The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:
- Name: The name of a role displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
- Level: The specification of whether this role is scoped by the organization or a project.
- Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
- Binding type: The type of binding that you must apply to this role.
- Management API server or Kubernetes cluster permissions: The permissions that this role has for the Management API server or the Kubernetes cluster. For example, some possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: The specification of whether this role escalates to other roles or not.
AO persona, predefined identity and access roles
| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| Project IAM Admin | project-iam-admin | True | Project | Role |
| AI OCR Developer | ai-ocr-developer | False | Project | Role |
| AI Platform Viewer | ai-platform-viewer | False | Project | Role |
| AI Speech Developer | ai-speech-developer | False | Project | Role |
| AI Translation Developer | ai-translation-developer | False | Project | Role |
| Artifact Management Admin | artifact-management-admin | False | Project | Role |
| Artifact Management Editor | artifact-management-editor | False | Project | Role |
| Certificate Authority Service Admin | certificate-authority-service-admin | False | Project | Role |
| Certificate Service Admin | certificate-service-admin | False | Project | Role |
| Dashboard Editor | dashboard-editor | False | Project | Role |
| Dashboard Viewer | dashboard-viewer | False | Project | Role |
| Harbor Instance Admin | harbor-instance-admin | False | Project | Role |
| Harbor Instance Viewer | harbor-instance-viewer | False | Project | Role |
| Harbor Project Creator | harbor-project-creator | False | Project | Role |
| K8s Network Policy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole |
| Load Balancer Admin | load-balancer-admin | False | Project | ProjectRole |
| LoggingRule Creator | loggingrule-creator | False | Project | Role |
| LoggingRule Editor | loggingrule-editor | False | Project | Role |
| LoggingRule Viewer | loggingrule-viewer | False | Project | Role |
| LoggingTarget Creator | loggingtarget-creator | False | Project | Role |
| LoggingTarget Editor | loggingtarget-editor | False | Project | Role |
| LoggingTarget Viewer | loggingtarget-viewer | False | Project | Role |
| MonitoringRule Editor | monitoringrule-editor | False | Project | Role |
| MonitoringRule Viewer | monitoringrule-viewer | False | Project | Role |
| MonitoringTarget Editor | monitoringtarget-editor | False | Project | Role |
| MonitoringTarget Viewer | monitoringtarget-viewer | False | Project | Role |
| Namespace Admin | namespace-admin | False | Project | ProjectRole |
| NAT Viewer | nat-viewer | False | Project | ProjectRole |
| ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project | Role |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project | Role |
| Project Bucket Admin | project-bucket-admin | False | Project | Role |
| Project Bucket Object Admin | project-bucket-object-admin | False | Project | Role |
| Project Bucket Object Viewer | project-bucket-object-viewer | False | Project | Role |
| Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor | False | Project | Role |
| Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | False | Project | Role |
| Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | False | Project | Role |
| Project Grafana Viewer | project-grafana-viewer | False | Project | Role |
| Project NetworkPolicy Admin | project-networkpolicy-admin | False | Project | Role |
| Project Viewer | project-viewer | False | Project | Role |
| Project VirtualMachine Admin | project-vm-admin | False | Project | Role |
| Project VirtualMachine Image Admin | project-vm-image-admin | False | Project | Role |
| Secret Admin | secret-admin | False | Project | Role |
| Secret Viewer | secret-viewer | False | Project | Role |
| Service Configuration Admin | service-configuration-admin | False | Project | Role |
| Service Configuration Viewer | service-configuration-viewer | False | Project | Role |
| Workbench Notebooks Admin | workbench-notebooks-admin | False | Project | Role |
| Volume Replication Admin | app-volume-replication-admin | False | Cluster | Role |
| Workbench Notebooks Viewer | workbench-notebooks-viewer | False | Project | Role |
| Workload Viewer | workload-viewer | False | Project | Role |
AO persona, predefined identity, and access roles
| Name | Binding type | Management API server permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|---|
| Project IAM Admin | RoleBinding | | N/A | All other AO roles |
| AI OCR Developer | RoleBinding | OCR resources: Read and write | N/A | N/A |
| AI Speech Developer | RoleBinding | Speech resources: Read and write | N/A | N/A |
| AI Translation Developer | RoleBinding | Translation resources: Read and write | N/A | N/A |
| Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | N/A | N/A |
| Artifact Management Editor | RoleBinding | HarborProjects: Read, write, and view | N/A | N/A |
| Certificate Authority Service Admin | RoleBinding | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Certificate Service Admin | RoleBinding | Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | RoleBinding | Dashboard: Get and read | N/A | N/A |
| Harbor Instance Admin | RoleBinding | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | RoleBinding | Harbor instances: Read | N/A | N/A |
| Harbor Project Creator | RoleBinding | Harbor instance projects: Create, get, and watch | N/A | N/A |
| K8s NetworkPolicy Admin | ProjectRoleBinding | N/A | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A |
| Load Balancer Admin | RoleBinding | N/A | | N/A |
| LoggingRule Creator | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Editor | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Viewer | RoleBinding | LoggingRule custom resources: Read | N/A | N/A |
| LoggingTarget Creator | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Editor | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Viewer | RoleBinding | LoggingTarget custom resources: Read | N/A | N/A |
| MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace | N/A |
| NAT Viewer | ProjectRoleBinding | N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding | | N/A | N/A |
| Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
| Project Cortex Alertmanager Editor | RoleBinding | Cortex system and Cortex Alertmanager: Read and write | N/A | N/A |
| Project Cortex Alertmanager Viewer | RoleBinding | Cortex system and Cortex Alertmanager: Read | N/A | N/A |
| Project Cortex Prometheus Viewer | RoleBinding | Cortex system and Cortex Prometheus: Read | N/A | N/A |
| Project Grafana Viewer | RoleBinding | Grafana system and Grafana: Read and write | N/A | N/A |
| Project NetworkPolicy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding | | N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding | | N/A | N/A |
| Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | RoleBinding | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | RoleBinding | ServiceConfigurations: Read | N/A | N/A |
| Volume Replication Admin | ClusterRoleBinding | Volume failovers, volume relationship replicas: Create, get, list, watch, delete | N/A | N/A |
| Workbench Notebooks Admin | RoleBinding | N/A | | N/A |
| Workbench Notebooks Viewer | RoleBinding | N/A | | N/A |
| Workload Viewer | ProjectRoleBinding | N/A | | N/A |
Common predefined identity and access roles
| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| AI Platform Viewer | ai-platform-viewer | False | Project | Role |
| DNS Suffix Viewer | dnssuffix-viewer | False | Organization | Role |
| Flow Log Admin | flowlog-admin | False | Organization | ClusterRole |
| Flow Log Viewer | flowlog-viewer | False | Project | ClusterRole |
| Project Discovery Viewer | projectdiscovery-viewer | False | Project | ClusterRole |
| Public Image Viewer | public-image-viewer | False | Organization | Role |
| System Artifact Registry anthos-creds secret Monitor | sar-anthos-creds-secret-monitor | False | Organization | Role |
| System Artifact Registry gpc-system secret Monitor | sar-gpc-system-secret-monitor | False | Organization | Role |
| System Artifact Registry harbor-system secret Monitor | sar-harbor-system-secret-monitor | False | Organization | Role |
| Virtual Machine Type Viewer | virtualmachinetype-viewer | False | Organization | OrganizationRole |
| VM Type Viewer | vmtype-viewer | False | Organization | Role |
Common predefined identity and access roles
| Name | Binding type | Admin cluster permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|---|
| AI Platform Viewer | RoleBinding | Pre-trained services: Read | N/A | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | DNS suffix config maps: Read | N/A | N/A |
| Flow Log Admin | ClusterRoleBinding | Flow log resources: Get and read | Flow log resources: Get and read | N/A |
| Flow Log Viewer | ClusterRoleBinding | Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
| Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A |
| Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A |
| System Artifact Registry anthos-creds secret Monitor | RoleBinding | anthos-creds secrets: Get and read | anthos-creds secrets: Get and read | N/A |
| System Artifact Registry gpc-system secret Monitor | RoleBinding | gpc-system secrets: Get and read | gpc-system secrets: Get and read | N/A |
| System Artifact Registry harbor-system secret Monitor | RoleBinding | harbor-system secrets: Get and read | harbor-system secrets: Get and read | N/A |
| Virtual Machine Type Viewer | OrganizationRoleBinding | N/A | VM types: Read | N/A |
| VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A |