Roles and permissions

This page lists the permissions required by Google Distributed Cloud Edge and the Identity and Access Management (IAM) roles that encapsulate them.

Roles

This section lists the IAM roles that encapsulate Distributed Cloud Edge permissions.

Google Cloud project roles for Distributed Cloud Edge

The following table lists the Google Cloud project roles and the Distributed Cloud Edge permissions that they encapsulate.

Role	Resources	Permissions
Edge Container Viewer `roles/edgecontainer.viewer`	zones, nodes, node pools, clusters, VPN connections	`edgecontainer.clusters.list` `edgecontainer.clusters.get` `edgecontainer.clusters.generateAccessToken` `edgecontainer.clusters.getIamPolicy` `edgecontainer.nodePools.list` `edgecontainer.nodePools.get` `edgecontainer.nodePools.getIamPolicy` `edgecontainer.machines.list` `edgecontainer.machines.get` `edgecontainer.machines.getIamPolicy` `edgecontainer.vpnConnections.list` `edgecontainer.vpnConnections.get` `edgecontainer.vpnConnections.getIamPolicy` `edgecontainer.locations.list` `edgecontainer.locations.get` `edgecontainer.operations.list` `edgecontainer.operations.get` `edgecontainer.serverconfig.get`
Edge Container Admin `roles/edgecontainer.admin`	zones, nodes, node pools, clusters, VPN connections	Includes all permissions from the Edge Container Viewer role, plus the following: `edgecontainer.clusters.create` `edgecontainer.clusters.update` `edgecontainer.clusters.upgrade` `edgecontainer.clusters.delete` `edgecontainer.clusters.setIamPolicy` `edgecontainer.clusters.generateOfflineCredential` `edgecontainer.nodePools.create` `edgecontainer.nodePools.update` `edgecontainer.nodePools.delete` `edgecontainer.nodePools.setIamPolicy` `edgecontainer.machines.create` `edgecontainer.machines.update` `edgecontainer.machines.delete` `edgecontainer.machines.use` `edgecontainer.machines.setIamPolicy` `edgecontainer.vpnConnections.create` `edgecontainer.vpnConnections.update` `edgecontainer.vpnConnections.delete` `edgecontainer.vpnConnections.setIamPolicy` `edgecontainer.operations.cancel` `edgecontainer.operations.delete`
Edge Container Machine User `roles/edgecontainer.machineUser`	machines	`edgecontainer.machines.use`
Edge Container Offline Credential User `roles/edgecontainer.offlineCredentialUser`	clusters	`edgecontainer.clusters.generateOfflineCredential`
Edge Network Viewer `roles/edgenetwork.viewer`	zones, networks, subnets, interconnects, interconnect attachments, routers, locations, operations	`edgenetwork.networks.list` `edgenetwork.networks.get` `edgenetwork.networks.getStatus` `edgenetwork.networks.getIamPolicy` `edgenetwork.subnetworks.list` `edgenetwork.subnetworks.get` `edgenetwork.subnetworks.getIamPolicy` `edgenetwork.interconnects.list` `edgenetwork.interconnects.get` `edgenetwork.interconnects.getDiagnostics` `edgenetwork.interconnects.getIamPolicy` `edgenetwork.interconnectAttachments.list` `edgenetwork.interconnectAttachments.get` `edgenetwork.interconnectAttachments.getIamPolicy` `edgenetwork.routers.list` `edgenetwork.routers.get` `edgenetwork.routers.getRouterStatus` `edgenetwork.routers.getIamPolicy` `edgenetwork.zones.list` `edgenetwork.zones.get` `edgenetwork.locations.list` `edgenetwork.locations.get` `edgenetwork.operations.list` `edgenetwork.operations.get`
Edge Network Admin `roles/edgenetwork.admin`	zones, networks, subnets, interconnects, interconnect attachments, routers, operations	Includes all permissions from the Edge Network Viewer role, plus the following: `edgenetwork.networks.create` `edgenetwork.networks.delete` `edgenetwork.networks.setIamPolicy` `edgenetwork.subnetworks.create` `edgenetwork.subnetworks.delete` `edgenetwork.subnetworks.setIamPolicy` `edgenetwork.interconnects.setIamPolicy` `edgenetwork.interconnectAttachments.create` `edgenetwork.interconnectAttachments.delete` `edgenetwork.interconnectAttachments.setIamPolicy` `edgenetwork.routers.create` `edgenetwork.routers.update` `edgenetwork.routers.patch` `edgenetwork.routers.delete` `edgenetwork.routers.setIamPolicy` `edgenetwork.zones.initialize` `edgenetwork.operations.cancel` `edgenetwork.operations.delete`

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least privilege. For instructions, see Create and manage custom roles.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud Edge resources.

Operation and method	Resource	Permission
List regions in the Google Cloud project. `locations.list`	regions	`edgecontainer.locations.list` on the target Google Cloud project
Get information about a region. `locations.get`	regions	`edgecontainer.locations.get` on the target Google Cloud project
Create a cluster. `clusters.create`	clusters	`edgecontainer.clusters.create` on the target Google Cloud project
List clusters in the Google Cloud project. `clusters.list`	clusters	`edgecontainer.clusters.list` on the target Google Cloud project
Obtain credentials for the cluster. `clusters.get`	clusters	`edgecontainer.clusters.get` on the target Google Cloud project
Generate an access token for the cluster. `clusters.generateAccessToken`	clusters	`edgecontainer.clusters.generateAccessToken` on the target Google Cloud project
Modify a cluster. `clusters.update`	clusters	`edgecontainer.clusters.update` on the target Google Cloud project
Upgrade, downgrade, or pin a cluster to a specific Distributed Cloud Edge software stack version. `clusters.upgrade`	clusters	`edgecontainer.clusters.upgrade` on the target Google Cloud project
Generate an offline access credential for a local control plane cluster. `clusters.generateOfflineCredential`	clusters	`edgecontainer.clusters.generateOfflineCredential` on the target Google Cloud project
Delete a cluster. `clusters.delete`	clusters	`edgecontainer.clusters.delete` on the target Google Cloud project
Create a node pool. `nodePools.create`	node pools	`edgecontainer.nodePools.create` on the target Google Cloud project
List node pools in the Google Cloud project. `nodePools.list`	node pools	`edgecontainer.nodePools.list` on the target Google Cloud project
Get information about a node pool. `nodePools.get`	node pools	`edgecontainer.nodePools.get` on the target Google Cloud project
Modify a node pool. `nodePools.update`	node pools	`edgecontainer.nodePools.update` on the target Google Cloud project
Delete a node pool. `nodePools.delete`	node pools	`edgecontainer.nodePools.delete` on the target Google Cloud project
Create a node (machine). `machines.create`	nodes	`edgecontainer.machines.create` on the target Google Cloud project
List nodes (machines) in the Google Cloud project. `machines.list`	nodes	`edgecontainer.machines.list` on the target Google Cloud project
Get information about a node (machine). `machines.get`	nodes	`edgecontainer.machines.get` on the target Google Cloud project
Modify a node (machine). `machines.update`	nodes	`edgecontainer.machines.update` on the target Google Cloud project
Deploy a workload to a node (machine). `machines.use`	nodes	`edgecontainer.machines.use` on the target Google Cloud project
Delete a node (machine). `machines.delete`	nodes	`edgecontainer.machines.delete` on the target Google Cloud project
List workloads deployed in a zone. `operations.list`	operations	`edgecontainer.operations.list` on the target Google Cloud project
Get information about a workload. `operations.get`	operations	`edgecontainer.operations.get` on the target Google Cloud project
Cancel a workload in progress. `operations.cancel`	operations	`edgecontainer.operations.cancel` on the target Google Cloud project
Delete a workload. `operations.delete`	operations	`edgecontainer.operations.delete` on the target Google Cloud project
Get the server configuration for a cluster. `serverconfig.get`	serverconfig	`edgecontainer.serverconfig.get` on the target Google Cloud project
Create a VPN connection. `vpnConnections.create`	VPN connections	`edgecontainer.vpnConnections.create` on the target Google Cloud project
List VPN connections in the Google Cloud project. `vpnConnections.list`	VPN connections	`edgecontainer.vpnConnections.list` on the target Google Cloud project
Get information about a VPN connection. `vpnConnections.get`	VPN connections	`edgecontainer.vpnConnections.get` on the target Google Cloud project
Modify a VPN connection. `vpnConnections.update`	VPN connections	`edgecontainer.vpnConnections.update` on the target Google Cloud project
Delete a VPN connection. `vpnConnections.delete`	VPN connections	`edgecontainer.vpnConnections.delete` on the target Google Cloud project
List zones in the Google Cloud project. `zones.list`	zones	`edgenetwork.zones.list` on the target machine Google Cloud project
Get information about a zone. `zones.get`	zones	`edgenetwork.zones.get` on the target machine Google Cloud project
Initialize a zone. `zones.initialize`	zones	`edgenetwork.zones.initialize` on the target machine Google Cloud project
Create a network. `networks.create`	networks	`edgenetwork.networks.create` on the target machine Google Cloud project
List networks in the Google Cloud project. `networks.list`	networks	`edgenetwork.networks.list` on the target machine Google Cloud project
Get information about a network. `networks.get`	networks	`edgenetwork.networks.get` on the target machine Google Cloud project
Get status about a network. `networks.getStatus`	networks	`edgenetwork.networks.getStatus` on the target machine Google Cloud project
Delete a network. `networks.delete`	networks	`edgenetwork.networks.delete` on the target machine Google Cloud project
Create a subnet. `subnetworks.create`	subnets	`edgenetwork.subnetworks.create` on the target machine Google Cloud project
List subnets in the Google Cloud project. `subnetworks.list`	subnets	`edgenetwork.subnetworks.list` on the target machine Google Cloud project
Get information about a subnet. `subnetworks.get`	subnets	`edgenetwork.subnetworks.get` on the target machine Google Cloud project
Delete a subnet. `subnetworks.delete`	subnets	`edgenetwork.subnetworks.delete` on the target machine Google Cloud project
List interconnects in the Google Cloud project. `interconnects.list`	interconnects	`edgenetwork.interconnects.list` on the target machine Google Cloud project
Get information about an interconnect. `interconnects.get`	interconnects	`edgenetwork.interconnects.get` on the target machine Google Cloud project
Get diagnostic information about an interconnect. `interconnects.getDiagnostics`	interconnects	`edgenetwork.interconnects.getDiagnostics` on the target machine Google Cloud project
Create an interconnect attachment. `interconnectAttachments.create`	interconnect attachments	`edgenetwork.interconnectAttachments.create` on the target machine Google Cloud project
List interconnect attachments in the Google Cloud project. `interconnectAttachments.list`	interconnect attachments	`edgenetwork.interconnectAttachments.list` on the target machine Google Cloud project
Get information about an interconnect attachment. `interconnectAttachments.get`	interconnect attachments	`edgenetwork.interconnectAttachments.get` on the target machine Google Cloud project
Delete an interconnect attachment. `interconnectAttachments.delete`	interconnect attachments	`edgenetwork.interconnectAttachments.delete` on the target machine Google Cloud project
Create a router. `routers.create`	routers	`edgenetwork.routers.create` on the target machine Google Cloud project
List routers in the Google Cloud project. `routers.list`	routers	`edgenetwork.routers.list` on the target machine Google Cloud project
Get status about a router. `routers.getRouterStatus`	routers	`edgenetwork.routers.getRouterStatus` on the target machine Google Cloud project
Get information about a router. `routers.get`	routers	`edgenetwork.routers.get` on the target machine Google Cloud project
Modify a router. `routers.update`	routers	`edgenetwork.routers.update` on the target machine Google Cloud project
Delete a router. `routers.delete`	routers	`edgenetwork.routers.delete` on the target machine Google Cloud project
List workloads deployed in a zone. `operations.list`	operations	`edgenetwork.operations.list` on the target machine Google Cloud project
Get information about a workload. `operations.get`	operations	`edgenetwork.operations.get` on the target machine Google Cloud project
Cancel a workload in progress. `operations.cancel`	operations	`edgenetwork.operations.cancel` on the target machine Google Cloud project
Delete a workload. `operations.delete`	operations	`edgenetwork.operations.delete` on the target machine Google Cloud project
List locations in the machine Google Cloud project. `locations.list`	locations	`edgenetwork.locations.list` on the target machine Google Cloud project
Get information about a location. `locations.get`	locations	`edgenetwork.locations.get` on the target machine Google Cloud project