IAM roles and permissions

This page describes Developer Connect roles and permissions.

Access control in Developer Connect is controlled using Identity and Access Management (IAM). IAM lets you create and manage permissions for Google Cloud resources. Developer Connect provides a specific set of predefined IAM roles where each role contains a set of permissions suited to a particular type of access or action. We recommend that you adopt the security principle of least privilege, and grant only the necessary access to your resources.

Predefined Developer Connect roles

You assign permissions to accounts through the use of roles. The following table lists the roles available for Developer Connect and the permissions that they include:

Role Permissions

Name: developerconnect.admin

Title: Developer Connect Admin

Grants full access to Developer Connect resources.

developerconnect.operations.delete

developerconnect.operations.cancel

developerconnect.connections.create

developerconnect.connections.update

developerconnect.connections.delete

developerconnect.connections.constructGitHubAppManifest

developerconnect.connections.processGitHubOAuthCallback

developerconnect.connections.processGitHubAppCreationCallback

developerconnect.connections.generateGitHubStateToken

developerconnect.gitRepositoryLinks.create

developerconnect.gitRepositoryLinks.delete

Name: developerconnect.readTokenAccessor

Title: Developer Connect Read Token Accessor

Grants access to read-only tokens. Also grants access to view the Git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.fetchReadToken

Name: developerconnect.tokenAccessor

Title: Developer Connect Token Accessor

Grants access to read/write and read-only tokens. Also grants access to view the Git repository link.

developerconnect.connections.get

developerconnect.gitRepositoryLinks.get

developerconnect.gitRepositoryLinks.fetchReadToken

developerconnect.gitRepositoryLinks.fetchReadWriteToken

Name: developerconnect.user

Title: Developer Connect User

Grants access to view the connection and access to the features that interact with the Git repository, such as reading content from the Git repository, or linking to the Git repository.

developerconnect.connections.fetchGitHubInstallations

developerconnect.connections.fetchLinkableGitRepositories

developerconnect.gitRepositoryLinks.fetchGitRefs

Name: developerconnect.viewer

Title: Developer Connect Viewer

Grants read-only access to Developer Connect resources.

resourcemanager.projects.get

resourcemanager.projects.list

developerconnect.operations.list

developerconnect.operations.get

developerconnect.locations.list

developerconnect.locations.get

developerconnect.connections.list

developerconnect.connections.get

developerconnect.gitRepositoryLinks.list

developerconnect.gitRepositoryLinks.get

Name: developerconnect.gitProxyReader

Title: Developer Connect Git Proxy Reader

Grants read-only access to repositories through the Git proxy.

developerconnect.gitRepositoryLinks.gitProxyRead

Name: developerconnect.gitProxyUser

Title: Developer Connect Git Proxy User

Grants read and write access to repositories through the Git proxy.

developerconnect.gitRepositoryLinks.gitProxyRead

developerconnect.gitRepositoryLinks.gitProxyWrite

Developer Connect service account

Developer Connect uses a service account to execute tasks on your behalf when communicating with other services.

The identifier for the Developer Connect service agent is as follows, where PROJECT_NUMBER is your Google Cloud project number.

service-PROJECT_NUMBER@gcp-sa-devconnect.iam.gserviceaccount.com

You use this identifier to grant or modify IAM roles and permissions.

Configure access to resources

For specific steps on granting roles, see Granting, changing, and revoking access to resources.

What's next