbPolicies.delete
  • networkservices.serviceLbPolicies.get
  • networkservices.serviceLbPolicies.list
  • networkservices.serviceLbPolicies.update
  • networkservices.tcpRoutes.create
  • networkservices.tcpRoutes.delete
  • networkservices.tcpRoutes.get
  • networkservices.tcpRoutes.list
  • networkservices.tcpRoutes.update
  • networkservices.tlsRoutes.create
  • networkservices.tlsRoutes.delete
  • networkservices.tlsRoutes.get
  • networkservices.tlsRoutes.list
  • networkservices.tlsRoutes.update
  • networkservices.wasmPlugins.create
  • networkservices.wasmPlugins.delete
  • networkservices.wasmPlugins.get
  • networkservices.wasmPlugins.list
  • networkservices.wasmPlugins.update
  • networkservices.wasmPlugins.use

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

  • trafficdirector.networks.getConfigs
  • trafficdirector.networks.reportMetrics

Compute Network User role

Details Permissions

(roles/compute.networkUser)

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

Lowest-level resources where you can grant this role:

  • Project

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.addresses.useInternal

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.externalVpnGateways.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.instanceSettings.get

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.interconnects.use

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkProfiles.*

  • compute.networkProfiles.get
  • compute.networkProfiles.list

compute.networks.access

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnGateways.use

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.list

networksecurity.addressGroups.get

networksecurity.addressGroups.list

networksecurity.addressGroups.use

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.use

networksecurity.authzPolicies.get

networksecurity.authzPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.firewallEndpoints.use

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicies.use

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.gatewaySecurityPolicyRules.use

networksecurity.locations.*

  • networksecurity.locations.get
  • networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfileGroups.use

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.securityProfiles.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.tlsInspectionPolicies.use

networksecurity.urlLists.get

networksecurity.urlLists.list

networksecurity.urlLists.use

networkservices.authzExtensions.get

networkservices.authzExtensions.list

networkservices.authzExtensions.use

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.gateways.use

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.httpfilters.use

networkservices.lbRouteExtensions.get

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.get

networkservices.lbTrafficExtensions.list

networkservices.locations.*

  • networkservices.locations.get
  • networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.meshes.use

networkservices.operations.get

networkservices.operations.list

networkservices.route_views.*

  • networkservices.route_views.get
  • networkservices.route_views.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.get

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

networkservices.wasmPlugins.get

networkservices.wasmPlugins.list

networkservices.wasmPlugins.use

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Viewer role

Details Permissions

(roles/compute.networkViewer)

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

Lowest-level resources where you can grant this role:

  • Instance

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkProfiles.*

  • compute.networkProfiles.get
  • compute.networkProfiles.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zones.*

  • compute.zones.get
  • compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.list

networksecurity.addressGroups.get

networksecurity.addressGroups.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authzPolicies.get

networksecurity.authzPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.*

  • networksecurity.locations.get
  • networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.get

networksecurity.urlLists.list

networkservices.authzExtensions.get

networkservices.authzExtensions.list

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.lbRouteExtensions.get

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.get

networkservices.lbTrafficExtensions.list

networkservices.locations.*

  • networkservices.locations.get
  • networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.operations.get

networkservices.operations.list

networkservices.route_views.*

  • networkservices.route_views.get
  • networkservices.route_views.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.get

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

networkservices.wasmPlugins.get

networkservices.wasmPlugins.list

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

  • trafficdirector.networks.getConfigs
  • trafficdirector.networks.reportMetrics

Compute Organization Firewall Policy Admin role

Details Permissions

(roles/compute.orgFirewallPolicyAdmin)

Full control of Compute Engine Organization Firewall Policies.

compute.firewallPolicies.*

  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.createTagBinding
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.deleteTagBinding
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.listEffectiveTags
  • compute.firewallPolicies.listTagBindings
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.regionFirewallPolicies.*

  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.createTagBinding
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.deleteTagBinding
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.listEffectiveTags
  • compute.regionFirewallPolicies.listTagBindings
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Firewall Policy User role

Details Permissions

(roles/compute.orgFirewallPolicyUser)

View or use Compute Engine Firewall Policies to associate with the organization or folders.

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.projects.get

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy Admin role

Details Permissions

(roles/compute.orgSecurityPolicyAdmin)

Full control of Compute Engine Organization Security Policies.

compute.firewallPolicies.*

  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.createTagBinding
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.deleteTagBinding
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.listEffectiveTags
  • compute.firewallPolicies.listTagBindings
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.copyRules

compute.securityPolicies.create

compute.securityPolicies.createTagBinding

compute.securityPolicies.delete

compute.securityPolicies.deleteTagBinding

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.move

compute.securityPolicies.removeAssociation

compute.securityPolicies.update

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy User role

Details Permissions

(roles/compute.orgSecurityPolicyUser)

View or use Compute Engine Security Policies to associate with the organization or folders.

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.removeAssociation

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Resource Admin role

Details Permissions

(roles/compute.orgSecurityResourceAdmin)

Full control of Compute Engine Firewall Policy associations to the organization or folders.

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.organizations.listAssociations

compute.organizations.setFirewallPolicy

compute.organizations.setSecurityPolicy

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Admin Login role

Details Permissions

(roles/compute.osAdminLogin)

Access to log in to a Compute Engine instance as an administrator user.

Lowest-level resources where you can grant this role:

  • Instance

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceSettings.get

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login role

Details Permissions

(roles/compute.osLogin)

Access to log in to a Compute Engine instance as a standard user.

Lowest-level resources where you can grant this role:

  • Instance

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceSettings.get

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login External User role

Details Permissions

(roles/compute.osLoginExternalUser)

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

Lowest-level resources where you can grant this role:

  • Organization

compute.oslogin.updateExternalUser

Compute packet mirroring admin role

Details Permissions

(roles/compute.packetMirroringAdmin)

Specify resources to be mirrored.

compute.instances.updateSecurity

compute.networks.mirror

compute.projects.get

compute.subnetworks.mirror

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute packet mirroring user role

Details Permissions

(roles/compute.packetMirroringUser)

Use Compute Engine packet mirrorings.

compute.packetMirrorings.*

  • compute.packetMirrorings.create
  • compute.packetMirrorings.createTagBinding
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.deleteTagBinding
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.listEffectiveTags
  • compute.packetMirrorings.listTagBindings
  • compute.packetMirrorings.update

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Public IP Admin role

Details Permissions

(roles/compute.publicIpAdmin)

Full control of public IP address management for Compute Engine.

compute.addresses.*

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.createTagBinding
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.deleteTagBinding
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.listEffectiveTags
  • compute.addresses.listTagBindings
  • compute.addresses.setLabels
  • compute.addresses.use
  • compute.addresses.useInternal

compute.globalAddresses.*

  • compute.globalAddresses.create
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.createTagBinding
  • compute.globalAddresses.delete
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.deleteTagBinding
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.listEffectiveTags
  • compute.globalAddresses.listTagBindings
  • compute.globalAddresses.setLabels
  • compute.globalAddresses.use

compute.globalPublicDelegatedPrefixes.*

  • compute.globalPublicDelegatedPrefixes.create
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.updatePolicy

compute.publicAdvertisedPrefixes.*

  • compute.publicAdvertisedPrefixes.create
  • compute.publicAdvertisedPrefixes.delete
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicAdvertisedPrefixes.update
  • compute.publicAdvertisedPrefixes.updatePolicy

compute.publicDelegatedPrefixes.*

  • compute.publicDelegatedPrefixes.create
  • compute.publicDelegatedPrefixes.createTagBinding
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.deleteTagBinding
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.listEffectiveTags
  • compute.publicDelegatedPrefixes.listTagBindings
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.publicDelegatedPrefixes.use

resourcemanager.projects.get

resourcemanager.projects.list

Compute Security Admin role

Details Permissions

(roles/compute.securityAdmin)

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

Lowest-level resources where you can grant this role:

  • Instance

compute.backendBuckets.list

compute.backendServices.list

compute.firewallPolicies.*

  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.copyRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.createTagBinding
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.deleteTagBinding
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.listEffectiveTags
  • compute.firewallPolicies.listTagBindings
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use

compute.firewalls.*

  • compute.firewalls.create
  • compute.firewalls.createTagBinding
  • compute.firewalls.delete
  • compute.firewalls.deleteTagBinding
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.firewalls.listEffectiveTags
  • compute.firewalls.listTagBindings
  • compute.firewalls.update

compute.globalOperations.get

compute.globalOperations.list

compute.instanceSettings.get

compute.instances.getEffectiveFirewalls

compute.instances.list

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.updatePolicy

compute.packetMirrorings.*

  • compute.packetMirrorings.create
  • compute.packetMirrorings.createTagBinding
  • compute.packetMirrorings.delete
  • compute.packetMirrorings.deleteTagBinding
  • compute.packetMirrorings.get
  • compute.packetMirrorings.list
  • compute.packetMirrorings.listEffectiveTags
  • compute.packetMirrorings.listTagBindings
  • compute.packetMirrorings.update

compute.projects.get

compute.regionBackendServices.list

compute.regionFirewallPolicies.*

  • compute.regionFirewallPolicies.cloneRules
  • compute.regionFirewallPolicies.create
  • compute.regionFirewallPolicies.createTagBinding
  • compute.regionFirewallPolicies.delete
  • compute.regionFirewallPolicies.deleteTagBinding
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.getIamPolicy
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.listEffectiveTags
  • compute.regionFirewallPolicies.listTagBindings
  • compute.regionFirewallPolicies.setIamPolicy
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.*

  • compute.regionSecurityPolicies.create
  • compute.regionSecurityPolicies.createTagBinding
  • compute.regionSecurityPolicies.delete
  • compute.regionSecurityPolicies.deleteTagBinding
  • compute.regionSecurityPolicies.get
  • compute.regionSecurityPolicies.list
  • compute.regionSecurityPolicies.listEffectiveTags
  • compute.regionSecurityPolicies.listTagBindings
  • compute.regionSecurityPolicies.update
  • compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

  • compute.regionSslCertificates.create
  • compute.regionSslCertificates.createTagBinding
  • compute.regionSslCertificates.delete
  • compute.regionSslCertificates.deleteTagBinding
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionSslCertificates.listEffectiveTags
  • compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

  • compute.regionSslPolicies.create
  • compute.regionSslPolicies.createTagBinding
  • compute.regionSslPolicies.delete
  • compute.regionSslPolicies.deleteTagBinding
  • compute.regionSslPolicies.get
  • compute.regionSslPolicies.list
  • compute.regionSslPolicies.listAvailableFeatures
  • compute.regionSslPolicies.listEffectiveTags
  • compute.regionSslPolicies.listTagBindings
  • compute.regionSslPolicies.update
  • compute.regionSslPolicies.use

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.*

  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.copyRules
  • compute.securityPolicies.create
  • compute.securityPolicies.createTagBinding
  • compute.securityPolicies.delete
  • compute.securityPolicies.deleteTagBinding
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.listEffectiveTags
  • compute.securityPolicies.listTagBindings
  • compute.securityPolicies.move
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.setLabels
  • compute.securityPolicies.update
  • compute.securityPolicies.use

compute.sslCertificates.*

  • compute.sslCertificates.create
  • compute.sslCertificates.createTagBinding
  • compute.sslCertificates.delete
  • compute.sslCertificates.deleteTagBinding
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslCertificates.listEffectiveTags
  • compute.sslCertificates.listTagBindings

compute.sslPolicies.*

  • compute.sslPolicies.create
  • compute.sslPolicies.createTagBinding
  • compute.sslPolicies.delete
  • compute.sslPolicies.deleteTagBinding
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.sslPolicies.listEffectiveTags
  • compute.sslPolicies.listTagBindings
  • compute.sslPolicies.update
  • compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetInstances.list

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Sole Tenant Viewer role

Details Permissions

(roles/compute.soleTenantViewer)

Permissions to view sole tenancy node groups

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

  • compute.nodeTypes.get
  • compute.nodeTypes.list

Compute Storage Admin role

Details Permissions

(roles/compute.storageAdmin)

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Snapshot

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.*

  • compute.disks.addResourcePolicies
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.createTagBinding
  • compute.disks.delete
  • compute.disks.deleteTagBinding
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.listEffectiveTags
  • compute.disks.listTagBindings
  • compute.disks.removeResourcePolicies
  • compute.disks.resize
  • compute.disks.setIamPolicy
  • compute.disks.setLabels
  • compute.disks.startAsyncReplication
  • compute.disks.stopAsyncReplication
  • compute.disks.stopGroupAsyncReplication
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly

compute.globalOperations.get

compute.globalOperations.list

compute.images.*

  • compute.images.create
  • compute.images.createTagBinding
  • compute.images.delete
  • compute.images.deleteTagBinding
  • compute.images.deprecate
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.listEffectiveTags
  • compute.images.listTagBindings
  • compute.images.setIamPolicy
  • compute.images.setLabels
  • compute.images.update
  • compute.images.useReadOnly

compute.instanceSettings.get

compute.instantSnapshots.*

  • compute.instantSnapshots.create
  • compute.instantSnapshots.delete
  • compute.instantSnapshots.export
  • compute.instantSnapshots.get
  • compute.instantSnapshots.getIamPolicy
  • compute.instantSnapshots.list
  • compute.instantSnapshots.setIamPolicy
  • compute.instantSnapshots.setLabels
  • compute.instantSnapshots.useReadOnly

compute.licenseCodes.*

  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenseCodes.update

compute.licenses.*

  • compute.licenses.create
  • compute.licenses.delete
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy

compute.projects.get

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.resourcePolicies.*

  • compute.resourcePolicies.create
  • compute.resourcePolicies.delete
  • compute.resourcePolicies.get
  • compute.resourcePolicies.getIamPolicy
  • compute.resourcePolicies.list
  • compute.resourcePolicies.setIamPolicy
  • compute.resourcePolicies.update
  • compute.resourcePolicies.use
  • compute.resourcePolicies.useReadOnly

compute.snapshots.*

  • compute.snapshots.create
  • compute.snapshots.createTagBinding
  • compute.snapshots.delete
  • compute.snapshots.deleteTagBinding
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.listEffectiveTags
  • compute.snapshots.listTagBindings
  • compute.snapshots.setIamPolicy
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly

compute.storagePools.*

  • compute.storagePools.create
  • compute.storagePools.delete
  • compute.storagePools.get
  • compute.storagePools.getIamPolicy
  • compute.storagePools.list
  • compute.storagePools.setIamPolicy
  • compute.storagePools.update
  • compute.storagePools.use

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Viewer role

Details Permissions

(roles/compute.viewer)

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

  • compute.interconnectLocations.get
  • compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

  • compute.interconnectRemoteLocations.get
  • compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.multiMig.get

compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEdgeSecurityServices.listEffectiveTags

compute.networkEdgeSecurityServices.listTagBindings

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkProfiles.*

  • compute.networkProfiles.get
  • compute.networkProfiles.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

  • compute.nodeTypes.get
  • compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Shared VPC Admin role

Details Permissions

(roles/compute.xpnAdmin)

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

Lowest-level resources where you can grant this role:

  • Folder

compute.globalOperations.get

compute.globalOperations.list

compute.organizations.disableXpnHost

compute.organizations.disableXpnResource

compute.organizations.enableXpnHost

compute.organizations.enableXpnResource

compute.projects.get

compute.subnetworks.getIamPolicy

compute.subnetworks.setIamPolicy

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

OS Config Admin role

Details Permissions

(roles/osconfig.admin)

Full access to OS Config resources

osconfig.*

  • osconfig.guestPolicies.create
  • osconfig.guestPolicies.delete
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • osconfig.instanceOSPoliciesCompliances.get
  • osconfig.instanceOSPoliciesCompliances.list
  • osconfig.inventories.get
  • osconfig.inventories.list
  • osconfig.locations.get
  • osconfig.locations.list
  • osconfig.operations.cancel
  • osconfig.operations.delete
  • osconfig.operations.get
  • osconfig.operations.list
  • osconfig.osPolicyAssignmentReports.get
  • osconfig.osPolicyAssignmentReports.list
  • osconfig.osPolicyAssignmentReports.searchSummaries
  • osconfig.osPolicyAssignments.create
  • osconfig.osPolicyAssignments.delete
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.searchPolicies
  • osconfig.osPolicyAssignments.update
  • osconfig.patchDeployments.create
  • osconfig.patchDeployments.delete
  • osconfig.patchDeployments.execute
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • osconfig.patchDeployments.pause
  • osconfig.patchDeployments.resume
  • osconfig.patchDeployments.update
  • osconfig.patchJobs.exec
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • osconfig.policyOrchestrators.create
  • osconfig.policyOrchestrators.delete
  • osconfig.policyOrchestrators.get
  • osconfig.policyOrchestrators.list
  • osconfig.policyOrchestrators.update
  • osconfig.projectFeatureSettings.get
  • osconfig.projectFeatureSettings.update
  • osconfig.upgradeReports.get
  • osconfig.upgradeReports.getSummary
  • osconfig.upgradeReports.list
  • osconfig.upgradeReports.searchSummaries
  • osconfig.vulnerabilityReports.get
  • osconfig.vulnerabilityReports.list

GuestPolicy Admin role

Details Permissions

(roles/osconfig.guestPolicyAdmin)

Full admin access to GuestPolicies

osconfig.guestPolicies.*

  • osconfig.guestPolicies.create
  • osconfig.guestPolicies.delete
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Editor role

Details Permissions

(roles/osconfig.guestPolicyEditor)

Editor of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Viewer role

Details Permissions

(roles/osconfig.guestPolicyViewer)

Viewer of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

resourcemanager.projects.get

resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer role

Details Permissions

(roles/osconfig.instanceOSPoliciesComplianceViewer)

Viewer of OS Policies Compliance of VM instances

osconfig.instanceOSPoliciesCompliances.*

  • osconfig.instanceOSPoliciesCompliances.get
  • osconfig.instanceOSPoliciesCompliances.list

resourcemanager.projects.get

resourcemanager.projects.list

OS Inventory Viewer role

Details Permissions

(roles/osconfig.inventoryViewer)

Viewer of OS Inventories

osconfig.inventories.*

  • osconfig.inventories.get
  • osconfig.inventories.list

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Admin role

Details Permissions

(roles/osconfig.osPolicyAssignmentAdmin)

Full admin access to OS Policy Assignments

osconfig.osPolicyAssignments.*

  • osconfig.osPolicyAssignments.create
  • osconfig.osPolicyAssignments.delete
  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.searchPolicies
  • osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Editor role

Details Permissions

(roles/osconfig.osPolicyAssignmentEditor)

Editor of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.searchPolicies

osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignmentReport Viewer role

Details Permissions

(roles/osconfig.osPolicyAssignmentReportViewer)

Viewer of OS policy assignment reports for VM instances

osconfig.osPolicyAssignmentReports.*

  • osconfig.osPolicyAssignmentReports.get
  • osconfig.osPolicyAssignmentReports.list
  • osconfig.osPolicyAssignmentReports.searchSummaries

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Viewer role

Details Permissions

(roles/osconfig.osPolicyAssignmentViewer)

Viewer of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.searchPolicies

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Admin role

Details Permissions

(roles/osconfig.patchDeploymentAdmin)

Full admin access to PatchDeployments

osconfig.patchDeployments.*

  • osconfig.patchDeployments.create
  • osconfig.patchDeployments.delete
  • osconfig.patchDeployments.execute
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • osconfig.patchDeployments.pause
  • osconfig.patchDeployments.resume
  • osconfig.patchDeployments.update

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Viewer role

Details Permissions

(roles/osconfig.patchDeploymentViewer)

Viewer of PatchDeployment resources

osconfig.patchDeployments.get

osconfig.patchDeployments.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Executor role

Details Permissions

(roles/osconfig.patchJobExecutor)

Access to execute Patch Jobs.

osconfig.patchJobs.*

  • osconfig.patchJobs.exec
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Viewer role

Details Permissions

(roles/osconfig.patchJobViewer)

Get and list Patch Jobs.

osconfig.patchJobs.get

osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

PolicyOrchestrator Admin role

Details Permissions

(roles/osconfig.policyOrchestratorAdmin)

Admin of PolicyOrchestrator resources

osconfig.locations.*

  • osconfig.locations.get
  • osconfig.locations.list

osconfig.operations.get

osconfig.policyOrchestrators.*

  • osconfig.policyOrchestrators.create
  • osconfig.policyOrchestrators.delete
  • osconfig.policyOrchestrators.get
  • osconfig.policyOrchestrators.list
  • osconfig.policyOrchestrators.update

PolicyOrchestrator Viewer role

Details Permissions

(roles/osconfig.policyOrchestratorViewer)

Viewer of PolicyOrchestrator resources

osconfig.locations.*

  • osconfig.locations.get
  • osconfig.locations.list

osconfig.operations.get

osconfig.policyOrchestrators.get

osconfig.policyOrchestrators.list

Project Feature Settings Editor role

Details Permissions

(roles/osconfig.projectFeatureSettingsEditor)

Read/write access to project feature settings

osconfig.projectFeatureSettings.*

  • osconfig.projectFeatureSettings.get
  • osconfig.projectFeatureSettings.update

resourcemanager.projects.get

resourcemanager.projects.list

Project Feature Settings Viewer role

Details Permissions

(roles/osconfig.projectFeatureSettingsViewer)

Read access to project feature settings

osconfig.projectFeatureSettings.get

resourcemanager.projects.get

resourcemanager.projects.list

Upgrade Report Viewer role

Details Permissions

(roles/osconfig.upgradeReportViewer)

Provides read-only access to VM Manager Upgrade Reports

osconfig.upgradeReports.*

  • osconfig.upgradeReports.get
  • osconfig.upgradeReports.getSummary
  • osconfig.upgradeReports.list
  • osconfig.upgradeReports.searchSummaries

resourcemanager.projects.get

resourcemanager.projects.list

OS Config Viewer role

Details Permissions

(roles/osconfig.viewer)

Readonly access to OS Config resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

osconfig.instanceOSPoliciesCompliances.*

  • osconfig.instanceOSPoliciesCompliances.get
  • osconfig.instanceOSPoliciesCompliances.list

osconfig.inventories.*

  • osconfig.inventories.get
  • osconfig.inventories.list

osconfig.locations.*

  • osconfig.locations.get
  • osconfig.locations.list

osconfig.operations.get

osconfig.operations.list

osconfig.osPolicyAssignmentReports.*

  • osconfig.osPolicyAssignmentReports.get
  • osconfig.osPolicyAssignmentReports.list
  • osconfig.osPolicyAssignmentReports.searchSummaries

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.searchPolicies

osconfig.patchDeployments.get

osconfig.patchDeployments.list

osconfig.patchJobs.get

osconfig.patchJobs.list

osconfig.policyOrchestrators.get

osconfig.policyOrchestrators.list

osconfig.projectFeatureSettings.get

osconfig.upgradeReports.*

  • osconfig.upgradeReports.get
  • osconfig.upgradeReports.getSummary
  • osconfig.upgradeReports.list
  • osconfig.upgradeReports.searchSummaries

osconfig.vulnerabilityReports.*

  • osconfig.vulnerabilityReports.get
  • osconfig.vulnerabilityReports.list

OS VulnerabilityReport Viewer role

Details Permissions

(roles/osconfig.vulnerabilityReportViewer)

Viewer of OS VulnerabilityReports

osconfig.vulnerabilityReports.*

  • osconfig.vulnerabilityReports.get
  • osconfig.vulnerabilityReports.list

resourcemanager.projects.get

resourcemanager.projects.list

DNS Administrator role

Details Permissions

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.gkeClusters.*

  • dns.gkeClusters.bindDNSResponsePolicy
  • dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.networks.targetWithPeeringZone
  • dns.networks.useHealthSignals

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

dns.responsePolicies.*

  • dns.responsePolicies.create
  • dns.responsePolicies.delete
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicies.update

dns.responsePolicyRules.*

  • dns.responsePolicyRules.create
  • dns.responsePolicyRules.delete
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer role

Details Permissions

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader role

Details Permissions

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

  • dns.dnsKeys.get
  • dns.dnsKeys.list

dns.managedZoneOperations.*

  • dns.managedZoneOperations.get
  • dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Admin role

Details Permissions

(roles/iam.serviceAccountAdmin)

Create and manage service accounts.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.create

iam.serviceAccounts.createTagBinding

iam.serviceAccounts.delete

iam.serviceAccounts.deleteTagBinding

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.listEffectiveTags

iam.serviceAccounts.listTagBindings

iam.serviceAccounts.setIamPolicy

iam.serviceAccounts.undelete

iam.serviceAccounts.update

resourcemanager.projects.get

resourcemanager.projects.list

Create Service Accounts role

Details Permissions

(roles/iam.serviceAccountCreator)

Access to create service accounts.

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Delete Service Accounts role

Details Permissions

(roles/iam.serviceAccountDeleter)

Access to delete service accounts.

iam.serviceAccounts.delete

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account Key Admin role

Details Permissions

(roles/iam.serviceAccountKeyAdmin)

Create and manage (and rotate) service account keys.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccountKeys.*

  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccountKeys.disable
  • iam.serviceAccountKeys.enable
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Service Account OpenID Connect Identity Token Creator role

Details Permissions

(roles/iam.serviceAccountOpenIdTokenCreator)

Create OpenID Connect (OIDC) identity tokens

iam.serviceAccounts.getOpenIdToken

Service Account Token Creator role

Details Permissions

(roles/iam.serviceAccountTokenCreator)

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

Service Account User role

Details Permissions

(roles/iam.serviceAccountUser)

Run operations as the service account.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

View Service Accounts role

Details Permissions

(roles/iam.serviceAccountViewer)

Read access to service accounts, metadata, and keys.

iam.serviceAccountKeys.get

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.listEffectiveTags

iam.serviceAccounts.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Workload Identity User role

Details Permissions

(roles/iam.workloadIdentityUser)

Impersonate service accounts from federated workloads.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.list

다음 단계