Roles and permissions

This page lists the permissions required by Google Distributed Cloud connected and the Identity and Access Management (IAM) roles that encapsulate them.

Roles

This section lists the IAM roles that encapsulate Distributed Cloud connected permissions.

Google Cloud project roles for Distributed Cloud connected

The following table lists the Google Cloud project roles and the Distributed Cloud connected permissions that they encapsulate.

Role Resources Permissions
Edge Container Viewer

roles/edgecontainer.viewer
zones, nodes, node pools, clusters, VPN connections
  • edgecontainer.clusters.list
  • edgecontainer.clusters.get
  • edgecontainer.clusters.generateAccessToken
  • edgecontainer.clusters.getIamPolicy
  • edgecontainer.nodePools.list
  • edgecontainer.nodePools.get
  • edgecontainer.nodePools.getIamPolicy
  • edgecontainer.machines.list
  • edgecontainer.machines.get
  • edgecontainer.machines.getIamPolicy
  • edgecontainer.vpnConnections.list
  • edgecontainer.vpnConnections.get
  • edgecontainer.vpnConnections.getIamPolicy
  • edgecontainer.locations.list
  • edgecontainer.locations.get
  • edgecontainer.operations.list
  • edgecontainer.operations.get
  • edgecontainer.serverconfig.get
Edge Container Admin

roles/edgecontainer.admin
zones, nodes, node pools, clusters, VPN connections Includes all permissions from the Edge Container Viewer role, plus the following:
  • edgecontainer.clusters.create
  • edgecontainer.clusters.update
  • edgecontainer.clusters.upgrade
  • edgecontainer.clusters.delete
  • edgecontainer.clusters.setIamPolicy
  • edgecontainer.clusters.generateOfflineCredential
  • edgecontainer.nodePools.create
  • edgecontainer.nodePools.update
  • edgecontainer.nodePools.delete
  • edgecontainer.nodePools.setIamPolicy
  • edgecontainer.machines.create
  • edgecontainer.machines.update
  • edgecontainer.machines.delete
  • edgecontainer.machines.use
  • edgecontainer.machines.setIamPolicy
  • edgecontainer.vpnConnections.create
  • edgecontainer.vpnConnections.update
  • edgecontainer.vpnConnections.delete
  • edgecontainer.vpnConnections.setIamPolicy
  • edgecontainer.operations.cancel
  • edgecontainer.operations.delete
Edge Container Machine User

roles/edgecontainer.machineUser
machines
  • edgecontainer.machines.use
Edge Container Offline Credential User

roles/edgecontainer.offlineCredentialUser
clusters
  • edgecontainer.clusters.generateOfflineCredential
Edge Network Viewer

roles/edgenetwork.viewer
zones, networks, subnets, interconnects, interconnect attachments, routers, locations, operations
  • edgenetwork.networks.list
  • edgenetwork.networks.get
  • edgenetwork.networks.getStatus
  • edgenetwork.networks.getIamPolicy
  • edgenetwork.subnetworks.list
  • edgenetwork.subnetworks.get
  • edgenetwork.subnetworks.getIamPolicy
  • edgenetwork.interconnects.list
  • edgenetwork.interconnects.get
  • edgenetwork.interconnects.getDiagnostics
  • edgenetwork.interconnects.getIamPolicy
  • edgenetwork.interconnectAttachments.list
  • edgenetwork.interconnectAttachments.get
  • edgenetwork.interconnectAttachments.getIamPolicy
  • edgenetwork.routers.list
  • edgenetwork.routers.get
  • edgenetwork.routers.getRouterStatus
  • edgenetwork.routers.getIamPolicy
  • edgenetwork.zones.list
  • edgenetwork.zones.get
  • edgenetwork.locations.list
  • edgenetwork.locations.get
  • edgenetwork.operations.list
  • edgenetwork.operations.get
Edge Network Admin

roles/edgenetwork.admin
zones, networks, subnets, interconnects, interconnect attachments, routers, operations Includes all permissions from the Edge Network Viewer role, plus the following:
  • edgenetwork.networks.create
  • edgenetwork.networks.delete
  • edgenetwork.networks.setIamPolicy
  • edgenetwork.subnetworks.create
  • edgenetwork.subnetworks.delete
  • edgenetwork.subnetworks.setIamPolicy
  • edgenetwork.interconnects.setIamPolicy
  • edgenetwork.interconnectAttachments.create
  • edgenetwork.interconnectAttachments.delete
  • edgenetwork.interconnectAttachments.setIamPolicy
  • edgenetwork.routers.create
  • edgenetwork.routers.update
  • edgenetwork.routers.patch
  • edgenetwork.routers.delete
  • edgenetwork.routers.setIamPolicy
  • edgenetwork.zones.initialize
  • edgenetwork.operations.cancel
  • edgenetwork.operations.delete

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least privilege. For instructions, see Create and manage custom roles.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud connected resources.

Operation and method Resource Permission
List regions in the Google Cloud project.

locations.list
regions edgecontainer.locations.list
on the target Google Cloud project
Get information about a region.

locations.get
regions edgecontainer.locations.get
on the target Google Cloud project
Create a cluster.

clusters.create
clusters edgecontainer.clusters.create
on the target Google Cloud project
List clusters in the Google Cloud project.

clusters.list
clusters edgecontainer.clusters.list
on the target Google Cloud project
Obtain credentials for the cluster.

clusters.get
clusters edgecontainer.clusters.get
on the target Google Cloud project
Generate an access token for the cluster.

clusters.generateAccessToken
clusters edgecontainer.clusters.generateAccessToken
on the target Google Cloud project
Modify a cluster.

clusters.update
clusters edgecontainer.clusters.update
on the target Google Cloud project
Upgrade, downgrade, or pin a cluster to a specific Distributed Cloud software stack version.

clusters.upgrade
clusters edgecontainer.clusters.upgrade
on the target Google Cloud project
Generate an offline access credential for a local control plane cluster.

clusters.generateOfflineCredential
clusters edgecontainer.clusters.generateOfflineCredential
on the target Google Cloud project
Delete a cluster.

clusters.delete
clusters edgecontainer.clusters.delete
on the target Google Cloud project
Create a node pool.

nodePools.create
node pools edgecontainer.nodePools.create
on the target Google Cloud project
List node pools in the Google Cloud project.

nodePools.list
node pools edgecontainer.nodePools.list
on the target Google Cloud project
Get information about a node pool.

nodePools.get
node pools edgecontainer.nodePools.get
on the target Google Cloud project
Modify a node pool.

nodePools.update
node pools edgecontainer.nodePools.update
on the target Google Cloud project
Delete a node pool.

nodePools.delete
node pools edgecontainer.nodePools.delete
on the target Google Cloud project
Create a node (machine).

machines.create
nodes edgecontainer.machines.create
on the target Google Cloud project
List nodes (machines) in the Google Cloud project.

machines.list
nodes edgecontainer.machines.list
on the target Google Cloud project
Get information about a node (machine).

machines.get
nodes edgecontainer.machines.get
on the target Google Cloud project
Modify a node (machine).

machines.update
nodes edgecontainer.machines.update
on the target Google Cloud project
Deploy a workload to a node (machine).

machines.use
nodes edgecontainer.machines.use
on the target Google Cloud project
Delete a node (machine).

machines.delete
nodes edgecontainer.machines.delete
on the target Google Cloud project
List workloads deployed in a zone.

operations.list
operations edgecontainer.operations.list
on the target Google Cloud project
Get information about a workload.

operations.get
operations edgecontainer.operations.get
on the target Google Cloud project
Cancel a workload in progress.

operations.cancel
operations edgecontainer.operations.cancel
on the target Google Cloud project
Delete a workload.

operations.delete
operations edgecontainer.operations.delete
on the target Google Cloud project
Get the server configuration for a cluster.

serverconfig.get
serverconfig edgecontainer.serverconfig.get
on the target Google Cloud project
Create a VPN connection.

vpnConnections.create
VPN connections edgecontainer.vpnConnections.create
on the target Google Cloud project
List VPN connections in the Google Cloud project.

vpnConnections.list
VPN connections edgecontainer.vpnConnections.list
on the target Google Cloud project
Get information about a VPN connection.

vpnConnections.get
VPN connections edgecontainer.vpnConnections.get
on the target Google Cloud project
Modify a VPN connection.

vpnConnections.update
VPN connections edgecontainer.vpnConnections.update
on the target Google Cloud project
Delete a VPN connection.

vpnConnections.delete
VPN connections edgecontainer.vpnConnections.delete
on the target Google Cloud project
List zones in the Google Cloud project.

zones.list
zones edgenetwork.zones.list
on the target machine Google Cloud project
Get information about a zone.

zones.get
zones edgenetwork.zones.get
on the target machine Google Cloud project
Initialize a zone.

zones.initialize
zones edgenetwork.zones.initialize
on the target machine Google Cloud project
Create a network.

networks.create
networks edgenetwork.networks.create
on the target machine Google Cloud project
List networks in the Google Cloud project.

networks.list
networks edgenetwork.networks.list
on the target machine Google Cloud project
Get information about a network.

networks.get
networks edgenetwork.networks.get
on the target machine Google Cloud project
Get status about a network.

networks.getStatus
networks edgenetwork.networks.getStatus
on the target machine Google Cloud project
Delete a network.

networks.delete
networks edgenetwork.networks.delete
on the target machine Google Cloud project
Create a subnet.

subnetworks.create
subnets edgenetwork.subnetworks.create
on the target machine Google Cloud project
List subnets in the Google Cloud project.

subnetworks.list
subnets edgenetwork.subnetworks.list
on the target machine Google Cloud project
Get information about a subnet.

subnetworks.get
subnets edgenetwork.subnetworks.get
on the target machine Google Cloud project
Delete a subnet.

subnetworks.delete
subnets edgenetwork.subnetworks.delete
on the target machine Google Cloud project
List interconnects in the Google Cloud project.

interconnects.list
interconnects edgenetwork.interconnects.list
on the target machine Google Cloud project
Get information about an interconnect.

interconnects.get
interconnects edgenetwork.interconnects.get
on the target machine Google Cloud project
Get diagnostic information about an interconnect.

interconnects.getDiagnostics
interconnects edgenetwork.interconnects.getDiagnostics
on the target machine Google Cloud project
Create an interconnect attachment.

interconnectAttachments.create
interconnect attachments edgenetwork.interconnectAttachments.create
on the target machine Google Cloud project
List interconnect attachments in the Google Cloud project.

interconnectAttachments.list
interconnect attachments edgenetwork.interconnectAttachments.list
on the target machine Google Cloud project
Get information about an interconnect attachment.

interconnectAttachments.get
interconnect attachments edgenetwork.interconnectAttachments.get
on the target machine Google Cloud project
Delete an interconnect attachment.

interconnectAttachments.delete
interconnect attachments edgenetwork.interconnectAttachments.delete
on the target machine Google Cloud project
Create a router.

routers.create
routers edgenetwork.routers.create
on the target machine Google Cloud project
List routers in the Google Cloud project.

routers.list
routers edgenetwork.routers.list
on the target machine Google Cloud project
Get status about a router.

routers.getRouterStatus
routers edgenetwork.routers.getRouterStatus
on the target machine Google Cloud project
Get information about a router.

routers.get
routers edgenetwork.routers.get
on the target machine Google Cloud project
Modify a router.

routers.update
routers edgenetwork.routers.update
on the target machine Google Cloud project
Delete a router.

routers.delete
routers edgenetwork.routers.delete
on the target machine Google Cloud project
List workloads deployed in a zone.

operations.list
operations edgenetwork.operations.list
on the target machine Google Cloud project
Get information about a workload.

operations.get
operations edgenetwork.operations.get
on the target machine Google Cloud project
Cancel a workload in progress.

operations.cancel
operations edgenetwork.operations.cancel
on the target machine Google Cloud project
Delete a workload.

operations.delete
operations edgenetwork.operations.delete
on the target machine Google Cloud project
List locations in the machine Google Cloud project.

locations.list
locations edgenetwork.locations.list
on the target machine Google Cloud project
Get information about a location.

locations.get
locations edgenetwork.locations.get
on the target machine Google Cloud project