Access Control Options

By default, every Google Cloud Platform Console project comes with a single user: the original project creator. No other user has access to the project, and therefore no access to the Google Cloud Platform resources in it, until that user is added as a project team member. This page describes the different ways you can add new users to your project.

It also describes how Deployment Manager authenticates to other Cloud Platform APIs on your behalf to create resources.

Before you begin

Access control for users

To give your users access to your project so they can create configurations and deployments, add them as project team members and grant them the appropriate Identity and Access Management (IAM) roles. IAM supports two types of roles: predefined roles and primitive roles.

For information on how to add team members, read the documentation for adding team members.

Predefined roles

Predefined roles grant a set of related permissions. The following table describes the predefined roles available to Deployment Manager.

Role                                 Includes permission(s)                                     For resource type
roles/deploymentmanager.viewer       deploymentmanager.deployments.get                          Deployment
                                     deploymentmanager.deployments.list                         Project
                                     deploymentmanager.manifests.get                            Manifest
                                     deploymentmanager.manifests.list                           Project
                                     deploymentmanager.resources.get                            Resource
                                     deploymentmanager.resources.list                           Project
                                     deploymentmanager.types.list                               Project
                                     deploymentmanager.operations.get                           Operation
                                     deploymentmanager.operations.list                          Project
roles/deploymentmanager.editor       All of the permissions of deploymentmanager.viewer, plus:
                                     deploymentmanager.deployments.cancelPreview                Deployment
                                     deploymentmanager.deployments.create                       Project
                                     deploymentmanager.deployments.delete                       Deployment
                                     deploymentmanager.deployments.stop                         Deployment
                                     deploymentmanager.deployments.update                       Deployment
roles/deploymentmanager.typeViewer   deploymentmanager.types.list                               Project
                                     deploymentmanager.typeProviders.get                        Type Provider
                                     deploymentmanager.typeProviders.list                       Project
                                     deploymentmanager.compositeTypes.get                       Composite Type
                                     deploymentmanager.compositeTypes.list                      Project
roles/deploymentmanager.typeEditor   All of the permissions of deploymentmanager.typeViewer, plus:
                                     deploymentmanager.typeProviders.create                     Project
                                     deploymentmanager.typeProviders.delete                     Type Provider
                                     deploymentmanager.typeProviders.update                     Type Provider
                                     deploymentmanager.compositeTypes.create                    Project
                                     deploymentmanager.compositeTypes.delete                    Composite Type
                                     deploymentmanager.compositeTypes.update                    Composite Type

Each API method requires a specific permission in order to be called. Use the table below to determine which permission is necessary for the desired API method, and which roles (predefined and primitive) grant it.

Method / Required permission(s) / Roles that allow you to call this method (listed below each method):
deployments.cancelPreview deploymentmanager.deployments.cancelPreview
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
deployments.delete deploymentmanager.deployments.delete
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
deployments.get deploymentmanager.deployments.get
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
deployments.insert deploymentmanager.deployments.create
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
deployments.list deploymentmanager.deployments.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
deployments.patch deploymentmanager.deployments.update
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
deployments.stop deploymentmanager.deployments.stop
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
deployments.update deploymentmanager.deployments.update
  • roles/deploymentmanager.editor
  • roles/owner
  • roles/editor
manifests.get deploymentmanager.manifests.get
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
manifests.list deploymentmanager.manifests.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
resources.get deploymentmanager.resources.get
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
resources.list deploymentmanager.resources.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/owner
  • roles/editor
  • roles/viewer
types.list deploymentmanager.types.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/deploymentmanager.typeEditor
  • roles/deploymentmanager.typeViewer
  • roles/owner
  • roles/editor
  • roles/viewer
compositeTypes.delete deploymentmanager.compositeTypes.delete
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
compositeTypes.get deploymentmanager.compositeTypes.get
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/deploymentmanager.typeEditor
  • roles/deploymentmanager.typeViewer
  • roles/owner
  • roles/editor
  • roles/viewer
compositeTypes.insert deploymentmanager.compositeTypes.create
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
compositeTypes.list deploymentmanager.compositeTypes.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/deploymentmanager.typeEditor
  • roles/deploymentmanager.typeViewer
  • roles/owner
  • roles/editor
  • roles/viewer
compositeTypes.patch deploymentmanager.compositeTypes.update
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
compositeTypes.update deploymentmanager.compositeTypes.update
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
typeProviders.delete deploymentmanager.typeProviders.delete
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
typeProviders.get deploymentmanager.typeProviders.get
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/deploymentmanager.typeEditor
  • roles/deploymentmanager.typeViewer
  • roles/owner
  • roles/editor
  • roles/viewer
typeProviders.insert deploymentmanager.typeProviders.create
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
typeProviders.list deploymentmanager.typeProviders.list
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.viewer
  • roles/deploymentmanager.typeEditor
  • roles/deploymentmanager.typeViewer
  • roles/owner
  • roles/editor
  • roles/viewer
typeProviders.patch deploymentmanager.typeProviders.update
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor
typeProviders.update deploymentmanager.typeProviders.update
  • roles/deploymentmanager.editor
  • roles/deploymentmanager.typeEditor
  • roles/owner
  • roles/editor

Primitive roles

Primitive IAM roles map directly to the legacy project owner, editor, and viewer roles. These roles grant much wider access to services than the predefined roles do. In general, use predefined roles whenever possible; however, in some cases, where a service does not yet support IAM, you might need to use a primitive role to grant the required permissions.

To learn more about primitive roles, read the documentation for primitive roles.

Access control for Deployment Manager

To create other Google Cloud Platform resources, Deployment Manager uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identifiable using the email:

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com

The Google APIs service account is automatically granted the editor role on the project and is listed in the IAM section of the Google Cloud Platform Console. The service account exists for the lifetime of the project and is deleted only when the project is deleted. Because Deployment Manager and other services, such as managed instance groups, rely on this service account to create, delete, and manage resources, it is not recommended that you modify this account's permissions.
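The following is an added example, not code from the Deployment Manager documentation, that puts the two tables above and the service-account note to use: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`, answers whether a member can call a given Deployment Manager method, picks the narrowest predefined role for a set of methods, and checks that the Google APIs service account still holds roles/editor. The project number, members and bindings are constructed sample data; only the deployments subset of the tables is transcribed.

```python
import json

# Predefined role -> permissions, transcribed from the roles table on this page (deployments subset).
VIEWER_PERMS = {f"deploymentmanager.{p}" for p in (
    "deployments.get", "deployments.list", "manifests.get", "manifests.list",
    "resources.get", "resources.list", "types.list", "operations.get", "operations.list")}
EDITOR_PERMS = VIEWER_PERMS | {f"deploymentmanager.deployments.{p}" for p in (
    "cancelPreview", "create", "delete", "stop", "update")}
ROLE_PERMS = {
    "roles/deploymentmanager.viewer": VIEWER_PERMS,
    "roles/deploymentmanager.editor": EDITOR_PERMS,
    # Primitive roles, as the method table lists them: viewer allows the viewer set,
    # owner and editor allow the editor set (they grant far more outside this service).
    "roles/viewer": VIEWER_PERMS, "roles/editor": EDITOR_PERMS, "roles/owner": EDITOR_PERMS,
}
# API method -> required permission, from the method table on this page (deployments subset).
METHOD_PERM = {"deployments.get": "deploymentmanager.deployments.get",
               "deployments.list": "deploymentmanager.deployments.list",
               "deployments.insert": "deploymentmanager.deployments.create",
               "deployments.patch": "deploymentmanager.deployments.update",
               "deployments.delete": "deploymentmanager.deployments.delete"}

def member_permissions(policy, member):
    """Union of Deployment Manager permissions a member holds through the policy bindings."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMS.get(binding["role"], set())
    return perms

def can_call(policy, member, method):
    """True if the member holds the permission the method table requires."""
    return METHOD_PERM[method] in member_permissions(policy, member)

def least_privileged_role(methods):
    """Narrowest predefined Deployment Manager role covering every method, or None."""
    needed = {METHOD_PERM[m] for m in methods}
    for role in ("roles/deploymentmanager.viewer", "roles/deploymentmanager.editor"):
        if needed <= ROLE_PERMS[role]:
            return role
    return None

def google_apis_sa_has_editor(policy, project_number):
    """Drift check: [PROJECT_NUMBER]@cloudservices.gserviceaccount.com must keep roles/editor."""
    sa = f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"
    return any(b["role"] == "roles/editor" and sa in b.get("members", [])
               for b in policy.get("bindings", []))

# Constructed sample policy (not a real project); project number 123456789012 is made up.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:owner@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
  {"role": "roles/deploymentmanager.viewer", "members": ["user:auditor@example.com"]}]}""")
```

Running the check against a real export is a quick way to catch a viewer who was handed roles/editor for convenience, or a removed service-account binding that will surface later as failed deployments.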

What's next
