Role definitions for projects

The tables in this section describe the predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of the role as displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource. This is the name you reference in a binding.
  • Initial admin: Whether the role is held by the initial administrator of a project. Only Project IAM Admin is marked True in the tables.
  • Level: Whether the role is scoped to the organization or to a project.
  • Type: The type of the role. Possible values are Role, ProjectRole, ClusterRole, ProjectClusterRole, or OrganizationRole.
  • Binding type: The type of binding that you must create to grant this role. Use the binding type listed for the role rather than inferring it from the role type.
  • Management API server or Kubernetes cluster permissions: The permissions that the role grants on the Management API server (labelled "Admin cluster permissions" in the common roles table) or on the Kubernetes cluster. Typical values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The other roles that a holder of this role can effectively obtain. A role that can create and bind role bindings escalates to every role it is allowed to bind, so review it as if it were the union of those roles.

AO persona, predefined identity and access roles

AO persona: role properties

Name | Kubernetes resource name | Initial admin | Level | Type
Project IAM Admin | project-iam-admin | True | Project | Role
AI OCR Developer | ai-ocr-developer | False | Project | Role
AI Platform Viewer | ai-platform-viewer | False | Project | Role
AI Speech Developer | ai-speech-developer | False | Project | Role
AI Translation Developer | ai-translation-developer | False | Project | Role
Artifact Management Admin | artifact-management-admin | False | Project | Role
Artifact Management Editor | artifact-management-editor | False | Project | Role
Certificate Authority Service Admin | certificate-authority-service-admin | False | Project | Role
Certificate Service Admin | certificate-service-admin | False | Project | Role
Dashboard Editor | dashboard-editor | False | Project | Role
Dashboard Viewer | dashboard-viewer | False | Project | Role
Harbor Instance Admin | harbor-instance-admin | False | Project | Role
Harbor Instance Viewer | harbor-instance-viewer | False | Project | Role
Harbor Project Creator | harbor-project-creator | False | Project | Role
K8s NetworkPolicy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole
Load Balancer Admin | load-balancer-admin | False | Project | ProjectRole
LoggingRule Creator | loggingrule-creator | False | Project | Role
LoggingRule Editor | loggingrule-editor | False | Project | Role
LoggingRule Viewer | loggingrule-viewer | False | Project | Role
LoggingTarget Creator | loggingtarget-creator | False | Project | Role
LoggingTarget Editor | loggingtarget-editor | False | Project | Role
LoggingTarget Viewer | loggingtarget-viewer | False | Project | Role
MonitoringRule Editor | monitoringrule-editor | False | Project | Role
MonitoringRule Viewer | monitoringrule-viewer | False | Project | Role
MonitoringTarget Editor | monitoringtarget-editor | False | Project | Role
MonitoringTarget Viewer | monitoringtarget-viewer | False | Project | Role
Namespace Admin | namespace-admin | False | Project | ProjectRole
NAT Viewer | nat-viewer | False | Project | ProjectRole
ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project | Role
ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project | Role
Project Bucket Admin | project-bucket-admin | False | Project | Role
Project Bucket Object Admin | project-bucket-object-admin | False | Project | Role
Project Bucket Object Viewer | project-bucket-object-viewer | False | Project | Role
Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor | False | Project | Role
Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | False | Project | Role
Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | False | Project | Role
Project Grafana Viewer | project-grafana-viewer | False | Project | Role
Project NetworkPolicy Admin | project-networkpolicy-admin | False | Project | Role
Project Viewer | project-viewer | False | Project | Role
Project VirtualMachine Admin | project-vm-admin | False | Project | Role
Project VirtualMachine Image Admin | project-vm-image-admin | False | Project | Role
Secret Admin | secret-admin | False | Project | Role
Secret Viewer | secret-viewer | False | Project | Role
Service Configuration Admin | service-configuration-admin | False | Project | Role
Service Configuration Viewer | service-configuration-viewer | False | Project | Role
Volume Replication Admin | app-volume-replication-admin | False | Cluster | Role
Workbench Notebooks Admin | workbench-notebooks-admin | False | Project | Role
Workbench Notebooks Viewer | workbench-notebooks-viewer | False | Project | Role
Workload Viewer | workload-viewer | False | Project | Role

AO persona: binding types and permissions

Name | Binding type | Management API server permissions | Kubernetes cluster permissions | Escalates to
Project IAM Admin | RoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind; ProjectServiceAccount: Create, read, update, and delete; project namespace: List | N/A | All other AO roles
AI OCR Developer | RoleBinding | OCR resources: Read and write | N/A | N/A
AI Speech Developer | RoleBinding | Speech resources: Read and write | N/A | N/A
AI Translation Developer | RoleBinding | Translation resources: Read and write | N/A | N/A
Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | N/A | N/A
Artifact Management Editor | RoleBinding | HarborProjects: Read, write, and view | N/A | N/A
Certificate Authority Service Admin | RoleBinding | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A
Certificate Service Admin | RoleBinding | Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch | N/A | N/A
Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A
Dashboard Viewer | RoleBinding | Dashboard custom resources: Get and read | N/A | N/A
Harbor Instance Admin | RoleBinding | Harbor instances: Create, read, update, delete, and patch | N/A | N/A
Harbor Instance Viewer | RoleBinding | Harbor instances: Read | N/A | N/A
Harbor Project Creator | RoleBinding | Harbor instance projects: Create, get, and watch | N/A | N/A
K8s NetworkPolicy Admin | ProjectRoleBinding | N/A | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A
Load Balancer Admin | RoleBinding | N/A | Backend, HealthCheck, BackendService, ForwardingRuleExternal, and ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A
LoggingRule Creator | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A
LoggingRule Editor | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A
LoggingRule Viewer | RoleBinding | LoggingRule custom resources: Read | N/A | N/A
LoggingTarget Creator | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A
LoggingTarget Editor | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A
LoggingTarget Viewer | RoleBinding | LoggingTarget custom resources: Read | N/A | N/A
MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A
MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A
MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A
MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A
Namespace Admin | ProjectRoleBinding | N/A | All resources in the project namespace: Read and write | N/A
NAT Viewer | ProjectRoleBinding | N/A | Deployments: Get and read | N/A
ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A
ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A
Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A
Project Bucket Object Admin | RoleBinding | Bucket: Read; objects: Read and write | N/A | N/A
Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A
Project Cortex Alertmanager Editor | RoleBinding | Cortex system and Cortex Alertmanager: Read and write | N/A | N/A
Project Cortex Alertmanager Viewer | RoleBinding | Cortex system and Cortex Alertmanager: Read | N/A | N/A
Project Cortex Prometheus Viewer | RoleBinding | Cortex system and Cortex Prometheus: Read | N/A | N/A
Project Grafana Viewer | RoleBinding | Grafana system and Grafana: Read and write | N/A | N/A
Project NetworkPolicy Admin | RoleBinding | Project network policies in the project namespace: Read and write | N/A | N/A
Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A
Project VirtualMachine Admin | RoleBinding | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete; virtual machine restart: Put; virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A
Project VirtualMachine Image Admin | RoleBinding | VM images: Read; VM image imports: Read and write | N/A | N/A
Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A
Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A
Service Configuration Admin | RoleBinding | ServiceConfigurations: Read and write | N/A | N/A
Service Configuration Viewer | RoleBinding | ServiceConfigurations: Read | N/A | N/A
Volume Replication Admin | ClusterRoleBinding | Volume failovers and volume relationship replicas: Create, get, list, watch, and delete | N/A | N/A
Workbench Notebooks Admin | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete; ClusterInfo objects: Read | N/A
Workbench Notebooks Viewer | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A
Workload Viewer | ProjectRoleBinding | N/A | Pods and Deployments in the project namespace: Read | N/A

Project IAM Admin is the only AO role that escalates. Because it can create and bind every binding type listed, anyone holding it can grant themselves every other AO role in the project, including Secret Admin and Namespace Admin, so grant it only to identities you would trust with all of those roles.

Common predefined identity and access roles

Common roles: role properties

Name | Kubernetes resource name | Initial admin | Level | Type
AI Platform Viewer | ai-platform-viewer | False | Project | Role
DNS Suffix Viewer | dnssuffix-viewer | False | Organization | Role
Flow Log Admin | flowlog-admin | False | Organization | ClusterRole
Flow Log Viewer | flowlog-viewer | False | Project | ClusterRole
Project Discovery Viewer | projectdiscovery-viewer | False | Project | ClusterRole
Public Image Viewer | public-image-viewer | False | Organization | Role
System Artifact Registry anthos-creds secret Monitor | sar-anthos-creds-secret-monitor | False | Organization | Role
System Artifact Registry gpc-system secret Monitor | sar-gpc-system-secret-monitor | False | Organization | Role
System Artifact Registry harbor-system secret Monitor | sar-harbor-system-secret-monitor | False | Organization | Role
Virtual Machine Type Viewer | virtualmachinetype-viewer | False | Organization | OrganizationRole
VM Type Viewer | vmtype-viewer | False | Organization | Role

Common roles: binding types and permissions

Name | Binding type | Admin cluster permissions | Kubernetes cluster permissions | Escalates to
AI Platform Viewer | RoleBinding | Pre-trained services: Read | N/A | N/A
DNS Suffix Viewer | ClusterRoleBinding | DNS suffix config maps: Read | N/A | N/A
Flow Log Admin | ClusterRoleBinding | Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A
Flow Log Viewer | ClusterRoleBinding | Flow log resources: Get and read | Flow log resources: Get and read | N/A
Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A
Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A
System Artifact Registry anthos-creds secret Monitor | RoleBinding | anthos-creds secrets: Get and read | anthos-creds secrets: Get and read | N/A
System Artifact Registry gpc-system secret Monitor | RoleBinding | gpc-system secrets: Get and read | gpc-system secrets: Get and read | N/A
System Artifact Registry harbor-system secret Monitor | RoleBinding | harbor-system secrets: Get and read | harbor-system secrets: Get and read | N/A
Virtual Machine Type Viewer | OrganizationRoleBinding | N/A | VM types: Read | N/A
VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A

The three System Artifact Registry secret Monitor roles grant get and read on the anthos-creds, gpc-system, and harbor-system secrets on both the admin cluster and the Kubernetes cluster. Reading a secret returns its contents, so bind these roles only to the monitoring identity that needs them.
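The following script is an added example and is not part of the product documentation or the product's own tooling. It shows how the tables above turn into a concrete access review: given the JSON that `kubectl get rolebindings,clusterrolebindings -o json` emits, it checks each binding against the binding type the tables require, flags bindings to roles that are not predefined, and expands a subject's direct roles through the "Escalates to" column so that a holder of Project IAM Admin is reported as effectively holding every AO role. The role table is a hand-copied subset of the tables on this page. The binding list, the subject names and namespaces, and the role `my-custom-role` are constructed for the example. The script assumes that ProjectRoleBinding and OrganizationRoleBinding objects, whose schema this page does not describe, expose `kind`, `roleRef`, and `subjects` the same way as standard Kubernetes bindings.

```python
"""Audit role bindings against the predefined-role tables on this page.

Added example, not part of the product documentation. Reads the JSON that
`kubectl get rolebindings,clusterrolebindings -o json` produces, checks each
binding against the binding type the tables require, and computes the roles a
subject effectively holds once the "Escalates to" column is applied.
"""
import json

# Kubernetes resource name -> (type, required binding type, escalates to),
# copied from the tables above. "ALL_AO_ROLES" stands for "All other AO roles".
PREDEFINED_ROLES = {
    "project-iam-admin": ("Role", "RoleBinding", "ALL_AO_ROLES"),
    "project-viewer": ("Role", "RoleBinding", None),
    "secret-admin": ("Role", "RoleBinding", None),
    "secret-viewer": ("Role", "RoleBinding", None),
    "namespace-admin": ("ProjectRole", "ProjectRoleBinding", None),
    "k8s-networkpolicy-admin": ("ProjectRole", "ProjectRoleBinding", None),
    "app-volume-replication-admin": ("ClusterRole", "ClusterRoleBinding", None),
    "flowlog-admin": ("ClusterRole", "ClusterRoleBinding", None),  # common role, not AO
}
AO_ROLES = {name for name in PREDEFINED_ROLES if name != "flowlog-admin"}

# Constructed sample input (not captured from a real cluster), in kubectl's List
# shape. Subject names, namespaces and "my-custom-role" are illustrative.
SAMPLE_BINDINGS_JSON = """
{"kind": "List", "items": [
 {"kind": "RoleBinding", "metadata": {"name": "alice-iam-admin", "namespace": "proj-a"},
  "roleRef": {"kind": "Role", "name": "project-iam-admin"},
  "subjects": [{"kind": "User", "name": "alice@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "bob-secret-viewer", "namespace": "proj-a"},
  "roleRef": {"kind": "Role", "name": "secret-viewer"},
  "subjects": [{"kind": "User", "name": "bob@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-namespace-admin", "namespace": "proj-a"},
  "roleRef": {"kind": "ProjectRole", "name": "namespace-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "proj-a"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "carol-volume-replication"},
  "roleRef": {"kind": "ClusterRole", "name": "app-volume-replication-admin"},
  "subjects": [{"kind": "User", "name": "carol@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dave-custom", "namespace": "proj-a"},
  "roleRef": {"kind": "Role", "name": "my-custom-role"},
  "subjects": [{"kind": "User", "name": "dave@example.com"}]}
]}
"""


def subject_key(subject):
    """Canonical subject string: 'User:alice@example.com' or 'ServiceAccount:proj-a/ci'."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def parse_bindings(raw_json):
    """Flatten a List document or a single binding into (kind, name, role, subject) tuples."""
    doc = json.loads(raw_json)
    return [
        (item["kind"], item["metadata"]["name"], item["roleRef"]["name"], subject_key(s))
        for item in doc.get("items", [doc])
        for s in item.get("subjects", [])  # a binding with no subjects grants nothing
    ]


def audit_bindings(raw_json):
    """Return sorted (binding name, finding) pairs for bindings that need review."""
    findings = []
    for kind, bname, role, subj in parse_bindings(raw_json):
        entry = PREDEFINED_ROLES.get(role)
        if entry is None:
            findings.append((bname, f"{role} is not a predefined role; review its rules manually"))
            continue
        _, required_kind, escalates = entry
        if kind != required_kind:  # the tables fix the binding type for each role
            findings.append((bname, f"{role} requires {required_kind}, found {kind}"))
        if escalates:
            findings.append((bname, f"{subj} holds {role}, which escalates to {escalates}"))
    return sorted(findings)


def effective_roles(raw_json, subject):
    """Direct roles of a subject plus every role reachable through escalation.

    Project IAM Admin can create and bind role bindings in the project, so its
    holder can grant itself any other AO role; the closure below follows that."""
    direct = {role for _, _, role, subj in parse_bindings(raw_json) if subj == subject}
    reachable, frontier = set(direct), list(direct)
    while frontier:
        entry = PREDEFINED_ROLES.get(frontier.pop())
        if not entry or not entry[2]:
            continue
        gained = AO_ROLES if entry[2] == "ALL_AO_ROLES" else set(entry[2])
        for role in gained - reachable:
            reachable.add(role)
            frontier.append(role)
    return reachable


if __name__ == "__main__":
    for name, message in audit_bindings(SAMPLE_BINDINGS_JSON):
        print(f"{name}: {message}")
    print(sorted(effective_roles(SAMPLE_BINDINGS_JSON, "User:alice@example.com")))
```

Run against the constructed input, the audit reports three bindings: the one that grants `project-iam-admin` (escalation), the one that binds `namespace-admin` with a RoleBinding instead of the ProjectRoleBinding the table requires, and the one that references a role outside the predefined set. The escalation closure is written as a worklist so that it would also follow chains of roles that escalate to a named list of roles, even though the only escalating role on this page escalates to all AO roles.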