Stay organized with collections
Save and categorize content based on your preferences.
Before you perform tasks on virtual machines (VM) in
Google Distributed Cloud (GDC) air-gapped, you must have the proper identity and access
(IAM) roles and permissions.
Before you begin
To use gdcloud CLI commands, complete the required steps from the
gdcloud command-line interface (CLI)
sections. All commands for Google Distributed Cloud air-gapped use the
gdcloud or kubectl CLI, and require an operating system (OS) environment.
Get the kubeconfig file path
To run commands against the Management API server, ensure you have the following
resources:
Sign in and generate the
kubeconfig file for the Management API server if you don't have one.
Use the path to the kubeconfig file of the Management API server to replace
MANAGEMENT_API_SERVER in these instructions.
About IAM
Distributed Cloud offers Identity and Access Management (IAM) for
granular access to specific Distributed Cloud resources and prevents
unwanted access to other resources. IAM operates on the security
principle of least privilege and provides control over who has permission
to given resources using IAM roles and permissions.
Read the IAM documentation in
Sign in, which provides
instructions for signing in to the GDC console or the
gdcloud CLI and using kubectl to access your workloads.
Predefined roles to VM resources
To create VMs and VM disks in a project, request the appropriate permissions
from your Project IAM Admin for a given project. All VM roles must bind to the
namespace of the project where the VM resides. To manage virtual machines,
your Project IAM Admin can assign you the following predefined roles:
Project VirtualMachine Adminproject-vm-admin: Manages VMs in the
project namespace.
Project VirtualMachine Image Adminproject-vm-image-admin: Manages VM
images in the project namespace.
For a list of all predefined roles for Application Operators (AO), see
Role descriptions.
The following are predefined common roles for VMs. For details on common roles,
see
Common roles.
VM type viewervm-type-viewer: has read access to predefined VM types.
Public image viewerpublic-image-viewer: has read access to images
GDC provides.
Replace the variables by using the following definitions.
Variable
Replacement
MANAGEMENT_API_SERVER
The system kubeconfig file
from gdcloud auth login.
PROJECT
The project name to create VM images.
If the output is yes, you have permissions to create a VM in the
project PROJECT.
If the output is no, you don't have permissions. Contact your Project
IAM Admin and request assignment to the Project VirtualMachine Admin
(project-vm-admin) role in the namespace of the project where the VM
resides.
Optional: Verify whether users have access to project-level VM images. For
example, run the following commands to verify if they can create and use
VirtualMachineImage resources at the project level:
Replace the variables by using the following definitions.
Variable
Replacement
MANAGEMENT_API_SERVER
The Management API server kubeconfig file.
PROJECT
The project name where VM images are created.
If the output is yes, the user has permissions to access custom VM images
in the project PROJECT.
If the output is no, you don't have permissions. Contact your Project
IAM Admin role and request assignment to the Project VirtualMachine Image
Admin (project-vm-image-admin) role in the namespace of the project
where the VM resides.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eProper Identity and Access Management (IAM) roles and permissions are required before performing tasks on virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped.\u003c/p\u003e\n"],["\u003cp\u003eTo manage virtual machines in a project, a Project IAM Admin can assign the "Project VirtualMachine Admin" role, while managing VM images require the "Project VirtualMachine Image Admin" role.\u003c/p\u003e\n"],["\u003cp\u003eUsers can verify their permissions to create VMs or access VM images within a specific project using \u003ccode\u003ekubectl\u003c/code\u003e commands and checking for a "yes" or "no" output.\u003c/p\u003e\n"],["\u003cp\u003eGDC offers IAM for granular access control to resources, ensuring that only authorized users can access specific resources, adhering to the principle of least privilege.\u003c/p\u003e\n"]]],[],null,["# IAM permissions preparation\n\nBefore you perform tasks on virtual machines (VM) in\nGoogle Distributed Cloud (GDC) air-gapped, you must have the proper identity and access\n(IAM) roles and permissions.\n\nBefore you begin\n----------------\n\nTo use gdcloud CLI commands, complete the required steps from the\n[gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview)\nsections. All commands for Google Distributed Cloud air-gapped use the\n`gdcloud` or `kubectl` CLI, and require an operating system (OS) environment.\n\n### Get the kubeconfig file path\n\nTo run commands against the Management API server, ensure you have the following\nresources:\n\n1. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in#cli) the\n kubeconfig file for the Management API server if you don't have one.\n\n2. Use the path to the kubeconfig file of the Management API server to replace\n \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e in these instructions.\n\nAbout IAM\n---------\n\nDistributed Cloud offers Identity and Access Management (IAM) for\ngranular access to specific Distributed Cloud resources and prevents\nunwanted access to other resources. IAM operates on the security\nprinciple of least privilege and provides control over who has permission\nto given resources using IAM roles and permissions.\n\nRead the IAM documentation in\n[Sign in](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in), which provides\ninstructions for signing in to the GDC console or the\ngdcloud CLI and using `kubectl` to access your workloads.\n\n### Predefined roles to VM resources\n\nTo create VMs and VM disks in a project, request the appropriate permissions\nfrom your Project IAM Admin for a given project. All VM roles must bind to the\nnamespace of the project where the VM resides. To manage virtual machines,\nyour Project IAM Admin can assign you the following predefined roles:\n\n- **Project VirtualMachine Admin** `project-vm-admin`: Manages VMs in the project namespace.\n- **Project VirtualMachine Image Admin** `project-vm-image-admin`: Manages VM images in the project namespace.\n\nFor a list of all predefined roles for Application Operators (AO), see\n[Role descriptions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-descriptions).\n\nThe following are predefined common roles for VMs. For details on common roles,\nsee\n[Common roles](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-descriptions#common_roles).\n\n- **VM type viewer** `vm-type-viewer`: has read access to predefined VM types.\n- **Public image viewer** `public-image-viewer`: has read access to images GDC provides.\n\nTo grant or receive access to VM resources, see\n[Grant access to project resources](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-bindings).\n\nVerify user access to VM resources\n----------------------------------\n\n1. [Log in](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in#cli) as the\n user requesting or verifying permissions.\n\n2. Verify whether you, or the user, can create virtual machines:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachines.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n - If the output is `yes`, you have permissions to create a VM in the project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e.\n - If the output is `no`, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (`project-vm-admin`) role in the namespace of the project where the VM resides.\n3. Optional: Verify whether users have access to project-level VM images. For\n example, run the following commands to verify if they can create and use\n `VirtualMachineImage` resources at the project level:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n - If the output is `yes`, the user has permissions to access custom VM images in the project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e.\n - If the output is `no`, you don't have permissions. Contact your Project IAM Admin role and request assignment to the Project VirtualMachine Image Admin (`project-vm-image-admin`) role in the namespace of the project where the VM resides."]]