When you add a new member to your project, you can use an
Identity and Access Management (IAM) policy to give that member one or
more IAM roles. Each IAM role contains permissions
that grant the member access to specific resources.
Compute Engine has a set of
predefined IAM roles that are described on
this page. You can also create custom roles
that contain subsets of permissions that map directly to your needs.
To learn which permissions are required for each method, see the
Compute Engine API reference documentation.
For information about granting access, see the following pages.
Before you begin
- Read the IAM documentation.
What is IAM?
Google Cloud offers
IAM,
which lets you give more granular access to specific
Google Cloud resources and prevents unwanted access to other resources.
IAM lets you adopt the
security principle of least privilege,
so you grant only the necessary access to your resources.
IAM lets you control who (identity) has
what (roles) permission to which resources by setting
IAM policies. IAM policies grant specific role(s)
to a project member, giving that identity certain permissions. For example, for
a given resource, such as a project, you can assign the
roles/compute.networkAdmin
role to a Google Account
and that account can control network-related resources in the project, but
cannot manage other resources, like instances and disks. You can also use
IAM to manage the
console legacy roles
granted to project team members.
The serviceAccountUser role
When granted together with roles/compute.instanceAdmin.v1, roles/iam.serviceAccountUser
gives members the ability to create and manage instances that use a service account.
Specifically, granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1
together gives members permission to:
- Create an instance that runs as a
service account.
- Attach a persistent disk to an instance that runs as a service account.
- Set instance metadata on an instance that runs as a service account.
- Use SSH to connect to an instance that runs as a service account.
- Reconfigure an instance to run as a service account.
You can grant roles/iam.serviceAccountUser in one of two ways:
- Recommended. Grant the role to a member on a specific service account. The member can
then act as that service account only, and has no access to other service accounts for
which they are not an iam.serviceAccountUser.
- Grant the role to a member at the project level. The member can then act as every
service account in the project, including service accounts that are created in the
future. Combined with roles/compute.instanceAdmin.v1, this lets the member run a VM as
any service account in the project, so prefer the per-service-account grant wherever
the member does not need them all.
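The two grant scopes above differ in what a member can ultimately act as. The following is an added example (not part of the Compute Engine documentation) that reads IAM policies in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`, resolves which service accounts each member may act as, and lists the members who hold instanceAdmin.v1 (or compute.admin) together with a project-level serviceAccountUser grant. All principals, project IDs and service accounts in it are constructed sample data.

```python
"""Added example, not part of the Compute Engine documentation: audit
IAM bindings for the two ways of granting roles/iam.serviceAccountUser
and find members who can launch a VM as any service account in the
project.

Input shape is the JSON that `gcloud projects get-iam-policy PROJECT_ID
--format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL
--format=json` return: {"bindings": [{"role": ..., "members": [...]}]}.
All principals, projects and service accounts below are constructed
sample data.
"""
import json
from collections import defaultdict

SA_USER = "roles/iam.serviceAccountUser"
INSTANCE_ADMIN_V1 = "roles/compute.instanceAdmin.v1"
COMPUTE_ADMIN = "roles/compute.admin"

# Constructed sample: the project-level policy ...
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.instanceAdmin.v1",
   "members": ["user:alice@example.com", "group:vm-ops@example.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["group:vm-ops@example.com"]},
  {"role": "roles/compute.networkAdmin",
   "members": ["group:net-team@example.com"]}
]}
""")

# ... and the policy attached to each service account in the project.
SERVICE_ACCOUNT_POLICIES = {
    "web-sa@my-project.iam.gserviceaccount.com": json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:alice@example.com"]}
]}
"""),
    "batch-sa@my-project.iam.gserviceaccount.com": {"bindings": []},
}


def members_with_role(policy, role):
    """Members bound to `role` in one IAM policy."""
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}


def service_account_access(project_policy, sa_policies):
    """Map each member to the service accounts they may act as.

    A project-level serviceAccountUser binding covers every service
    account in the project, including ones created later, so it is
    recorded as "*". A binding on a specific service account covers
    only that account.
    """
    access = defaultdict(set)
    for member in members_with_role(project_policy, SA_USER):
        access[member].add("*")
    for sa_email, policy in sa_policies.items():
        for member in members_with_role(policy, SA_USER):
            access[member].add(sa_email)
    return dict(access)


def run_as_any_sa_members(project_policy, sa_policies):
    """Members who hold instanceAdmin.v1 or compute.admin on the project
    and serviceAccountUser at the project level. Such a member can
    create a VM that runs as the most privileged service account in the
    project, so these grants are the first to review."""
    admins = (members_with_role(project_policy, INSTANCE_ADMIN_V1)
              | members_with_role(project_policy, COMPUTE_ADMIN))
    access = service_account_access(project_policy, sa_policies)
    return sorted(m for m in admins if "*" in access.get(m, set()))


if __name__ == "__main__":
    access = service_account_access(PROJECT_POLICY, SERVICE_ACCOUNT_POLICIES)
    for member, sas in sorted(access.items()):
        print(f"{member} can act as: {sorted(sas)}")
    print("run-as-any-SA members:",
          run_as_any_sa_members(PROJECT_POLICY, SERVICE_ACCOUNT_POLICIES))
```

In the sample, alice holds instanceAdmin.v1 on the project but serviceAccountUser only on web-sa, so she is confined to that account; the vm-ops group holds both roles at the project level and is reported as able to run a VM as any service account. The check reads only the policies it is given: bindings inherited from the folder or organization also apply and have to be fetched and merged separately.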
If you aren't familiar with service accounts,
learn more about service accounts.
Google Cloud Console permission
To use the Google Cloud console to access Compute Engine resources, you
must have a role that contains the following permission on the project:
compute.projects.get
Connecting to an instance as an instanceAdmin
After you grant a project member the roles/compute.instanceAdmin.v1
role, they
can connect to virtual machine (VM) instances by using standard Google Cloud
tools, like the gcloud CLI or
SSH-in-browser.
When a member uses the gcloud CLI or SSH-in-browser, the
tools automatically generate a public/private key pair and add the public
key to the project metadata. If the member does not have permissions to edit
project metadata, the tool adds the member's public key to the instance
metadata instead.
If the member has an existing key pair they want to use, they
can manually add their public key to the instance's metadata.
Learn more about adding SSH keys to an instance.
IAM with service accounts
Create new custom service accounts and grant IAM roles to service
accounts to limit the access of your instances. Use IAM roles
with custom service accounts to:
- Limit the access your instances have to Google Cloud APIs using granular
IAM roles.
- Give each instance, or set of instances, a unique identity.
- Limit the access of your default service account.
Learn more about service accounts.
Managed instance groups and IAM
Managed instance groups (MIGs) are resources
that perform actions on your behalf without direct user interaction. For
example, the MIG can add and remove VMs from the group.
All of the operations performed by Compute Engine as part of the MIG are
performed by the
Google APIs Service Agent
for your project, which has an email address like the following:
PROJECT_ID@cloudservices.gserviceaccount.com
By default, the Google APIs Service Agent is granted the
Editor role (roles/editor
) at the project level, which gives enough privileges
to create resources based on the MIG's configuration. If you're customizing
access for the Google APIs Service Agent, then grant the Compute Instance Admin (v1) role
(roles/compute.instanceAdmin.v1
) and, optionally, the Service Account User role
(roles/iam.serviceAccountUser
). The Service Account User role is required
only if the MIG creates VMs that can run as a service account.
Note that the Google APIs Service Agent is also used by other processes,
including Deployment Manager.
When you create a MIG or update its instance template, Compute Engine
validates that the Google APIs Service Agent has the following role and permissions:
- Service Account User role, which is important if you plan to create instances
that can run as a service account
- Permissions to all the resources referenced from instance templates, such
as images, disks, VPC networks, and subnets
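Because the Google APIs Service Agent keeps roles/editor unless you customize it, the first thing to verify when locking a project down is what that agent actually holds. The following is an added example (not part of the Compute Engine documentation) that derives the agent's member string from the project ID, reads the project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and classifies the result against the role set described above. The policies and the project ID "my-project" are constructed sample data.

```python
"""Added example, not part of the Compute Engine documentation: check the
roles held by a project's Google APIs Service Agent against the minimum
that the MIG section of this page describes, and flag the over-broad
Editor default.

Input is the JSON of `gcloud projects get-iam-policy PROJECT_ID
--format=json`; the policies below are constructed sample data and
"my-project" is a placeholder project ID.
"""
import json

EDITOR = "roles/editor"
INSTANCE_ADMIN_V1 = "roles/compute.instanceAdmin.v1"
SA_USER = "roles/iam.serviceAccountUser"


def service_agent_member(project_id):
    """IAM member string of the project's Google APIs Service Agent."""
    return f"serviceAccount:{project_id}@cloudservices.gserviceaccount.com"


def roles_of(policy, member):
    """All roles bound to `member` in the given policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def check_service_agent(policy, project_id, vms_run_as_service_account):
    """Classify the service agent's grants.

    Returns one of:
      "default-editor"   still holds roles/editor, the default, which is
                         broader than a MIG needs;
      "missing:<roles>"  customised but lacks a role the MIG needs;
      "ok"               instanceAdmin.v1 present, plus serviceAccountUser
                         when MIG VMs run as a service account.
    """
    held = set(roles_of(policy, service_agent_member(project_id)))
    if EDITOR in held:
        return "default-editor"
    needed = [INSTANCE_ADMIN_V1]
    if vms_run_as_service_account:
        needed.append(SA_USER)
    missing = [r for r in needed if r not in held]
    if missing:
        return "missing:" + ",".join(missing)
    return "ok"


# Constructed sample policies.
DEFAULT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:my-project@cloudservices.gserviceaccount.com"]}
]}""")

CUSTOMISED_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.instanceAdmin.v1",
   "members": ["serviceAccount:my-project@cloudservices.gserviceaccount.com",
               "group:vm-ops@example.com"]}
]}""")

if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY),
                         ("customised", CUSTOMISED_POLICY)]:
        print(name, check_service_agent(policy, "my-project",
                                        vms_run_as_service_account=True))
```

The check covers only the roles listed in the MIG section. The second item Compute Engine validates, that the agent can reach every resource an instance template references (images, disks, VPC networks, subnets), depends on where those resources live; an image or shared VPC subnet in another project needs a grant on that project's policy, which this script does not read.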
Predefined Compute Engine IAM roles
With IAM, every method in the Compute Engine API requires that the identity
making the request has the appropriate permissions on the resource.
Permissions are granted by setting policies that grant roles to a
member (user, group, or service account) of your project.
In addition to basic roles
(viewer, editor, owner)
and custom roles,
you can assign the following Compute Engine predefined roles to the
members of your project.
You can grant multiple roles to a project member on the same resource. For
example, if your networking team also manages firewall rules, you can grant both
roles/compute.networkAdmin
and roles/compute.securityAdmin
to the networking
team's Google group.
The following tables describe the predefined Compute Engine
IAM roles,
as well as the permissions contained within each role. Each role contains a set
of permissions that is suitable for a specific task. For example, the Instance
Admin roles grant permissions to manage instances, the network-related roles
include permissions to manage network-related resources, and the security role
includes permissions to manage security-related resources, like firewalls and
SSL certificates.
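The tables below print a role's permissions partly as literals and partly as "resource.*" wildcards, so answering "does this team's role set include compute.firewalls.create?" means resolving those wildcards. The following is an added example (not part of the Compute Engine documentation) that does so for a set of granted roles. Its ROLE_PERMISSIONS dictionary is abridged from the Network Admin, Security Admin and Image User tables on this page and keeps only the entries the example needs, so it is not a complete role definition.

```python
"""Added example, not part of the Compute Engine documentation: decide
whether a set of granted roles covers a required permission, using the
notation of the role tables on this page, where "compute.firewalls.*"
stands for every permission on that resource type.

ROLE_PERMISSIONS is abridged from those tables: only entries needed for
the example are kept, so it is not a complete role definition.
"""

# Abridged from the Compute Network Admin, Compute Security Admin and
# Compute Image User tables on this page.
ROLE_PERMISSIONS = {
    "roles/compute.networkAdmin": [
        "compute.firewalls.get",
        "compute.firewalls.list",
        "compute.networks.*",
        "compute.subnetworks.*",
        "compute.sslCertificates.get",
        "compute.sslCertificates.list",
        "compute.instances.get",
        "compute.instances.list",
    ],
    "roles/compute.securityAdmin": [
        "compute.firewalls.*",
        "compute.sslCertificates.*",
        "compute.networks.get",
        "compute.networks.list",
        "compute.networks.updatePolicy",
    ],
    "roles/compute.imageUser": [
        "compute.images.get",
        "compute.images.getFromFamily",
        "compute.images.list",
        "compute.images.useReadOnly",
    ],
}


def role_grants(role, permission):
    """True if `role` lists `permission`, either literally or through a
    trailing ".*" wildcard. The wildcard is anchored at the resource
    type: "compute.firewalls.*" matches "compute.firewalls.create" but
    not "compute.firewallPolicies.create"."""
    for entry in ROLE_PERMISSIONS[role]:
        if entry == permission:
            return True
        if entry.endswith(".*") and permission.startswith(entry[:-1]):
            return True
    return False


def granted_by(roles, permission):
    """The granted roles that supply `permission` (empty list: denied)."""
    return [r for r in roles if role_grants(r, permission)]


def missing_permissions(roles, required):
    """Required permissions that none of the granted roles supply."""
    return [p for p in required if not granted_by(roles, p)]


if __name__ == "__main__":
    needed = ["compute.firewalls.create", "compute.networks.create",
              "compute.sslCertificates.create", "compute.instances.create"]
    net_team = ["roles/compute.networkAdmin"]
    combined = net_team + ["roles/compute.securityAdmin"]
    print("networkAdmin alone lacks:", missing_permissions(net_team, needed))
    print("with securityAdmin lacks:", missing_permissions(combined, needed))
```

Run against the networking-team example from the text, networkAdmin alone can read firewall rules but not create them; adding securityAdmin closes that gap while still leaving compute.instances.create ungranted, which is the separation the page describes. For a complete check, replace the abridged dictionary with the `includedPermissions` list that `gcloud iam roles describe ROLE` returns, which is already fully expanded and contains no wildcards.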
Compute Admin role
Title and name: Compute Admin (roles/compute.admin)
Description: Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
- Disk
- Image
- Instance
- Instance template
- Node group
- Node template
- Snapshot (Beta)
Permissions:
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Image User role
Title and name: Compute Image User (roles/compute.imageUser)
Description: Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
Permissions:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (beta) role
Title and name: Compute Instance Admin (beta) (roles/compute.instanceAdmin)
Description: Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
- Disk
- Image
- Instance
- Instance template
- Snapshot (Beta)
Permissions:
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (v1) role
Compute Load Balancer Admin role
Title and name: Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) (Beta)
Description: Permissions to create, modify, and delete load balancers and associated
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
Permissions:
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.use
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.use
compute.instances.useReadOnly
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionSslCertificates.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Services User role
Title and name: Compute Load Balancer Services User (roles/compute.loadBalancerServiceUser) (Beta)
Description: Permissions to use services from a load balancer in other projects.
Permissions:
compute.backendServices.get
compute.backendServices.list
compute.backendServices.use
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Admin role
Title and name: Compute Network Admin (roles/compute.networkAdmin)
Description: Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
roles/compute.securityAdmin role to the combined team's group.
Lowest-level resources where you can grant this role:
Permissions:
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.get
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.updateSecurity
compute.instances.use
compute.instances.useReadOnly
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.machineTypes.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.regionBackendServices.*
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networkconnectivity.locations.*
networkconnectivity.operations.*
networksecurity.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.createPeeredDnsDomain
servicenetworking.services.deletePeeredDnsDomain
servicenetworking.services.get
servicenetworking.services.listPeeredDnsDomains
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Network User role
Title and name: Compute Network User (roles/compute.networkUser)
Description: Provides access to a shared VPC network.
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
Permissions:
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.use
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.use
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.use
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.use
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.use
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.use
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.use
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.use
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Viewer role
Compute Organization Firewall Policy Admin role
Title and name: Compute Organization Firewall Policy Admin (roles/compute.orgFirewallPolicyAdmin)
Description: Full control of Compute Engine Organization Firewall Policies.
Permissions:
compute.firewallPolicies.cloneRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Firewall Policy User role
Title and name: Compute Organization Firewall Policy User (roles/compute.orgFirewallPolicyUser)
Description: View or use Compute Engine Firewall Policies to associate with the organization or folders.
Permissions:
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.projects.get
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.use
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy Admin role
Title and name: Compute Organization Security Policy Admin (roles/compute.orgSecurityPolicyAdmin)
Description: Full control of Compute Engine Organization Security Policies.
Permissions:
compute.firewallPolicies.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy User role
Title and name: Compute Organization Security Policy User (roles/compute.orgSecurityPolicyUser)
Description: View or use Compute Engine Security Policies to associate with the organization or folders.
Permissions:
compute.firewallPolicies.addAssociation
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.removeAssociation
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Resource Admin role
Title and name: Compute Organization Resource Admin (roles/compute.orgSecurityResourceAdmin)
Description: Full control of Compute Engine Firewall Policy associations to the organization or folders.
Permissions:
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Admin Login role
Title and name: Compute OS Admin Login (roles/compute.osAdminLogin)
Description: Access to log in to a Compute Engine instance as an administrator
user.
Lowest-level resources where you can grant this role:
Permissions:
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login role
Title and name: Compute OS Login (roles/compute.osLogin)
Description: Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
Permissions:
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login External User role
Title and name: Compute OS Login External User (roles/compute.osLoginExternalUser)
Description: Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required OS Login roles
in order to allow access to instances using SSH.
Lowest-level resources where you can grant this role:
Permissions:
compute.oslogin.updateExternalUser
Compute packet mirroring admin role
Title and name: Compute packet mirroring admin (roles/compute.packetMirroringAdmin)
Description: Specify resources to be mirrored.
Permissions:
compute.instances.updateSecurity
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute packet mirroring user role
Title and name: Compute packet mirroring user (roles/compute.packetMirroringUser)
Description: Use Compute Engine packet mirrorings.
Permissions:
compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Public IP Admin role
Title and name: Compute Public IP Admin (roles/compute.publicIpAdmin)
Description: Full control of public IP address management for Compute Engine.
Permissions:
compute.addresses.*
compute.globalAddresses.*
compute.globalPublicDelegatedPrefixes.*
compute.publicAdvertisedPrefixes.*
compute.publicDelegatedPrefixes.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Security Admin role
Title and name: Compute Security Admin (roles/compute.securityAdmin)
Description: Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to configure Shielded VM settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
Permissions:
compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.getEffectiveFirewalls
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSslCertificates.*
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Sole Tenant Viewer role
Title and name: Compute Sole Tenant Viewer (roles/compute.soleTenantViewer) (Beta)
Description: Permissions to view sole tenancy node groups.
Permissions:
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
Compute Storage Admin role
Title and name: Compute Storage Admin (roles/compute.storageAdmin)
Description: Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
this role to their account on the project.
Lowest-level resources where you can grant this role:
Permissions:
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Viewer role
Compute Shared VPC Admin role
Title and name: Compute Shared VPC Admin (roles/compute.xpnAdmin)
Description: Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
(roles/compute.networkUser) to service owners, and the shared VPC host project owner
controls the project itself. Managing the project is easier if a single principal (individual or
group) can fulfill both roles.
Lowest-level resources where you can grant this role:
Permissions:
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
GuestPolicy Admin role
Title and name: GuestPolicy Admin (roles/osconfig.guestPolicyAdmin) (Beta)
Description: Full admin access to GuestPolicies.
Permissions:
osconfig.guestPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Editor role
Title and name: GuestPolicy Editor (roles/osconfig.guestPolicyEditor) (Beta)
Description: Editor of GuestPolicy resources.
Permissions:
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Viewer role
Title and name: GuestPolicy Viewer (roles/osconfig.guestPolicyViewer) (Beta)
Description: Viewer of GuestPolicy resources.
Permissions:
osconfig.guestPolicies.get
osconfig.guestPolicies.list
resourcemanager.projects.get
resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer role
Title and name: InstanceOSPoliciesCompliance Viewer (roles/osconfig.instanceOSPoliciesComplianceViewer) (Beta)
Description: Viewer of OS Policies Compliance of VM instances.
Permissions:
osconfig.instanceOSPoliciesCompliances.*
resourcemanager.projects.get
resourcemanager.projects.list
OS Inventory Viewer role
Title and name: OS Inventory Viewer (roles/osconfig.inventoryViewer)
Description: Viewer of OS Inventories.
Permissions:
osconfig.inventories.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Admin role
Title and name: OSPolicyAssignment Admin (roles/osconfig.osPolicyAssignmentAdmin)
Description: Full admin access to OS Policy Assignments.
Permissions:
osconfig.osPolicyAssignments.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Editor role
Title and name: OSPolicyAssignment Editor (roles/osconfig.osPolicyAssignmentEditor)
Description: Editor of OS Policy Assignments.
Permissions:
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignmentReport Viewer role
Title and name: OSPolicyAssignmentReport Viewer (roles/osconfig.osPolicyAssignmentReportViewer)
Description: Viewer of OS policy assignment reports for VM instances.
Permissions:
osconfig.osPolicyAssignmentReports.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Viewer role
Title and name: OSPolicyAssignment Viewer (roles/osconfig.osPolicyAssignmentViewer)
Description: Viewer of OS Policy Assignments.
Permissions:
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Admin role
Title and name: PatchDeployment Admin (roles/osconfig.patchDeploymentAdmin)
Description: Full admin access to PatchDeployments.
Permissions:
osconfig.patchDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Viewer role
Title and name: PatchDeployment Viewer (roles/osconfig.patchDeploymentViewer)
Description: Viewer of PatchDeployment resources.
Permissions:
osconfig.patchDeployments.get
osconfig.patchDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Executor role
Title and name: Patch Job Executor (roles/osconfig.patchJobExecutor)
Description: Access to execute Patch Jobs.
Permissions:
osconfig.patchJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Viewer role
Title and name: Patch Job Viewer (roles/osconfig.patchJobViewer)
Description: Get and list Patch Jobs.
Permissions:
osconfig.patchJobs.get
osconfig.patchJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
OS VulnerabilityReport Viewer role
Title and name: OS VulnerabilityReport Viewer (roles/osconfig.vulnerabilityReportViewer)
Description: Viewer of OS VulnerabilityReports.
Permissions:
osconfig.vulnerabilityReports.*
resourcemanager.projects.get
resourcemanager.projects.list
DNS Administrator role
Title and name: DNS Administrator (roles/dns.admin)
Description: Provides read-write access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
Permissions:
compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
DNS Peer role
Title and name: DNS Peer (roles/dns.peer)
Description: Access to target networks with DNS peering zones.
Permissions:
dns.networks.targetWithPeeringZone
DNS Reader role
Title and name: DNS Reader (roles/dns.reader)
Description: Provides read-only access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
Permissions:
compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.get
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Admin role
Title and name: Service Account Admin (roles/iam.serviceAccountAdmin)
Description: Create and manage service accounts.
Lowest-level resources where you can grant this role:
Permissions:
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Create Service Accounts role
Title and name: Create Service Accounts (roles/iam.serviceAccountCreator)
Description: Access to create service accounts.
Permissions:
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Delete Service Accounts role
Title and name: Delete Service Accounts (roles/iam.serviceAccountDeleter)
Description: Access to delete service accounts.
Permissions:
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Key Admin role
Title and name: Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)
Description: Create and manage (and rotate) service account keys.
Lowest-level resources where you can grant this role:
Permissions:
iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Token Creator role
Title and name: Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Description: Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.).
Lowest-level resources where you can grant this role:
Permissions:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Service Account User role
Title and name: Service Account User (roles/iam.serviceAccountUser)
Description: Run operations as the service account.
Lowest-level resources where you can grant this role:
Permissions:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
View Service Accounts role
Title and name: View Service Accounts (roles/iam.serviceAccountViewer)
Description: Read access to service accounts, metadata, and keys.
Permissions:
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Workload Identity User role
Title and name: Workload Identity User (roles/iam.workloadIdentityUser)
Description: Impersonate service accounts from GKE Workloads.
Permissions:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.list
What's next