Permissions and roles

Stay organized with collections Save and categorize content based on your preferences.

This page lists the permissions required by Distributed Cloud Edge and the Identity and Access Management roles that encapsulate them.

Permissions

This section lists the permissions required to perform specific operations on Distributed Cloud Edge resources.

Operation and method Resource Permission
List Regions in the Cloud project

locations.list		 Regions edgecontainer.locations.list on the target Cloud project.
Get information about a Region

locations.get		 Regions edgecontainer.locations.get on the target Cloud project.
Create a Cluster

clusters.create		 Clusters edgecontainer.clusters.create on the target Cloud project.
List Clusters in the Cloud project

clusters.list		 Clusters edgecontainer.clusters.list on the target Cloud project.
Obtain credentials for the Cluster

clusters.get		 Clusters edgecontainer.clusters.get on the target Cloud project.
Generate an Access Token for the cluster

clusters.generateAccessToken		 Clusters edgecontainer.clusters.generateAccessToken on the target Cloud project.
Modify a Cluster

clusters.update		 Clusters edgecontainer.clusters.update on the target Cloud project.
Delete a Cluster

clusters.delete		 Clusters edgecontainer.clusters.delete on the target Cloud project.
Create a NodePool

nodePools.create		 NodePools edgecontainer.nodePools.create on the target Cloud project.
List NodePools in the Cloud project

nodePools.list		 NodePools edgecontainer.nodePools.list on the target Cloud project.
Get information abut a NodePool

nodePools.get		 NodePools edgecontainer.nodePools.get on the target Cloud project.
Modify a NodePool

nodePools.update		 NodePools edgecontainer.nodePools.update on the target Cloud project.
Delete a NodePool

nodePools.delete		 NodePools edgecontainer.nodePools.delete on the target Cloud project.
Create a Node (Machine)

machines.create		 Nodes edgecontainer.machines.create on the target Cloud project.
List Nodes (Machines) in the Cloud project

machines.list		 Nodes edgecontainer.machines.list on the target Cloud project.
Get information about a Node (Machine)

machines.get		 Nodes edgecontainer.machines.get on the target Cloud project.
Modify a Node (Machine)

machines.update		 Nodes edgecontainer.machines.update on the target Cloud project.
Deploy a workload to a Node (Machine)

machines.use		 Nodes edgecontainer.machines.use on the target Cloud project.
Delete a Node (Machine)

machines.delete		 Nodes edgecontainer.machines.delete on the target Cloud project.
List workloads deployed in a Zone

operations.list		 Operations edgecontainer.operations.list on the target Cloud project.
Get information about a workload

operations.get		 Operations edgecontainer.operations.get on the target Cloud project.
Cancel a workload in progress

operations.cancel		 Operations edgecontainer.operations.cancel on the target Cloud project.
Delete a workload

operations.delete		 Operations edgecontainer.operations.delete on the target Cloud project.
Create a VPN Connection

vpnConnections.create		 VPN Connections edgecontainer.vpnConnections.create on the target Cloud project.
List VPN Connections in the Cloud project

vpnConnections.list		 VPN Connections edgecontainer.vpnConnections.list on the target Cloud project.
Get information abut a VPN Connection

vpnConnections.get		 VPN Connections edgecontainer.vpnConnections.get on the target Cloud project.
Modify a VPN Connection

vpnConnections.update		 VPN Connections edgecontainer.vpnConnections.update on the target Cloud project.
Delete a VPN Connection

vpnConnections.delete		 VPN Connections edgecontainer.vpnConnections.delete on the target Cloud project.
List Zones in the Cloud project

zones.list		 Zones edgenetwork.zones.list on the target machine Cloud project.
Get information about a Zone

zones.get		 Zones edgenetwork.zones.get on the target machine Cloud project.
Initialize a Zone

zones.initialize		 Zones edgenetwork.zones.initialize on the target machine Cloud project.
Create a Network

networks.create		 Networks edgenetwork.networks.create on the target machine Cloud project.
List Networks in the Cloud project

networks.list		 Networks edgenetwork.networks.list on the target machine Cloud project.
Get information about a Network

networks.get		 Networks edgenetwork.networks.get on the target machine Cloud project.
Get status about a Network

networks.getStatus		 Networks edgenetwork.networks.getStatus on the target machine Cloud project.
Delete a Network

networks.delete		 Networks edgenetwork.networks.delete on the target machine Cloud project.
Create a Subnet

subnetworks.create		 Subnets edgenetwork.subnetworks.create on the target machine Cloud project.
List Subnets in the Cloud project

subnetworks.list		 Subnets edgenetwork.subnetworks.list on the target machine Cloud project.
Get information about a Subnet

subnetworks.get		 Subnets edgenetwork.subnetworks.get on the target machine Cloud project.
Delete a Subnet

subnetworks.delete		 Subnets edgenetwork.subnetworks.delete on the target machine Cloud project.
List Interconnects in the Cloud project

interconnects.list		 Interconnects edgenetwork.interconnects.list on the target machine Cloud project.
Get information about an Interconnect

interconnects.get		 Interconnects edgenetwork.interconnects.get on the target machine Cloud project.
Get diagnostic information about an Interconnect

interconnects.getDiagnostics		 Interconnects edgenetwork.interconnects.getDiagnostics on the target machine Cloud project.
Create an InterconnectAttachment

interconnectAttachments.create		 InterconnectAttachments edgenetwork.interconnectAttachments.create on the target machine Cloud project.
List InterconnectAttachments in the Cloud project

interconnectAttachments.list		 InterconnectAttachments edgenetwork.interconnectAttachments.list on the target machine Cloud project.
Get information about an InterconnectAttachment

interconnectAttachments.get		 InterconnectAttachments edgenetwork.interconnectAttachments.get on the target machine Cloud project.
Delete an InterconnectAttachment

interconnectAttachments.delete		 InterconnectAttachments edgenetwork.interconnectAttachments.delete on the target machine Cloud project.
Create a Router

routers.create		 Routers edgenetwork.routers.create on the target machine Cloud project.
List Routers in the Cloud project

routers.list		 Routers edgenetwork.routers.list on the target machine Cloud project.
Get status about a Router

routers.getRouterStatus		 Routers edgenetwork.routers.getRouterStatus on the target machine Cloud project.
Get information about a Router

routers.get		 Routers edgenetwork.routers.get on the target machine Cloud project.
Modify a Router

routers.update		 Routers edgenetwork.routers.update on the target machine Cloud project.
Delete a Router

routers.delete		 Routers edgenetwork.routers.delete on the target machine Cloud project.
List workloads deployed in a Zone

operations.list		 Operations edgenetwork.operations.list on the target machine Cloud project.
Get information about a workload

operations.get		 Operations edgenetwork.operations.get on the target machine Cloud project.
Cancel a workload in progress

operations.cancel		 Operations edgenetwork.operations.cancel on the target machine Cloud project.
Delete a workload

operations.delete		 Operations edgenetwork.operations.delete on the target machine Cloud project.
List Locations in the machine Cloud project

locations.list		 Locations edgenetwork.locations.list on the target machine Cloud project.
Get information about a Location

locations.get		 Locations edgenetwork.locations.get on the target machine Cloud project.

Roles

This section lists the IAM roles that encapsulate Distributed Cloud Edge permissions.

Cloud project roles for Distributed Cloud Edge

The following table lists the Cloud project roles and the Distributed Cloud Edge permissions they encapsulate.

Role Resources Permissions
GDCE Viewer

edgecontainer.viewer		 Zones, Nodes, NodePools, Clusters, VPN Connections
  • edgecontainer.clusters.list
  • edgecontainer.clusters.get
  • edgecontainer.clusters.generateAccessToken
  • edgecontainer.clusters.getIamPolicy
  • edgecontainer.nodePools.list
  • edgecontainer.nodePools.get
  • edgecontainer.nodePools.getIamPolicy
  • edgecontainer.machines.list
  • edgecontainer.machines.get
  • edgecontainer.machines.getIamPolicy
  • edgecontainer.vpnConnections.list
  • edgecontainer.vpnConnections.get
  • edgecontainer.vpnConnections.getIamPolicy
  • edgecontainer.locations.list
  • edgecontainer.locations.get
  • edgecontainer.operations.list
  • edgecontainer.operations.get
GDCE Admin

edgecontainer.admin		 Zones, Nodes, NodePools, Clusters, VPN Connections Includes all permissions from the GDCE Viewer role, plus the following:
  • edgecontainer.clusters.create
  • edgecontainer.clusters.update
  • edgecontainer.clusters.delete
  • edgecontainer.clusters.setIamPolicy
  • edgecontainer.nodePools.create
  • edgecontainer.nodePools.update
  • edgecontainer.nodePools.delete
  • edgecontainer.nodePools.setIamPolicy
  • edgecontainer.machines.create
  • edgecontainer.machines.update
  • edgecontainer.machines.delete
  • edgecontainer.machines.use
  • edgecontainer.machines.setIamPolicy
  • edgecontainer.vpnConnections.create
  • edgecontainer.vpnConnections.update
  • edgecontainer.vpnConnections.delete
  • edgecontainer.vpnConnections.setIamPolicy
  • edgecontainer.operations.cancel
  • edgecontainer.operations.delete
GDCE Machine User

edgecontainer.machineUser		 Machines
  • edgecontainer.machines.use
GDCE Network Viewer

edgenetwork.viewer		 Zones, Networks, Subnets, Interconnects, InterconnectAttachments, Routers, Locations, Operations
  • edgenetwork.networks.list
  • edgenetwork.networks.get
  • edgenetwork.networks.getStatus
  • edgenetwork.networks.getIamPolicy
  • edgenetwork.subnetworks.list
  • edgenetwork.subnetworks.get
  • edgenetwork.subnetworks.getIamPolicy
  • edgenetwork.interconnects.list
  • edgenetwork.interconnects.get
  • edgenetwork.interconnects.getDiagnostics
  • edgenetwork.interconnects.getIamPolicy
  • edgenetwork.interconnectAttachments.list
  • edgenetwork.interconnectAttachments.get
  • edgenetwork.interconnectAttachments.getIamPolicy
  • edgenetwork.routers.list
  • edgenetwork.routers.get
  • edgenetwork.routers.getRouterStatus
  • edgenetwork.routers.getIamPolicy
  • edgenetwork.zones.list
  • edgenetwork.zones.get
  • edgenetwork.locations.list
  • edgenetwork.locations.get
  • edgenetwork.operations.list
  • edgenetwork.operations.get
GDCE Network Admin

edgenetwork.admin		 Zones, Networks, Subnets, Interconnects, InterconnectAttachments, Routers, Operations Includes all permissions from the GDCE Network Viewer role, plus the following:
  • edgenetwork.networks.create
  • edgenetwork.networks.delete
  • edgenetwork.networks.setIamPolicy
  • edgenetwork.subnetworks.create
  • edgenetwork.subnetworks.delete
  • edgenetwork.subnetworks.setIamPolicy
  • edgenetwork.interconnects.setIamPolicy
  • edgenetwork.interconnectAttachments.create
  • edgenetwork.interconnectAttachments.delete
  • edgenetwork.interconnectAttachments.setIamPolicy
  • edgenetwork.routers.create
  • edgenetwork.routers.update
  • edgenetwork.routers.patch
  • edgenetwork.routers.delete
  • edgenetwork.routers.setIamPolicy
  • edgenetwork.zones.initialize
  • edgenetwork.operations.cancel
  • edgenetwork.operations.delete

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least privilege. For instructions, see Creating and managing custom roles.