Permissions and roles

This page lists the permissions required by Distributed Cloud Edge and the Identity and Access Management roles that encapsulate them.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud Edge resources. The Method column gives the edgecontainer API method that performs the operation. Every permission in this table is granted on the target Cloud project.

Operation                                   Method                        Resource         Permission
List Zones in the Cloud project             locations.list                Zones            edgecontainer.locations.list
Get information about a Zone                locations.get                 Zones            edgecontainer.locations.get
Create a Cluster                            clusters.create               Clusters         edgecontainer.clusters.create
List Clusters in the Cloud project          clusters.list                 Clusters         edgecontainer.clusters.list
Obtain credentials for the Cluster          clusters.get                  Clusters         edgecontainer.clusters.get
Generate an Access Token for the Cluster    clusters.generateAccessToken  Clusters         edgecontainer.clusters.generateAccessToken
Modify a Cluster                            clusters.update               Clusters         edgecontainer.clusters.update
Delete a Cluster                            clusters.delete               Clusters         edgecontainer.clusters.delete
Create a NodePool                           nodePools.create              NodePools        edgecontainer.nodePools.create
List NodePools in the Cloud project         nodePools.list                NodePools        edgecontainer.nodePools.list
Get information about a NodePool            nodePools.get                 NodePools        edgecontainer.nodePools.get
Modify a NodePool                           nodePools.update              NodePools        edgecontainer.nodePools.update
Delete a NodePool                           nodePools.delete              NodePools        edgecontainer.nodePools.delete
Create a Node (Machine)                     machines.create               Nodes            edgecontainer.machines.create
List Nodes (Machines) in the Cloud project  machines.list                 Nodes            edgecontainer.machines.list
Get information about a Node (Machine)      machines.get                  Nodes            edgecontainer.machines.get
Modify a Node (Machine)                     machines.update               Nodes            edgecontainer.machines.update
Deploy a workload to a Node (Machine)       machines.use                  Nodes            edgecontainer.machines.use
Delete a Node (Machine)                     machines.delete               Nodes            edgecontainer.machines.delete
List workloads deployed in a Zone           operations.list               Operations       edgecontainer.operations.list
Get information about a workload            operations.get                Operations       edgecontainer.operations.get
Cancel a workload in progress               operations.cancel             Operations       edgecontainer.operations.cancel
Delete a workload                           operations.delete             Operations       edgecontainer.operations.delete
Create a VPN Connection                     vpnConnections.create         VPN Connections  edgecontainer.vpnConnections.create
List VPN Connections in the Cloud project   vpnConnections.list           VPN Connections  edgecontainer.vpnConnections.list
Get information about a VPN Connection      vpnConnections.get            VPN Connections  edgecontainer.vpnConnections.get
Modify a VPN Connection                     vpnConnections.update         VPN Connections  edgecontainer.vpnConnections.update
Delete a VPN Connection                     vpnConnections.delete         VPN Connections  edgecontainer.vpnConnections.delete

Roles

This section lists the IAM roles that encapsulate Distributed Cloud Edge permissions.

Cloud project roles for Distributed Cloud Edge

The following table lists the Cloud project roles and the Distributed Cloud Edge permissions they encapsulate.

GDCE Viewer (role ID: edgecontainer.viewer)
Resources: Zones, Nodes, NodePools, Clusters, VPN Connections
Permissions:
  • edgecontainer.clusters.list
  • edgecontainer.clusters.get
  • edgecontainer.clusters.generateAccessToken
  • edgecontainer.clusters.getIamPolicy
  • edgecontainer.nodePools.list
  • edgecontainer.nodePools.get
  • edgecontainer.nodePools.getIamPolicy
  • edgecontainer.machines.list
  • edgecontainer.machines.get
  • edgecontainer.machines.getIamPolicy
  • edgecontainer.vpnConnections.list
  • edgecontainer.vpnConnections.get
  • edgecontainer.vpnConnections.getIamPolicy
  • edgecontainer.locations.list
  • edgecontainer.locations.get
  • edgecontainer.operations.list
  • edgecontainer.operations.get

GDCE Admin (role ID: edgecontainer.admin)
Resources: Zones, Nodes, NodePools, Clusters, VPN Connections
Permissions: all permissions from the GDCE Viewer role, plus the following:
  • edgecontainer.clusters.create
  • edgecontainer.clusters.update
  • edgecontainer.clusters.delete
  • edgecontainer.clusters.setIamPolicy
  • edgecontainer.nodePools.create
  • edgecontainer.nodePools.update
  • edgecontainer.nodePools.delete
  • edgecontainer.nodePools.setIamPolicy
  • edgecontainer.machines.create
  • edgecontainer.machines.update
  • edgecontainer.machines.delete
  • edgecontainer.machines.use
  • edgecontainer.machines.setIamPolicy
  • edgecontainer.vpnConnections.create
  • edgecontainer.vpnConnections.update
  • edgecontainer.vpnConnections.delete
  • edgecontainer.vpnConnections.setIamPolicy
  • edgecontainer.operations.cancel
  • edgecontainer.operations.delete

GDCE Machine User (role ID: edgecontainer.machineUser)
Resources: Nodes (Machines)
Permissions:
  • edgecontainer.machines.use

Two points are worth noting when choosing between these roles:
  • GDCE Viewer is not strictly read-only. It includes edgecontainer.clusters.generateAccessToken, so any principal holding it can obtain an access token for a cluster; what that token may do is then decided by the cluster's own Kubernetes authorization, not by these IAM roles. Grant Viewer only to principals you are willing to let authenticate to the clusters, and use a custom role for pure inventory access.
  • The roles also carry getIamPolicy (Viewer) and setIamPolicy (Admin) permissions on Clusters, NodePools, Nodes and VPN Connections that do not correspond to any operation in the permissions table above. setIamPolicy lets an Admin change who can reach those resources, so treat GDCE Admin as an identity-administration role as well as an operational one.

Custom roles

Google Cloud also allows you to create custom roles that bundle only the permissions a particular job needs, for example to apply the principle of least privilege instead of granting GDCE Viewer or GDCE Admin wholesale. For instructions, see Creating and managing custom roles.
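The script below is an added example and is not part of the Distributed Cloud Edge documentation or of any Google tool. It shows one way to put the custom-role advice into practice: it assembles the YAML that `gcloud iam roles create` accepts from an explicit permission list, and refuses to emit the file if any permission in the list does more than read. The role ID gdceClusterInventory, the title and description, and PROJECT_ID are placeholders; the decision to count setIamPolicy and generateAccessToken as non-read permissions is an editorial classification derived from the operation descriptions above, not a Google-defined category.

```shell
#!/bin/sh
# Added example, not code from the Distributed Cloud Edge documentation.
# Builds a custom IAM role from an explicit list of edgecontainer permissions
# and refuses to emit it if any permission does more than read.
# The role ID, title, description and PROJECT_ID used below are placeholders.

# A permission counts as "more than read" when its verb creates, changes,
# deletes, uses or cancels a resource, changes an IAM policy, or issues a
# credential. The verb list is taken from the permission names in the
# GDCE Admin role; generateAccessToken is included because it mints a cluster
# access token (editorial classification, not a Google-defined category).
is_mutating() {
  case "$1" in
    *.create|*.update|*.delete|*.use|*.cancel|*.setIamPolicy|*.generateAccessToken)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print every non-read permission among the arguments; return 1 if any was found.
audit_readonly() {
  bad=0
  for p in "$@"; do
    if is_mutating "$p"; then
      echo "not read-only: $p"
      bad=1
    fi
  done
  return "$bad"
}

# Emit the YAML accepted by
#   gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE
# (title, description, launch stage, includedPermissions).
role_yaml() {
  title=$1
  description=$2
  shift 2
  printf 'title: "%s"\n' "$title"
  printf 'description: "%s"\n' "$description"
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for p in "$@"; do
    printf '%s\n' "- $p"
  done
}

# Same as role_yaml, but writes nothing to stdout and returns 1 if a write
# permission slipped into the list, so a pipeline cannot silently create an
# over-privileged role. Audit findings go to stderr.
readonly_role_yaml() {
  title=$1
  description=$2
  shift 2
  audit_readonly "$@" >&2 || return 1
  role_yaml "$title" "$description" "$@"
}

# Permissions of the predefined GDCE Viewer role, as listed on this page.
# Word-splitting on this variable is intended wherever it is expanded unquoted.
VIEWER_PERMS="edgecontainer.clusters.list edgecontainer.clusters.get
edgecontainer.clusters.generateAccessToken edgecontainer.clusters.getIamPolicy
edgecontainer.nodePools.list edgecontainer.nodePools.get edgecontainer.nodePools.getIamPolicy
edgecontainer.machines.list edgecontainer.machines.get edgecontainer.machines.getIamPolicy
edgecontainer.vpnConnections.list edgecontainer.vpnConnections.get edgecontainer.vpnConnections.getIamPolicy
edgecontainer.locations.list edgecontainer.locations.get
edgecontainer.operations.list edgecontainer.operations.get"

# The same set minus generateAccessToken: inventory access to zones, clusters,
# node pools, nodes and VPN connections without the ability to obtain cluster
# credentials.
INVENTORY_PERMS=$(printf '%s\n' $VIEWER_PERMS | grep -v generateAccessToken)

# Number of permissions in a generated role file, for a final sanity check.
count_perms() {
  grep -c '^- ' "$1"
}

# Demonstration: the predefined Viewer role fails the read-only audit ...
audit_readonly $VIEWER_PERMS || echo "GDCE Viewer is not read-only; building a custom role instead"

# ... while the inventory role passes and can be handed to gcloud.
ROLE_FILE=$(mktemp)
readonly_role_yaml "GDCE Cluster Inventory" \
  "Read GDCE zones, clusters, node pools, nodes and VPN connections without minting cluster credentials" \
  $INVENTORY_PERMS > "$ROLE_FILE"
echo "wrote $(count_perms "$ROLE_FILE") permissions to $ROLE_FILE"
echo "create with: gcloud iam roles create gdceClusterInventory --project PROJECT_ID --file $ROLE_FILE"
```

Run it once to produce the role file, review the file, then run the printed gcloud command with your own project ID. The audit is deliberately a denylist of verbs rather than an allowlist of known permissions, so a new edgecontainer permission with a read verb (get, list, getIamPolicy) passes while anything that creates, changes, uses, cancels or issues credentials is rejected; extend the case pattern if Google adds verbs you consider privileged.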