Configuring Access Control

Access control in Google Cloud Platform is managed with Google Cloud Identity and Access Management (IAM). IAM allows you to set permissions specifying who has what kind of access to which resources in your project. IAM provides primitive and predefined roles that you can grant to users on certain resources. It also allows you to create custom roles.

Container Builder uses IAM for access control. You can use IAM to add team members to your project and to grant them permissions to create, view, and cancel builds. Users require the necessary Cloud IAM permissions to call Container Builder API methods.

This page describes the IAM permissions and roles necessary to call Container Builder methods and explains how to use IAM to configure permissions for your project's team members and service accounts.


The following table lists the permissions that the caller must have to call each method:

API Method   Required Permission       Role Title
create       cloudbuild.builds.create  Cloud Container Builder Editor
cancel       cloudbuild.builds.update  Cloud Container Builder Editor
get          cloudbuild.builds.get     Cloud Container Builder Editor, Cloud Container Builder Viewer
list         cloudbuild.builds.list    Cloud Container Builder Editor, Cloud Container Builder Viewer


With IAM, every API method in Container Builder requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by granting roles that include them. In addition to the primitive roles owner, editor, and viewer, you can grant Container Builder roles to the users of your project.

The table below lists the Container Builder IAM roles and the permissions that they include:

Role                            Role Title                      Includes permissions
roles/cloudbuild.builds.viewer  Cloud Container Builder Viewer  cloudbuild.builds.get
roles/cloudbuild.builds.editor  Cloud Container Builder Editor  All of the above, and:

The table below lists the primitive roles that existed prior to Cloud IAM, and the Container Builder IAM roles that they include.

Role                         Role Title       Includes role
roles/viewer                 Viewer           roles/cloudbuild.builds.viewer
roles/editor or roles/owner  Editor or Owner  roles/cloudbuild.builds.editor
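
The role and permission tables above can be applied to an exported IAM policy to see which members can call which Container Builder methods, and which of them get that access only through a primitive role. The Python below is an added example, not part of the original page or of Google's tooling. The function names and the sample policy are constructed for illustration, role ids use the `roles/` prefix found in IAM policy bindings, and the Viewer role's permissions are taken from the method table.

```python
# Added example. Role and permission data is transcribed from the tables on this page.
METHOD_PERMISSION = {
    "create": "cloudbuild.builds.create",
    "cancel": "cloudbuild.builds.update",
    "get": "cloudbuild.builds.get",
    "list": "cloudbuild.builds.list",
}
VIEWER = {"cloudbuild.builds.get", "cloudbuild.builds.list"}
EDITOR = VIEWER | {"cloudbuild.builds.create", "cloudbuild.builds.update"}
ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.viewer": VIEWER,
    "roles/cloudbuild.builds.editor": EDITOR,
    # Primitive roles include the Container Builder roles.
    "roles/viewer": VIEWER,
    "roles/editor": EDITOR,
    "roles/owner": EDITOR,
}
PRIMITIVE = {"roles/viewer", "roles/editor", "roles/owner"}

def audit(policy):
    """Map each member to the methods it may call and the roles granting them."""
    report = {}
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding["role"])
        if perms is None:  # not in the tables (e.g. a custom role): skipped
            continue
        methods = {m for m, p in METHOD_PERMISSION.items() if p in perms}
        for member in binding.get("members", []):
            entry = report.setdefault(member, {"methods": set(), "roles": set()})
            entry["methods"] |= methods
            entry["roles"].add(binding["role"])
    return report

def broad_grants(report):
    """Members whose build access comes only from primitive roles."""
    return sorted(m for m, e in report.items() if e["roles"] <= PRIMITIVE)

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.viewer", "members": ["user:auditor@example.com"]},
    {"role": "roles/cloudbuild.builds.editor", "members": ["user:dev@example.com", "user:auditor@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    print(broad_grants(audit(SAMPLE_POLICY)))
```

Custom roles are skipped because a policy binding names the role but does not list its permissions.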

Managing IAM roles via the GCP Console

To grant IAM roles for a new team member or service account:

  1. Open the Identity and Access Management page in the Google Cloud Platform Console.
  2. Select your project, and click Continue.
  3. Click Add.
  4. Enter the team member's or service account's email address.
  5. Select the desired Role Title from the drop-down menu. Container Builder roles are found under Container Builder.
  6. Click Add.

Creating IAM custom roles

To create a Cloud IAM custom role with Container Builder permissions:

  1. Go to the Roles page in the GCP Console.
  2. Select your project and organization.
  3. Click Create Role.
  4. Enter a Name and Description for the role.
  5. Click Add Permissions.
  6. In the All services drop-down, select cloudbuild.
  7. Select one or more permissions and click Add Permissions.
  8. Click Create.

For more instructions on using Cloud IAM custom roles, see Creating and Managing Custom Roles.

Container Builder service account

Container Builder uses a special service account to execute builds on your behalf.

When you enable the Container Builder API, the service account is automatically created and granted the Cloud Container Builder role for your project. This role is sufficient for several tasks; however, it does not allow the account to perform certain actions, such as deploying to App Engine, managing Compute Engine or Kubernetes Engine resources, or accessing a Cloud Storage bucket. You can enable your service account to perform these actions by granting the account additional IAM roles. Use the IAM & Admin section in the GCP Console and add the appropriate roles to the service account's list of roles.

For instructions on granting access to Container Builder service accounts, see Granting additional access.
