Stay organized with collections
Save and categorize content based on your preferences.
By default, all Google Cloud console projects come with a single user:
the original project creator. No other users have access to the project, and
therefore, access to Google Cloud resources, until a user is added as
a project team member. This page describes the different ways you can add new
users to your project.
It also describes how Deployment Manager authenticates to other
Google Cloud APIs on your behalf to create resources.
To give your users access to your project so they can create configurations and
deployments, add your users as a project team member and grant them the
appropriate Identity and Access Management (IAM) roles.
For information on how to add team members, read the
documentation for adding team members.
Deployment Manager roles
Role
Permissions
Deployment Manager Editor
(roles/deploymentmanager.editor)
Provides the permissions necessary to create and manage deployments.
Lowest-level resources where you can grant this role:
Project
deploymentmanager.compositeTypes.*
deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.manifests.get
deploymentmanager.manifests.list
deploymentmanager.operations.*
deploymentmanager.operations.get
deploymentmanager.operations.list
deploymentmanager.resources.*
deploymentmanager.resources.get
deploymentmanager.resources.list
deploymentmanager.typeProviders.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update
deploymentmanager.types.*
deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Deployment Manager Type Editor
(roles/deploymentmanager.typeEditor)
Provides read and write access to all Type Registry resources.
Lowest-level resources where you can grant this role:
Project
deploymentmanager.compositeTypes.*
deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update
deploymentmanager.types.*
deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Type Viewer
(roles/deploymentmanager.typeViewer)
Provides read-only access to all Type Registry resources.
Lowest-level resources where you can grant this role:
Project
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Viewer
(roles/deploymentmanager.viewer)
Provides read-only access to all Deployment Manager-related
resources.
Lowest-level resources where you can grant this role:
Project
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.manifests.get
deploymentmanager.manifests.list
deploymentmanager.operations.*
deploymentmanager.operations.get
deploymentmanager.operations.list
deploymentmanager.resources.*
deploymentmanager.resources.get
deploymentmanager.resources.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Access control for Deployment Manager
To create other Google Cloud resources, Deployment Manager uses the
credentials of the Google APIs Service Agent to authenticate to other
APIs. The Google APIs Service Agent is designed specifically to run internal
Google processes on your behalf. This service account is identifiable using the
email:
The Google APIs Service Agent is automatically granted the Editor role at the
project level and is listed in the IAM section of the
Google Cloud console. This service account exists indefinitely with the
project, and is only deleted when the project is deleted. Since
Deployment Manager and other services, such as
managed instance groups,
rely on this service account to create, delete, and manage resources, it is
not recommended that you modify this account's permissions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-19 UTC."],[],[]]