Roles and permissions

This page lists the permissions required by Google Distributed Cloud connected and the Identity and Access Management (IAM) roles that encapsulate them.

Roles

This section lists the IAM roles that encapsulate Distributed Cloud connected permissions.

Google Cloud project roles for Distributed Cloud connected

The following table lists the Google Cloud project roles and the Distributed Cloud connected permissions that they encapsulate.

Role Resources Permissions
Edge Container Viewer

roles/edgecontainer.viewer		 zones, nodes, node pools, clusters, VPN connections
  • edgecontainer.clusters.list
  • edgecontainer.clusters.get
  • edgecontainer.clusters.generateAccessToken
  • edgecontainer.clusters.getIamPolicy
  • edgecontainer.nodePools.list
  • edgecontainer.nodePools.get
  • edgecontainer.nodePools.getIamPolicy
  • edgecontainer.machines.list
  • edgecontainer.machines.get
  • edgecontainer.machines.getIamPolicy
  • edgecontainer.vpnConnections.list
  • edgecontainer.vpnConnections.get
  • edgecontainer.vpnConnections.getIamPolicy
  • edgecontainer.locations.list
  • edgecontainer.locations.get
  • edgecontainer.operations.list
  • edgecontainer.operations.get
  • edgecontainer.serverconfig.get
Edge Container Admin

roles/edgecontainer.admin		 zones, nodes, node pools, clusters, VPN connections Includes all permissions from the Edge Container Viewer role, plus the following:
  • edgecontainer.clusters.create
  • edgecontainer.clusters.update
  • edgecontainer.clusters.upgrade
  • edgecontainer.clusters.delete
  • edgecontainer.clusters.setIamPolicy
  • edgecontainer.clusters.generateOfflineCredential
  • edgecontainer.nodePools.create
  • edgecontainer.nodePools.update
  • edgecontainer.nodePools.delete
  • edgecontainer.nodePools.setIamPolicy
  • edgecontainer.machines.create
  • edgecontainer.machines.update
  • edgecontainer.machines.delete
  • edgecontainer.machines.use
  • edgecontainer.machines.setIamPolicy
  • edgecontainer.vpnConnections.create
  • edgecontainer.vpnConnections.update
  • edgecontainer.vpnConnections.delete
  • edgecontainer.vpnConnections.setIamPolicy
  • edgecontainer.operations.cancel
  • edgecontainer.operations.delete
Edge Container Machine User

roles/edgecontainer.machineUser		 machines
  • edgecontainer.machines.use
Edge Container Offline Credential User

roles/edgecontainer.offlineCredentialUser		 clusters
  • edgecontainer.clusters.generateOfflineCredential
Edge Network Viewer

roles/edgenetwork.viewer		 zones, networks, subnets, interconnects, interconnect attachments, routers, locations, operations
  • edgenetwork.networks.list
  • edgenetwork.networks.get
  • edgenetwork.networks.getStatus
  • edgenetwork.networks.getIamPolicy
  • edgenetwork.subnetworks.list
  • edgenetwork.subnetworks.get
  • edgenetwork.subnetworks.getIamPolicy
  • edgenetwork.interconnects.list
  • edgenetwork.interconnects.get
  • edgenetwork.interconnects.getDiagnostics
  • edgenetwork.interconnects.getIamPolicy
  • edgenetwork.interconnectAttachments.list
  • edgenetwork.interconnectAttachments.get
  • edgenetwork.interconnectAttachments.getIamPolicy
  • edgenetwork.routers.list
  • edgenetwork.routers.get
  • edgenetwork.routers.getRouterStatus
  • edgenetwork.routers.getIamPolicy
  • edgenetwork.zones.list
  • edgenetwork.zones.get
  • edgenetwork.locations.list
  • edgenetwork.locations.get
  • edgenetwork.operations.list
  • edgenetwork.operations.get
Edge Network Admin

roles/edgenetwork.admin		 zones, networks, subnets, interconnects, interconnect attachments, routers, operations Includes all permissions from the Edge Network Viewer role, plus the following:
  • edgenetwork.networks.create
  • edgenetwork.networks.delete
  • edgenetwork.networks.setIamPolicy
  • edgenetwork.subnetworks.create
  • edgenetwork.subnetworks.delete
  • edgenetwork.subnetworks.setIamPolicy
  • edgenetwork.interconnects.setIamPolicy
  • edgenetwork.interconnectAttachments.create
  • edgenetwork.interconnectAttachments.delete
  • edgenetwork.interconnectAttachments.setIamPolicy
  • edgenetwork.routers.create
  • edgenetwork.routers.update
  • edgenetwork.routers.patch
  • edgenetwork.routers.delete
  • edgenetwork.routers.setIamPolicy
  • edgenetwork.zones.initialize
  • edgenetwork.operations.cancel
  • edgenetwork.operations.delete

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least privilege. For instructions, see Create and manage custom roles.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud connected resources.

Operation and method Resource Permission
List regions in the Google Cloud project.

locations.list		 regions edgecontainer.locations.list
on the target Google Cloud project
Get information about a region.

locations.get		 regions edgecontainer.locations.get
on the target Google Cloud project
Create a cluster.

clusters.create		 clusters edgecontainer.clusters.create
on the target Google Cloud project
List clusters in the Google Cloud project.

clusters.list		 clusters edgecontainer.clusters.list
on the target Google Cloud project
Obtain credentials for the cluster.

clusters.get		 clusters edgecontainer.clusters.get
on the target Google Cloud project
Generate an access token for the cluster.

clusters.generateAccessToken		 clusters edgecontainer.clusters.generateAccessToken
on the target Google Cloud project
Modify a cluster.

clusters.update		 clusters edgecontainer.clusters.update
on the target Google Cloud project
Upgrade, downgrade, or pin a cluster to a specific Distributed Cloud software stack version.

clusters.upgrade		 clusters edgecontainer.clusters.upgrade
on the target Google Cloud project
Generate an offline access credential for a cluster.

clusters.generateOfflineCredential		 clusters edgecontainer.clusters.generateOfflineCredential
on the target Google Cloud project
Delete a cluster.

clusters.delete		 clusters edgecontainer.clusters.delete
on the target Google Cloud project
Create a node pool.

nodePools.create		 node pools edgecontainer.nodePools.create
on the target Google Cloud project
List node pools in the Google Cloud project.

nodePools.list		 node pools edgecontainer.nodePools.list
on the target Google Cloud project
Get information about a node pool.

nodePools.get		 node pools edgecontainer.nodePools.get
on the target Google Cloud project
Modify a node pool.

nodePools.update		 node pools edgecontainer.nodePools.update
on the target Google Cloud project
Delete a node pool.

nodePools.delete		 node pools edgecontainer.nodePools.delete
on the target Google Cloud project
Create a node (machine).

machines.create		 nodes edgecontainer.machines.create
on the target Google Cloud project
List nodes (machines) in the Google Cloud project.

machines.list		 nodes edgecontainer.machines.list
on the target Google Cloud project
Get information about a node (machine).

machines.get		 nodes edgecontainer.machines.get
on the target Google Cloud project
Modify a node (machine).

machines.update		 nodes edgecontainer.machines.update
on the target Google Cloud project
Deploy a workload to a node (machine).

machines.use		 nodes edgecontainer.machines.use
on the target Google Cloud project
Delete a node (machine).

machines.delete		 nodes edgecontainer.machines.delete
on the target Google Cloud project
List workloads deployed in a zone.

operations.list		 operations edgecontainer.operations.list
on the target Google Cloud project
Get information about a workload.

operations.get		 operations edgecontainer.operations.get
on the target Google Cloud project
Cancel a workload in progress.

operations.cancel		 operations edgecontainer.operations.cancel
on the target Google Cloud project
Delete a workload.

operations.delete		 operations edgecontainer.operations.delete
on the target Google Cloud project
Get the server configuration for a cluster.

serverconfig.get		 serverconfig edgecontainer.serverconfig.get
on the target Google Cloud project
Create a VPN connection.

vpnConnections.create		 VPN connections edgecontainer.vpnConnections.create
on the target Google Cloud project
List VPN connections in the Google Cloud project.

vpnConnections.list		 VPN connections edgecontainer.vpnConnections.list
on the target Google Cloud project
Get information about a VPN connection.

vpnConnections.get		 VPN connections edgecontainer.vpnConnections.get
on the target Google Cloud project
Modify a VPN connection.

vpnConnections.update		 VPN connections edgecontainer.vpnConnections.update
on the target Google Cloud project
Delete a VPN connection.

vpnConnections.delete		 VPN connections edgecontainer.vpnConnections.delete
on the target Google Cloud project
List zones in the Google Cloud project.

zones.list		 zones edgenetwork.zones.list
on the target machine Google Cloud project
Get information about a zone.

zones.get		 zones edgenetwork.zones.get
on the target machine Google Cloud project
Initialize a zone.

zones.initialize		 zones edgenetwork.zones.initialize
on the target machine Google Cloud project
Create a network.

networks.create		 networks edgenetwork.networks.create
on the target machine Google Cloud project
List networks in the Google Cloud project.

networks.list		 networks edgenetwork.networks.list
on the target machine Google Cloud project
Get information about a network.

networks.get		 networks edgenetwork.networks.get
on the target machine Google Cloud project
Get status about a network.

networks.getStatus		 networks edgenetwork.networks.getStatus
on the target machine Google Cloud project
Delete a network.

networks.delete		 networks edgenetwork.networks.delete
on the target machine Google Cloud project
Create a subnet.

subnetworks.create		 subnets edgenetwork.subnetworks.create
on the target machine Google Cloud project
List subnets in the Google Cloud project.

subnetworks.list		 subnets edgenetwork.subnetworks.list
on the target machine Google Cloud project
Get information about a subnet.

subnetworks.get		 subnets edgenetwork.subnetworks.get
on the target machine Google Cloud project
Delete a subnet.

subnetworks.delete		 subnets edgenetwork.subnetworks.delete
on the target machine Google Cloud project
List interconnects in the Google Cloud project.

interconnects.list		 interconnects edgenetwork.interconnects.list
on the target machine Google Cloud project
Get information about an interconnect.

interconnects.get		 interconnects edgenetwork.interconnects.get
on the target machine Google Cloud project
Get diagnostic information about an interconnect.

interconnects.getDiagnostics		 interconnects edgenetwork.interconnects.getDiagnostics
on the target machine Google Cloud project
Create an interconnect attachment.

interconnectAttachments.create		 interconnect attachments edgenetwork.interconnectAttachments.create
on the target machine Google Cloud project
List interconnect attachments in the Google Cloud project.

interconnectAttachments.list		 interconnect attachments edgenetwork.interconnectAttachments.list
on the target machine Google Cloud project
Get information about an interconnect attachment.

interconnectAttachments.get		 interconnect attachments edgenetwork.interconnectAttachments.get
on the target machine Google Cloud project
Delete an interconnect attachment.

interconnectAttachments.delete		 interconnect attachments edgenetwork.interconnectAttachments.delete
on the target machine Google Cloud project
Create a router.

routers.create		 routers edgenetwork.routers.create
on the target machine Google Cloud project
List routers in the Google Cloud project.

routers.list		 routers edgenetwork.routers.list
on the target machine Google Cloud project
Get status about a router.

routers.getRouterStatus		 routers edgenetwork.routers.getRouterStatus
on the target machine Google Cloud project
Get information about a router.

routers.get		 routers edgenetwork.routers.get
on the target machine Google Cloud project
Modify a router.

routers.update		 routers edgenetwork.routers.update
on the target machine Google Cloud project
Delete a router.

routers.delete		 routers edgenetwork.routers.delete
on the target machine Google Cloud project
List workloads deployed in a zone.

operations.list		 operations edgenetwork.operations.list
on the target machine Google Cloud project
Get information about a workload.

operations.get		 operations edgenetwork.operations.get
on the target machine Google Cloud project
Cancel a workload in progress.

operations.cancel		 operations edgenetwork.operations.cancel
on the target machine Google Cloud project
Delete a workload.

operations.delete		 operations edgenetwork.operations.delete
on the target machine Google Cloud project
List locations in the machine Google Cloud project.

locations.list		 locations edgenetwork.locations.list
on the target machine Google Cloud project
Get information about a location.

locations.get		 locations edgenetwork.locations.get
on the target machine Google Cloud project