Access Control Options

By default, every Google Cloud Platform Console project comes with a single user: the original project creator. No other users have access to the project, and therefore to its Google Cloud Platform resources, until they are added as project team members. This page describes the different ways you can add new users to your project.

It also describes how Deployment Manager authenticates to other Cloud Platform APIs on your behalf to create resources.

Before you begin

Access control for users

To give your users access to your project so they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles. IAM supports two types of roles: predefined roles and primitive roles.

For information on how to add team members, read the documentation for adding team members.

Deployment Manager roles

Each predefined Deployment Manager role is listed below with its title, description, the permissions it contains (a trailing * covers every permission under that prefix), and the lowest resource at which it can be granted.

Role: roles/deploymentmanager.editor
Title: Deployment Manager Editor
Description: Provides the permissions necessary to create and manage deployments.
Permissions:
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Project

Role: roles/deploymentmanager.typeEditor
Title: Deployment Manager Type Editor
Description: Provides read and write access to all Type Registry resources.
Permissions:
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.operations.get
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Lowest resource: Project

Role: roles/deploymentmanager.typeViewer
Title: Deployment Manager Type Viewer
Description: Provides read-only access to all Type Registry resources.
Permissions:
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Lowest resource: Project

Role: roles/deploymentmanager.viewer
Title: Deployment Manager Viewer
Description: Provides read-only access to all Deployment Manager-related resources.
Permissions:
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Lowest resource: Project

Access control for Deployment Manager

To create other Google Cloud Platform resources, Deployment Manager uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identified by the email address:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

The Google APIs service account is automatically granted the editor role on the project and is listed in the IAM section of the Google Cloud Platform console. The service account exists for the lifetime of the project and is only deleted when the project is deleted. Because Deployment Manager and other services, such as managed instance groups, rely on this service account to create, delete, and manage resources, modifying this account's permissions is not recommended.
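The following is an added example, not code from this page or from Google, that ties the role table above to the service-account requirement just described: it expands the table's trailing-* wildcard to answer "does this role grant this permission", then audits an exported IAM policy to list who can create deployments and to confirm that the Google APIs service account still holds roles/editor. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT --format=json`; the sample policy and member names are constructed.

```python
"""Audit a project IAM policy for Deployment Manager access (added example)."""
import json

# Permissions of two predefined roles as listed on this page; a trailing ".*"
# is the table's wildcard. The type-registry roles are omitted for brevity.
ROLE_PERMISSIONS = {
    "roles/deploymentmanager.editor": [
        "deploymentmanager.deployments.cancelPreview", "deploymentmanager.deployments.create",
        "deploymentmanager.deployments.delete", "deploymentmanager.deployments.get",
        "deploymentmanager.deployments.list", "deploymentmanager.deployments.stop",
        "deploymentmanager.deployments.update", "deploymentmanager.manifests.*",
        "deploymentmanager.operations.*", "deploymentmanager.resources.*"],
    "roles/deploymentmanager.viewer": [
        "deploymentmanager.deployments.get", "deploymentmanager.deployments.list",
        "deploymentmanager.manifests.*", "deploymentmanager.operations.*",
        "deploymentmanager.resources.*"],
}

def role_grants(role: str, permission: str) -> bool:
    """True if the predefined role includes `permission` (expanding '.*')."""
    for pattern in ROLE_PERMISSIONS.get(role, []):
        if pattern == permission or (pattern.endswith(".*") and permission.startswith(pattern[:-1])):
            return True
    return False

def is_google_apis_sa(member: str) -> bool:
    """serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com, as on this page."""
    return member.startswith("serviceAccount:") and member.endswith("@cloudservices.gserviceaccount.com")

def audit_policy(policy_json: str) -> dict:
    """List who can create deployments and whether the Google APIs service
    account still holds roles/editor (Deployment Manager relies on it)."""
    creators, sa_editor = [], False
    for binding in json.loads(policy_json).get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role == "roles/editor" and any(is_google_apis_sa(m) for m in members):
            sa_editor = True
        # Primitive roles (owner/editor) are not modelled; only the table's roles are.
        if role_grants(role, "deploymentmanager.deployments.create"):
            creators.extend(members)
    return {"can_create_deployments": sorted(creators),
            "google_apis_sa_has_editor": sa_editor}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/deploymentmanager.editor", "members": ["user:alice@example.com"]},
    {"role": "roles/deploymentmanager.viewer", "members": ["user:bob@example.com"]}]})
```

Run `audit_policy` against a real export to spot people who can create deployments beyond those you expect, and to catch a missing editor binding for the service account before deployments start failing.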

What's next