The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:
- Name: The name of a role displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
- Level: The specification of whether this role is scoped by the organization or a project.
- Type: The type of this role. For example, some possible values are
Role
,ProjectRole
,ClusterRole
, orProjectClusterRole
. - Binding type: The type of binding that you must apply to this role.
- Management API server or Kubernetes cluster permissions: The permissions that this role has for the Management API server or the Kubernetes cluster. For example, some possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: The specification of whether this role escalates to other roles or not.
AO persona, predefined identity and access roles
AO persona | ||||
---|---|---|---|---|
Name | Kubernetes resource name | Initial admin | Level | Type |
Project IAM Admin | project-iam-admin |
True | Project | Role |
AI OCR Developer | ai-ocr-developer |
False | Project | Role |
AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
AI Speech Developer | ai-speech-developer |
False | Project | Role |
AI Translation Developer | ai-translation-developer |
False | Project | Role |
Artifact Management Admin | artifact-management-admin |
False | Project | Role |
Artifact Management Editor | artifact-management-editor |
False | Project | Role |
Certificate Authority Service Admin | certificate-authority-service-admin |
False | Project | Role |
Certificate Service Admin | certificate-service-admin |
False | Project | Role |
Dashboard Editor | dashboard-editor |
False | Project | Role |
Dashboard Viewer | dashboard-viewer |
False | Project | Role |
Harbor Instance Admin | harbor-instance-admin |
False | Project | Role |
Harbor Instance Viewer | harbor-instance-viewer |
False | Project | Role |
Harbor Project Creator | harbor-project-creator |
False | Project | Role |
K8s Network Policy Admin | k8s-networkpolicy-admin |
False | Project | ProjectRole |
Load Balancer Admin | load-balancer-admin |
False | Project | ProjectRole |
LoggingRule Creator | loggingrule-creator |
False | Project | Role |
LoggingRule Editor | loggingrule-editor |
False | Project | Role |
LoggingRule Viewer | loggingrule-viewer |
False | Project | Role |
LoggingTarget Creator | loggingtarget-creator |
False | Project | Role |
LoggingTarget Editor | loggingtarget-editor |
False | Project | Role |
LoggingTarget Viewer | loggingtarget-viewer |
False | Project | Role |
MonitoringRule Editor | monitoringrule-editor |
False | Project | Role |
MonitoringRule Viewer | monitoringrule-viewer |
False | Project | Role |
MonitoringTarget Editor | monitoringtarget-editor |
False | Project | Role |
MonitoringTarget Viewer | monitoringtarget-viewer |
False | Project | Role |
Namespace Admin | namespace-admin |
False | Project | ProjectRole |
NAT Viewer | nat-viewer |
False | Project | ProjectRole |
ObservabilityPipeline Editor | observabilitypipeline-editor |
False | Project | Role |
ObservabilityPipeline Viewer | observabilitypipeline-viewer |
False | Project | Role |
Project Bucket Admin | project-bucket-admin |
False | Project | Role |
Project Bucket Object Admin | project-bucket-object-admin |
False | Project | Role |
Project Bucket Object Viewer | project-bucket-object-viewer |
False | Project | Role |
Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor |
False | Project | Role |
Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer |
False | Project | Role |
Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer |
False | Project | Role |
Project Grafana Viewer | project-grafana-viewer |
False | Project | Role |
Project NetworkPolicy Admin | project-networkpolicy-admin |
False | Project | Role |
Project Viewer | project-viewer |
False | Project | Role |
Project VirtualMachine Admin | project-vm-admin |
False | Project | Role |
Project VirtualMachine Image Admin | project-vm-image-admin |
False | Project | Role |
Secret Admin | secret-admin |
False | Project | Role |
Secret Viewer | secret-viewer |
False | Project | Role |
Service Configuration Admin | service-configuration-admin |
False | Project | Role |
Service Configuration Viewer | service-configuration-viewer |
False | Project | Role |
Workbench Notebooks Admin | workbench-notebooks-admin |
False | Project | Role |
Volume Replication Admin | app-volume-replication-admin |
False | Cluster | Role |
Workbench Notebooks Viewer | workbench-notebooks-viewer |
False | Project | Role |
Workload Viewer | workload-viewer |
False | Project | Role |
AO persona, predefined identity, and access roles
AO persona | ||||
---|---|---|---|---|
Name | Binding type | Management API server permissions | Kubernetes cluster permissions | Escalates to |
Project IAM Admin | RoleBinding |
|
N/A | All other AO roles |
AI OCR Developer | RoleBinding |
OCR resources: Read and write | N/A | N/A |
AI Speech Developer | RoleBinding |
Speech resources: Read and write | N/A | N/A |
AI Translation Developer | RoleBinding |
Translation resources: Read and write | N/A | N/A |
Artifact Management Admin | RoleBinding |
HarborProjects : Admin, create, read, write, delete, and view |
N/A | N/A |
Artifact Management Editor | RoleBinding |
HarborProjects : Read, write, and view |
N/A | N/A |
Certificate Authority Service Admin | RoleBinding |
Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
Certificate Service Admin | RoleBinding |
Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch | N/A | N/A |
Dashboard Editor | RoleBinding |
Dashboard custom resources: Get, read, create, update, delete, and patch |
N/A | N/A |
Dashboard Viewer | RoleBinding |
Dashboard : Get and read |
N/A | N/A |
Harbor Instance Admin | RoleBinding |
Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
Harbor Instance Viewer | RoleBinding |
Harbor instances: Read | N/A | N/A |
Harbor Project Creator | RoleBinding |
Harbor instance projects: Create, get, and watch | N/A | N/A |
K8s NetworkPolicy Admin | ProjectRoleBinding |
N/A | NetworkPolicy resources: Create, read, get, update, delete, and patch |
N/A |
Load Balancer Admin | RoleBinding |
N/A |
|
N/A |
LoggingRule Creator | RoleBinding |
LoggingRule custom resources: Create, read, update, delete, and patch |
N/A | N/A |
LoggingRule Editor | RoleBinding |
LoggingRule custom resources: Create, read, update, delete, and patch |
N/A | N/A |
LoggingRule Viewer | RoleBinding |
LoggingRule custom resources: Read |
N/A | N/A |
LoggingTarget Creator | RoleBinding |
LoggingTarget custom resources: Create, read, update, delete, and patch |
N/A | N/A |
LoggingTarget Editor | RoleBinding |
LoggingTarget custom resources: Create, read, update, delete, and patch |
N/A | N/A |
LoggingTarget Viewer | RoleBinding |
LoggingTarget custom resources: Read |
N/A | N/A |
MonitoringRule Editor | RoleBinding |
MonitoringRule custom resources: Create, read, update, delete, and patch |
N/A | N/A |
MonitoringRule Viewer | RoleBinding |
MonitoringRule custom resources: Read |
N/A | N/A |
MonitoringTarget Editor | RoleBinding |
MonitoringTarget custom resources: Create, read, update, delete, and patch |
N/A | N/A |
MonitoringTarget Viewer | RoleBinding |
MonitoringTarget custom resources: Read |
N/A | N/A |
Namespace Admin | ProjectRoleBinding |
N/A | All resources: Read and write access in the project namespace | N/A |
NAT Viewer | ProjectRoleBinding |
N/A | Deployments: Get and read | N/A |
ObservabilityPipeline Editor | RoleBinding |
ObservabilityPipeline resources: Get, read, create, update, delete, and patch |
N/A | N/A |
ObservabilityPipeline Viewer | RoleBinding |
ObservabilityPipeline resources: Get and read |
N/A | N/A |
Project Bucket Admin | RoleBinding |
Bucket: Read and write in the project namespace | N/A | N/A |
Project Bucket Object Admin | RoleBinding |
|
N/A | N/A |
Project Bucket Object Viewer | RoleBinding |
Bucket and objects: Read | N/A | N/A |
Project Cortex Alertmanager Editor | RoleBinding |
Cortex system and Cortex Alertmanager: Read and write | N/A | N/A |
Project Cortex Alertmanager Viewer | RoleBinding |
Cortex system and Cortex Alertmanager: Read | N/A | N/A |
Project Cortex Prometheus Viewer | RoleBinding |
Cortex system and Cortex Prometheus: Read | N/A | N/A |
Project Grafana Viewer | RoleBinding |
Grafana system and Grafana: Read and write | N/A | N/A |
Project NetworkPolicy Admin | RoleBinding |
Project network policies: Read and write in the project namespace | N/A | N/A |
Project Viewer | RoleBinding |
All resources in the project namespace: Read | N/A | N/A |
Project VirtualMachine Admin | RoleBinding |
|
N/A | N/A |
Project VirtualMachine Image Admin | RoleBinding |
|
N/A | N/A |
Secret Admin | RoleBinding |
Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
Secret Viewer | RoleBinding |
Kubernetes secrets: Read | N/A | N/A |
Service Configuration Admin | RoleBinding |
ServiceConfigurations : Read and write
|
N/A | N/A |
Service Configuration Viewer | RoleBinding |
ServiceConfigurations : Read
|
N/A | N/A |
Volume Replication Admin | ClusterRoleBinding |
Volume failovers, volume relationship replicas :
Create, get, list, watch, delete
|
N/A | N/A |
Workbench Notebooks Admin | RoleBinding |
N/A |
|
N/A |
Workbench Notebooks Viewer | RoleBinding |
N/A |
|
N/A |
Workload Viewer | ProjectRoleBinding |
N/A |
|
N/A |
Common predefined identity and access roles
Common roles | ||||
---|---|---|---|---|
Name | Kubernetes resource name | Initial admin | Level | Type |
AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
DNS Suffix Viewer | dnssuffix-viewer |
False | Organization | Role |
Flow Log Admin | flowlog-admin |
False | Organization | ClusterRole |
Flow Log Viewer | flowlog-viewer |
False | Project | ClusterRole |
Project Discovery Viewer | projectdiscovery-viewer |
False | Project | ClusterRole |
Public Image Viewer | public-image-viewer |
False | Organization | Role |
System Artifact Registry anthos-creds secret Monitor | sar-anthos-creds-secret-monitor |
False | Organization | Role |
System Artifact Registry gpc-system secret Monitor | sar-gpc-system-secret-monitor |
False | Organization | Role |
System Artifact Registry harbor-system secret Monitor | sar-harbor-system-secret-monitor |
False | Organization | Role |
Virtual Machine Type Viewer | virtualmachinetype-viewer |
False | Organization | OrganizationRole |
VM Type Viewer | vmtype-viewer |
False | Organization | Role |
Common predefined identity and access roles
Common roles | ||||
---|---|---|---|---|
Name | Binding type | Admin cluster permissions | Kubernetes cluster permissions | Escalates to |
AI Platform Viewer | RoleBinding |
Pre-trained services: Read | N/A | N/A |
DNS Suffix Viewer | ClusterRoleBinding |
DNS suffix config maps: Read | N/A | N/A |
Flow Log Admin | ClusterRoleBinding |
Flow log resources: Get and read | Flow log resources: Get and read | N/A |
Flow Log Viewer | ClusterRoleBinding |
Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
Project Discovery Viewer | ClusterRoleBinding |
Projects: Read | N/A | N/A |
Public Image Viewer | RoleBinding |
VM images: Read | N/A | N/A |
System Artifact Registry anthos-creds secret Monitor | RoleBinding |
anthos-creds secrets: Get and read |
anthos-creds secrets: Get and read |
N/A |
System Artifact Registry gpc-system secret Monitor | RoleBinding |
gpc-system secrets: Get and read |
gpc-system secrets: Get and read |
N/A |
System Artifact Registry harbor-system secret Monitor | RoleBinding |
harbor-system secrets: Get and read |
harbor-system secrets: Get and read |
N/A |
Virtual Machine Type Viewer | OrganizationRoleBinding |
N/A | VM types: Read | N/A |
VM Type Viewer | ClusterRoleBinding |
VM types: Read | N/A | N/A |