Permissions and roles

This page lists the permissions required by Distributed Cloud Edge and the Identity and Access Management roles that encapsulate them.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud Edge resources.

Operation and method Resource Permission
List Zones in the Cloud project

locations.list		 Zones edgecontainer.locations.list on the target Cloud project.
Get information about a Zone

locations.get		 Zones edgecontainer.locations.get on the target Cloud project.
Create a Cluster

clusters.create		 Clusters edgecontainer.clusters.create on the target Cloud project.
List Clusters in the Cloud project

clusters.list		 Clusters edgecontainer.clusters.list on the target Cloud project.
Obtain credentials for the Cluster

clusters.get		 Clusters edgecontainer.clusters.get on the target Cloud project.
Generate an Access Token for the cluster

clusters.generateAccessToken		 Clusters edgecontainer.clusters.generateAccessToken on the target Cloud project.
Modify a Cluster

clusters.update		 Clusters edgecontainer.clusters.update on the target Cloud project.
Delete a Cluster

clusters.delete		 Clusters edgecontainer.clusters.delete on the target Cloud project.
Create a NodePool

nodePools.create		 NodePools edgecontainer.nodePools.create on the target Cloud project.
List NodePools in the Cloud project

nodePools.list		 NodePools edgecontainer.nodePools.list on the target Cloud project.
Get information abut a NodePool

nodePools.get		 NodePools edgecontainer.nodePools.get on the target Cloud project.
Modify a NodePool

nodePools.update		 NodePools edgecontainer.nodePools.update on the target Cloud project.
Delete a NodePool

nodePools.delete		 NodePools edgecontainer.nodePools.delete on the target Cloud project.
Create a Node (Machine)

machines.create		 Nodes edgecontainer.machines.create on the target Cloud project.
List Nodes (Machines) in the Cloud project

machines.list		 Nodes edgecontainer.machines.list on the target Cloud project.
Get information about a Node (Machine)

machines.get		 Nodes edgecontainer.machines.get on the target Cloud project.
Modify a Node (Machine)

machines.update		 Nodes edgecontainer.machines.update on the target Cloud project.
Deploy a workload to a Node (Machine)

machines.use		 Nodes edgecontainer.machines.use on the target Cloud project.
Delete a Node (Machine)

machines.delete		 Nodes edgecontainer.machines.delete on the target Cloud project.
List workloads deployed in a Zone

operations.list		 Operations edgecontainer.operations.list on the target Cloud project.
Get information about a workload

operations.get		 Operations edgecontainer.operations.get on the target Cloud project.
Cancel a workload in progress

operations.cancel		 Operations edgecontainer.operations.cancel on the target Cloud project.
Delete a workload

operations.delete		 Operations edgecontainer.operations.delete on the target Cloud project.
Create a VPN Connection

vpnConnections.create		 VPN Connections edgecontainer.vpnConnections.create on the target Cloud project.
List VPN Connections in the Cloud project

vpnConnections.list		 VPN Connections edgecontainer.vpnConnections.list on the target Cloud project.
Get information abut a VPN Connection

vpnConnections.get		 VPN Connections edgecontainer.vpnConnections.get on the target Cloud project.
Modify a VPN Connection

vpnConnections.update		 VPN Connections edgecontainer.vpnConnections.update on the target Cloud project.
Delete a VPN Connection

vpnConnections.delete		 VPN Connections edgecontainer.vpnConnections.delete on the target Cloud project.

Roles

This section lists the IAM roles that encapsulate Distributed Cloud Edge permissions.

Cloud project roles for Distributed Cloud Edge

The following table lists the Cloud project roles and the Distributed Cloud Edge permissions they encapsulate.

Role Resources Permissions
GDCE Viewer

edgecontainer.viewer		 Zones, Nodes, NodePools, Clusters, VPN Connections
  • edgecontainer.clusters.list
  • edgecontainer.clusters.get
  • edgecontainer.clusters.generateAccessToken
  • edgecontainer.clusters.getIamPolicy
  • edgecontainer.nodePools.list
  • edgecontainer.nodePools.get
  • edgecontainer.nodePools.getIamPolicy
  • edgecontainer.machines.list
  • edgecontainer.machines.get
  • edgecontainer.machines.getIamPolicy
  • edgecontainer.vpnConnections.list
  • edgecontainer.vpnConnections.get
  • edgecontainer.vpnConnections.getIamPolicy
  • edgecontainer.locations.list
  • edgecontainer.locations.get
  • edgecontainer.operations.list
  • edgecontainer.operations.get
GDCE Admin

edgecontainer.admin		 Zones, Nodes, NodePools, Clusters, VPN Connections Includes all permissions from the GDCE Viewer role, plus the following:
  • edgecontainer.clusters.create
  • edgecontainer.clusters.update
  • edgecontainer.clusters.delete
  • edgecontainer.clusters.setIamPolicy
  • edgecontainer.nodePools.create
  • edgecontainer.nodePools.update
  • edgecontainer.nodePools.delete
  • edgecontainer.nodePools.setIamPolicy
  • edgecontainer.machines.create
  • edgecontainer.machines.update
  • edgecontainer.machines.delete
  • edgecontainer.machines.use
  • edgecontainer.machines.setIamPolicy
  • edgecontainer.vpnConnections.create
  • edgecontainer.vpnConnections.update
  • edgecontainer.vpnConnections.delete
  • edgecontainer.vpnConnections.setIamPolicy
  • edgecontainer.operations.cancel
  • edgecontainer.operations.delete
GDCE Machine User

edgecontainer.machineUser		 Machines
  • edgecontainer.machines.use

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least privilege. For instructions, see Creating and managing custom roles.