Access control with IAM

By default, all Google Cloud console projects come with a single user: the original project creator. No other users have access to the project, and therefore, access to Google Cloud resources, until a user is added as a project team member. This page describes the different ways you can add new users to your project.

It also describes how Deployment Manager authenticates to other Google Cloud APIs on your behalf to create resources.

Before you begin

Access control for users

To give your users access to your project so they can create configurations and deployments, add your users as a project team member and grant them the appropriate Identity and Access Management (IAM) roles.

For information on how to add team members, read the documentation for adding team members.

Deployment Manager roles

Role Permissions

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.*

  • deploymentmanager.compositeTypes.create
  • deploymentmanager.compositeTypes.delete
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

  • deploymentmanager.manifests.get
  • deploymentmanager.manifests.list

deploymentmanager.operations.*

  • deploymentmanager.operations.get
  • deploymentmanager.operations.list

deploymentmanager.resources.*

  • deploymentmanager.resources.get
  • deploymentmanager.resources.list

deploymentmanager.typeProviders.*

  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.delete
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.typeProviders.update

deploymentmanager.types.*

  • deploymentmanager.types.create
  • deploymentmanager.types.delete
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.*

  • deploymentmanager.compositeTypes.create
  • deploymentmanager.compositeTypes.delete
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.compositeTypes.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.delete
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.typeProviders.update

deploymentmanager.types.*

  • deploymentmanager.types.create
  • deploymentmanager.types.delete
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

  • deploymentmanager.manifests.get
  • deploymentmanager.manifests.list

deploymentmanager.operations.*

  • deploymentmanager.operations.get
  • deploymentmanager.operations.list

deploymentmanager.resources.*

  • deploymentmanager.resources.get
  • deploymentmanager.resources.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Access control for Deployment Manager

To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs Service Agent to authenticate to other APIs. The Google APIs Service Agent is designed specifically to run internal Google processes on your behalf. This service account is identifiable using the email:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

The Google APIs Service Agent is automatically granted the Editor role at the project level and is listed in the IAM section of the Google Cloud console. This service account exists indefinitely with the project, and is only deleted when the project is deleted. Since Deployment Manager and other services, such as managed instance groups, rely on this service account to create, delete, and manage resources, it is not recommended that you modify this account's permissions.

What's next