IAM permissions for Config Connector

This topic describes how to limit the types of Google Cloud resources Config Connector can create and manage by limiting the Identity and Access Management (IAM) permissions assigned to your Google service account.

IAM permissions for Config Connector

IAM authorizes your Config Connector installation to take action on specific resources. By limiting the permissions assigned to your Config Connector service account, you have greater control over what kinds of resources Config Connector can create.

Selecting permissions for your Config Connector installation

Before you install Config Connector, you select the roles that Config Connector can use to create and manage Google Cloud resources. You then apply the role to the service account that you configure Config Connector with during installation.

Project Owner permissions

If you want to use Config Connector to create and manage most kinds of Google Cloud resources, you can assign IAM Project Owner permissions.

Limited permissions

If you prefer to grant more limited permissions to Config Connector, you can assign one or more IAM permissions to your Config Connector installation. The following roles are commonly assigned to the Config Connector service account.


Granting the editor role allows most Config Connector functionality except Project or Organization wide configurations such as IAM modifications.

IAM service account admin

Granting the roles/iam.serviceAccountAdmin permissions allows Config Connector to configure IAM service accounts.

Resource Manager

Granting a Resource Manager role such as roles/resourcemanager.folderCreator allows Config Connector to manage folders and organizations.

Custom roles

IAM also provides the ability to create customized roles. You can create a custom role with one or more permissions and then grant that custom role to Config Connector. For more information, see Understanding IAM custom roles.

What's next

Install Config Connector