This page describes IAM roles and lists the predefined roles that you can grant to your principals.
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals.
Prerequisite for this guide
- Understand the basic concepts of IAM
Role types
There are three types of roles in IAM:
- Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
- Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
- Custom roles, which provide granular access according to a user-specified list of permissions.
To determine if a permission is included in a basic, predefined, or custom role, you can use one of the following methods:
- Run the `gcloud iam roles describe` command to list the permissions in the role.
- Call the `roles.get()` REST API method to list the permissions in the role.
- For basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
- For predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.
The sections below describe each role type and provide examples of how to use them.
Basic roles
There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."
The following table summarizes the permissions that the basic roles include across all Google Cloud services:
Basic role definitions
| Name | Title | Permissions |
|---|---|---|
| roles/viewer | Viewer | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
| roles/editor | Editor | All Viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types on this page. |
| roles/owner | Owner | All Editor permissions and permissions for the following actions: |
You can grant basic roles with the Google Cloud console, the API, and the gcloud CLI. To grant basic roles on a project, folder, or organization, see Manage access to projects, folders, and organizations. To grant basic roles on other resources, see Manage access to other resources.
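The two checks above (whether a permission is in a role, via `gcloud iam roles describe` or `roles.get()`) and the concentric Viewer/Editor/Owner relationship can both be verified offline from role metadata. The following script is an added example, not Google's code: it consumes a JSON list of Role resources in the shape returned by `roles.get()` (or `gcloud iam roles describe ROLE --format=json`), answers "does this role grant this permission?", checks that the basic roles nest as described, and ranks the roles that cover a required set of permissions so the least-privileged one can be chosen. The role and permission names in the sample are real identifiers, but the `includedPermissions` lists are constructed and deliberately abbreviated; real lists are much longer.

```python
"""Check which role grants a permission and pick the least-privileged one,
from role metadata in the shape returned by roles.get() (or
`gcloud iam roles describe ROLE --format=json`). Added example, not Google's code."""
import json
from dataclasses import dataclass

# Constructed sample: the role names and permission strings are real IAM
# identifiers, but every includedPermissions list is abbreviated to a few
# entries. Replace this with a dump of the roles you actually want to compare.
SAMPLE_ROLES_JSON = """
[
  {"name": "roles/viewer", "title": "Viewer", "stage": "GA",
   "includedPermissions": ["resourcemanager.projects.get", "storage.buckets.list",
                           "storage.objects.get", "storage.objects.list"]},
  {"name": "roles/editor", "title": "Editor", "stage": "GA",
   "includedPermissions": ["resourcemanager.projects.get", "storage.buckets.list",
                           "storage.objects.get", "storage.objects.list",
                           "storage.objects.create", "storage.objects.delete"]},
  {"name": "roles/owner", "title": "Owner", "stage": "GA",
   "includedPermissions": ["resourcemanager.projects.get", "storage.buckets.list",
                           "storage.objects.get", "storage.objects.list",
                           "storage.objects.create", "storage.objects.delete",
                           "resourcemanager.projects.setIamPolicy"]},
  {"name": "roles/storage.objectViewer", "title": "Storage Object Viewer", "stage": "GA",
   "includedPermissions": ["storage.objects.get", "storage.objects.list"]},
  {"name": "roles/storage.objectCreator", "title": "Storage Object Creator", "stage": "GA",
   "includedPermissions": ["storage.objects.create"]},
  {"name": "roles/storage.objectAdmin", "title": "Storage Object Admin", "stage": "GA",
   "includedPermissions": ["storage.objects.get", "storage.objects.list",
                           "storage.objects.create", "storage.objects.delete"]}
]
"""


@dataclass(frozen=True)
class Role:
    name: str
    title: str
    stage: str
    permissions: frozenset


def load_roles(json_text):
    """Parse a JSON list of Role resources into a dict keyed by role name."""
    roles = {}
    for entry in json.loads(json_text):
        roles[entry["name"]] = Role(
            name=entry["name"],
            title=entry.get("title", ""),
            stage=entry.get("stage", ""),
            permissions=frozenset(entry.get("includedPermissions", [])),
        )
    return roles


def role_has_permission(roles, role_name, permission):
    """True if the named role's includedPermissions contains the permission."""
    return permission in roles[role_name].permissions


def role_includes_role(roles, outer, inner):
    """True if every permission of `inner` is also granted by `outer`."""
    return roles[inner].permissions <= roles[outer].permissions


def basic_roles_are_concentric(roles):
    """Verify Viewer is a subset of Editor and Editor a subset of Owner."""
    return (role_includes_role(roles, "roles/editor", "roles/viewer")
            and role_includes_role(roles, "roles/owner", "roles/editor"))


def covering_roles(roles, required):
    """Roles that grant every required permission, smallest role first."""
    required = frozenset(required)
    hits = [r for r in roles.values() if required <= r.permissions]
    return sorted(hits, key=lambda r: (len(r.permissions), r.name))


def least_privileged_role(roles, required):
    """Name of the smallest covering role, or None if no single role covers."""
    hits = covering_roles(roles, required)
    return hits[0].name if hits else None


def excess_permissions(roles, role_name, required):
    """Permissions the role would grant beyond what is actually required."""
    return sorted(roles[role_name].permissions - frozenset(required))


if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_JSON)
    need = ["storage.objects.get", "storage.objects.list"]
    print("basic roles concentric:", basic_roles_are_concentric(roles))
    for r in covering_roles(roles, need):
        extra = len(excess_permissions(roles, r.name, need))
        print(f"{r.name:32} grants {len(r.permissions):2} permissions, {extra} not needed")
```

Run against real output, the ranking makes the cost of a basic role visible: Editor and Owner cover almost any read requirement, but `excess_permissions` shows how much state-changing access comes with them, which is the argument for a predefined role instead.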
Predefined roles
In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following tables list these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud resource hierarchy.
You can grant multiple roles to the same user, at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.
For help choosing the most appropriate predefined roles, see Choose predefined roles.
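The paragraph above grants one user roles at two different levels (Compute Network Admin and Logs Viewer on a project, Pub/Sub Publisher on a topic in that project). Because IAM policy bindings are inherited down the resource hierarchy, the roles that principal effectively holds on the topic are the union of bindings on the topic, its project, its folder, and its organization. The script below is an added example, not Google's code; it models that resolution over a constructed hierarchy and constructed policy bindings (the project, folder, and organization identifiers are placeholders) using the real role IDs for the three roles named above. It also answers the audit question a defender more often asks: which principals reach a given role on a resource, including through inheritance.

```python
"""Resolve the roles a principal effectively holds on a resource by walking
the resource hierarchy (resource -> project -> folder -> organization) and
taking the union of IAM bindings found along the way. Added example, not
Google's code; the hierarchy and bindings below are constructed."""

# Constructed hierarchy: child resource -> parent resource. The project,
# folder and organization identifiers are placeholders.
PARENT = {
    "projects/demo-project/topics/alerts": "projects/demo-project",
    "projects/demo-project": "folders/000000000001",
    "folders/000000000001": "organizations/000000000002",
}

# Constructed IAM policy bindings per resource, in the {"role", "members"}
# shape used by IAM Policy resources. Resources without a policy are omitted.
BINDINGS = {
    "organizations/000000000002": [
        {"role": "roles/owner", "members": ["user:org-admin@example.com"]},
    ],
    "projects/demo-project": [
        {"role": "roles/compute.networkAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["user:alice@example.com", "group:sre@example.com"]},
    ],
    "projects/demo-project/topics/alerts": [
        {"role": "roles/pubsub.publisher", "members": ["user:alice@example.com"]},
    ],
}


def ancestry(resource, parent=PARENT):
    """Yield the resource itself, then each ancestor up to the root."""
    while resource is not None:
        yield resource
        resource = parent.get(resource)


def effective_roles(resource, member, bindings=BINDINGS, parent=PARENT):
    """Map each role the member holds on `resource` to the resource where it
    was granted. Bindings higher in the hierarchy are inherited downward; a
    role granted at several levels is reported at the lowest one."""
    held = {}
    for node in ancestry(resource, parent):
        for binding in bindings.get(node, []):
            if member in binding["members"] and binding["role"] not in held:
                held[binding["role"]] = node
    return held


def principals_with_role(resource, role, bindings=BINDINGS, parent=PARENT):
    """All members holding `role` on `resource`, directly or by inheritance.
    Groups are reported as the group identity, not expanded to their members."""
    members = set()
    for node in ancestry(resource, parent):
        for binding in bindings.get(node, []):
            if binding["role"] == role:
                members.update(binding["members"])
    return members


if __name__ == "__main__":
    topic = "projects/demo-project/topics/alerts"
    for role, where in sorted(effective_roles(topic, "user:alice@example.com").items()):
        print(f"{role:32} on {topic} (granted at {where})")
    print("owners reaching the topic:", sorted(principals_with_role(topic, "roles/owner")))
```

The second function is the one to run when reviewing a sensitive resource: a role that looks absent from the resource's own policy may still be held through a binding on the project or organization, and group members are only visible once the group itself is expanded.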
Access Approval roles
| Role | Permissions |
|---|---|
| Access Approval Approver (Beta) | Ability to view or act on access approval requests and view configuration |
| Access Approval Config Editor (Beta) | Ability to update the Access Approval configuration |
| Access Approval Invalidator (Beta) | Ability to invalidate existing approved approval requests |
| Access Approval Viewer (Beta) | Ability to view access approval requests and configuration |
Access Context Manager roles
| Role | Permissions |
|---|---|
| Cloud Access Binding Admin | Create, edit, and change Cloud access bindings. |
| Cloud Access Binding Reader | Read access to Cloud access bindings. |
| Access Context Manager Admin | Full access to policies, access levels, and access zones |
| Access Context Manager Editor | Edit access to policies. Create, edit, and change access levels and access zones. |
| Access Context Manager Reader | Read access to policies, access levels, and access zones. |
| VPC Service Controls Troubleshooter Viewer | |
Actions roles
| Role | Permissions |
|---|---|
| Actions Admin | Access to edit and deploy an action |
| Actions Viewer | Access to view an action |
AI Notebooks roles
| Role | Permissions |
|---|---|
| Notebooks Admin | Full access to all Notebooks resources. Lowest-level resources where you can grant this role: |
| Notebooks Legacy Admin | Full access to all Notebooks resources through the Compute API. |
| Notebooks Legacy Viewer | Read-only access to all Notebooks resources through the Compute API. |
| Notebooks Runner | Restricted access for running scheduled Notebooks. |
| Notebooks Viewer | Read-only access to all Notebooks resources. Lowest-level resources where you can grant this role: |
AI Platform roles
| Role | Permissions |
|---|---|
| AI Platform Admin | Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role: |
| AI Platform Developer | Provides the ability to use AI Platform resources for creating models, versions, and jobs for training and prediction, and for sending online prediction requests. Lowest-level resources where you can grant this role: |
| AI Platform Job Owner | Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role: |
| AI Platform Model Owner | Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role: |
| AI Platform Model User | Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role: |
| AI Platform Operation Owner | Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role: |
| AI Platform Viewer | Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role: |
Analytics Hub roles
| Role | Permissions |
|---|---|
| Analytics Hub Admin | Administer Data Exchanges and Listings |
| Analytics Hub Listing Admin | Grants full control over the Listing, including updating, deleting, and setting ACLs |
| Analytics Hub Publisher | Can publish to Data Exchanges, thus creating Listings |
| Analytics Hub Subscriber | Can browse Data Exchanges and subscribe to Listings |
| Analytics Hub Viewer | Can browse Data Exchanges and Listings |
Android Management roles
| Role | Permissions |
|---|---|
| Android Management User | Full access to manage devices. |
Anthos Multi-cloud roles
| Role | Permissions |
|---|---|
| Anthos Multi-cloud Admin | Admin access to Anthos Multi-cloud resources. |
| Anthos Multi-cloud Telemetry Writer | Grants access to write cluster telemetry data such as logs, metrics, and resource metadata. |
| Anthos Multi-cloud Viewer | Viewer access to Anthos Multi-cloud resources. |
API Gateway roles
| Role | Permissions |
|---|---|
| ApiGateway Admin | Full access to ApiGateway and related resources. |
| ApiGateway Viewer | Read-only access to ApiGateway and related resources. |
Apigee roles
| Role | Permissions |
|---|---|
| Apigee Organization Admin | Full access to all Apigee resource features |
| Apigee Analytics Agent | Curated set of permissions for the Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
| Apigee Analytics Editor | Analytics editor for an Apigee Organization |
| Apigee Analytics Viewer | Analytics viewer for an Apigee Organization |
| Apigee API Admin | Full read/write access to all Apigee API resources |
| Apigee API Reader | Reader of Apigee resources |
| Apigee Developer Admin | Developer admin of Apigee resources |
| Apigee Environment Admin | Full read/write access to Apigee environment resources, including deployments. |
| Apigee Monetization Admin | All permissions related to monetization |
| Apigee Portal Admin | Portal admin for an Apigee Organization |
| Apigee Read-only Admin | Viewer of all Apigee resources |
| Apigee Runtime Agent | Curated set of permissions for a runtime agent to access Apigee Organization resources |
| Apigee Security Admin | Security admin for an Apigee Organization |
| Apigee Security Viewer | Security viewer for an Apigee Organization |
| Apigee Synchronizer Manager | Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization |
| Apigee Connect Admin | Admin of Apigee Connect |
| Apigee Connect Agent | Ability to set up the Apigee Connect agent between external clusters and Google. |
Apigee Registry roles
| Role | Permissions |
|---|---|
| Cloud Apigee Registry Admin (Beta) | Full access to Cloud Apigee Registry Registry and Runtime resources. |
| Cloud Apigee Registry Editor (Beta) | Edit access to Cloud Apigee Registry Registry resources. |
| Cloud Apigee Registry Viewer (Beta) | Read-only access to Cloud Apigee Registry Registry resources. |
| Cloud Apigee Registry Worker (Beta) | The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts. |
App Engine roles
| Role | Permissions |
|---|---|
| App Engine Admin | Read/write/modify access to all application configuration and settings. To deploy new versions, a principal must also have the Service Account User role. Lowest-level resources where you can grant this role: |
| App Engine Creator | Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role: |
| App Engine Viewer | Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role: |
| App Engine Code Viewer | Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role: |
| App Engine Deployer | Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User role. Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role: |
| App Engine Memcache Data Admin | Can get, set, delete, and flush App Engine Memcache items. |
| App Engine Service Admin | Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role: |
Artifact Registry roles
| Role | Permissions |
|---|---|
| Artifact Registry Administrator | Administrator access to create and manage repositories. |
| Artifact Registry Reader | Access to read repository items. |
| Artifact Registry Repository Administrator | Access to manage artifacts in repositories. |
| Artifact Registry Writer | Access to read and write repository items. |
Assured Workloads roles
| Role | Permissions |
|---|---|
| Assured Workloads Administrator | Grants full access to Assured Workloads resources, CRM resources (project/folder), and Organization Policy administration |
| Assured Workloads Editor | Grants read and write access to Assured Workloads resources, CRM resources (project/folder), and Organization Policy administration |
| Assured Workloads Reader | Grants read access to all Assured Workloads resources and CRM resources (project/folder) |
AutoML roles
| Role | Permissions |
|---|---|
| AutoML Admin (Beta) | Full access to all AutoML resources. Lowest-level resources where you can grant this role: |
| AutoML Editor (Beta) | Editor of all AutoML resources. Lowest-level resources where you can grant this role: |
| AutoML Predictor (Beta) | Predict using models. Lowest-level resources where you can grant this role: |
| AutoML Viewer (Beta) | Viewer of all AutoML resources. Lowest-level resources where you can grant this role: |
Backup and DR roles
| Role | Permissions |
|---|---|
| Backup and DR Admin | Full control of Backup and DR resources, including ACL configuration via the management console. |
| Backup and DR User | Provides access to the management console. Granular Backup and DR permissions depend on the ACL configuration provided by the Backup and DR admin within the management console. |
| Backup and DR Viewer | Read-only access to Backup and DR resources. |
Backup for GKE roles
| Role | Permissions |
|---|---|
| Backup for GKE Admin (Beta) | Full access to all Backup for GKE resources. |
| Backup for GKE Backup Admin (Beta) | Allows administrators to manage all BackupPlan and Backup resources. |
| Backup for GKE Delegated Backup Admin (Beta) | Allows administrators to manage Backup resources for specific BackupPlans |
| Backup for GKE Delegated Restore Admin (Beta) | Allows administrators to manage Restore resources for specific RestorePlans |
| Backup for GKE Restore Admin (Beta) | Allows administrators to manage all RestorePlan and Restore resources. |
| Backup for GKE Viewer (Beta) | Read-only access to all Backup for GKE resources. |
BeyondCorp roles
| Role | Permissions |
|---|---|
| Cloud BeyondCorp Admin (Beta) | Full access to all Cloud BeyondCorp resources. |
| Cloud BeyondCorp Client Connector Admin (Beta) | Full access to all BeyondCorp Client Connector resources. |
| Cloud BeyondCorp Client Connector Service User (Beta) | Access Client Connector Service |
| Cloud BeyondCorp Client Connector Viewer (Beta) | Read-only access to all BeyondCorp Client Connector resources. |
| Cloud BeyondCorp Viewer (Beta) | Read-only access to all Cloud BeyondCorp resources. |
BigQuery roles
| Role | Permissions |
|---|---|
| BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: |
| BigQuery Connection Admin | |
| BigQuery Connection User | |
| BigQuery Data Editor | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: |
| BigQuery Data Owner | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: |
| BigQuery Data Viewer | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: |
| BigQuery Filtered Data Viewer | Access to view filtered table data defined by a row access policy |
| BigQuery Job User | Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: |
| BigQuery Metadata Viewer | When applied to a table or view, this role provides permissions to: This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: When applied at the project or organization level, this role provides permissions to: Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: |
| BigQuery Read Session User | Access to create and use read sessions |
| BigQuery Resource Admin | Administer all BigQuery resources. |
| BigQuery Resource Editor | Manage all BigQuery resources, but cannot make purchasing decisions. |
| BigQuery Resource Viewer | View all BigQuery resources, but cannot make changes or purchasing decisions. |
| BigQuery User | When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, it allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role on them. Lowest-level resources where you can grant this role: |
| Masked Reader (Beta) | Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns |
Billing roles
| Role | Permissions |
|---|---|
| Billing Account Administrator | Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role: |
| Billing Account Costs Manager | Manage budgets for a billing account, and view, analyze, and export cost information of a billing account. Lowest-level resources where you can grant this role: |
| Billing Account Creator | Provides access to create billing accounts. Lowest-level resources where you can grant this role: |
| Project Billing Manager | When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role: |
| Billing Account User | When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role: |
| Billing Account Viewer | View billing account cost and pricing information, transactions, and billing and commitment recommendations. Lowest-level resources where you can grant this role: |
Binary Authorization roles
CA Service roles
| Role | Permissions |
|---|---|
| CA Service Admin | Full access to all CA Service resources. |
| CA Service Auditor | Read-only access to all CA Service resources. |
| CA Service Operation Manager | Create and manage CAs, revoke certificates, create certificate templates, and read-only access to CA Service resources. |
| CA Service Certificate Manager | Create certificates, and read-only access to CA Service resources. |
| CA Service Certificate Requester | Request certificates from CA Service. |
| CA Service Certificate Template User | Read, list, and use certificate templates. |
| CA Service Workload Certificate Requester | Request certificates from CA Service with the caller's identity. |
Certificate Manager roles
| Role | Permissions |
|---|---|
| Certificate Manager Editor | Edit access to all Certificate Manager resources. |
| Certificate Manager Owner | Full access to all Certificate Manager resources. |
| Certificate Manager Viewer | Read-only access to all Certificate Manager resources. |
Cloud AlloyDB roles
| Role | Permissions |
|---|---|
| Cloud AlloyDB Admin (Beta) | Full access to all Cloud AlloyDB resources. |
| Cloud AlloyDB Client (Beta) | Connectivity access to Cloud AlloyDB instances. |
| Cloud AlloyDB Viewer (Beta) | Read-only access to all Cloud AlloyDB resources. |
Cloud Asset roles
| Role | Permissions |
|---|---|
| Cloud Asset Owner | Full access to cloud asset metadata |
| Cloud Asset Viewer | Read-only access to cloud asset metadata |
Cloud Bigtable roles
| Role | Permissions |
|---|---|
| Bigtable Administrator | Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role: |
| Bigtable Reader | Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role: |
| Bigtable User | Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role: |
| Bigtable Viewer | Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable. Lowest-level resources where you can grant this role: |
Cloud Build roles
| Role | Permissions |
|---|---|
| Cloud Build Approver | Can approve or reject pending builds. |
| Cloud Build Service Account | Provides access to perform builds. |
| Cloud Build Editor | Provides access to create and cancel builds. Lowest-level resources where you can grant this role: |
| Cloud Build Viewer | Provides access to view builds. Lowest-level resources where you can grant this role: |
| Cloud Build Integrations Editor | Can update Integrations |
| Cloud Build Integrations Owner | Can create and delete Integrations |
| Cloud Build Integrations Viewer | Can view Integrations |
| Cloud Build WorkerPool Editor | Can update and view WorkerPools |
| Cloud Build WorkerPool Owner | Can create, delete, update, and view WorkerPools |
| Cloud Build WorkerPool User | Can run builds in the WorkerPool |
| Cloud Build WorkerPool Viewer | Can view WorkerPools |
Cloud Composer roles
| Role | Permissions |
|---|---|
| Cloud Composer v2 API Service Agent Extension | Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments. |
| Composer Administrator | Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role: |
| Environment and Storage Object Administrator | Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role: |
| Environment User and Storage Object Viewer | Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role: |
| Composer Shared VPC Agent | Role that should be assigned to the Composer Agent service account in the Shared VPC host project |
| Composer User | Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role: |
| Composer Worker | Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role: |
Cloud Connectors roles
| Role | Permissions |
|---|---|
| Connector Admin | Full access to all resources of the Connectors Service. |
| Connector Invoker | Full access to invoke all operations on Connections. |
| Connectors Viewer | Read-only access to all Connectors resources. |
Cloud Data Fusion roles
| Role | Permissions |
|---|---|
| Cloud Data Fusion Admin (Beta) | Full access to Cloud Data Fusion Instances, Namespaces, and related resources. Lowest-level resources where you can grant this role: |
| Cloud Data Fusion Runner (Beta) | Access to Cloud Data Fusion runtime resources. |
| Cloud Data Fusion Viewer (Beta) | Read-only access to Cloud Data Fusion Instances, Namespaces, and related resources. Lowest-level resources where you can grant this role: |
Cloud Data Labeling roles
| Role | Permissions |
|---|---|
| Data Labeling Service Admin (Beta) | Full access to all Data Labeling resources |
| Data Labeling Service Editor (Beta) | Editor of all Data Labeling resources |
| Data Labeling Service Viewer (Beta) | Viewer of all Data Labeling resources |
Cloud Dataplex roles
| Role | Permissions |
|---|---|
| Dataplex Administrator | Full access to all Dataplex resources. |
| Dataplex Data Owner | Owner access to data. To be granted on Dataplex Lake, Zone, or Asset resources only. |
| Dataplex Data Reader | Read-only access to data. To be granted on Dataplex Lake, Zone, or Asset resources only. |
| Dataplex Data Writer | Write access to data. To be granted on Dataplex Lake, Zone, or Asset resources only. |
| Dataplex Developer | Allows running data analytics workloads in a lake. |
| Dataplex Editor | Write access to Dataplex resources. |
| Dataplex Metadata Reader | Read-only access to metadata. |
| Dataplex Metadata Writer | Read and write access to metadata. |
| Dataplex Storage Data Owner | Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets. |
| Dataplex Storage Data Reader | Read-only access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets. |
| Dataplex Storage Data Writer | Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets. |
| Dataplex Viewer | Read access to Dataplex resources. |
Cloud Debugger roles
| Role | Permissions |
|---|---|
| Cloud Debugger Agent (Beta) | Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Lowest-level resources where you can grant this role: |
| Cloud Debugger User (Beta) | Provides permissions to create, view, list, and delete breakpoints (snapshots and logpoints) as well as list debug targets (debuggees). Lowest-level resources where you can grant this role: |
Cloud Deploy roles
| Role | Permissions |
|---|---|
| Cloud Deploy Admin (Beta) | Full control of Cloud Deploy resources. |
| Cloud Deploy Approver (Beta) | Permission to approve or reject rollouts. |
| Cloud Deploy Developer (Beta) | Permission to manage deployment configuration without permission to access operational resources, such as targets. |
| Cloud Deploy Runner (Beta) | Permission to execute Cloud Deploy work without permission to deliver to a target. |
| Cloud Deploy Operator (Beta) | Permission to manage deployment configuration. |
| Cloud Deploy Releaser (Beta) | Permission to create Cloud Deploy releases and rollouts. |
| Cloud Deploy Viewer (Beta) | Can view Cloud Deploy resources. |
Cloud DLP roles
| Role | Permissions |
|---|---|
| DLP Administrator | Administer DLP, including jobs and templates. |
| DLP Analyze Risk Templates Editor | Edit DLP analyze risk templates. |
| DLP Analyze Risk Templates Reader | Read DLP analyze risk templates. |
| DLP Column Data Profiles Reader | Read DLP column profiles. |
| DLP Data Profiles Reader | Read DLP profiles. |
| DLP De-identify Templates Editor | Edit DLP de-identify templates. |
| DLP De-identify Templates Reader | Read DLP de-identify templates. |
| DLP Cost Estimation | Manage DLP cost estimates. |
| DLP Inspect Findings Reader | Read DLP stored findings. |
| DLP Inspect Templates Editor | Edit DLP inspect templates. |
| DLP Inspect Templates Reader | Read DLP inspect templates. |
| DLP Job Triggers Editor | Edit job trigger configurations. |
| DLP Job Triggers Reader | Read job triggers. |
| DLP Jobs Editor | Edit and create jobs |
| DLP Jobs Reader | Read jobs |
| DLP Organization Data Profiles Driver | Permissions needed by the DLP service account to generate data profiles within an organization or folder. |
| DLP Project Data Profiles Reader | Read DLP project profiles. |
| DLP Project Data Profiles Driver | Permissions needed by the DLP service account to generate data profiles within a project. |
| DLP Reader | Read DLP entities, such as jobs and templates. |
| DLP Stored InfoTypes Editor | Edit DLP stored infoTypes. |
| DLP Stored InfoTypes Reader | Read DLP stored infoTypes. |
| DLP Table Data Profiles Reader | Read DLP table profiles. |
| DLP User | Inspect, redact, and de-identify content |
Cloud Domains roles
| Role | Permissions |
|---|---|
| Cloud Domains Admin | Full access to Cloud Domains Registrations and related resources. |
| Cloud Domains Viewer | Read-only access to Cloud Domains Registrations and related resources. |
Cloud Filestore roles
| Role | Permissions |
|---|---|
| Cloud Filestore Editor (Beta) | Read-write access to Filestore instances and related resources. |
| Cloud Filestore Viewer (Beta) | Read-only access to Filestore instances and related resources. |
Cloud Functions roles
| Role | Permissions |
|---|---|
| Cloud Functions Admin | Full access to functions, operations, and locations. |
| Cloud Functions Developer | Read and write access to all functions-related resources. |
| Cloud Functions Invoker | Ability to invoke HTTP functions with restricted access. |
| Cloud Functions Viewer | Read-only access to functions and locations. |
Cloud Game Services roles
| Role | Permissions |
|---|---|
| Game Services API Admin | Full access to the Game Services API and related resources. |
| Game Services API Viewer | Read-only access to the Game Services API and related resources. |
Cloud Healthcare roles
| Role | Permissions |
|---|---|
| Healthcare Annotation Editor | Create, delete, update, read, and list annotations. |
| Healthcare Annotation Reader | Read and list annotations in an Annotation store. |
| Healthcare Annotation Administrator | Administer Annotation stores. |
| Healthcare Annotation Store Viewer | List Annotation Stores in a dataset. |
| Healthcare Attribute Definition Editor | Edit AttributeDefinition objects. |
| Healthcare Attribute Definition Reader | Read AttributeDefinition objects in a consent store. |
| Healthcare Consent Artifact Administrator | Administer ConsentArtifact objects. |
| Healthcare Consent Artifact Editor | Edit ConsentArtifact objects. |
| Healthcare Consent Artifact Reader | Read ConsentArtifact objects in a consent store. |
| Healthcare Consent Editor | Edit Consent objects. |
| Healthcare Consent Reader | Read Consent objects in a consent store. |
| Healthcare Consent Store Administrator | Administer Consent stores. |
| Healthcare Consent Store Viewer | List Consent Stores in a dataset. |
| Healthcare Dataset Administrator | Administer Healthcare Datasets. |
| Healthcare Dataset Viewer | List the Healthcare Datasets in a project. |
| Healthcare DICOM Editor | Edit DICOM images individually and in bulk. |
| Healthcare DICOM Store Administrator | Administer DICOM stores. |
| Healthcare DICOM Store Viewer | List DICOM Stores in a dataset. |
| Healthcare DICOM Viewer | Retrieve DICOM images from a DICOM store. |
| Healthcare FHIR Resource Editor | Create, delete, update, read, and search FHIR resources. |
| Healthcare FHIR Resource Reader | Read and search FHIR resources. |
| Healthcare FHIR Store Administrator | Administer FHIR resource stores. |
| Healthcare FHIR Store Viewer | List FHIR Stores in a dataset. |
| Healthcare HL7v2 Message Consumer | List and read HL7v2 messages, update message labels, and publish new messages. |
| Healthcare HL7v2 Message Editor | Read, write, and delete access to HL7v2 messages. |
| Healthcare HL7v2 Message Ingest | Ingest HL7v2 messages received from a source network. |
| Healthcare HL7v2 Store Administrator | Administer HL7v2 Stores. |
| Healthcare HL7v2 Store Viewer | View HL7v2 Stores in a dataset. |
| Healthcare NLP Service Viewer (Beta) | Extract and analyze medical entities from a given text. |
| Healthcare User Data Mapping Editor | Edit UserDataMapping objects. |
| Healthcare User Data Mapping Reader | Read UserDataMapping objects in a consent store. |
Cloud IAP roles
| Role | Permissions |
|---|---|
| IAP Policy Admin | Provides full access to Identity-Aware Proxy resources. Lowest-level resources where you can grant this role: |
| IAP-secured Web App User | Provides permission to access HTTPS resources which use Identity-Aware Proxy. |
| IAP Settings Admin | Administrator of IAP Settings. |
| IAP-secured Tunnel Destination Group Editor | Edit Tunnel Destination Group resources which use Identity-Aware Proxy. |
| IAP-secured Tunnel Destination Group Viewer | View Tunnel Destination Group resources which use Identity-Aware Proxy. |
| IAP-secured Tunnel User | Access Tunnel resources which use Identity-Aware Proxy. |

Cloud IDS roles
| Role | Permissions |
|---|---|
| Cloud IDS Admin (Beta) | Full access to all Cloud IDS resources. |
| Cloud IDS Viewer (Beta) | Read-only access to all Cloud IDS resources. |

Cloud IoT roles
| Role | Permissions |
|---|---|
| Cloud IoT Admin | Full control of all Cloud IoT resources and permissions. Lowest-level resources where you can grant this role: |
| Cloud IoT Device Controller | Access to update the device configuration, but not to create or delete devices. Lowest-level resources where you can grant this role: |
| Cloud IoT Editor | Read-write access to all Cloud IoT resources. Lowest-level resources where you can grant this role: |
| Cloud IoT Provisioner | Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry. Lowest-level resources where you can grant this role: |
| Cloud IoT Viewer | Read-only access to all Cloud IoT resources. Lowest-level resources where you can grant this role: |

Cloud KMS roles
| Role | Permissions |
|---|---|
| Cloud KMS Admin | Provides full access to Cloud KMS resources, except encrypt and decrypt operations. Lowest-level resources where you can grant this role: |
| Cloud KMS CryptoKey Decrypter | Provides ability to use Cloud KMS resources for decrypt operations only. Lowest-level resources where you can grant this role: |
| Cloud KMS CryptoKey Decrypter Via Delegation | Enables Decrypt operations via other GCP services. |
| Cloud KMS CryptoKey Encrypter | Provides ability to use Cloud KMS resources for encrypt operations only. Lowest-level resources where you can grant this role: |
| Cloud KMS CryptoKey Encrypter/Decrypter | Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. Lowest-level resources where you can grant this role: |
| Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation | Enables Encrypt and Decrypt operations via other GCP services. |
| Cloud KMS CryptoKey Encrypter Via Delegation | Enables Encrypt operations via other GCP services. |
| Cloud KMS Crypto Operator | Enables all Crypto Operations. |
| Cloud KMS Expert Raw PKCS#1 Key Manager | Enables raw PKCS#1 key management. |
| Cloud KMS Importer | Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations. |
| Cloud KMS CryptoKey Public Key Viewer | Enables GetPublicKey operations. |
| Cloud KMS CryptoKey Signer | Enables Sign operations. |
| Cloud KMS CryptoKey Signer/Verifier | Enables Sign, Verify, and GetPublicKey operations. |
| Cloud KMS CryptoKey Verifier | Enables Verify and GetPublicKey operations. |
| Cloud KMS Viewer | Enables Get and List operations. |

Cloud Life Sciences roles
| Role | Permissions |
|---|---|
| Cloud Life Sciences Admin (Beta) | Full control of Cloud Life Sciences resources. |
| Cloud Life Sciences Editor (Beta) | Access to read and edit Cloud Life Sciences resources. |
| Cloud Life Sciences Viewer (Beta) | Access to read Cloud Life Sciences resources. |
| Cloud Life Sciences Workflows Runner (Beta) | Full access to operate on Cloud Life Sciences workflows. |

Cloud Managed Identities roles
| Role | Permissions |
|---|---|
| Google Cloud Managed Identities Admin | Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level. |
| Google Cloud Managed Identities Backup Admin | Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted at the project level. |
| Google Cloud Managed Identities Backup Viewer | Read-only access to Google Cloud Managed Identities Backup and related resources. |
| Google Cloud Managed Identities Domain Admin | Read, update, and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the resource (domain) level. |
| Google Cloud Managed Identities Peering Admin | Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level. |
| Google Cloud Managed Identities Peering Viewer | Read-only access to Google Cloud Managed Identities Peering and related resources. |
| Google Cloud Managed Identities Viewer | Read-only access to Google Cloud Managed Identities Domains and related resources. |

Cloud Marketplace roles
| Role | Permissions |
|---|---|
| Commerce Offer Catalog Offers Viewer (Beta) | Allows viewing offers. |
| Commerce Price Management Private Offers Admin (Beta) | Allows managing private offers. |
| Commerce Price Management Viewer (Beta) | Allows viewing offers, free trials, and SKUs. |
| Consumer Procurement Entitlement Manager (Beta) | Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project. |
| Consumer Procurement Entitlement Viewer (Beta) | Allows inspecting entitlements and service states for a consumer project. |
| Consumer Procurement Order Administrator (Beta) | Allows managing purchases. |
| Consumer Procurement Order Viewer (Beta) | Allows inspecting purchases. |

Cloud Migration roles
| Role | Permissions |
|---|---|
| Velostrata Manager (Beta) | Ability to create and manage Compute VMs to run Velostrata Infrastructure. |
| Velostrata Storage Access (Beta) | Ability to access migration storage. |
| Velostrata Manager Connection Agent (Beta) | Ability to set up a connection between Velostrata Manager and Google. |
| VM Migration Administrator (Beta) | Ability to view and edit all VM Migration objects. |
| VM Migration Viewer (Beta) | Ability to view all VM Migration objects. |

Cloud Private Catalog roles
| Role | Permissions |
|---|---|
| Catalog Consumer (Beta) | Can browse catalogs in the target resource context. |
| Catalog Admin (Beta) | Can manage catalog and view its associations. |
| Catalog Manager (Beta) | Can manage associations between a catalog and a target resource. |
| Catalog Org Admin (Beta) | Can manage catalog org settings. |

Cloud Profiler roles
| Role | Permissions |
|---|---|
| Cloud Profiler Agent | Cloud Profiler agents are allowed to register and provide the profiling data. |
| Cloud Profiler User | Cloud Profiler users are allowed to query and view the profiling data. |

Cloud Run roles
| Role | Permissions |
|---|---|
| Cloud Run Admin | Full control over all Cloud Run resources. Lowest-level resources where you can grant this role: |
| Cloud Run Developer | Read and write access to all Cloud Run resources. |
| Cloud Run Invoker | Can invoke a Cloud Run service. Lowest-level resources where you can grant this role: |
| Cloud Run Viewer | Can view the state of all Cloud Run resources, including IAM policies. Lowest-level resources where you can grant this role: |

Cloud Scheduler roles
| Role | Permissions |
|---|---|
| Cloud Scheduler Admin | Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission `cloudscheduler.jobs.create`) can create jobs that publish to any Pub/Sub topics within the project. |
| Cloud Scheduler Job Runner | Access to run jobs. |
| Cloud Scheduler Viewer | Get and list access to jobs, executions, and locations. |

Cloud Security Scanner roles
| Role | Permissions |
|---|---|
| Web Security Scanner Editor | Full access to all Web Security Scanner resources. Lowest-level resources where you can grant this role: |
| Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans. Lowest-level resources where you can grant this role: |
| Web Security Scanner Viewer | Read access to all Web Security Scanner resources. Lowest-level resources where you can grant this role: |

Cloud Services roles
| Role | Permissions |
|---|---|
| Service Broker Admin | Full access to ServiceBroker resources. |
| Service Broker Operator | Operational access to the ServiceBroker resources. |

Cloud Spanner roles
| Role | Permissions |
|---|---|
| Cloud Spanner Admin | Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can: Lowest-level resources where you can grant this role: |
| Cloud Spanner Backup Admin | A principal with this role can: This role cannot restore a database from a backup. Lowest-level resources where you can grant this role: |
| Cloud Spanner Backup Writer | This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role: |
| Cloud Spanner Database Admin | A principal with this role can: Lowest-level resources where you can grant this role: |
| Cloud Spanner Database Reader | A principal with this role can: Lowest-level resources where you can grant this role: |
| Cloud Spanner Database Role User | In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. |
| Cloud Spanner Database User | A principal with this role can: Lowest-level resources where you can grant this role: |
| Cloud Spanner Fine-grained Access User | Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the Cloud Spanner Database Role User IAM role and its necessary conditions. |
| Cloud Spanner Restore Admin | A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role: |
| Cloud Spanner Viewer | A principal with this role can: For example, you can combine this role with the This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role: |

Cloud SQL roles
| Role | Permissions |
|---|---|
| Cloud SQL Admin | Provides full control of Cloud SQL resources. Lowest-level resources where you can grant this role: |
| Cloud SQL Client | Provides connectivity access to Cloud SQL instances. Lowest-level resources where you can grant this role: |
| Cloud SQL Editor | Provides full control of existing Cloud SQL instances, excluding modifying users, SSL certificates, or deleting resources. Lowest-level resources where you can grant this role: |
| Cloud SQL Instance User | Role allowing access to a Cloud SQL instance. |
| Cloud SQL Viewer | Provides read-only access to Cloud SQL resources. Lowest-level resources where you can grant this role: |

Cloud Storage roles
| Role | Permissions |
|---|---|
| Storage Admin | Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: |
| Storage HMAC Key Admin | Full control of Cloud Storage HMAC keys. |
| Storage Object Admin | Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: |
| Storage Object Creator | Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: |
| Storage Object Viewer | Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: |
| Storage Transfer Admin | Create, update and manage transfer jobs and operations. |
| Storage Transfer Agent | Perform transfers from an agent. |
| Storage Transfer User | Create and update storage transfer jobs and operations. |
| Storage Transfer Viewer | Read access to storage transfer jobs and operations. |

Cloud Storage Legacy roles
| Role | Permissions |
|---|---|
| Storage Legacy Bucket Owner | Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: |
| Storage Legacy Bucket Reader | Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: |
| Storage Legacy Bucket Writer | Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: |
| Storage Legacy Object Owner | Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: |
| Storage Legacy Object Reader | Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: |

Cloud Talent Solution roles
| Role | Permissions |
|---|---|
| Admin | Access to Cloud Talent Solution Self-Service Tools. |
| Job Editor | Write access to all job data in Cloud Talent Solution. |
| Job Viewer | Read access to all job data in Cloud Talent Solution. |
| Profile Editor | Write access to all profile data in Cloud Talent Solution. |
| Profile Viewer | Read access to all profile data in Cloud Talent Solution. |

Cloud Tasks roles
| Role | Permissions |
|---|---|
| Cloud Tasks Admin (Beta) | Full access to queues and tasks. |
| Cloud Tasks Enqueuer (Beta) | Access to create tasks. |
| Cloud Tasks Queue Admin (Beta) | Admin access to queues. |
| Cloud Tasks Task Deleter (Beta) | Access to delete tasks. |
| Cloud Tasks Task Runner (Beta) | Access to run tasks. |
| Cloud Tasks Viewer (Beta) | Get and list access to tasks, queues, and locations. |

Cloud TPU roles
| Role | Permissions |
|---|---|
| TPU Admin | Full access to TPU nodes and related resources. |
| TPU Viewer | Read-only access to TPU nodes and related resources. |
| TPU Shared VPC Agent | Can use shared VPC network (XPN) for the TPU VMs. |

Cloud Trace roles
| Role | Permissions |
|---|---|
| Cloud Trace Admin | Provides full access to the Trace console and read-write access to traces. Lowest-level resources where you can grant this role: |
| Cloud Trace Agent | For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. Lowest-level resources where you can grant this role: |
| Cloud Trace User | Provides full access to the Trace console and read access to traces. Lowest-level resources where you can grant this role: |

Cloud Translation roles
| Role | Permissions |
|---|---|
| Cloud Translation API Admin | Full access to all Cloud Translation resources. |
| Cloud Translation API Editor | Editor of all Cloud Translation resources. |
| Cloud Translation API User | User of Cloud Translation and AutoML models. |
| Cloud Translation API Viewer | Viewer of all Translation resources. |

Compute Engine roles
| Role | Permissions |
|---|---|
| Compute Admin | Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the Lowest-level resources where you can grant this role: |
| Compute Image User | Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Lowest-level resources where you can grant this role: |
| Compute Instance Admin (beta) | Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. Lowest-level resources where you can grant this role: |
| Compute Instance Admin (v1) | Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances. |
| Compute Load Balancer Admin (Beta) | Permissions to create, modify, and delete load balancers and associated resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. Lowest-level resources where you can grant this role: |
| Compute Load Balancer Services User (Beta) | Permissions to use services from a load balancer in other projects. |
| Compute Network Admin | Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the Lowest-level resources where you can grant this role: |
| Compute Network User | Provides access to a shared VPC network. Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete or create new networks in the host project. Lowest-level resources where you can grant this role: |
| Compute Network Viewer | Read-only access to all networking resources. For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. Lowest-level resources where you can grant this role: |
| Compute Organization Firewall Policy Admin | Full control of Compute Engine Organization Firewall Policies. |
| Compute Organization Firewall Policy User | View or use Compute Engine Firewall Policies to associate with the organization or folders. |
| Compute Organization Security Policy Admin | Full control of Compute Engine Organization Security Policies. |
| Compute Organization Security Policy User | View or use Compute Engine Security Policies to associate with the organization or folders. |
| Compute Organization Resource Admin | Full control of Compute Engine Firewall Policy associations to the organization or folders. |
| Compute OS Admin Login | Access to log in to a Compute Engine instance as an administrator user. Lowest-level resources where you can grant this role: |
| Compute OS Login | Access to log in to a Compute Engine instance as a standard user. Lowest-level resources where you can grant this role: |
| Compute OS Login External User | Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. Lowest-level resources where you can grant this role: |
| Compute packet mirroring admin | Specify resources to be mirrored. |
| Compute packet mirroring user | Use Compute Engine packet mirrorings. |
| Compute Public IP Admin | Full control of public IP address management for Compute Engine. |
| Compute Security Admin | Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. Lowest-level resources where you can grant this role: |
| Compute Sole Tenant Viewer (Beta) | Permissions to view sole tenancy node groups. |
| Compute Storage Admin | Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. Lowest-level resources where you can grant this role: |
| Compute Viewer | Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. Lowest-level resources where you can grant this role: |
| Compute Shared VPC Admin | Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role ( Lowest-level resources where you can grant this role: |
| GuestPolicy Admin (Beta) | Full admin access to GuestPolicies. |
| GuestPolicy Editor (Beta) | Editor of GuestPolicy resources. |
| GuestPolicy Viewer (Beta) | Viewer of GuestPolicy resources. |
| InstanceOSPoliciesCompliance Viewer (Beta) | Viewer of OS Policies Compliance of VM instances. |
| OS Inventory Viewer | Viewer of OS Inventories. |
| OSPolicyAssignment Admin | Full admin access to OS Policy Assignments. |
| OSPolicyAssignment Editor | Editor of OS Policy Assignments. |
| OSPolicyAssignmentReport Viewer | Viewer of OS policy assignment reports for VM instances. |
| OSPolicyAssignment Viewer | Viewer of OS Policy Assignments. |
| PatchDeployment Admin | Full admin access to PatchDeployments. |
| PatchDeployment Viewer | Viewer of PatchDeployment resources. |
| Patch Job Executor | Access to execute Patch Jobs. |
| Patch Job Viewer | Get and list Patch Jobs. |
| OS VulnerabilityReport Viewer | Viewer of OS VulnerabilityReports. |

Container Analysis roles
| Role | Permissions |
|---|---|
| Container Analysis Admin | Access to all Container Analysis resources. |
| Container Analysis Notes Attacher | Can attach Container Analysis Occurrences to Notes. |
| Container Analysis Notes Editor | Can edit Container Analysis Notes. |
| Container Analysis Occurrences for Notes Viewer | Can view all Container Analysis Occurrences attached to a Note. |
| Container Analysis Notes Viewer | Can view Container Analysis Notes. |
| Container Analysis Occurrences Editor | Can edit Container Analysis Occurrences. |
| Container Analysis Occurrences Viewer | Can view Container Analysis Occurrences. |

Data Catalog roles
| Role | Permissions |
|---|---|
| Data Catalog Admin | Full access to all DataCatalog resources. |
| Policy Tag Admin | Manage taxonomies. |
| Fine-Grained Reader | Read access to sub-resources tagged by a policy tag, for example, BigQuery columns. |
| DataCatalog Data Steward (Beta) | Can update overview and data steward fields. |
| DataCatalog EntryGroup Creator | Can create new entryGroups. |
| DataCatalog entryGroup Owner | Full access to entryGroups. |
| DataCatalog entry Owner | Full access to entries. |
| DataCatalog Entry Viewer | Read access to entries. |
| Data Catalog Tag Editor | Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub. |
| Data Catalog TagTemplate Creator | Access to create new tag templates. |
| Data Catalog TagTemplate Owner | Full access to tag templates. |
| Data Catalog TagTemplate User | Access to use templates to tag resources. |
| Data Catalog TagTemplate Viewer | Read access to templates and tags created using the templates. |
| Data Catalog Viewer | Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub. |

Data Connectors roles
| Role | Permissions |
|---|---|
| Connector Admin (Beta) | Full access to Data Connectors. |
| Connector User (Beta) | Access to use Data Connectors. |

Data Migration roles
| Role | Permissions |
|---|---|
| Database Migration Admin | Full access to all resources of Database Migration. |

Data Pipelines roles
| Role | Permissions |
|---|---|
| Data pipelines Admin | Administrator of Data pipelines resources. |
| Data pipelines Invoker | Invoker of Data pipelines jobs. |
| Data pipelines Viewer | Viewer of Data pipelines resources. |

Dataflow roles
| Role | Permissions |
|---|---|
| Dataflow Admin | Minimal role for creating and managing Dataflow jobs. |
| Dataflow Developer | Provides the permissions necessary to execute and manipulate Dataflow jobs. Lowest-level resources where you can grant this role: |
| Dataflow Viewer | Provides read-only access to all Dataflow-related resources. Lowest-level resources where you can grant this role: |
| Dataflow Worker | Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. Lowest-level resources where you can grant this role: |

Dataform roles
| Role | Permissions |
|---|---|
| Dataform Admin (Beta) | Full access to all Dataform resources. |
| Dataform Editor (Beta) | Edit access to Workspaces and read-only access to Repositories. |
| Dataform Viewer (Beta) | Read-only access to all Dataform resources. |

Dataprep roles
| Role | Permissions |
|---|---|
| Dataprep User (Beta) | Use of Dataprep. |

Dataproc roles
| Role | Permissions |
|---|---|
| Dataproc Administrator | Full control of Dataproc resources. |
| Dataproc Editor | Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: |
| Dataproc Hub Agent | Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances. |
| Dataproc Viewer | Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role: |
| Dataproc Worker | Provides worker access to Dataproc resources. Intended for service accounts. |

Dataproc Metastore roles
| Role | Permissions |
|---|---|
| Dataproc Metastore Admin | Full access to all Dataproc Metastore resources. |
| Dataproc Metastore Editor | Read and write access to all Dataproc Metastore resources. |
| Metastore Federation Accessor | Access to the Metastore Federation resource. |
| Dataproc Metastore Metadata Editor (Beta) | Access to read and modify the metadata of databases and tables under those databases. |
| Dataproc Metastore Metadata Operator | Read-only access to Dataproc Metastore resources with additional metadata operations permission. |
| Dataproc Metastore Data Owner (Beta) | Full access to the metadata of databases and tables under those databases. |
| Dataproc Metastore Metadata User (Beta) | Access to the Dataproc Metastore gRPC endpoint. |
| Dataproc Metastore Metadata Viewer (Beta) | Access to read the metadata of databases and tables under those databases. |
| Dataproc Metastore Viewer | Read-only access to all Dataproc Metastore resources. |

Datastore roles
| Role | Permissions |
|---|---|
| Cloud Datastore Import Export Admin | Provides full access to manage imports and exports. Lowest-level resources where you can grant this role: |
| Cloud Datastore Index Admin | Provides full access to manage index definitions. Lowest-level resources where you can grant this role: |
| Cloud Datastore Key Visualizer Viewer | Full access to Key Visualizer scans. |
| Cloud Datastore Owner | Provides full access to Datastore resources. Lowest-level resources where you can grant this role: |
| Cloud Datastore User | Provides read/write access to data in a Datastore database. Lowest-level resources where you can grant this role: |
| Cloud Datastore Viewer | Provides read access to Datastore resources. Lowest-level resources where you can grant this role: |

DataStream roles
| Role | Permissions |
|---|---|
| Datastream Admin (Beta) | Full access to all Datastream resources. |
| Datastream Viewer (Beta) | Read-only access to all Datastream resources. |

Deployment Manager roles
| Role | Permissions |
|---|---|
| Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: |
| Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: |
| Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: |
| Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: |

Dialogflow roles
| Role | Permissions |
|---|---|
| AAM Admin | An admin has access to all resources and can perform all administrative actions in an AAM project. |
| AAM Conversational Architect | A Conversational Architect can label conversational data, approve taxonomy changes, and design virtual agents for a customer's use cases. |
| AAM Dialog Designer | A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling. |
| AAM Lead Dialog Designer | A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling. |
| AAM Viewer | A user can view the taxonomy and data reports in an AAM project. |
| Dialogflow API Admin | Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control. Lowest-level resources where you can grant this role: |
| Dialogflow API Client | Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role: |
| Dialogflow Console Agent Editor | Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control. Lowest-level resources where you can grant this role: |
| Dialogflow Console Simulator User | Can query Dialogflow suggestions in the simulator in the web console. |
| Dialogflow Console Smart Messaging Allowlist Editor | Can edit the allowlist for smart messaging associated with a conversation model in the Agent Assist console. |
| Dialogflow Conversation Manager | Can manage all the resources related to Dialogflow Conversations. |
| Dialogflow Entity Type Admin | Can read & write entity types. |
| Dialogflow Environment editor | Can read & update an environment and its sub-resources. |
| Dialogflow Flow editor | Can read & update a flow and its sub-resources. |
| Dialogflow Integration Manager | Can add, remove, enable, and disable Dialogflow integrations. |
| Dialogflow Intent Admin | Can read & write intents. |
| Dialogflow API Reader | Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role: |
| Dialogflow Test Case Admin | Can read & write test cases. |
| Dialogflow Webhook Admin | Can read & write webhooks. |

DNS roles
| Role | Permissions |
|---|---|
| DNS Administrator | Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role: |
| DNS Peer | Access to target networks with DNS peering zones. |
| DNS Reader | Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role: |
Document AI roles
| Role | Permissions |
|---|---|
| Document AI Administrator (Beta) | Grants full access to all resources in Document AI. |
| Document AI API User (Beta) | Grants access to process documents in Document AI. |
| Document AI Editor (Beta) | Grants access to use all resources in Document AI. |
| Document AI Viewer (Beta) | Grants access to view all resources and process documents in Document AI. |
Earth Engine roles
| Role | Permissions |
|---|---|
| Earth Engine Resource Admin (Beta) | Full access to all Earth Engine resource features. |
| Earth Engine Apps Publisher (Beta) | Publisher of Earth Engine Apps. |
| Earth Engine Resource Viewer (Beta) | Viewer of all Earth Engine resources. |
| Earth Engine Resource Writer (Beta) | Writer of all Earth Engine resources. |
Edge Container roles
| Role | Permissions |
|---|---|
| Edge Container Admin | Full access to all Edge Container resources. |
| Edge Container Machine User | Access to use Edge Container Machine resources. |
| Edge Container Viewer | Read-only access to all Edge Container resources. |
Endpoints roles
| Role | Permissions |
|---|---|
| Endpoints Portal Admin (Beta) | Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Google Cloud console. On a portal created for an API, provides the permission to change settings on the Site Wide tab of the Settings page. Lowest-level resources where you can grant this role: |
Error Reporting roles
| Role | Permissions |
|---|---|
| Error Reporting Admin (Beta) | Provides full access to Error Reporting data. Lowest-level resources where you can grant this role: |
| Error Reporting User (Beta) | Provides the permissions to read and write Error Reporting data, except for sending new error events. Lowest-level resources where you can grant this role: |
| Error Reporting Viewer (Beta) | Provides read-only access to Error Reporting data. Lowest-level resources where you can grant this role: |
| Error Reporting Writer (Beta) | Provides the permissions to send error events to Error Reporting. Lowest-level resources where you can grant this role: |
Eventarc roles
| Role | Permissions |
|---|---|
| Eventarc Admin | Full control over all Eventarc resources. |
| Eventarc Connection Publisher (Beta) | Can publish events to Eventarc Channel Connections. |
| Eventarc Developer | Access to read and write Eventarc resources. |
| Eventarc Event Receiver | Can receive events from all event providers. |
| Eventarc Publisher (Beta) | Can publish events to Eventarc channels. |
| Eventarc Viewer | Can view the state of all Eventarc resources, including IAM policies. |
Firebase roles
| Role | Permissions |
|---|---|
| Firebase Admin | Full access to Firebase products. |
| Firebase Analytics Admin | Full access to Google Analytics for Firebase. |
| Firebase Analytics Viewer | Read access to Google Analytics for Firebase. |
| Firebase Develop Admin | Full access to Firebase Develop products and Analytics. |
| Firebase Develop Viewer | Read access to Firebase Develop products and Analytics. |
| Firebase Grow Admin | Full access to Firebase Grow products and Analytics. |
| Firebase Grow Viewer | Read access to Firebase Grow products and Analytics. |
| Firebase Quality Admin | Full access to Firebase Quality products and Analytics. |
| Firebase Quality Viewer | Read access to Firebase Quality products and Analytics. |
| Firebase Viewer | Read-only access to Firebase products. |
Firebase Products roles
| Role | Permissions |
|---|---|
| Firebase Remote Config Admin | Full access to Firebase Remote Config resources. |
| Firebase Remote Config Viewer | Read access to Firebase Remote Config resources. |
| Firebase Test Lab Admin | Full access to all Test Lab features. |
| Firebase Test Lab Viewer | Read access to Test Lab features. |
| Firebase A/B Testing Admin (Beta) | Full read/write access to Firebase A/B Testing resources. |
| Firebase A/B Testing Viewer (Beta) | Read-only access to Firebase A/B Testing resources. |
| Firebase App Check Admin | Full management of Firebase App Check. |
| Firebase App Check Viewer | Read-only access to Firebase App Check. |
| Firebase App Distribution Admin | Full read/write access to Firebase App Distribution resources. |
| Firebase App Distribution Viewer | Read-only access to Firebase App Distribution resources. |
| Firebase Authentication Admin | Full read/write access to Firebase Authentication resources. |
| Firebase Authentication Viewer | Read-only access to Firebase Authentication resources. |
| Firebase Crashlytics Admin | Full read/write access to Firebase Crashlytics resources. |
| Firebase Crashlytics Viewer | Read-only access to Firebase Crashlytics resources. |
| Firebase Realtime Database Admin | Full read/write access to Firebase Realtime Database resources. |
| Firebase Realtime Database Viewer | Read-only access to Firebase Realtime Database resources. |
| Firebase Dynamic Links Admin | Full read/write access to Firebase Dynamic Links resources. |
| Firebase Dynamic Links Viewer | Read-only access to Firebase Dynamic Links resources. |
| Firebase Hosting Admin | Full read/write access to Firebase Hosting resources. |
| Firebase Hosting Viewer | Read-only access to Firebase Hosting resources. |
| Firebase In-App Messaging Admin (Beta) | Full read/write access to Firebase In-App Messaging resources. |
| Firebase In-App Messaging Viewer (Beta) | Read-only access to Firebase In-App Messaging resources. |
| Firebase Messaging Campaigns Admin (Beta) | Full management of Firebase Messaging Campaigns. |
| Firebase Messaging Campaigns Viewer (Beta) | Read-only access to Firebase Messaging Campaigns. |
| Firebase ML Kit Admin (Beta) | Full read/write access to Firebase ML Kit resources. |
| Firebase ML Kit Viewer (Beta) | Read-only access to Firebase ML Kit resources. |
| Firebase Cloud Messaging Admin | Full read/write access to Firebase Cloud Messaging resources. |
| Firebase Cloud Messaging Viewer | Read-only access to Firebase Cloud Messaging resources. |
| Firebase Performance Reporting Admin | Full access to Firebase Performance Reporting resources. |
| Firebase Performance Reporting Viewer | Read-only access to Firebase Performance Reporting resources. |
| Firebase Rules Admin | Full management of Firebase Rules. |
| Firebase Rules Viewer | Read-only access to all resources, with the ability to test Rulesets. |
| Cloud Storage for Firebase Admin (Beta) | Full management of Cloud Storage for Firebase. |
| Cloud Storage for Firebase Viewer (Beta) | Read-only access to Cloud Storage for Firebase. |
Fleet Engine roles
| Role | Permissions |
|---|---|
| Fleet Engine Consumer SDK User | Limited read access to Fleet Engine resources. |
| Fleet Engine Delivery Consumer User | Limited read access to Fleet Engine Delivery resources. |
| Fleet Engine Delivery Fleet Reader User | Grants read access to all Fleet Engine Delivery resources. |
| Fleet Engine Delivery Super User | Full access to Fleet Engine DeliveryVehicles and Tasks resources. |
| Fleet Engine Delivery Trusted Driver User | Read and write access to Fleet Engine Delivery resources. |
| Fleet Engine Delivery Untrusted Driver User | Limited write access to Fleet Engine Delivery Vehicle resources. |
| Fleet Engine Driver SDK User | Read and limited update access to Fleet Engine resources. |
| Fleet Engine Service Super User | Full access to all Fleet Engine resources. |
Genomics roles
| Role | Permissions |
|---|---|
| Genomics Admin | Full access to genomics datasets and operations. |
| Genomics Editor | Access to read and edit genomics datasets and operations. |
| Genomics Pipelines Runner | Full access to operate on genomics pipelines. |
| Genomics Viewer | Access to view genomics datasets and operations. |
GKE Hub roles
| Role | Permissions |
|---|---|
| GKE Hub Admin | Full access to GKE Hub resources. |
| GKE Connect Agent | Ability to set up GKE Connect between external clusters and Google. |
| GKE Hub Editor | Edit access to GKE Hub resources. |
| Connect Gateway Admin | Full access to Connect Gateway. |
| Connect Gateway Editor | Edit access to Connect Gateway. |
| Connect Gateway Reader | Read-only access to Connect Gateway. |
| GKE Hub Viewer | Read-only access to GKE Hubs and related resources. |
GKE on-prem roles
| Role | Permissions |
|---|---|
| GKE on-prem Admin | Full access to all GKE on-prem resources. |
| GKE on-prem Viewer | Read-only access to all GKE on-prem resources. |
Google Workspace Add-ons roles
| Role | Permissions |
|---|---|
| Google Workspace Add-ons Developer | Full access to Google Workspace Add-ons resources. |
| Google Workspace Add-ons Reader | Read-only access to Google Workspace Add-ons resources. |
| Google Workspace Add-ons Tester | Test execution access to Google Workspace Add-ons resources. |
Hangouts Chat roles
| Role | Permissions |
|---|---|
| Chat Bots Owner | Can view and modify bot configurations. |
| Chat Bots Viewer | Can view bot configurations. |
IAM roles
| Role | Permissions |
|---|---|
| Deny Admin (Beta) | Deny admin role, with permissions to read and modify deny policies. Lowest-level resources where you can grant this role: |
| Deny Reviewer (Beta) | Deny reviewer role, with permissions to read deny policies. Lowest-level resources where you can grant this role: |
| Security Admin | Security admin role, with permissions to get and set any IAM policy. |
| Security Reviewer | Provides permissions to list all resources and the allow policies on them. |
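Security Admin can rewrite any allow policy and Deny Admin can rewrite deny policies, so holders of those roles (and of the basic Owner role, which also carries setIamPolicy) are the principals to review first. The following is an added example, not code from the Google Cloud documentation: it inverts a project allow policy into a per-principal view and flags every policy-modifying grant, scoring unconditional grants to individual `user:` accounts highest. The policy is constructed sample data shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, and the role IDs in `POLICY_ADMIN_ROLES` are the identifiers I believe correspond to the titles on this page (the extracted page shows titles only); treat them as assumptions and confirm against `gcloud iam roles describe`.

```python
"""Audit a project allow policy for principals who can change IAM policy.

Added example, not from the Google Cloud documentation.
Assumptions (labelled): POLICY_JSON is constructed sample data mimicking
`gcloud projects get-iam-policy PROJECT --format=json`; POLICY_ADMIN_ROLES
maps role IDs that I believe correspond to the titles on this page.
"""
import json

POLICY_ADMIN_ROLES = {
    "roles/owner": "Owner (basic role; includes setIamPolicy)",
    "roles/iam.securityAdmin": "Security Admin (get and set any IAM policy)",
    "roles/iam.denyAdmin": "Deny Admin (read and modify deny policies)",
}

# Constructed sample policy; none of these identities are real.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iam.securityAdmin",
     "members": ["user:alice@example.com", "group:cloud-sec-admins@example.com"]},
    {"role": "roles/iam.securityReviewer",
     "members": ["group:auditors@example.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:deployer@my-proj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.denyAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "break-glass",
                   "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXsampleEtag",
  "version": 3
}
"""


def roles_by_member(policy):
    """Invert bindings into {member: [(role, condition title or None), ...]}."""
    out = {}
    for binding in policy.get("bindings", []):
        cond = binding.get("condition")
        title = cond.get("title") if cond else None
        for member in binding["members"]:
            out.setdefault(member, []).append((binding["role"], title))
    return out


def find_policy_admins(policy):
    """Return (member, role, severity) for every policy-modifying grant.

    Severity heuristic:
      HIGH - unconditional grant to an individual user account
      MED  - unconditional grant to a group or service account
      LOW  - grant carries an IAM condition (for example, time-bound break-glass)
    """
    findings = []
    for member, grants in roles_by_member(policy).items():
        for role, cond_title in grants:
            if role not in POLICY_ADMIN_ROLES:
                continue
            if cond_title is not None:
                severity = "LOW"
            elif member.startswith("user:"):
                severity = "HIGH"
            else:
                severity = "MED"
            findings.append((member, role, severity))
    return sorted(findings)


def audit(policy_json=POLICY_JSON):
    """Parse the policy JSON, print the findings, and return them."""
    findings = find_policy_admins(json.loads(policy_json))
    for member, role, severity in findings:
        print(f"[{severity}] {member} has {role}: {POLICY_ADMIN_ROLES[role]}")
    return findings


if __name__ == "__main__":
    audit()
```

Security Reviewer is deliberately left out of `POLICY_ADMIN_ROLES`: it can list allow policies but not change them, so it is the role to hand to the auditor running this script rather than a finding in itself.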
KRM API Hosting roles
| Role | Permissions |
|---|---|
| Config Controller Admin | Full access to all Config Controller resources. |
| Config Controller Viewer | Read-only access to all Config Controller resources. |
Kubernetes Engine roles
| Role | Permissions |
|---|---|
| Kubernetes Engine Admin | Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role. Lowest-level resources where you can grant this role: |
| Kubernetes Engine Cluster Admin | Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role. Lowest-level resources where you can grant this role: |
| Kubernetes Engine Cluster Viewer | Provides access to get and list GKE clusters. |
| Kubernetes Engine Developer | Provides access to Kubernetes API objects inside clusters. Lowest-level resources where you can grant this role: |
| Kubernetes Engine Host Service Agent User | Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project. |
| Kubernetes Engine Node Service Account | Least-privilege role to use as the service account for GKE nodes. |
| Kubernetes Engine Viewer | Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects. Lowest-level resources where you can grant this role: |
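Two least-privilege checks follow from this table: a principal with Kubernetes Engine Admin or Cluster Admin also needs Service Account User on the node service account before it can attach that account to nodes, and the node service account itself should hold only the Node Service Account role plus the narrow log and metric writer roles, not broad roles such as Editor. The block below is an added example, not code from the page or from Google, that runs both checks over constructed policies shaped like the JSON from `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy`. The role IDs are the identifiers I believe map to the titles on this page (Kubernetes Engine Admin, Kubernetes Engine Cluster Admin, Service Account User, Kubernetes Engine Node Service Account, Logs Writer, Monitoring Metric Writer); the extracted page shows titles only, so verify them with `gcloud iam roles describe`. The baseline set and the storage-admin grant are constructed for the example.

```python
"""GKE least-privilege checks on allow policies (added example, not Google's code).

Assumptions (labelled): role IDs below are my mapping of this page's role titles;
PROJECT_POLICY and NODE_SA_POLICY are constructed sample data.
"""

CLUSTER_CREATOR_ROLES = {"roles/container.admin", "roles/container.clusterAdmin"}
SERVICE_ACCOUNT_USER = "roles/iam.serviceAccountUser"

# Constructed baseline: what a GKE node service account legitimately needs.
NODE_SA_BASELINE = {
    "roles/container.nodeServiceAccount",  # Kubernetes Engine Node Service Account
    "roles/logging.logWriter",             # Logs Writer
    "roles/monitoring.metricWriter",       # Monitoring Metric Writer
}

NODE_SA = "serviceAccount:gke-nodes@my-proj.iam.gserviceaccount.com"

# Constructed project-level allow policy (shape of `gcloud projects get-iam-policy`).
PROJECT_POLICY = {"bindings": [
    {"role": "roles/container.clusterAdmin",
     "members": ["user:carol@example.com", "user:dave@example.com", "user:erin@example.com"]},
    # Project-wide Service Account User lets dave act as every SA in the project.
    {"role": SERVICE_ACCOUNT_USER, "members": ["user:dave@example.com"]},
    {"role": "roles/container.nodeServiceAccount", "members": [NODE_SA]},
    {"role": "roles/logging.logWriter", "members": [NODE_SA]},
    {"role": "roles/monitoring.metricWriter", "members": [NODE_SA]},
    {"role": "roles/storage.admin", "members": [NODE_SA]},  # over-broad, constructed
]}

# Constructed policy on the node SA resource itself (`gcloud iam service-accounts
# get-iam-policy`): the narrower place to grant Service Account User.
NODE_SA_POLICY = {"bindings": [
    {"role": SERVICE_ACCOUNT_USER, "members": ["user:carol@example.com"]},
]}


def roles_of(member, *policies):
    """Union of roles granted to `member` across the given policies."""
    roles = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles


def cluster_admins_missing_sa_user(project_policy, node_sa_policy):
    """Principals who can create clusters but cannot set the node SA on them."""
    missing = set()
    for binding in project_policy["bindings"]:
        if binding["role"] not in CLUSTER_CREATOR_ROLES:
            continue
        for member in binding["members"]:
            if SERVICE_ACCOUNT_USER not in roles_of(member, project_policy, node_sa_policy):
                missing.add(member)
    return sorted(missing)


def project_wide_sa_users(project_policy):
    """Principals holding Service Account User at project level (acts as any SA)."""
    return sorted({m for b in project_policy["bindings"]
                   if b["role"] == SERVICE_ACCOUNT_USER for m in b["members"]})


def node_sa_excess_roles(node_sa, project_policy):
    """Roles on the node SA beyond the least-privilege baseline."""
    return sorted(roles_of(node_sa, project_policy) - NODE_SA_BASELINE)


if __name__ == "__main__":
    print("cluster admins lacking Service Account User:",
          cluster_admins_missing_sa_user(PROJECT_POLICY, NODE_SA_POLICY))
    print("project-wide Service Account User grants:", project_wide_sa_users(PROJECT_POLICY))
    print("excess roles on node SA:", node_sa_excess_roles(NODE_SA, PROJECT_POLICY))
```

In the sample data carol is the model: Service Account User on the one service account she needs, granted on that resource rather than on the project.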
Live Stream roles
| Role | Permissions |
|---|---|
| Live Stream Editor (Beta) | Full access to Live Stream resources. |
| Live Stream Viewer (Beta) | Read access to Live Stream resources. |
Logging roles
| Role | Permissions |
|---|---|
| Logging Admin | Provides all permissions necessary to use all features of Cloud Logging. Lowest-level resources where you can grant this role: |
| Logs Bucket Writer | Ability to write logs to a log bucket. Lowest-level resources where you can grant this role: |
| Logs Configuration Writer | Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Lowest-level resources where you can grant this role: |
| Log Field Accessor | Ability to read restricted fields in a log bucket. Lowest-level resources where you can grant this role: |
| Log Link Accessor (Beta) | Ability to see links for a bucket. |
| Logs Writer | Provides the permissions to write log entries. Lowest-level resources where you can grant this role: |
| Private Logs Viewer | Provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs. Lowest-level resources where you can grant this role: |
| Logs View Accessor | Ability to read logs in a view. Lowest-level resources where you can grant this role: |
| Logs Viewer | Provides access to view logs. Lowest-level resources where you can grant this role: |
Maps API Admin roles
| Role | Permissions |
|---|---|
| Maps API Admin | Read and write all Maps Management and Maps Styles resources. |
| Maps API Viewer | Read all Maps Management and Maps Styles resources. |
Memorystore Memcache roles
| Role | Permissions |
|---|---|
| Cloud Memorystore Memcached Admin | Full access to Memcached instances and related resources. |
| Cloud Memorystore Memcached Editor | Read-write access to Memcached instances and related resources. |
| Cloud Memorystore Memcached Viewer | Read-only access to Memcached instances and related resources. |
Memorystore Redis roles
| Role | Permissions |
|---|---|
| Cloud Memorystore Redis Admin | Full control over all Memorystore for Redis resources. |
| Cloud Memorystore Redis Editor | Manage Memorystore for Redis instances. Can't create or delete instances. |
| Cloud Memorystore Redis Viewer | Read-only access to all Memorystore for Redis resources. |
Mesh Management roles
| Role | Permissions |
|---|---|
| Mesh Config Admin (Beta) | Full access to all mesh configuration resources. |
| Mesh Config Viewer (Beta) | Read access to mesh configuration. |
Migration Center roles
| Role | Permissions |
|---|---|
| Migration Center Admin (Beta) | Full access to all Migration Center resources. |
| Migration Center Viewer (Beta) | Read-only access to all Migration Center resources. |
Monitoring roles
| Role | Permissions |
|---|---|
| Monitoring Admin | Provides the same access as the Monitoring Editor role. Lowest-level resources where you can grant this role: |
| Monitoring AlertPolicy Editor (Beta) | Read/write access to alerting policies. |
| Monitoring AlertPolicy Viewer (Beta) | Read-only access to alerting policies. |
| Monitoring Dashboard Configuration Editor | Read/write access to dashboard configurations. |
| Monitoring Dashboard Configuration Viewer | Read-only access to dashboard configurations. |
| Monitoring Editor | Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: |
| Monitoring Metric Writer | Provides write-only access to metrics. This is exactly the set of permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: |
| Monitoring Metrics Scopes Admin (Beta) | Access to add and remove monitored projects from metrics scopes. |
| Monitoring Metrics Scopes Viewer (Beta) | Read-only access to metrics scopes and their monitored projects. |
| Monitoring NotificationChannel Editor (Beta) | Read/write access to notification channels. |
| Monitoring NotificationChannel Viewer (Beta) | Read-only access to notification channels. |
| Monitoring Services Editor | Read/write access to services. |
| Monitoring Services Viewer | Read-only access to services. |
| Monitoring Uptime Check Configuration Editor (Beta) | Read/write access to uptime check configurations. |
| Monitoring Uptime Check Configuration Viewer (Beta) | Read-only access to uptime check configurations. |
| Monitoring Viewer | Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: |
Network Connectivity roles
| Role | Permissions |
|---|---|
| Hub & Spoke Admin | Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: |
| Hub & Spoke Viewer | Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: |
| Spoke Admin | Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: |
Network Management roles
| Role | Permissions |
|---|---|
| Network Management Admin | Full access to Network Management resources. Lowest-level resources where you can grant this role: |
| Network Management Viewer | Read-only access to Network Management resources. Lowest-level resources where you can grant this role: |
On-Demand Scanning roles
| Role | Permissions |
|---|---|
| On-Demand Scanning Admin (Beta) | All permissions for On-Demand Scanning. |
Ops Config Monitoring roles
| Role | Permissions |
|---|---|
| Ops Config Monitoring Resource Metadata Viewer (Beta) | Read-only access to resource metadata. |
| Ops Config Monitoring Resource Metadata Writer (Beta) | Write-only access to resource metadata. This is exactly the set of permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata. |
Organization Policy roles
| Role | Permissions |
|---|---|
| Access Transparency Admin | Enable Access Transparency for the organization. Lowest-level resources where you can grant this role: |
| Organization Policy Administrator | Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Lowest-level resources where you can grant this role: |
| Organization Policy Viewer | Provides access to view Organization Policies on resources. Lowest-level resources where you can grant this role: |
Other roles
| Role | Permissions |
|---|---|
| Advisory Notifications Viewer (Beta) | Grants view access in Advisory Notifications. |
| Autoscaling Metrics Writer (Beta) | Access to write metrics for the autoscaling site. |
| Autoscaling Recommendations Reader (Beta) | Access to read recommendations from the autoscaling site. |
| Autoscaling Site Admin (Beta) | Full access to all autoscaling site features. |
| Autoscaling State Writer (Beta) | Access to write state for the autoscaling site. |
| Bare Metal Solution Admin | Administrator of Bare Metal Solution resources. |
| Bare Metal Solution Editor | Editor of Bare Metal Solution resources. |
| Bare Metal Solution Instances Admin | Admin of Bare Metal Solution Instance resources. |
| Bare Metal Solution Instances Viewer | Viewer of Bare Metal Solution Instance resources. |
| Luns Admin | Administrator of Bare Metal Solution Lun resources. |
| Luns Viewer | Viewer of Bare Metal Solution Lun resources. |
| Networks Admin | Admin of Bare Metal Solution network resources. |
| NFS Shares Admin | Administrator of Bare Metal Solution NFS Share resources. |
| NFS Shares Editor | Editor of Bare Metal Solution NFS Share resources. |
| NFS Shares Viewer | Viewer of Bare Metal Solution NFS Share resources. |
| Bare Metal Solution Storage Admin | Administrator of Bare Metal Solution storage resources. |
| Bare Metal Solution Viewer | Viewer of Bare Metal Solution resources. |
| Volume Admin | Administrator of Bare Metal Solution volume resources. |
| Volumes Editor | Editor of Bare Metal Solution volume resources. |
| Volumes Viewer | Viewer of Bare Metal Solution volume resources. |
| Batch Agent Reporter (Beta) | Reporter of batch agent states. |
| Batch Job Administrator (Beta) | Administrator of Batch Jobs. |
| Batch Job Viewer (Beta) | Viewer of Batch Jobs, Task Groups, and Tasks. |
| MigrationWorkflow Editor | Editor of EDW migration workflows. |
| Task Orchestrator | Orchestrator of EDW migration tasks. |
| Migration Translation User | User of the EDW migration SQL translation service. |
| MigrationWorkflow Viewer | Viewer of EDW migration MigrationWorkflow resources. |
| Task Worker | Worker that executes EDW migration subtasks. |
| Carbon Footprint Viewer | |
| Care Studio Patients Viewer | This role can view all properties of Patients. |
| Chronicle Service Admin | Admins can view and modify Chronicle service details. |
| Chronicle Service Viewer | Viewers can see Chronicle service details but not change them. |
| Cloud Optimization AI Admin (Beta) | Administrator of Cloud Optimization AI resources. |
| Cloud Optimization AI Editor (Beta) | Editor of Cloud Optimization AI resources. |
| Cloud Optimization AI Viewer (Beta) | Viewer of Cloud Optimization AI resources. |
| Contact Center AI Platform Admin | Full access to Contact Center AI Platform resources. |
| Contact Center AI Platform Viewer | Read-only access to Contact Center AI Platform resources. |
| Contact Center AI Insights editor (Beta) | Grants read and write access to all Contact Center AI Insights resources. |
| Contact Center AI Insights viewer (Beta) | Grants read access to all Contact Center AI Insights resources. |
| GKE Security Posture Viewer (Beta) | Read-only access to GKE Security Posture resources. |
| Content Warehouse Admin (Beta) | Grants full access to all resources in Content Warehouse. |
| Content Warehouse Document Admin (Beta) | Grants full access to the document resource in Content Warehouse. |
| Content Warehouse document creator (Beta) | Grants access to create documents in Content Warehouse. |
| Content Warehouse Document Editor (Beta) | Grants access to update the document resource in Content Warehouse. |
| Content Warehouse document schema viewer (Beta) | Grants access to view the document schemas in Content Warehouse. |
| Content Warehouse Viewer (Beta) | Grants access to view all resources in Content Warehouse. |
| Data Processing Controls Resource Admin | Data processing controls admin who can fully manage data processing controls settings and view all data source data. |
| Data Processing Controls Data Source Manager | Data processing controls data source manager who can get, list, and update the underlying data. |
| Early Access Center Administrator | Grants full access to the Early Access Center, including all DATA_READ and DATA_WRITE permissions and the ability to enroll in Early Access Campaigns. |
| Early Access Center Viewer | Grants view access to the Early Access Center, including all DATA_READ but no DATA_WRITE permissions. |
| Essential Contacts Admin | Full access to all essential contacts. |
| Essential Contacts Viewer | Viewer of all essential contacts. |
| Firebase Cloud Messaging API Admin (Beta) | Full read/write access to Firebase Cloud Messaging API resources. |
| Firebase Crash Symbol Uploader | Full read/write access to symbol mapping file resources for Firebase Crash Reporting. |
| Identity Platform Admin (Beta) | Full access to Identity Platform resources. |
| Identity Platform Viewer (Beta) | Read access to Identity Platform resources. |
| Identity Toolkit Admin | Full access to Identity Toolkit resources. |
| Identity Toolkit Viewer | Read access to Identity Toolkit resources. |
| Apigee Integration Admin | A user that has full access to all Apigee integrations. |
| Apigee Integration Deployer | A developer that can deploy and undeploy Apigee integrations to the integration runtime. |
| Apigee Integration Editor | A developer that can list, create, and update Apigee integrations. |
| Apigee Integration Invoker | A role that can invoke Apigee integrations. |
| Apigee Integration Viewer | A developer that can list and view Apigee integrations. |
| Apigee Integration Approver | A role that can approve or reject Apigee integrations that contain a suspension/wait task. |
| Certificate Viewer | A developer that can list and view certificates. |
| Application Integration Admin | A user that has full access (CRUD) to all integrations. |
| Application Integration Deployer | A developer that can deploy and undeploy integrations to the integration runtime. |
| Application Integration Editor | A developer that can list, create, and update integrations. |
| Application Integration Invoker | A role that can invoke integrations. |
| Application Integration Viewer | A developer that can list and view integrations. |
| Security Integration Admin (Beta) | A user that has full access to all Security integrations. |
| Application Integration SFDC Instance Admin | A user that has full access (CRUD) to all SFDC instances. |
| Application Integration SFDC Instance Editor | A developer that can list, create, and update integrations. |
| Application Integration SFDC Instance Viewer | A developer that can list and view SFDC instances. |
| Application Integration Approver | A role that can resolve suspended integrations. |
| Issuerswitch Admin (Beta) | Access to all issuer switch roles. |
| Issuerswitch Resolutions Admin (Beta) | Full access to issuer switch resolutions. |
| Issuerswitch Rules Admin (Beta) | Full access to issuer switch rules. |
| Issuerswitch Rules Viewer (Beta) | This role can view rules and related metadata. |
| Issuerswitch Transactions Viewer (Beta) | This role can view all transactions. |
| OAuth Config Editor (Beta) | Read/write access to OAuth config resources. |
| OAuth Config Viewer (Beta) | Read-only access to OAuth config resources. |
| Payments Reseller Admin (Beta) | Full access to all Payments Reseller resources, including subscriptions, products, and promotions. |
| Payments Reseller Viewer (Beta) | Read access to all Payments Reseller resources, including subscriptions, products, and promotions. |
| Payments Reseller Products Viewer (Beta) | Read access to the Payments Reseller Product resource. |
| Payments Reseller Promotions Viewer (Beta) | Read access to the Payments Reseller Promotion resource. |
| Payments Reseller Subscriptions Editor (Beta) | Write access to the Payments Reseller Subscription resource. |
| Payments Reseller Subscriptions Viewer (Beta) | Read access to the Payments Reseller Subscription resource. |
| Activity Analysis Viewer (Beta) | Viewer user that can read all activity analysis. |
| Simulator Admin (Beta) | Admin user that can run and access replays. |
| Recommendations Exporter (Beta) | Exporter of Recommendations. |
| Remote Build Execution Action Cache Writer (Beta) | Remote Build Execution Action Cache Writer. |
| Remote Build Execution Artifact Admin (Beta) | Remote Build Execution Artifact Admin. |
| Remote Build Execution Artifact Creator (Beta) | Remote Build Execution Artifact Creator. |
| Remote Build Execution Artifact Viewer (Beta) | Remote Build Execution Artifact Viewer. |
| Remote Build Execution Configuration Admin (Beta) | Remote Build Execution Configuration Admin. |
| Remote Build Execution Configuration Viewer (Beta) | Remote Build Execution Configuration Viewer. |
| Remote Build Execution Logstream Writer (Beta) | Remote Build Execution Logstream Writer. |
| Remote Build Execution Reservation Admin (Beta) | Remote Build Execution Reservation Admin. |
| Remote Build Execution Worker (Beta) | Remote Build Execution Worker. |
| Retail Admin | Full access to Retail API resources. |
| Retail Editor | Full access to Retail API resources except purge, rejoin, and setSponsorship. |
| Retail Viewer | Grants access to read all resources in Retail. |
| Cloud RuntimeConfig Admin | Full access to RuntimeConfig resources. |
| SLZ BQDW Blueprint Organization Level Remediator (Beta) | Access to modify (remediate) resources in the SLZ BQDW Blueprint at the organization level. |
| SLZ BQDW Blueprint Project Level Remediator (Beta) | Access to modify (remediate) resources in the SLZ BQDW Blueprint at the project level. |
| Overwatch Activator (Beta) | This role can activate or suspend Overwatches. |
| Overwatch Admin (Beta) | Full access to Overwatches. |
| Overwatch Viewer (Beta) | This role can view all properties of Overwatches. |
| Security Insights Viewer (Beta) | Read-only access to Security Insights resources. |
| Cloud Speech Administrator | Grants full access to all resources in Speech-to-Text. |
| Cloud Speech Client | Grants access to the recognition APIs. |
| Cloud Speech Editor | Grants access to edit resources in Speech-to-Text. |
| Subscribe with Google Developer (Beta) | Access to DevTools for Subscribe with Google. |
| Timeseries Insights DataSet Editor (Beta) | Edit access to DataSets. |
| Timeseries Insights DataSet Owner (Beta) | Full access to DataSets. |
| Timeseries Insights DataSet Viewer (Beta) | Read-only access (List and Query) to DataSets. |
| Traffic Director Client (Beta) | Fetch service configurations and report metrics. |
| Translation Hub Admin (Beta) | Admin of Translation Hub. |
| Translation Hub Portal User (Beta) | Portal user of Translation Hub. |
| Visual Inspection AI Solution Editor | Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics. |
| Visual Inspection AI Usage Metrics Reporter | ReportUsageMetrics access to the Visual Inspection AI service. |
| Visual Inspection AI Viewer | Read access to Visual Inspection AI resources. |
Project roles
| Role | Permissions |
|---|---|
| Browser | Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project. Lowest-level resources where you can grant this role: |
Proximity Beacon roles
| Role | Permissions |
|---|---|
| Beacon Attachment Editor | Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces. |
| Beacon Attachment Publisher | Grants the permissions necessary to use beacons to create attachments in namespaces not owned by this project. |
| Beacon Attachment Viewer | Can view all attachments under a namespace; no beacon or namespace permissions. |
| Beacon Editor | Necessary access to register, modify, and view beacons; no attachment or namespace permissions. |
Pub/Sub roles
| Role | Permissions |
|---|---|
| Pub/Sub Admin | Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role: |
| Pub/Sub Editor | Provides access to modify topics and subscriptions, and access to publish and consume messages. Lowest-level resources where you can grant this role: |
| Pub/Sub Publisher | Provides access to publish messages to a topic. Lowest-level resources where you can grant this role: |
| Pub/Sub Subscriber | Provides access to consume messages from a subscription and to attach subscriptions to a topic. Lowest-level resources where you can grant this role: |
| Pub/Sub Viewer | Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role: |
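The Pub/Sub table is the usual least-privilege decision in miniature: a producer needs only Publisher, a consumer only Subscriber, and Editor is the role people reach for by habit even though it also allows creating and deleting topics and subscriptions. The page's introduction says `gcloud iam roles describe ROLE` lists a role's permissions; the block below is an added example, not code from the page or from Google, that parses the YAML that command prints for several roles at once, then picks the smallest role whose permission set covers what a workload actually needs and reports what the larger role would have handed over for free. `ROLE_DUMPS` is constructed, abridged sample output with the role IDs and permission names I believe are correct; it is not a verbatim dump, so regenerate it from your project (for example `for r in publisher subscriber viewer editor admin; do gcloud iam roles describe roles/pubsub.$r; echo ---; done`) before relying on the result.

```python
"""Choose the narrowest Pub/Sub role for a required permission set.

Added example, not Google's code. Assumption (labelled): ROLE_DUMPS is
constructed, abridged `gcloud iam roles describe` output for five Pub/Sub roles.
"""

ROLE_DUMPS = """\
---
includedPermissions:
- pubsub.topics.publish
name: roles/pubsub.publisher
stage: GA
title: Pub/Sub Publisher
---
includedPermissions:
- pubsub.snapshots.seek
- pubsub.subscriptions.consume
- pubsub.topics.attachSubscription
name: roles/pubsub.subscriber
stage: GA
title: Pub/Sub Subscriber
---
includedPermissions:
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.topics.get
- pubsub.topics.list
name: roles/pubsub.viewer
stage: GA
title: Pub/Sub Viewer
---
includedPermissions:
- pubsub.snapshots.seek
- pubsub.subscriptions.consume
- pubsub.subscriptions.create
- pubsub.subscriptions.delete
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.subscriptions.update
- pubsub.topics.attachSubscription
- pubsub.topics.create
- pubsub.topics.delete
- pubsub.topics.get
- pubsub.topics.list
- pubsub.topics.publish
- pubsub.topics.update
name: roles/pubsub.editor
stage: GA
title: Pub/Sub Editor
---
includedPermissions:
- pubsub.snapshots.seek
- pubsub.subscriptions.consume
- pubsub.subscriptions.create
- pubsub.subscriptions.delete
- pubsub.subscriptions.get
- pubsub.subscriptions.getIamPolicy
- pubsub.subscriptions.list
- pubsub.subscriptions.setIamPolicy
- pubsub.subscriptions.update
- pubsub.topics.attachSubscription
- pubsub.topics.create
- pubsub.topics.delete
- pubsub.topics.get
- pubsub.topics.getIamPolicy
- pubsub.topics.list
- pubsub.topics.publish
- pubsub.topics.setIamPolicy
- pubsub.topics.update
name: roles/pubsub.admin
stage: GA
title: Pub/Sub Admin
"""


def parse_role_dumps(text):
    """Parse concatenated `gcloud iam roles describe` YAML into {role_id: info}.

    Minimal line-based parser: `key: value` lines become metadata and the
    `- item` lines under `includedPermissions:` become the permission set.
    """
    roles = {}
    for chunk in text.split("---"):
        perms, meta, in_list = [], {}, False
        for line in chunk.splitlines():
            if not line.strip():
                continue
            if line.startswith("- ") and in_list:
                perms.append(line[2:].strip())
            elif ":" in line:
                key, _, value = line.partition(":")
                in_list = key.strip() == "includedPermissions"
                if not in_list:
                    meta[key.strip()] = value.strip()
        if "name" in meta:
            roles[meta["name"]] = {"title": meta.get("title"), "stage": meta.get("stage"),
                                   "permissions": frozenset(perms)}
    return roles


def narrowest_role(required, roles):
    """Role with the fewest permissions that still covers `required`, or None."""
    required = frozenset(required)
    candidates = [(len(info["permissions"]), name)
                  for name, info in roles.items() if required <= info["permissions"]]
    return min(candidates)[1] if candidates else None


def excess_permissions(required, role_name, roles):
    """Permissions `role_name` grants beyond what the workload needs."""
    return sorted(roles[role_name]["permissions"] - frozenset(required))


if __name__ == "__main__":
    roles = parse_role_dumps(ROLE_DUMPS)
    need = {"pubsub.topics.publish"}  # a producer that only publishes
    best = narrowest_role(need, roles)
    print(f"narrowest role: {best} ({roles[best]['title']})")
    print("Editor would additionally grant:", excess_permissions(need, "roles/pubsub.editor", roles))
```

A workload that both publishes and consumes has no single predefined role narrower than Editor in this set; the least-privilege answer there is two bindings, Publisher on the topic and Subscriber on the subscription, rather than one Editor grant at project level.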
Pub/Sub Lite roles
| Role | Permissions |
|---|---|
| Pub/Sub Lite Admin | Full access to topics, subscriptions, and reservations. |
| Pub/Sub Lite Editor | Modify topics, subscriptions, and reservations; publish and consume messages. |
| Pub/Sub Lite Publisher | Publish messages to a topic. |
| Pub/Sub Lite Subscriber | Subscribe to and read messages from a topic. |
| Pub/Sub Lite Viewer | View topics, subscriptions, and reservations. |
Rapid Migration Assessment roles
| Role | Permissions |
|---|---|
| Rapid Migration Assessment Admin (Beta) | Full access to all Rapid Migration Assessment resources. |
| Rapid Migration Assessment Runner (Beta) | Update and read access to all Rapid Migration Assessment resources. |
| Rapid Migration Assessment Viewer (Beta) | Read-only access to all Rapid Migration Assessment resources. |
reCAPTCHA Enterprise roles
| Role | Permissions |
|---|---|
| reCAPTCHA Enterprise Admin (Beta) | Access to view and modify reCAPTCHA Enterprise keys |
| reCAPTCHA Enterprise Agent (Beta) | Access to create and annotate reCAPTCHA Enterprise assessments |
| reCAPTCHA Enterprise Viewer (Beta) | Access to view reCAPTCHA Enterprise keys and metrics |
Recommendations AI roles
| Role | Permissions |
|---|---|
| Recommendations AI Admin (Beta) | Full access to all Recommendations AI resources. |
| Recommendations AI Admin Viewer (Beta) | Viewer of all Recommendations AI resources. |
| Recommendations AI Editor (Beta) | Editor of all Recommendations AI resources. |
| Recommendations AI Viewer (Beta) | Viewer of all Recommendations AI resources except |
Recommender roles
| Role | Permissions |
|---|---|
| BigQuery Slot Recommender Admin (Beta) | Admin of BigQuery Capacity Commitments insights and recommendations. |
| BigQuery Recommender Billing Account Admin (Beta) | Billing Account Admin of BigQuery Capacity Commitments insights and recommendations. |
| BigQuery Recommender Billing Account Viewer (Beta) | Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations. |
| BigQuery Recommender Project Admin (Beta) | Project Admin of BigQuery Capacity Commitments insights and recommendations. |
| BigQuery Recommender Project Viewer (Beta) | Project Viewer of BigQuery Capacity Commitments insights and recommendations. |
| BigQuery Slot Recommender Viewer (Beta) | Viewer of BigQuery Capacity Commitments insights and recommendations. |
| Billing Account Usage Commitment Recommender Admin (Beta) | Admin of Billing Account Usage Commitment Recommender. |
| Billing Account Usage Commitment Recommender Viewer (Beta) | Viewer of Billing Account Usage Commitment Recommender. |
| Cloud Asset Insights Admin | Admin of all Cloud Asset insights. |
| Cloud Asset Insights Viewer | Viewer of all Cloud Asset insights. |
| Cloud SQL Recommender Admin (Beta) | Admin of Cloud SQL insights and recommendations. |
| Cloud SQL Recommender Viewer (Beta) | Viewer of Cloud SQL insights and recommendations. |
| Compute Recommender Admin | Admin of compute recommendations. |
| Compute Recommender Viewer | Viewer of compute recommendations. |
| GKE Diagnosis Recommender Admin (Beta) | Admin of GKE Diagnosis insights and recommendations. |
| GKE Diagnosis Recommender Viewer (Beta) | Viewer of GKE Diagnosis insights and recommendations. |
| Dataflow Diagnostics Admin | Admin of Diagnostics recommendations. |
| Dataflow Diagnostics Viewer | Viewer of Diagnostics recommendations. |
| Error Reporting Recommender Admin | Admin of Error Reporting insights and recommendations. |
| Error Reporting Recommender Viewer | Viewer of Error Reporting insights and recommendations. |
| Firewall Recommender Admin | Admin of Firewall insights and recommendations. |
| Firewall Recommender Viewer | Viewer of Firewall insights and recommendations. |
| Google Maps Platform Insights/Recommendations Admin | Admin of all Google Maps Platform insights and recommendations. |
| Google Maps Platform Insights/Recommendations Viewer | Viewer of all Google Maps Platform insights and recommendations. |
| IAM Recommender Admin | Admin of IAM recommendations. |
| IAM Recommender Viewer | Viewer of IAM recommendations. |
| Network Analyzer Recommender Admin (Alpha) | Admin of Network Analyzer insights and recommendations. |
| Network Analyzer Cloud SQL Recommender Admin (Alpha) | Admin of Network Analyzer Cloud SQL insights and recommendations. |
| Network Analyzer Cloud SQL Recommender Viewer (Alpha) | Viewer of Network Analyzer Cloud SQL insights and recommendations. |
| Network Analyzer Dynamic Route Recommender Admin (Alpha) | Admin of Network Analyzer Dynamic Route insights and recommendations. |
| Network Analyzer Dynamic Route Recommender Viewer (Alpha) | Viewer of Network Analyzer Dynamic Route insights and recommendations. |
| Network Analyzer GKE Connectivity Recommender Admin (Alpha) | Admin of Network Analyzer GKE Connectivity insights and recommendations. |
| Network Analyzer GKE Connectivity Recommender Viewer (Alpha) | Viewer of Network Analyzer GKE Connectivity insights and recommendations. |
| Network Analyzer GKE IP Address Recommender Admin (Alpha) | Admin of Network Analyzer GKE IP Address insights and recommendations. |
| Network Analyzer GKE IP Address Recommender Viewer (Alpha) | Viewer of Network Analyzer GKE IP Address insights and recommendations. |
| Network Analyzer IP Address Recommender Admin (Alpha) | Admin of Network Analyzer IP Address insights and recommendations. |
| Network Analyzer IP Address Recommender Viewer (Alpha) | Viewer of Network Analyzer IP Address insights and recommendations. |
| Network Analyzer Load Balancer Recommender Admin (Beta) | Admin of Network Analyzer Load Balancer insights and recommendations. |
| Network Analyzer Load Balancer Recommender Viewer (Beta) | Viewer of Network Analyzer Load Balancer insights and recommendations. |
| Network Analyzer Recommender Viewer (Beta) | Viewer of Network Analyzer insights and recommendations. |
| Network Analyzer VPC Connectivity Recommender Admin (Beta) | Admin of Network Analyzer VPC Connectivity insights and recommendations. |
| Network Analyzer VPC Connectivity Recommender Viewer (Beta) | Viewer of Network Analyzer VPC Connectivity insights and recommendations. |
| Product Suggestion Recommenders Admin (Beta) | Admin of all Product Suggestion insights and recommendations. |
| Product Suggestion Recommenders Viewer (Beta) | Viewer of all Product Suggestion insights and recommendations. |
| Project Usage Commitment Recommender Admin (Beta) | Admin of Project Usage Commitment Recommender. |
| Project Usage Commitment Recommender Viewer (Beta) | Viewer of Project Usage Commitment Recommender. |
| Project Utilization Recommender Admin | Admin of Project Utilization insights and recommendations. |
| Project Utilization Recommender Viewer | Viewer of Project Utilization insights and recommendations. |
| Spend Based Commitment Recommender Admin (Beta) | Admin of Spend Based Commitment Recommender. |
| Spend Based Commitment Recommender Viewer (Beta) | Viewer of Spend Based Commitment Recommender. |
Resource Manager roles
| Role | Permissions |
|---|---|
| Folder Admin | Provides all available permissions for working with folders. Lowest-level resources where you can grant this role: |
| Folder Creator | Provides permissions needed to browse the hierarchy and create folders. Lowest-level resources where you can grant this role: |
| Folder Editor | Provides permission to modify folders as well as to view a folder's allow policy. Lowest-level resources where you can grant this role: |
| Folder IAM Admin | Provides permissions to administer allow policies on folders. Lowest-level resources where you can grant this role: |
| Folder Mover | Provides permission to move projects and folders into and out of a parent organization or folder. Lowest-level resources where you can grant this role: |
| Folder Viewer | Provides permission to get a folder and list the folders and projects below a resource. Lowest-level resources where you can grant this role: |
| Project Lien Modifier | Provides access to modify Liens on projects. Lowest-level resources where you can grant this role: |
| Organization Administrator | Access to manage IAM policies and view organization policies for organizations, folders, and projects. Lowest-level resources where you can grant this role: |
| Organization Viewer | Provides access to view an organization. Lowest-level resources where you can grant this role: |
| Project Creator | Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Lowest-level resources where you can grant this role: |
| Project Deleter | Provides access to delete Google Cloud projects. Lowest-level resources where you can grant this role: |
| Project IAM Admin | Provides permissions to administer allow policies on projects. Lowest-level resources where you can grant this role: |
| Project Mover | Provides access to update and move projects. Lowest-level resources where you can grant this role: |
| Tag Administrator | Access to create, delete, update, and manage access to Tags |
| Tag Hold Administrator | Access to create, delete and list TagHolds under a TagValue |
| Tag User | Access to list Tags and manage their associations with resources |
| Tag Viewer | Access to list Tags and their associations with resources |
Resource Settings roles
| Role | Permissions |
|---|---|
| Resource Settings Administrator | Provides admin capabilities to set Resource Setting Values on resources. Lowest-level resources where you can grant this role: |
| Resource Settings Viewer | Provides capabilities to view Resource Settings and Resource Setting Values on resources. |
Risk Manager roles
| Role | Permissions |
|---|---|
| Risk Manager Admin (Beta) | Grants all Risk Manager permissions |
| Risk Manager Editor (Beta) | Access to edit Risk Manager resources |
| Risk Manager Report Reviewer (Beta) | Access to review Risk Manager reports |
| Risk Manager Viewer (Beta) | Access to view Risk Manager resources |
Roles roles
| Role | Permissions |
|---|---|
| Organization Role Administrator | Provides access to administer all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role: |
| Organization Role Viewer | Provides read access to all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role: |
| Role Administrator | Provides access to all custom roles in the project. Lowest-level resources where you can grant this role: |
| Role Viewer | Provides read access to all custom roles in the project. Lowest-level resources where you can grant this role: |
Secret Manager roles
| Role | Permissions |
|---|---|
| Secret Manager Admin | Full access to administer Secret Manager resources. Lowest-level resources where you can grant this role: |
| Secret Manager Secret Accessor | Allows accessing the payload of secrets. Lowest-level resources where you can grant this role: |
| Secret Manager Secret Version Adder | Allows adding versions to existing secrets. Lowest-level resources where you can grant this role: |
| Secret Manager Secret Version Manager | Allows creating and managing versions of existing secrets. Lowest-level resources where you can grant this role: |
| Secret Manager Viewer | Allows viewing metadata of all Secret Manager resources. Lowest-level resources where you can grant this role: |
Security Center roles
| Role | Permissions |
|---|---|
| Security Center Admin | Admin (super user) access to Security Center. Lowest-level resources where you can grant this role: |
| Security Center Admin Editor | Admin read-write access to Security Center. Lowest-level resources where you can grant this role: |
| Security Center Admin Viewer | Admin read access to Security Center. Lowest-level resources where you can grant this role: |
| Security Center Asset Security Marks Writer | Write access to asset security marks. Lowest-level resources where you can grant this role: |
| Security Center Assets Discovery Runner | Run asset discovery access to assets. Lowest-level resources where you can grant this role: |
| Security Center Assets Viewer | Read access to assets. Lowest-level resources where you can grant this role: |
| Security Center BigQuery Exports Editor | Read-write access to Security Center BigQuery Exports |
| Security Center BigQuery Exports Viewer | Read access to Security Center BigQuery Exports |
| Security Center External Systems Editor | Write access to Security Center external systems |
| Security Center Finding Security Marks Writer | Write access to finding security marks. Lowest-level resources where you can grant this role: |
| Security Center Findings Bulk Mute Editor | Ability to mute findings in bulk |
| Security Center Findings Editor | Read-write access to findings. Lowest-level resources where you can grant this role: |
| Security Center Findings Mute Setter | Set mute access to findings |
| Security Center Findings State Setter | Set state access to findings. Lowest-level resources where you can grant this role: |
| Security Center Findings Viewer | Read access to findings. Lowest-level resources where you can grant this role: |
| Security Center Findings Workflow State Setter (Beta) | Set workflow state access to findings. Lowest-level resources where you can grant this role: |
| Security Center Mute Configurations Editor | Read-write access to Security Center mute configurations |
| Security Center Mute Configurations Viewer | Read access to Security Center mute configurations |
| Security Center Notification Configurations Editor | Write access to notification configurations. Lowest-level resources where you can grant this role: |
| Security Center Notification Configurations Viewer | Read access to notification configurations. Lowest-level resources where you can grant this role: |
| Security Center Settings Admin | Admin (super user) access to Security Center settings. Lowest-level resources where you can grant this role: |
| Security Center Settings Editor | Read-write access to Security Center settings. Lowest-level resources where you can grant this role: |
| Security Center Settings Viewer | Read access to Security Center settings. Lowest-level resources where you can grant this role: |
| Security Center Sources Admin | Admin access to sources. Lowest-level resources where you can grant this role: |
| Security Center Sources Editor | Read-write access to sources. Lowest-level resources where you can grant this role: |
| Security Center Sources Viewer | Read access to sources. Lowest-level resources where you can grant this role: |
Serverless VPC Access roles
| Role | Permissions |
|---|---|
| Serverless VPC Access Admin | Full access to all Serverless VPC Access resources |
| Serverless VPC Access User | User of Serverless VPC Access connectors |
| Serverless VPC Access Viewer | Viewer of all Serverless VPC Access resources |
Service Accounts roles
| Role | Permissions |
|---|---|
| Service Account Admin | Create and manage service accounts. Lowest-level resources where you can grant this role: |
| Create Service Accounts | Access to create service accounts. |
| Delete Service Accounts | Access to delete service accounts. |
| Service Account Key Admin | Create and manage (and rotate) service account keys. Lowest-level resources where you can grant this role: |
| Service Account OpenID Connect Identity Token Creator | Create OpenID Connect (OIDC) identity tokens |
| Service Account Token Creator | Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.). Lowest-level resources where you can grant this role: |
| Service Account User | Run operations as the service account. Lowest-level resources where you can grant this role: |
| View Service Accounts | Read access to service accounts, metadata, and keys. |
| Workload Identity User | Impersonate service accounts from GKE Workloads |
Service Agents roles
| Role | Permissions |
|---|---|
| Vertex AI Custom Code Service Agent | Gives Vertex AI Custom Code the proper permissions. |
| Vertex AI Service Agent | Gives Vertex AI the permissions it needs to function. |
| AlloyDB Service Agent | Gives the AlloyDB service account permission to manage customer resources |
| Anthos Service Agent | Gives the Anthos service agent access to Google Cloud resources. |
| Anthos Audit Service Agent | Gives the Anthos Audit service agent access to Cloud Platform resources. |
| Anthos Config Management Service Agent | Gives the Anthos Config Management service agent access to Google Cloud resources. |
| Anthos Identity Service Agent | Gives the Anthos Identity service agent access to Google Cloud resources. |
| Anthos Service Mesh Service Agent | Gives the Anthos Service Mesh service agent access to Cloud Platform resources. |
| Anthos Support Service Agent | Gives the Anthos Support service agent access to Cloud Platform resources. |
| Cloud API Gateway Service Agent | Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts. |
| Cloud API Gateway Management Service Agent | Gives Cloud API Gateway service account access to retrieve a Service configuration. |
| Apigee Service Agent | Service agent that grants access to Apigee resources: API Products, Developers, Developer Apps, and App Keys. |
| App Development Experience Service Agent | Gives the App Development Experience service agent access to Cloud Platform resources. |
| App Engine Standard Environment Service Agent | Gives App Engine Standard Environment service account access to managed resources. Includes access to service accounts. |
| App Engine flexible environment Service Agent | Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts. |
| Artifact Registry Service Agent | Gives the Artifact Registry service account access to managed resources. |
| Assured Workloads Service Agent | Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads. |
| AutoML Service Agent | AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable. |
| Recommendations AI Service Agent | Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects. |
| Google Batch Service Agent | Gives Google Batch account access to manage customer resources. |
| BigQuery Connection Service Agent | Gives BigQuery Connection Service access to Cloud SQL instances in user projects. |
| BigQuery Data Transfer Service Agent | Gives BigQuery Data Transfer Service access to start BigQuery jobs in the consumer project. |
| Binary Authorization Service Agent | Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures. |
| Cloud Asset Service Agent | Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed. |
| Cloud Build Service Agent | Gives Cloud Build service account access to managed resources. |
| Cloud Deploy Service Agent | Gives Cloud Deploy Service Account access to managed resources. |
| Cloud Functions Service Agent | Gives Cloud Functions service account access to managed resources. |
| Cloud IoT Core Service Agent | Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs. |
| Cloud KMS Service Agent | Gives Cloud KMS service account access to managed resources. |
| Cloud Optimization Service Agent | Grants Cloud Optimization Service Account access to read and write data in the user project. |
| Cloud Scheduler Service Agent | Grants Cloud Scheduler Service Account access to manage resources. |
| Cloud SQL Service Agent | Grants Cloud SQL access to services and APIs in the user project |
| Cloud Tasks Service Agent | Grants Cloud Tasks Service Account access to manage resources. |
| Cloud TPU V2 API Service Agent | Gives Cloud TPUs service account access to managed resources |
| Cloud Translation API Service Agent | Gives Cloud Translation Service Account access to consumer resources. |
| Compliance Scanning Service Agent | Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API |
| Cloud Composer API Service Agent | Cloud Composer API service agent can manage environments. |
| Compute Engine Service Agent | Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts. |
| Contact Center AI Insights Service Agent | Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage. |
| Kubernetes Engine Node Service Agent | Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls. |
| Kubernetes Engine Service Agent | Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts. |
| Container Analysis Service Agent | Gives Container Analysis API the access it needs to function |
| Container Registry Service Agent | Access for Container Registry |
| Container Scanner Service Agent | Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API |
| Container Threat Detection Service Agent | Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters. |
| Content Warehouse Service Agent | Gives the Content Warehouse service account access to manage customer resources |
| Data Connectors Service Agent | Gives Data Connectors service agent permission to access the virtual private cloud |
| Cloud Dataflow Service Agent | Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts. |
| Dataform Service Agent | Gives permission for the Dataform API to access a secret from Secret Manager |
| Cloud Data Fusion API Service Agent | Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources. |
| Data Labeling Service Agent | Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service. |
| Datapipelines Service Agent | Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project. |
| Cloud Dataplex Service Agent | Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management. |
| Dataprep Service Agent | Dataprep service identity. Includes access to service accounts. |
| Dataproc Service Agent | Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and Kubernetes resources. Includes access to service accounts. |
| Data Studio Service Agent | Grants Data Studio Service Account access to manage resources. |
| Dialogflow Service Agent | Gives Dialogflow Service Account access to resources on behalf of the user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.). |
| DLP API Service Agent | Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS. |
| DocumentAI Core Service Agent | Gives DocumentAI Core Service Account access to consumer resources. |
| Cloud Endpoints Service Agent | Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller. |
| Endpoints Portal Service Agent | Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content. |
| Enterprise Knowledge Graph Service Agent | Gives Enterprise Knowledge Graph Service Account access to consumer resources. |
| Eventarc Service Agent | Gives Eventarc service account access to managed resources. |
| Cloud Filestore Service Agent | Gives Cloud Filestore service account access to managed resources. |
| Firebase App Distribution Admin SDK Service Agent | Read and write access to Firebase App Distribution with the Admin SDK |
| Firebase Service Management Service Agent | Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services. |
| Firebase Admin SDK Administrator Service Agent | Read and write access to Firebase products available in the Admin SDK |
| Firebase SDK Provisioning Service Agent | Access to provision apps with the Admin SDK. |
| Firebase App Check Service Agent | Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API. |
| Firebase Extensions API Service Agent | Grants Firebase Extensions API Service Account access to manage resources. |
| Cloud Storage for Firebase Service Agent | Access to Cloud Storage for Firebase through API and SDK. |
| Firestore Service Agent | Gives Firestore service account access to managed resources. |
| Cloud Firewall Insights Service Agent | Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on the user's behalf. |
| FleetEngine Service Agent | Grants the FleetEngine Service Account access to manage resources. |
| Game Services Service Agent | Gives Game Services Service Account access to GCP resources. |
| Genomics Service Agent | Gives Genomics Service Account access to compute resources. Includes access to service accounts. |
| Backup for GKE Service Agent | Grants the Backup for GKE Service Account access to managed resources. |
| GKE Hub Service Agent | Gives the GKE Hub service agent access to Cloud Platform resources. |
| Anthos Multi-Cloud Service Agent | Grants the Anthos Multi-Cloud Service Account access to manage resources. |
| Healthcare Service Agent | Gives the Healthcare Service Account access to networks, Kubernetes Engine, and Pub/Sub resources. |
| Integrations Service Agent | Service agent that grants access to execute an integration. |
| KubeRun Events Control Plane Service Agent | Service account role used to set up authentication for the control plane used by KubeRun Events. |
| KubeRun Events Data Plane Service Agent | Service account role used to set up authentication for the data plane used by KubeRun Events. |
| Cloud Life Sciences Service Agent | Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts. |
| Live Stream Service Agent | Uploads media files to customer Cloud Storage buckets. |
| Cloud Logging Service Agent | Grants a Cloud Logging Service Account the ability to create and link datasets. |
| Cloud Managed Identities Service Agent | Gives Managed Identities service account access to managed resources. |
| Media Asset Service Agent | Downloads and uploads media files from and to customer Cloud Storage buckets. |
| Cloud Memorystore Memcached Service Agent | Gives Cloud Memorystore Memcached service account access to managed resources |
| Mesh Config Service Agent | Apply mesh configuration |
| Mesh Managed Control Plane Service Agent | Anthos Service Mesh Managed Control Plane Agent |
| Mesh Data Plane Service Agent | Run user-space Istio components |
| Dataproc Metastore Service Agent | Gives the Dataproc Metastore service account access to managed resources. |
| Migration Center Service Agent | Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products. |
| AI Platform Service Agent | AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator. |
| Monitoring Service Agent | Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project. |
| Multi Cluster Ingress Service Agent | Gives the Multi Cluster Ingress service agent access to Cloud Platform resources. |
| Multi-cluster metering Service Agent | Gives the Multi-cluster metering service agent access to Cloud Platform resources. |
| GCP Network Management Service Agent | Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine. |
| AI Platform Notebooks Service Agent | Provides access for the notebooks service agent to manage notebook instances in user projects |
| Cloud OS Config Service Agent | Grants OS Config Service Account access to Google Compute Engine instances. |
| Cloud Pub/Sub Service Agent | Grants Cloud Pub/Sub Service Account access to manage resources. |
| RMA Service Agent | Gives RMA service account access to MC resources. |
| Cloud Memorystore Redis Service Agent | Gives Cloud Memorystore Redis service account access to managed resources |
| Remote Build Execution Service Agent | Gives Remote Build Execution service account access to managed resources. |
| Retail Service Agent | Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud's operations suite metrics for customer projects. |
| Risk Manager Service Agent | Service agent that grants Risk Manager service access to fetch findings for generating Reports |
| Cloud Run Service Agent | Gives Cloud Run service account access to managed resources. |
| Secured Landing Zone Service Agent | Grants Secured Landing Zone service account permissions to manage resources in the customer project |
| Security Center Automation Service Agent | Security Center automation service agent can configure GCP resources to enable security scanning. |
| Security Center Control Service Agent | Security Center Control service agent can monitor and configure GCP resources and import security findings. |
| Security Center Integration Executor Service Agent | Gives Security Center access to execute Integrations. |
| Security Center Notification Service Agent | Security Center service agent can publish notifications to Pub/Sub topics. |
| Security Health Analytics Service Agent | Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities. |
| Google Cloud Security Response Service Agent | Gives Playbook Runner permissions to execute all Google-authored Playbooks. This role will keep evolving as more playbooks are added. |
| Security Center Service Agent | Security Center service agent can scan GCP resources and import security scans. |
| Service Directory Service Agent | Gives the Service Directory service agent access to Cloud Platform resources. |
| Service Networking Service Agent | Gives permission to manage network configuration, such as establishing network peering, necessary for service producers |
| Cloud Source Repositories Service Agent | Allows Cloud Source Repositories to integrate with other Cloud services. |
| Cloud Speech-to-Text Service Agent | Gives Speech-to-Text service account access to Cloud Storage resources. |
| Dataform Service Agent | Gives permission for the Dataform API to access a secret from Secret Manager |
| Storage Transfer Service Agent | Grants Storage Transfer Service Agent permissions required to run transfers |
| Cloud TPU API Service Agent | Gives Cloud TPUs service account access to managed resources |
| Transcoder Service Agent | Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub. |
| Visual Inspection AI Service Agent | Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing container artifacts to GCR and Artifact Registry, and Vertex AI for storing data and running training jobs. |
| Serverless VPC Access Service Agent | Can create and manage resources to support serverless applications connecting to a virtual private cloud. |
| Cloud Web Security Scanner Service Agent | Gives the Cloud Web Security Scanner service account access to Compute Engine details and App Engine details. |
| Cloud Workflows Service Agent | Gives Cloud Workflows service account access to managed resources. |
| Workload Certificate Service Agent | Gives the Workload Certificate service agent access to Cloud Platform resources. |
| Workload Manager Service Agent | Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring. |
Service Consumer Management roles
| Role | Permissions |
|---|---|
| Admin of Tenancy Units (Beta) | Administer tenancy units. |
| Viewer of Tenancy Units (Beta) | View tenancy units. |
Service Directory roles
| Role | Permissions |
|---|---|
| Service Directory Admin | Full control of all Service Directory resources and permissions. |
| Service Directory Editor | Edit Service Directory resources. |
| Service Directory Network Attacher | Gives access to attach VPC networks to Service Directory endpoints. |
| Private Service Connect Authorized Service | Gives access to VPC networks via Service Directory. |
| Service Directory Viewer | View Service Directory resources. |
Service Management roles
| Role | Permissions |
|---|---|
| Cloud Run Service Agent | Gives the Cloud Run service account access to managed resources. |
| Service Management Administrator | Full control of Google Service Management resources. |
| Service Config Editor | Access to update the service config and create rollouts. |
| Quota Administrator (Beta) | Provides access to administer service quotas. Lowest-level resources where you can grant this role: |
| Quota Viewer (Beta) | Provides access to view service quotas. Lowest-level resources where you can grant this role: |
| Service Reporter | Can report usage of a service during runtime. |
| Service Consumer | Can enable the service. |
| Service Controller | Can check preconditions and report usage of a service during runtime. Lowest-level resources where you can grant this role: |
Service Networking roles
| Role | Permissions |
|---|---|
| Service Networking Admin (Beta) | Full control of service networking with projects. |
Service Usage roles
| Role | Permissions |
|---|---|
| API Keys Admin | Ability to create, delete, update, get, and list API keys for a project. |
| API Keys Viewer | Ability to get and list API keys for a project. |
| Service Usage Admin | Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. |
| Service Usage Consumer | Ability to inspect service states and operations, and consume quota and billing for a consumer project. |
| Service Usage Viewer | Ability to inspect service states and operations for a consumer project. |
Source roles
| Role | Permissions |
|---|---|
| Source Repository Administrator | Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. Lowest-level resources where you can grant this role: |
| Source Repository Reader | Provides permissions to list, clone, fetch, and browse repositories. Lowest-level resources where you can grant this role: |
| Source Repository Writer | Provides permissions to list, clone, fetch, browse, and update repositories. Lowest-level resources where you can grant this role: |
Stackdriver roles
| Role | Permissions |
|---|---|
| Stackdriver Accounts Editor | Read/write access to manage Stackdriver account structure. |
| Stackdriver Accounts Viewer | Read-only access to get and list information about Stackdriver account structure. |
| Stackdriver Resource Metadata Writer (Beta) | Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata. |
Stream roles
| Role | Permissions |
|---|---|
| Stream Admin | Full access to all Stream resources. |
| Stream Content Admin | Full access to all StreamContent resources. |
| Stream Content Builder | Read and build access to StreamContent resources. |
| Stream Instance Admin | Full access to all StreamInstance resources and read access to all StreamContent resources. |
| Stream Viewer | Read-only access to all Stream resources. |
Support roles
| Role | Permissions |
|---|---|
| Support Account Administrator | Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role: |
| Tech Support Editor | Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. |
| Tech Support Viewer | Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. |
| Support Account Viewer | Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role: |
Third-party Partner roles
| Role | Permissions |
|---|---|
| Dell EMC Cloud OneFS Admin (Beta) | This role is managed by Dell EMC, not Google. |
| Dell EMC Cloud OneFS User (Beta) | This role is managed by Dell EMC, not Google. |
| Dell EMC Cloud OneFS Viewer (Beta) | This role is managed by Dell EMC, not Google. |
| NetApp Cloud Volumes Admin (Beta) | This role is managed by NetApp, not Google. |
| NetApp Cloud Volumes Viewer (Beta) | This role is managed by NetApp, not Google. |
| Redis Enterprise Cloud Admin (Beta) | This role is managed by Redis Labs, not Google. |
| Redis Enterprise Cloud Viewer (Beta) | This role is managed by Redis Labs, not Google. |
Transcoder roles
| Role | Permissions |
|---|---|
| Transcoder Admin | Full access to all Transcoder resources. |
| Transcoder Viewer | Read-only access to all Transcoder resources. |
Transfer Appliance roles
| Role | Permissions |
|---|---|
| Transfer Appliance Admin (Beta) | Full access to all Transfer Appliance resources. |
| Transfer Appliance Viewer (Beta) | Read-only access to all Transfer Appliance resources. |
Vertex AI roles
| Role | Permissions |
|---|---|
| Vertex AI Administrator (Beta) | Grants full access to all resources in Vertex AI. |
| Vertex AI Feature Store EntityType owner (Beta) | Provides full access to all permissions for a particular entity type resource. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store Admin (Beta) | Grants full access to all resources in Vertex AI Feature Store. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store Data Viewer (Beta) | This role provides permissions to read Feature data. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store Data Writer (Beta) | This role provides permissions to read and write Feature data. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store Instance Creator (Beta) | Administrator of Featurestore resources, but not the child resources under Featurestores. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store Resource Viewer (Beta) | Viewer of all resources in Vertex AI Feature Store; cannot make changes. Lowest-level resources where you can grant this role: |
| Vertex AI Feature Store User (Beta) | Deprecated. Use featurestoreAdmin instead. |
| Vertex AI Migration Service User (Beta) | Grants access to use the migration service in Vertex AI. |
| Vertex AI Tensorboard Web App User (Beta) | Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges. |
| Vertex AI User (Beta) | Grants access to use all resources in Vertex AI. |
| Vertex AI Viewer (Beta) | Grants access to view all resources in Vertex AI. |
Video Stitcher roles
| Role | Permissions |
|---|---|
| Video Stitcher Admin (Beta) | Full access to all Video Stitcher resources. |
| Video Stitcher User (Beta) | Full access to Video Stitcher sessions. |
| Video Stitcher Viewer (Beta) | Read-only access to Video Stitcher resources. |
VMwareEngine roles
| Role | Permissions |
|---|---|
| VMware Engine Service Admin | Full access to the VMware Engine service. |
| VMware Engine Service Viewer | Read-only access to the VMware Engine service. |
Workflows roles
| Role | Permissions |
|---|---|
| Workflows Admin | Full access to workflows and related resources. |
| Workflows Editor | Read and write access to workflows and related resources. |
| Workflows Invoker | Access to execute workflows and manage the executions. |
| Workflows Viewer | Read-only access to workflows and related resources. |
Workforce Pools roles
| Role | Permissions |
|---|---|
| IAM Workforce Pool Admin (Beta) | Full rights to create and manage all workforce pools in the organization, along with the ability to delegate permissions to other admins. |
| IAM Workforce Pool Editor (Beta) | Rights to edit a particular instance of a workforce pool. |
| IAM Workforce Pool Viewer (Beta) | Rights to read a workforce pool. |
Workload Identity Pools roles
| Role | Permissions |
|---|---|
| IAM Workload Identity Pool Admin (Beta) | Full rights to create and manage workload identity pools. |
| IAM Workload Identity Pool Viewer (Beta) | Read access to workload identity pools. |
Workload Manager roles
| Role | Permissions |
|---|---|
| Workload Manager Admin (Beta) | Full access to all Workload Manager resources. |
| Workload Manager Viewer (Beta) | Read-only access to all Workload Manager resources. |
| Workload Manager Worker (Beta) | The role used by Workload Manager application runners to read and update workloads. |
Custom roles
In addition to the predefined roles, IAM also provides the ability to create customized IAM roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding custom roles and Creating and managing custom roles for more information.
What's next
- Learn how to grant IAM roles to principals.
- Find out how to choose the most appropriate predefined roles.
- Learn about custom roles.
- Use the Policy Troubleshooter to understand why a user does or doesn't have access to a resource or permission to call an API.