IAM basic and predefined roles reference

This page lists all basic and predefined roles for Identity and Access Management (IAM). To learn more about IAM roles, see Roles and permissions.

Basic roles

Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources.

When you grant a basic role to a principal, the principal gets all of the permissions in the basic role. They also get any permissions that services provide to principals with basic roles—for example, permissions gained through Cloud Storage convenience values and BigQuery special group membership.

The following table summarizes the permissions that the basic roles give users across all Google Cloud services:

Basic roles Permissions

Basic roles	Permissions
Viewer (`roles/viewer`)	Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data. For a list of permissions in the Viewer role, see the role details in the Google Cloud console: Go to Viewer role
Editor (`roles/editor`)	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types. For a list of permissions in the Editor role, see the role details in the Google Cloud console: Go to Editor role
Owner (`roles/owner`)	All Editor permissions, plus permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: To grant the Owner role on a project to a user outside of your organization, you must use the Google Cloud console, not the gcloud CLI. If your project is not part of an organization, you must use the Google Cloud console to grant the Owner role. For a list of permissions in the Owner role, see the role details in the Google Cloud console: Go to Owner role

Viewer (roles/viewer)

Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data.

For a list of permissions in the Viewer role, see the role details in the Google Cloud console:

Go to Viewer role

Editor (roles/editor)

All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.

The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types.

For a list of permissions in the Editor role, see the role details in the Google Cloud console:

Go to Editor role

Owner (roles/owner)

All Editor permissions, plus permissions for the following actions:

Manage roles and permissions for a project and all resources within the project.
Set up billing for a project.

For a list of permissions in the Owner role, see the role details in the Google Cloud console:

Go to Owner role

Predefined roles

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all IAM predefined roles, organized by service.

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.

Access Approval roles

Permissions

Access Approval Approver

(roles/accessapproval.approver)

Ability to view or act on access approval requests and view configuration

accessapproval.requests.*

accessapproval.requests.approve
accessapproval.requests.dismiss
accessapproval.requests.get
accessapproval.requests.invalidate
accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Config Editor

(roles/accessapproval.configEditor)

Ability to update the Access Approval configuration

accessapproval.serviceAccounts.get

accessapproval.settings.*

accessapproval.settings.delete
accessapproval.settings.get
accessapproval.settings.update

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Invalidator

(roles/accessapproval.invalidator)

Ability to invalidate existing approved approval requests

accessapproval.requests.invalidate

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Approval Viewer

(roles/accessapproval.viewer)

Ability to view access approval requests and configuration

accessapproval.requests.get

accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager roles

Permissions

Cloud Access Binding Admin

(roles/accesscontextmanager.gcpAccessAdmin)

Create, edit, and change Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.*

accesscontextmanager.gcpUserAccessBindings.create
accesscontextmanager.gcpUserAccessBindings.delete
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.gcpUserAccessBindings.update

Cloud Access Binding Reader

(roles/accesscontextmanager.gcpAccessReader)

Read access to Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin

(roles/accesscontextmanager.policyAdmin)

Full access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.accessLevels.create
accesscontextmanager.accessLevels.delete
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessLevels.replaceAll
accesscontextmanager.accessLevels.update

accesscontextmanager.accessPolicies.*

accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessPolicies.update

accesscontextmanager.accessZones.*

accesscontextmanager.accessZones.create
accesscontextmanager.accessZones.delete
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.accessZones.update

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update

accesscontextmanager.policies.*

accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

accesscontextmanager.servicePerimeters.commit
accesscontextmanager.servicePerimeters.create
accesscontextmanager.servicePerimeters.delete
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
accesscontextmanager.servicePerimeters.replaceAll
accesscontextmanager.servicePerimeters.update

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager Editor

(roles/accesscontextmanager.policyEditor)

Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.accessLevels.create
accesscontextmanager.accessLevels.delete
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessLevels.replaceAll
accesscontextmanager.accessLevels.update

accesscontextmanager.accessPolicies.create

accesscontextmanager.accessPolicies.delete

accesscontextmanager.accessPolicies.get

accesscontextmanager.accessPolicies.getIamPolicy

accesscontextmanager.accessPolicies.list

accesscontextmanager.accessPolicies.update

accesscontextmanager.accessZones.*

accesscontextmanager.accessZones.create
accesscontextmanager.accessZones.delete
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.accessZones.update

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update

accesscontextmanager.policies.create

accesscontextmanager.policies.delete

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

accesscontextmanager.servicePerimeters.commit
accesscontextmanager.servicePerimeters.create
accesscontextmanager.servicePerimeters.delete
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
accesscontextmanager.servicePerimeters.replaceAll
accesscontextmanager.servicePerimeters.update

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager Reader

(roles/accesscontextmanager.policyReader)

Read access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.accessPolicies.get

accesscontextmanager.accessPolicies.getIamPolicy

accesscontextmanager.accessPolicies.list

accesscontextmanager.accessZones.get

accesscontextmanager.accessZones.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer

(roles/accesscontextmanager.vpcScTroubleshooterViewer)

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

logging.exclusions.get

logging.exclusions.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.sinks.get

logging.sinks.list

logging.usage.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Actions roles

Permissions

Actions Admin

(roles/actions.Admin)

Access to edit and deploy an action

actions.*

actions.agent.claimContentProvider
actions.agent.get
actions.agent.update
actions.agentVersions.create
actions.agentVersions.delete
actions.agentVersions.deploy
actions.agentVersions.get
actions.agentVersions.list

firebase.projects.get

firebase.projects.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Actions Viewer

(roles/actions.Viewer)

Access to view an action

actions.agent.get

actions.agentVersions.get

actions.agentVersions.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

AI Notebooks roles

Permissions

Notebooks Admin

(roles/notebooks.admin)

Full access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

Instance

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

notebooks.*

notebooks.environments.create
notebooks.environments.delete
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.executions.create
notebooks.executions.delete
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.diagnose
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.reset
notebooks.instances.setAccelerator
notebooks.instances.setIamPolicy
notebooks.instances.setLabels
notebooks.instances.setMachineType
notebooks.instances.start
notebooks.instances.stop
notebooks.instances.update
notebooks.instances.updateConfig
notebooks.instances.updateShieldInstanceConfig
notebooks.instances.upgrade
notebooks.instances.use
notebooks.locations.get
notebooks.locations.list
notebooks.operations.cancel
notebooks.operations.delete
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.delete
notebooks.runtimes.diagnose
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.reset
notebooks.runtimes.setIamPolicy
notebooks.runtimes.start
notebooks.runtimes.stop
notebooks.runtimes.switch
notebooks.runtimes.update
notebooks.runtimes.upgrade
notebooks.schedules.create
notebooks.schedules.delete
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Notebooks Legacy Admin

(roles/notebooks.legacyAdmin)

Full access to Notebooks all resources through compute API.

compute.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update
compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendBuckets.setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use
compute.backendServices.addSignedUrlKey
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.commitments.create
compute.commitments.get
compute.commitments.list
compute.commitments.update
compute.commitments.updateReservations
compute.diskTypes.get
compute.diskTypes.list
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.setLabels
compute.externalVpnGateways.use
compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.delete
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.globalPublicDelegatedPrefixes.create
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.globalPublicDelegatedPrefixes.use
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnectAttachments.use
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.list
compute.interconnects.setLabels
compute.interconnects.update
compute.interconnects.use
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.create
compute.maintenancePolicies.delete
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.maintenancePolicies.use
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.create
compute.networkEdgeSecurityServices.delete
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.update
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use
compute.networks.access
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.mirror
compute.networks.removePeering
compute.networks.setFirewallPolicy
compute.networks.switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.addNodes
compute.nodeGroups.create
compute.nodeGroups.delete
compute.nodeGroups.deleteNodes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeGroups.setNodeTemplate
compute.nodeGroups.simulateMaintenanceEvent
compute.nodeGroups.update
compute.nodeTemplates.create
compute.nodeTemplates.delete
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.oslogin.updateExternalUser
compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.update
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.projects.setDefaultNetworkTier
compute.projects.setDefaultServiceAccount
compute.projects.setUsageExportBucket
compute.publicAdvertisedPrefixes.create
compute.publicAdvertisedPrefixes.delete
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicAdvertisedPrefixes.update
compute.publicAdvertisedPrefixes.updatePolicy
compute.publicAdvertisedPrefixes.use
compute.publicDelegatedPrefixes.create
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.publicDelegatedPrefixes.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.create
compute.regionHealthCheckServices.delete
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthCheckServices.update
compute.regionHealthCheckServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.create
compute.regionNotificationEndpoints.delete
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionNotificationEndpoints.update
compute.regionNotificationEndpoints.use
compute.regionOperations.delete
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.delete
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.regionSecurityPolicies.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.update
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.create
compute.reservations.delete
compute.reservations.get
compute.reservations.list
compute.reservations.resize
compute.reservations.update
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.delete
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.setIamPolicy
compute.securityPolicies.setLabels
compute.securityPolicies.update
compute.securityPolicies.use
compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.setIamPolicy
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.setSecurityPolicy
compute.targetInstances.use
compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.setSecurityPolicy
compute.targetPools.update
compute.targetPools.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.setLabels
compute.targetVpnGateways.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.setLabels
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.setLabels
compute.zoneOperations.delete
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.get
compute.zones.list

notebooks.*

notebooks.environments.create
notebooks.environments.delete
notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.executions.create
notebooks.executions.delete
notebooks.executions.get
notebooks.executions.getIamPolicy
notebooks.executions.list
notebooks.executions.setIamPolicy
notebooks.instances.checkUpgradability
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.diagnose
notebooks.instances.get
notebooks.instances.getHealth
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.reset
notebooks.instances.setAccelerator
notebooks.instances.setIamPolicy
notebooks.instances.setLabels
notebooks.instances.setMachineType
notebooks.instances.start
notebooks.instances.stop
notebooks.instances.update
notebooks.instances.updateConfig
notebooks.instances.updateShieldInstanceConfig
notebooks.instances.upgrade
notebooks.instances.use
notebooks.locations.get
notebooks.locations.list
notebooks.operations.cancel
notebooks.operations.delete
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.delete
notebooks.runtimes.diagnose
notebooks.runtimes.get
notebooks.runtimes.getIamPolicy
notebooks.runtimes.list
notebooks.runtimes.reset
notebooks.runtimes.setIamPolicy
notebooks.runtimes.start
notebooks.runtimes.stop
notebooks.runtimes.switch
notebooks.runtimes.update
notebooks.runtimes.upgrade
notebooks.schedules.create
notebooks.schedules.delete
notebooks.schedules.get
notebooks.schedules.getIamPolicy
notebooks.schedules.list
notebooks.schedules.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Notebooks Legacy Viewer

(roles/notebooks.legacyViewer)

Read-only access to Notebooks all resources through compute API.

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.locations.get
notebooks.locations.list

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Notebooks Runner

(roles/notebooks.runner)

Restricted access for running scheduled Notebooks.

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.create

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.create

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.locations.get
notebooks.locations.list

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.create

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.create

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Notebooks Viewer

(roles/notebooks.viewer)

Read-only access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

Instance

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.locations.get
notebooks.locations.list

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

AI Platform roles

Permissions

AI Platform Admin

(roles/ml.admin)

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

Lowest-level resources where you can grant this role:

Project

ml.*

ml.jobs.cancel
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.jobs.update
ml.locations.get
ml.locations.list
ml.models.create
ml.models.delete
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.models.setIamPolicy
ml.models.update
ml.operations.cancel
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.create
ml.studies.delete
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.create
ml.trials.delete
ml.trials.get
ml.trials.list
ml.trials.update
ml.versions.create
ml.versions.delete
ml.versions.get
ml.versions.list
ml.versions.predict
ml.versions.update

resourcemanager.projects.get

AI Platform Developer

(roles/ml.developer)

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

Lowest-level resources where you can grant this role:

Project

ml.jobs.create

ml.jobs.get

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.*

ml.locations.get
ml.locations.list

ml.models.create

ml.models.get

ml.models.getIamPolicy

ml.models.list

ml.models.predict

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.*

ml.studies.create
ml.studies.delete
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy

ml.trials.*

ml.trials.create
ml.trials.delete
ml.trials.get
ml.trials.list
ml.trials.update

ml.versions.get

ml.versions.list

ml.versions.predict

resourcemanager.projects.get

AI Platform Job Owner

(roles/ml.jobOwner)

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

Lowest-level resources where you can grant this role:

ml.jobs.*

ml.jobs.cancel
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.jobs.update

AI Platform Model Owner

(roles/ml.modelOwner)

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

Lowest-level resources where you can grant this role:

Model

ml.models.*

ml.models.create
ml.models.delete
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.models.setIamPolicy
ml.models.update

ml.versions.*

ml.versions.create
ml.versions.delete
ml.versions.get
ml.versions.list
ml.versions.predict
ml.versions.update

AI Platform Model User

(roles/ml.modelUser)

Provides permissions to read the model and its versions, and use them for prediction.

Lowest-level resources where you can grant this role:

Model

ml.models.get

ml.models.predict

ml.versions.get

ml.versions.list

ml.versions.predict

AI Platform Operation Owner

(roles/ml.operationOwner)

Provides full access to all permissions for a particular operation resource.

Lowest-level resources where you can grant this role:

Operation

ml.operations.*

ml.operations.cancel
ml.operations.get
ml.operations.list

AI Platform Viewer

(roles/ml.viewer)

Provides read-only access to AI Platform resources.

Lowest-level resources where you can grant this role:

Project

ml.jobs.get

ml.jobs.list

ml.locations.*

ml.locations.get
ml.locations.list

ml.models.get

ml.models.list

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.get

ml.studies.getIamPolicy

ml.studies.list

ml.trials.get

ml.trials.list

ml.versions.get

ml.versions.list

resourcemanager.projects.get

Analytics Hub roles

Permissions

Analytics Hub Admin

(roles/analyticshub.admin)

Administer Data Exchanges and Listings

analyticshub.dataExchanges.*

analyticshub.dataExchanges.create
analyticshub.dataExchanges.delete
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.dataExchanges.setIamPolicy
analyticshub.dataExchanges.update

analyticshub.listings.create

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Listing Admin

(roles/analyticshub.listingAdmin)

Grants full control over the Listing, including updating, deleting and setting ACLs

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Publisher

(roles/analyticshub.publisher)

Can publish to Data Exchanges thus creating Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.create

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Subscriber

(roles/analyticshub.subscriber)

Can browse Data Exchanges and subscribe to Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Viewer

(roles/analyticshub.viewer)

Can browse Data Exchanges and Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Android Management roles

Permissions

Android Management User

(roles/androidmanagement.user)

Full access to manage devices.

androidmanagement.enterprises.manage

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Anthos Multi-cloud roles

Permissions

Anthos Multi-cloud Admin

(roles/gkemulticloud.admin)

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*

gkemulticloud.attachedClusters.create
gkemulticloud.attachedClusters.delete
gkemulticloud.attachedClusters.generateInstallManifest
gkemulticloud.attachedClusters.get
gkemulticloud.attachedClusters.import
gkemulticloud.attachedClusters.list
gkemulticloud.attachedClusters.update
gkemulticloud.attachedServerConfigs.get
gkemulticloud.awsClusters.create
gkemulticloud.awsClusters.delete
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.getAdminKubeconfig
gkemulticloud.awsClusters.list
gkemulticloud.awsClusters.update
gkemulticloud.awsNodePools.create
gkemulticloud.awsNodePools.delete
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsNodePools.update
gkemulticloud.awsServerConfigs.get
gkemulticloud.azureClients.create
gkemulticloud.azureClients.delete
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.create
gkemulticloud.azureClusters.delete
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.getAdminKubeconfig
gkemulticloud.azureClusters.list
gkemulticloud.azureClusters.update
gkemulticloud.azureNodePools.create
gkemulticloud.azureNodePools.delete
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureNodePools.update
gkemulticloud.azureServerConfigs.get
gkemulticloud.operations.cancel
gkemulticloud.operations.delete
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Anthos Multi-cloud Telemetry Writer

(roles/gkemulticloud.telemetryWriter)

Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

opsconfigmonitoring.resourceMetadata.write

Anthos Multi-cloud Viewer

(roles/gkemulticloud.viewer)

Viewer access to Anthos Multi-cloud resources.

gkemulticloud.attachedClusters.generateInstallManifest

gkemulticloud.attachedClusters.get

gkemulticloud.attachedClusters.list

gkemulticloud.attachedServerConfigs.get

gkemulticloud.awsClusters.generateAccessToken

gkemulticloud.awsClusters.get

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.get

gkemulticloud.awsNodePools.list

gkemulticloud.awsServerConfigs.get

gkemulticloud.azureClients.get

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.generateAccessToken

gkemulticloud.azureClusters.get

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.get

gkemulticloud.azureNodePools.list

gkemulticloud.azureServerConfigs.get

gkemulticloud.operations.get

gkemulticloud.operations.list

gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

API Gateway roles

Permissions

ApiGateway Admin

(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*

apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.delete
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.delete
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.locations.get
apigateway.locations.list
apigateway.operations.cancel
apigateway.operations.delete
apigateway.operations.get
apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.list

ApiGateway Viewer

(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.get

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.gateways.get

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.locations.*

apigateway.locations.get
apigateway.locations.list

apigateway.operations.get

apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.list

Apigee roles

Permissions

Apigee Organization Admin

(roles/apigee.admin)

Full access to all apigee resource features

apigee.*

apigee.apiproductattributes.createOrUpdateAll
apigee.apiproductattributes.delete
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproductattributes.update
apigee.apiproducts.create
apigee.apiproducts.delete
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apiproducts.update
apigee.appgroupapps.create
apigee.appgroupapps.delete
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroupapps.manage
apigee.appgroups.create
apigee.appgroups.delete
apigee.appgroups.get
apigee.appgroups.list
apigee.appgroups.update
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.get
apigee.appkeys.manage
apigee.apps.get
apigee.apps.list
apigee.archivedeployments.create
apigee.archivedeployments.delete
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.archivedeployments.update
apigee.archivedeployments.upload
apigee.caches.delete
apigee.caches.list
apigee.canaryevaluations.create
apigee.canaryevaluations.get
apigee.datacollectors.create
apigee.datacollectors.delete
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datacollectors.update
apigee.datalocation.get
apigee.datastores.create
apigee.datastores.delete
apigee.datastores.get
apigee.datastores.list
apigee.datastores.update
apigee.deployments.create
apigee.deployments.delete
apigee.deployments.get
apigee.deployments.list
apigee.deployments.update
apigee.developerappattributes.createOrUpdateAll
apigee.developerappattributes.delete
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerappattributes.update
apigee.developerapps.create
apigee.developerapps.delete
apigee.developerapps.get
apigee.developerapps.list
apigee.developerapps.manage
apigee.developerattributes.createOrUpdateAll
apigee.developerattributes.delete
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerattributes.update
apigee.developerbalances.adjust
apigee.developerbalances.get
apigee.developerbalances.update
apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update
apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.developers.list
apigee.developers.update
apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update
apigee.endpointattachments.create
apigee.endpointattachments.delete
apigee.endpointattachments.get
apigee.endpointattachments.list
apigee.entitlements.get
apigee.envgroupattachments.create
apigee.envgroupattachments.delete
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.create
apigee.envgroups.delete
apigee.envgroups.get
apigee.envgroups.list
apigee.envgroups.update
apigee.environments.create
apigee.environments.delete
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.manageRuntime
apigee.environments.setIamPolicy
apigee.environments.update
apigee.exports.create
apigee.exports.get
apigee.exports.list
apigee.flowhooks.attachSharedFlow
apigee.flowhooks.detachSharedFlow
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.create
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.create
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.create
apigee.instanceattachments.delete
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.create
apigee.instances.delete
apigee.instances.get
apigee.instances.list
apigee.instances.reportStatus
apigee.instances.update
apigee.keystorealiases.create
apigee.keystorealiases.delete
apigee.keystorealiases.exportCertificate
apigee.keystorealiases.generateCSR
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystorealiases.update
apigee.keystores.create
apigee.keystores.delete
apigee.keystores.export
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.maskconfigs.update
apigee.nataddresses.activate
apigee.nataddresses.create
apigee.nataddresses.delete
apigee.nataddresses.get
apigee.nataddresses.list
apigee.operations.get
apigee.operations.list
apigee.organizations.create
apigee.organizations.delete
apigee.organizations.get
apigee.organizations.list
apigee.organizations.update
apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update
apigee.projectorganizations.get
apigee.projects.migrate
apigee.projects.previewMigration
apigee.projects.update
apigee.proxies.create
apigee.proxies.delete
apigee.proxies.get
apigee.proxies.list
apigee.proxies.update
apigee.proxyrevisions.delete
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.proxyrevisions.update
apigee.queries.create
apigee.queries.get
apigee.queries.list
apigee.rateplans.create
apigee.rateplans.delete
apigee.rateplans.get
apigee.rateplans.list
apigee.rateplans.update
apigee.references.create
apigee.references.delete
apigee.references.get
apigee.references.list
apigee.references.update
apigee.reports.create
apigee.reports.delete
apigee.reports.get
apigee.reports.list
apigee.reports.update
apigee.resourcefiles.create
apigee.resourcefiles.delete
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.resourcefiles.update
apigee.runtimeconfigs.get
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats
apigee.securityreports.create
apigee.securityreports.get
apigee.securityreports.list
apigee.setupcontexts.get
apigee.setupcontexts.update
apigee.sharedflowrevisions.delete
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflowrevisions.update
apigee.sharedflows.create
apigee.sharedflows.delete
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.create
apigee.targetservers.delete
apigee.targetservers.get
apigee.targetservers.list
apigee.targetservers.update
apigee.traceconfig.get
apigee.traceconfig.update
apigee.traceconfigoverrides.create
apigee.traceconfigoverrides.delete
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.traceconfigoverrides.update
apigee.tracesessions.create
apigee.tracesessions.delete
apigee.tracesessions.get
apigee.tracesessions.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Apigee Analytics Agent

(roles/apigee.analyticsAgent)

Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization

apigee.datalocation.get

apigee.environments.getDataLocation

apigee.runtimeconfigs.get

Apigee Analytics Editor

(roles/apigee.analyticsEditor)

Analytics editor for an Apigee Organization

apigee.datacollectors.*

apigee.datacollectors.create
apigee.datacollectors.delete
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datacollectors.update

apigee.datastores.*

apigee.datastores.create
apigee.datastores.delete
apigee.datastores.get
apigee.datastores.list
apigee.datastores.update

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.*

apigee.exports.create
apigee.exports.get
apigee.exports.list

apigee.hostqueries.*

apigee.hostqueries.create
apigee.hostqueries.get
apigee.hostqueries.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.*

apigee.queries.create
apigee.queries.get
apigee.queries.list

apigee.reports.*

apigee.reports.create
apigee.reports.delete
apigee.reports.get
apigee.reports.list
apigee.reports.update

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Analytics Viewer

(roles/apigee.analyticsViewer)

Analytics viewer for an Apigee Organization

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datastores.get

apigee.datastores.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.get

apigee.queries.list

apigee.reports.get

apigee.reports.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee API Admin

(roles/apigee.apiAdminV2)

Full read/write access to all apigee API resources

apigee.apiproductattributes.*

apigee.apiproductattributes.createOrUpdateAll
apigee.apiproductattributes.delete
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproductattributes.update

apigee.apiproducts.*

apigee.apiproducts.create
apigee.apiproducts.delete
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apiproducts.update

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.*

apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list

apigee.keyvaluemaps.*

apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
apigee.keyvaluemaps.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.*

apigee.proxies.create
apigee.proxies.delete
apigee.proxies.get
apigee.proxies.list
apigee.proxies.update

apigee.proxyrevisions.*

apigee.proxyrevisions.delete
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.proxyrevisions.update

apigee.sharedflowrevisions.*

apigee.sharedflowrevisions.delete
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflowrevisions.update

apigee.sharedflows.*

apigee.sharedflows.create
apigee.sharedflows.delete
apigee.sharedflows.get
apigee.sharedflows.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee API Reader

(roles/apigee.apiReaderV2)

Reader of apigee resources

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Developer Admin

(roles/apigee.developerAdmin)

Developer admin of apigee resources

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.*

apigee.appgroupapps.create
apigee.appgroupapps.delete
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroupapps.manage

apigee.appgroups.*

apigee.appgroups.create
apigee.appgroups.delete
apigee.appgroups.get
apigee.appgroups.list
apigee.appgroups.update

apigee.appkeys.*

apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.get
apigee.appkeys.manage

apigee.apps.*

apigee.apps.get
apigee.apps.list

apigee.datacollectors.*

apigee.datacollectors.create
apigee.datacollectors.delete
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datacollectors.update

apigee.developerappattributes.*

apigee.developerappattributes.createOrUpdateAll
apigee.developerappattributes.delete
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerappattributes.update

apigee.developerapps.*

apigee.developerapps.create
apigee.developerapps.delete
apigee.developerapps.get
apigee.developerapps.list
apigee.developerapps.manage

apigee.developerattributes.*

apigee.developerattributes.createOrUpdateAll
apigee.developerattributes.delete
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerattributes.update

apigee.developerbalances.*

apigee.developerbalances.adjust
apigee.developerbalances.get
apigee.developerbalances.update

apigee.developermonetizationconfigs.*

apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update

apigee.developers.*

apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.developers.list
apigee.developers.update

apigee.developersubscriptions.*

apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update

apigee.entitlements.get

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.get

apigee.rateplans.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Apigee Environment Admin

(roles/apigee.environmentAdmin)

Full read/write access to apigee environment resources, including deployments.

apigee.archivedeployments.*

apigee.archivedeployments.create
apigee.archivedeployments.delete
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.archivedeployments.update
apigee.archivedeployments.upload

apigee.datacollectors.get

apigee.datacollectors.list

apigee.deployments.*

apigee.deployments.create
apigee.deployments.delete
apigee.deployments.get
apigee.deployments.list
apigee.deployments.update

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.environments.setIamPolicy

apigee.environments.update

apigee.flowhooks.*

apigee.flowhooks.attachSharedFlow
apigee.flowhooks.detachSharedFlow
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list

apigee.ingressconfigs.get

apigee.keystorealiases.*

apigee.keystorealiases.create
apigee.keystorealiases.delete
apigee.keystorealiases.exportCertificate
apigee.keystorealiases.generateCSR
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystorealiases.update

apigee.keystores.*

apigee.keystores.create
apigee.keystores.delete
apigee.keystores.export
apigee.keystores.get
apigee.keystores.list

apigee.keyvaluemapentries.*

apigee.keyvaluemapentries.create
apigee.keyvaluemapentries.delete
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list

apigee.keyvaluemaps.*

apigee.keyvaluemaps.create
apigee.keyvaluemaps.delete
apigee.keyvaluemaps.list

apigee.maskconfigs.*

apigee.maskconfigs.get
apigee.maskconfigs.update

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.references.*

apigee.references.create
apigee.references.delete
apigee.references.get
apigee.references.list
apigee.references.update

apigee.resourcefiles.*

apigee.resourcefiles.create
apigee.resourcefiles.delete
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.resourcefiles.update

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.*

apigee.targetservers.create
apigee.targetservers.delete
apigee.targetservers.get
apigee.targetservers.list
apigee.targetservers.update

apigee.traceconfig.*

apigee.traceconfig.get
apigee.traceconfig.update

apigee.traceconfigoverrides.*

apigee.traceconfigoverrides.create
apigee.traceconfigoverrides.delete
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.traceconfigoverrides.update

apigee.tracesessions.*

apigee.tracesessions.create
apigee.tracesessions.delete
apigee.tracesessions.get
apigee.tracesessions.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Apigee Monetization Admin

(roles/apigee.monetizationAdmin)

All permissions related to monetization

apigee.apiproducts.get

apigee.apiproducts.list

apigee.developerbalances.*

apigee.developerbalances.adjust
apigee.developerbalances.get
apigee.developerbalances.update

apigee.developermonetizationconfigs.*

apigee.developermonetizationconfigs.get
apigee.developermonetizationconfigs.update

apigee.developersubscriptions.*

apigee.developersubscriptions.create
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.developersubscriptions.update

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.*

apigee.rateplans.create
apigee.rateplans.delete
apigee.rateplans.get
apigee.rateplans.list
apigee.rateplans.update

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Portal Admin

(roles/apigee.portalAdmin)

Portal admin for an Apigee Organization

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.portals.*

apigee.portals.create
apigee.portals.delete
apigee.portals.get
apigee.portals.list
apigee.portals.update

apigee.projectorganizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Read-only Admin

(roles/apigee.readOnlyAdmin)

Viewer of all apigee resources

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.get

apigee.appgroupapps.list

apigee.appgroups.get

apigee.appgroups.list

apigee.appkeys.get

apigee.apps.*

apigee.apps.get
apigee.apps.list

apigee.archivedeployments.download

apigee.archivedeployments.get

apigee.archivedeployments.list

apigee.caches.list

apigee.canaryevaluations.get

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datalocation.get

apigee.datastores.get

apigee.datastores.list

apigee.deployments.get

apigee.deployments.list

apigee.developerappattributes.get

apigee.developerappattributes.list

apigee.developerapps.get

apigee.developerapps.list

apigee.developerattributes.get

apigee.developerattributes.list

apigee.developerbalances.get

apigee.developermonetizationconfigs.get

apigee.developers.get

apigee.developers.list

apigee.developersubscriptions.get

apigee.developersubscriptions.list

apigee.endpointattachments.get

apigee.endpointattachments.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getDataLocation

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.flowhooks.getSharedFlow

apigee.flowhooks.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.hoststats.get

apigee.ingressconfigs.get

apigee.instanceattachments.get

apigee.instanceattachments.list

apigee.instances.get

apigee.instances.list

apigee.keystorealiases.get

apigee.keystorealiases.list

apigee.keystores.get

apigee.keystores.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.maskconfigs.get

apigee.nataddresses.get

apigee.nataddresses.list

apigee.operations.*

apigee.operations.get
apigee.operations.list

apigee.organizations.get

apigee.organizations.list

apigee.portals.get

apigee.portals.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.queries.get

apigee.queries.list

apigee.rateplans.get

apigee.rateplans.list

apigee.references.get

apigee.references.list

apigee.reports.get

apigee.reports.list

apigee.resourcefiles.get

apigee.resourcefiles.list

apigee.runtimeconfigs.get

apigee.securityIncidents.*

apigee.securityIncidents.get
apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.*

apigee.securityProfiles.get
apigee.securityProfiles.list

apigee.securityStats.*

apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

apigee.securityreports.get

apigee.securityreports.list

apigee.setupcontexts.get

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.get

apigee.targetservers.list

apigee.traceconfig.get

apigee.traceconfigoverrides.get

apigee.traceconfigoverrides.list

apigee.tracesessions.get

apigee.tracesessions.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Apigee Runtime Agent

(roles/apigee.runtimeAgent)

Curated set of permissions for a runtime agent to access Apigee Organization resources

apigee.canaryevaluations.*

apigee.canaryevaluations.create
apigee.canaryevaluations.get

apigee.entitlements.get

apigee.ingressconfigs.get

apigee.instances.reportStatus

apigee.operations.*

apigee.operations.get
apigee.operations.list

apigee.organizations.get

apigee.projectorganizations.get

apigee.runtimeconfigs.get

Apigee Security Admin

(roles/apigee.securityAdmin)

Security admin for an Apigee Organization

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.*

apigee.hostsecurityreports.create
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityIncidents.*

apigee.securityIncidents.get
apigee.securityIncidents.list

apigee.securityProfileEnvironments.*

apigee.securityProfileEnvironments.computeScore
apigee.securityProfileEnvironments.create
apigee.securityProfileEnvironments.delete

apigee.securityProfiles.*

apigee.securityProfiles.get
apigee.securityProfiles.list

apigee.securityStats.*

apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

apigee.securityreports.*

apigee.securityreports.create
apigee.securityreports.get
apigee.securityreports.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Security Viewer

(roles/apigee.securityViewer)

Security viewer for an Apigee Organization

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityIncidents.*

apigee.securityIncidents.get
apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.*

apigee.securityProfiles.get
apigee.securityProfiles.list

apigee.securityStats.*

apigee.securityStats.queryTabularStats
apigee.securityStats.queryTimeSeriesStats

apigee.securityreports.get

apigee.securityreports.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Synchronizer Manager

(roles/apigee.synchronizerManager)

Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization

apigee.environments.get

apigee.environments.manageRuntime

apigee.ingressconfigs.get

Apigee Connect Admin

(roles/apigeeconnect.Admin)

Admin of Apigee Connect

apigeeconnect.connections.list

Apigee Connect Agent

(roles/apigeeconnect.Agent)

Ability to set up Apigee Connect agent between external clusters and Google.

apigeeconnect.endpoints.connect

Apigee Registry roles

Permissions

Cloud Apigee Registry Admin ^Beta

(roles/apigeeregistry.admin)

Full access to Cloud Apigee Registry Registry and Runtime resources.

apigeeregistry.*

apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.setIamPolicy
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.setIamPolicy
apigeeregistry.artifacts.update
apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.instances.get
apigeeregistry.instances.update
apigeeregistry.locations.get
apigeeregistry.locations.list
apigeeregistry.operations.cancel
apigeeregistry.operations.delete
apigeeregistry.operations.get
apigeeregistry.operations.list
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.setIamPolicy
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.setIamPolicy
apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Apigee Registry Editor ^Beta

(roles/apigeeregistry.editor)

Edit access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.create

apigeeregistry.apis.delete

apigeeregistry.apis.get

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.*

apigeeregistry.deployments.create
apigeeregistry.deployments.delete
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update

apigeeregistry.specs.create

apigeeregistry.specs.delete

apigeeregistry.specs.get

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.create

apigeeregistry.versions.delete

apigeeregistry.versions.get

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Apigee Registry Viewer ^Beta

(roles/apigeeregistry.viewer)

Read-only access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.versions.get

apigeeregistry.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Apigee Registry Worker ^Beta

(roles/apigeeregistry.worker)

The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.deployments.update

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.get

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

App Engine roles

Permissions

App Engine Admin

(roles/appengine.appAdmin)

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.applications.update

appengine.instances.*

appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Creator

(roles/appengine.appCreator)

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Viewer

(roles/appengine.appViewer)

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Code Viewer

(roles/appengine.codeViewer)

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.getFileContents

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Managed VM Debug Access

(roles/appengine.debugger)

Ability to read or manage v2 instances.

appengine.applications.get

appengine.instances.*

appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Deployer

(roles/appengine.deployer)

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Memcache Data Admin

(roles/appengine.memcacheDataAdmin)

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Service Admin

(roles/appengine.serviceAdmin)

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Artifact Registry roles

Permissions

Artifact Registry Administrator

(roles/artifactregistry.admin)

Administrator access to create and manage repositories.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.*

artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list

artifactregistry.projectsettings.*

artifactregistry.projectsettings.get
artifactregistry.projectsettings.update

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.create

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.delete

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.update

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update

artifactregistry.versions.*

artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list

artifactregistry.yumartifacts.create

(roles/artifactregistry.createOnPushRepoAdmin)

Access to manage artifacts in repositories, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.*

artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update

artifactregistry.versions.*

artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list

artifactregistry.yumartifacts.create

(roles/artifactregistry.createOnPushWriter)

Access to read and write repository items, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

Artifact Registry Reader

(roles/artifactregistry.reader)

Access to read repository items.

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

Artifact Registry Repository Administrator

(roles/artifactregistry.repoAdmin)

Access to manage artifacts in repositories.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.*

artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update

artifactregistry.versions.*

artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list

artifactregistry.yumartifacts.create

Artifact Registry Writer

(roles/artifactregistry.writer)

Access to read and write repository items.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

Assured Workloads roles

Permissions

Assured Workloads Administrator

(roles/assuredworkloads.admin)

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.violations.get
assuredworkloads.violations.list
assuredworkloads.violations.update
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update

bigquery.config.update

logging.settings.update

orgpolicy.policy.*

orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

Assured Workloads Editor

(roles/assuredworkloads.editor)

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

assuredworkloads.operations.get
assuredworkloads.operations.list
assuredworkloads.violations.get
assuredworkloads.violations.list
assuredworkloads.violations.update
assuredworkloads.workload.create
assuredworkloads.workload.delete
assuredworkloads.workload.get
assuredworkloads.workload.list
assuredworkloads.workload.update

bigquery.config.update

orgpolicy.policy.*

orgpolicy.policy.get
orgpolicy.policy.set

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

Assured Workloads Reader

(roles/assuredworkloads.reader)

Grants read access to all Assured Workloads resources and CRM resources - project/folder

assuredworkloads.operations.*

assuredworkloads.operations.get
assuredworkloads.operations.list

assuredworkloads.violations.get

assuredworkloads.violations.list

assuredworkloads.workload.get

assuredworkloads.workload.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

AutoML roles

Permissions

AutoML Admin ^Beta

(roles/automl.admin)

Full access to all AutoML resources

Lowest-level resources where you can grant this role:

Dataset
Model

automl.*

automl.annotationSpecs.create
automl.annotationSpecs.delete
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotationSpecs.update
automl.annotations.approve
automl.annotations.create
automl.annotations.list
automl.annotations.manipulate
automl.annotations.reject
automl.columnSpecs.get
automl.columnSpecs.list
automl.columnSpecs.update
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.getIamPolicy
automl.datasets.import
automl.datasets.list
automl.datasets.setIamPolicy
automl.datasets.update
automl.examples.delete
automl.examples.get
automl.examples.list
automl.examples.update
automl.files.delete
automl.files.list
automl.humanAnnotationTasks.create
automl.humanAnnotationTasks.delete
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.create
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.getIamPolicy
automl.models.list
automl.models.predict
automl.models.setIamPolicy
automl.models.undeploy
automl.operations.cancel
automl.operations.delete
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
automl.tableSpecs.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

AutoML Editor ^Beta

(roles/automl.editor)

Editor of all AutoML resources

Lowest-level resources where you can grant this role:

Dataset
Model

automl.annotationSpecs.*

automl.annotationSpecs.create
automl.annotationSpecs.delete
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotationSpecs.update

automl.annotations.*

automl.annotations.approve
automl.annotations.create
automl.annotations.list
automl.annotations.manipulate
automl.annotations.reject

automl.columnSpecs.*

automl.columnSpecs.get
automl.columnSpecs.list
automl.columnSpecs.update

automl.datasets.create

automl.datasets.delete

automl.datasets.export

automl.datasets.get

automl.datasets.import

automl.datasets.list

automl.datasets.update

automl.examples.*

automl.examples.delete
automl.examples.get
automl.examples.list
automl.examples.update

automl.files.*

automl.files.delete
automl.files.list

automl.humanAnnotationTasks.*

automl.humanAnnotationTasks.create
automl.humanAnnotationTasks.delete
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.*

automl.modelEvaluations.create
automl.modelEvaluations.get
automl.modelEvaluations.list

automl.models.create

automl.models.delete

automl.models.deploy

automl.models.export

automl.models.get

automl.models.list

automl.models.predict

automl.models.undeploy

automl.operations.*

automl.operations.cancel
automl.operations.delete
automl.operations.get
automl.operations.list

automl.tableSpecs.*

automl.tableSpecs.get
automl.tableSpecs.list
automl.tableSpecs.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

AutoML Predictor ^Beta

(roles/automl.predictor)

Predict using models

Lowest-level resources where you can grant this role:

Model

automl.models.predict

resourcemanager.projects.get

resourcemanager.projects.list

AutoML Viewer ^Beta

(roles/automl.viewer)

Viewer of all AutoML resources

Lowest-level resources where you can grant this role:

Dataset
Model

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

Backup and DR roles

Permissions

Backup and DR Admin

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.*

backupdr.locations.get
backupdr.locations.list
backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.delete
backupdr.managementServers.get
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageInternalACL
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.setIamPolicy
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup User

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Cloud Storage Operator

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Backup and DR Compute Engine Operator

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

compute.addresses.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Mount User

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Restore User

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User V2

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Viewer

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup for GKE roles

Permissions

Backup for GKE Admin

(roles/gkebackup.admin)

Full access to all Backup for GKE resources.

gkebackup.*

gkebackup.backupPlans.create
gkebackup.backupPlans.delete
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backupPlans.setIamPolicy
gkebackup.backupPlans.update
gkebackup.backups.create
gkebackup.backups.delete
gkebackup.backups.get
gkebackup.backups.list
gkebackup.backups.update
gkebackup.locations.get
gkebackup.locations.list
gkebackup.operations.cancel
gkebackup.operations.delete
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.create
gkebackup.restorePlans.delete
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restorePlans.setIamPolicy
gkebackup.restorePlans.update
gkebackup.restores.create
gkebackup.restores.delete
gkebackup.restores.get
gkebackup.restores.list
gkebackup.restores.update
gkebackup.volumeBackups.get
gkebackup.volumeBackups.list
gkebackup.volumeRestores.get
gkebackup.volumeRestores.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup for GKE Backup Admin

(roles/gkebackup.backupAdmin)

Allows administrators to manage all BackupPlan and Backup resources.

gkebackup.backupPlans.*

gkebackup.backupPlans.create
gkebackup.backupPlans.delete
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backupPlans.setIamPolicy
gkebackup.backupPlans.update

gkebackup.backups.*

gkebackup.backups.create
gkebackup.backups.delete
gkebackup.backups.get
gkebackup.backups.list
gkebackup.backups.update

gkebackup.locations.*

gkebackup.locations.get
gkebackup.locations.list

gkebackup.operations.get

gkebackup.operations.list

gkebackup.volumeBackups.*

gkebackup.volumeBackups.get
gkebackup.volumeBackups.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup for GKE Delegated Backup Admin

(roles/gkebackup.delegatedBackupAdmin)

Allows administrators to manage Backup resources for specific BackupPlans

gkebackup.backupPlans.get

gkebackup.backups.*

gkebackup.backups.create
gkebackup.backups.delete
gkebackup.backups.get
gkebackup.backups.list
gkebackup.backups.update

gkebackup.volumeBackups.*

gkebackup.volumeBackups.get
gkebackup.volumeBackups.list

Backup for GKE Delegated Restore Admin

(roles/gkebackup.delegatedRestoreAdmin)

Allows administrators to manage Restore resources for specific RestorePlans

gkebackup.restorePlans.get

gkebackup.restores.*

gkebackup.restores.create
gkebackup.restores.delete
gkebackup.restores.get
gkebackup.restores.list
gkebackup.restores.update

gkebackup.volumeRestores.*

gkebackup.volumeRestores.get
gkebackup.volumeRestores.list

Backup for GKE Restore Admin

(roles/gkebackup.restoreAdmin)

Allows administrators to manage all RestorePlan and Restore resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.list

gkebackup.locations.*

gkebackup.locations.get
gkebackup.locations.list

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.*

gkebackup.restorePlans.create
gkebackup.restorePlans.delete
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restorePlans.setIamPolicy
gkebackup.restorePlans.update

gkebackup.restores.*

gkebackup.restores.create
gkebackup.restores.delete
gkebackup.restores.get
gkebackup.restores.list
gkebackup.restores.update

gkebackup.volumeBackups.*

gkebackup.volumeBackups.get
gkebackup.volumeBackups.list

gkebackup.volumeRestores.*

gkebackup.volumeRestores.get
gkebackup.volumeRestores.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup for GKE Viewer

(roles/gkebackup.viewer)

Read-only access to all Backup for GKE resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.list

gkebackup.locations.*

gkebackup.locations.get
gkebackup.locations.list

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.get

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restores.get

gkebackup.restores.list

gkebackup.volumeBackups.*

gkebackup.volumeBackups.get
gkebackup.volumeBackups.list

gkebackup.volumeRestores.*

gkebackup.volumeRestores.get
gkebackup.volumeRestores.list

resourcemanager.projects.get

resourcemanager.projects.list

Bare Metal Solution roles

Permissions

Bare Metal Solution Admin

(roles/baremetalsolution.admin)

Administrator of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.attachVolume
baremetalsolution.instances.create
baremetalsolution.instances.detachLun
baremetalsolution.instances.detachNetwork
baremetalsolution.instances.detachVolume
baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.instances.rename
baremetalsolution.instances.reset
baremetalsolution.instances.start
baremetalsolution.instances.stop
baremetalsolution.instances.update

baremetalsolution.luns.*

baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.evict
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.luns.update

baremetalsolution.maintenanceevents.*

baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.networks.create
baremetalsolution.networks.delete
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.networks.rename
baremetalsolution.networks.update

baremetalsolution.nfsshares.*

baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.snapshotschedulepolicies.create
baremetalsolution.snapshotschedulepolicies.delete
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.sshKeys.*

baremetalsolution.sshKeys.create
baremetalsolution.sshKeys.delete
baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

Bare Metal Solution Editor

(roles/baremetalsolution.editor)

Editor of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.attachVolume
baremetalsolution.instances.create
baremetalsolution.instances.detachLun
baremetalsolution.instances.detachNetwork
baremetalsolution.instances.detachVolume
baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.instances.rename
baremetalsolution.instances.reset
baremetalsolution.instances.start
baremetalsolution.instances.stop
baremetalsolution.instances.update

baremetalsolution.luns.*

baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.evict
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.luns.update

baremetalsolution.maintenanceevents.*

baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.networks.create
baremetalsolution.networks.delete
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.networks.rename
baremetalsolution.networks.update

baremetalsolution.nfsshares.*

baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.snapshotschedulepolicies.create
baremetalsolution.snapshotschedulepolicies.delete
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.sshKeys.*

baremetalsolution.sshKeys.create
baremetalsolution.sshKeys.delete
baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

Bare Metal Solution Instances Admin

(roles/baremetalsolution.instancesadmin)

Admin of Bare Metal Solution Instance resources

baremetalsolution.instances.*

baremetalsolution.instances.attachNetwork
baremetalsolution.instances.attachVolume
baremetalsolution.instances.create
baremetalsolution.instances.detachLun
baremetalsolution.instances.detachNetwork
baremetalsolution.instances.detachVolume
baremetalsolution.instances.disableInteractiveSerialConsole
baremetalsolution.instances.enableInteractiveSerialConsole
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.instances.rename
baremetalsolution.instances.reset
baremetalsolution.instances.start
baremetalsolution.instances.stop
baremetalsolution.instances.update

baremetalsolution.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Bare Metal Solution Instances Viewer

(roles/baremetalsolution.instancesviewer)

Viewer of Bare Metal Solution Instance resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Luns Admin

(roles/baremetalsolution.lunsadmin)

Administrator of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

Luns Viewer

(roles/baremetalsolution.lunsviewer)

Viewer of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

Maintenance Events Admin

(roles/baremetalsolution.maintenanceeventsadmin)

Administrator of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list

Maintenance Events Editor

(roles/baremetalsolution.maintenanceeventseditor)

Editor of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

baremetalsolution.maintenanceevents.addProposal
baremetalsolution.maintenanceevents.approve
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list

Maintenance Events Viewer

(roles/baremetalsolution.maintenanceeventsviewer)

Viewer of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

Networks Admin

(roles/baremetalsolution.networksadmin)

Admin of Bare Metal Solution networks resources

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.networks.create
baremetalsolution.networks.delete
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.networks.rename
baremetalsolution.networks.update

baremetalsolution.operations.get

NFS Shares Admin

(roles/baremetalsolution.nfssharesadmin)

Administrator of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update

baremetalsolution.operations.get

NFS Shares Editor

(roles/baremetalsolution.nfsshareseditor)

Editor of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update

baremetalsolution.operations.get

NFS Shares Viewer

(roles/baremetalsolution.nfssharesviewer)

Viewer of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

Procurements Admin

(roles/baremetalsolution.procurementsadmin)

Administrator of Bare Metal Solution Procurements

baremetalsolution.procurements.*

baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list

baremetalsolution.skus.list

Procurements Editor

(roles/baremetalsolution.procurementseditor)

Editor of Bare Metal Solution Procurements

baremetalsolution.procurements.*

baremetalsolution.procurements.create
baremetalsolution.procurements.get
baremetalsolution.procurements.list

baremetalsolution.skus.list

Procurements Viewer

(roles/baremetalsolution.procurementsviewer)

Viewer of Bare Metal Solution Procurements

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

Bare Metal Solution Storage Admin

(roles/baremetalsolution.storageadmin)

Administrator of Bare Metal Solution storage resources

baremetalsolution.luns.*

baremetalsolution.luns.create
baremetalsolution.luns.delete
baremetalsolution.luns.evict
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.luns.update

baremetalsolution.nfsshares.*

baremetalsolution.nfsshares.create
baremetalsolution.nfsshares.delete
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.nfsshares.rename
baremetalsolution.nfsshares.update

baremetalsolution.operations.get

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.snapshotschedulepolicies.create
baremetalsolution.snapshotschedulepolicies.delete
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.snapshotschedulepolicies.update

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update

baremetalsolution.volumesnapshots.*

baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore

resourcemanager.projects.get

resourcemanager.projects.list

Bare Metal Solution Viewer

(roles/baremetalsolution.viewer)

Viewer of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.get

baremetalsolution.networks.list

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.get

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

Volume Admin

(roles/baremetalsolution.volumesadmin)

Administrator of Bare Metal Solution volume resources

baremetalsolution.operations.get

baremetalsolution.volumes.*

baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.evict
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update

Volumes Editor

(roles/baremetalsolution.volumeseditor)

Editor of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumequotas.list

baremetalsolution.volumes.create

baremetalsolution.volumes.delete

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumes.rename

baremetalsolution.volumes.resize

baremetalsolution.volumes.update

Snapshots Admin

(roles/baremetalsolution.volumesnapshotsadmin)

Administrator of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.*

baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
baremetalsolution.volumesnapshots.restore

Snapshots Editor

(roles/baremetalsolution.volumesnapshotseditor)

Editor of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.create

baremetalsolution.volumesnapshots.delete

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

Snapshots Viewer

(roles/baremetalsolution.volumesnapshotsviewer)

Viewer of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

Volumes Viewer

(roles/baremetalsolution.volumessviewer)

Viewer of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumes.get

baremetalsolution.volumes.list

BeyondCorp roles

Permissions

Cloud BeyondCorp Admin ^Beta

(roles/beyondcorp.admin)

Full access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.*

beyondcorp.appConnections.create
beyondcorp.appConnections.delete
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnections.setIamPolicy
beyondcorp.appConnections.update

beyondcorp.appConnectors.*

beyondcorp.appConnectors.create
beyondcorp.appConnectors.delete
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appConnectors.reportStatus
beyondcorp.appConnectors.setIamPolicy
beyondcorp.appConnectors.update

beyondcorp.appGateways.*

beyondcorp.appGateways.create
beyondcorp.appGateways.delete
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.appGateways.setIamPolicy
beyondcorp.appGateways.update

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy

beyondcorp.locations.*

beyondcorp.locations.get
beyondcorp.locations.list

beyondcorp.operations.*

beyondcorp.operations.cancel
beyondcorp.operations.delete
beyondcorp.operations.get
beyondcorp.operations.list

beyondcorp.subscriptions.*

beyondcorp.subscriptions.create
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud BeyondCorp Client Connector Admin ^Beta

(roles/beyondcorp.clientConnectorAdmin)

Full access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

beyondcorp.clientGateways.create
beyondcorp.clientGateways.delete
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.clientGateways.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

Cloud BeyondCorp Client Connector Service User ^Beta

(roles/beyondcorp.clientConnectorServiceUser)

Access Client Connector Service

beyondcorp.clientConnectorServices.access

Cloud BeyondCorp Client Connector Viewer ^Beta

(roles/beyondcorp.clientConnectorViewer)

Read-only access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud BeyondCorp Subscription Admin ^Beta

(roles/beyondcorp.subscriptionAdmin)

Full access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.*

beyondcorp.subscriptions.create
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list

resourcemanager.organizations.get

Cloud BeyondCorp Subscription Viewer ^Beta

(roles/beyondcorp.subscriptionViewer)

Read-only access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

Cloud BeyondCorp Viewer ^Beta

(roles/beyondcorp.viewer)

Read-only access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.get

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnectors.get

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appGateways.get

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.locations.*

beyondcorp.locations.get
beyondcorp.locations.list

beyondcorp.operations.get

beyondcorp.operations.list

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery roles

Permissions

BigQuery Admin

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

Datasets
Row access policies
Tables
Views

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection Admin

(roles/bigquery.connectionAdmin)

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

BigQuery Connection User

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

BigQuery Data Editor

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Owner

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Filtered Data Viewer

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

Project

bigquery.config.get

bigquery.jobs.create

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Metadata Viewer

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

List tables and views in the dataset.
Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table
View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Read Session User

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

Lowest-level resources where you can grant this role:

Project

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Admin

(roles/bigquery.resourceAdmin)

Administer all BigQuery resources.

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Editor

(roles/bigquery.resourceEditor)

Manage all BigQuery resources, but cannot make purchasing decisions.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Viewer

(roles/bigquery.resourceViewer)

View all BigQuery resources but cannot make changes or purchasing decisions.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery User

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

resourcemanager.projects.get

resourcemanager.projects.list

Masked Reader

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.maskedGet

Billing roles

Permissions

Billing Account Administrator

(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.budgets.*

billing.budgets.create
billing.budgets.delete
billing.budgets.get
billing.budgets.list
billing.budgets.update

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

billing.resourceAssociations.create
billing.resourceAssociations.delete
billing.resourceAssociations.list

billing.subscriptions.*

billing.subscriptions.create
billing.subscriptions.get
billing.subscriptions.list
billing.subscriptions.update

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

cloudsupport.techCases.create
cloudsupport.techCases.escalate
cloudsupport.techCases.get
cloudsupport.techCases.list
cloudsupport.techCases.update

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

compute.commitments.*

compute.commitments.create
compute.commitments.get
compute.commitments.list
compute.commitments.update
compute.commitments.updateReservations

consumerprocurement.accounts.*

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.events.get
consumerprocurement.events.list

consumerprocurement.orderAttributions.*

consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.commitmentUtilizationInsights.*

recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.commitmentUtilizationInsights.update

recommender.costInsights.*

recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update

recommender.spendBasedCommitmentInsights.*

recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentInsights.update

recommender.spendBasedCommitmentRecommendations.*

recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentRecommendations.update

recommender.spendBasedCommitmentRecommenderConfig.*

recommender.spendBasedCommitmentRecommenderConfig.get
recommender.spendBasedCommitmentRecommenderConfig.update

recommender.usageCommitmentRecommendations.*

recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
recommender.usageCommitmentRecommendations.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

Billing Account Costs Manager

(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.budgets.*

billing.budgets.create
billing.budgets.delete
billing.budgets.get
billing.budgets.list
billing.budgets.update

billing.resourceAssociations.list

recommender.costInsights.*

recommender.costInsights.get
recommender.costInsights.list
recommender.costInsights.update

Billing Account Creator

(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

Organization

billing.accounts.create

resourcemanager.organizations.get

Project Billing Manager

(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

Billing Account User

(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

Billing Account Viewer

(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Binary Authorization roles

Permissions

Binary Authorization Attestor Admin

(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*

binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Editor

(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Image Verifier

(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Viewer

(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get

binaryauthorization.attestors.list

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Administrator

(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.*

binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Editor

(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Evaluator ^Beta

(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Viewer

(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

CA Service roles

Permissions

CA Service Admin

(roles/privateca.admin)

Full access to all CA Service resources.

privateca.*

privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.caPools.update
privateca.caPools.use
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.create
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.setIamPolicy
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.create
privateca.certificates.createForSelf
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.certificates.update
privateca.locations.get
privateca.locations.list
privateca.operations.cancel
privateca.operations.delete
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

CA Service Auditor

(roles/privateca.auditor)

Read-only access to all CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

CA Service Operation Manager

(roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.

privateca.caPools.create

privateca.caPools.delete

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.update

privateca.certificateAuthorities.create

privateca.certificateAuthorities.delete

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.update

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.update

privateca.certificateTemplates.create

privateca.certificateTemplates.delete

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.update

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.update

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.create

privateca.reusableConfigs.delete

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

CA Service Certificate Manager

(roles/privateca.certificateManager)

Create certificates and read-only access for CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.create

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

CA Service Certificate Requester

(roles/privateca.certificateRequester)

Request certificates from CA Service.

privateca.certificates.create

CA Service Pool Reader

(roles/privateca.poolReader)

Read CA Pools in CA Service.

privateca.caPools.get

CA Service Certificate Template User

(roles/privateca.templateUser)

Read, list and use certificate templates.

privateca.certificateTemplates.get

privateca.certificateTemplates.list

privateca.certificateTemplates.use

CA Service Workload Certificate Requester

(roles/privateca.workloadCertificateRequester)

Request certificates from CA Service with caller's identity.

privateca.certificates.createForSelf

Certificate Manager roles

Permissions

Certificate Manager Editor

(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

certificatemanager.locations.get
certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.create

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

certificatemanager.trustconfigs.update

certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

Certificate Manager Owner

(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

certificatemanager.*

certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.delete
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.delete
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

Certificate Manager Viewer

(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

certificatemanager.locations.get
certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

Chronicle API roles

Permissions

Chronicle API Admin

(roles/chronicle.admin)

Full access to the Chronicle API services, including global settings.

chronicle.*

chronicle.collectors.create
chronicle.collectors.delete
chronicle.collectors.get
chronicle.collectors.list
chronicle.collectors.update
chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
chronicle.curatedRuleSetCategories.get
chronicle.curatedRuleSetCategories.list
chronicle.curatedRuleSetDeployments.batchUpdate
chronicle.curatedRuleSetDeployments.get
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSetDeployments.update
chronicle.curatedRuleSets.countCuratedRuleSetDetections
chronicle.curatedRuleSets.get
chronicle.curatedRuleSets.list
chronicle.curatedRules.get
chronicle.curatedRules.list
chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.edit
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.extensionValidationReports.get
chronicle.extensionValidationReports.list
chronicle.feedSourceTypeSchemas.list
chronicle.feeds.create
chronicle.feeds.delete
chronicle.feeds.disable
chronicle.feeds.enable
chronicle.feeds.get
chronicle.feeds.list
chronicle.feeds.update
chronicle.forwarders.create
chronicle.forwarders.delete
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.forwarders.update
chronicle.instances.get
chronicle.instances.report
chronicle.legacies.legacyGetCuratedRulesTrends
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyUpdateFinding
chronicle.logTypeSchemas.list
chronicle.multitenantDirectories.get
chronicle.operations.cancel
chronicle.operations.delete
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait
chronicle.parserExtensions.activate
chronicle.parserExtensions.create
chronicle.parserExtensions.delete
chronicle.parserExtensions.generateKeyValueMappings
chronicle.parserExtensions.get
chronicle.parserExtensions.legacySubmitParserExtension
chronicle.parserExtensions.list
chronicle.parserExtensions.removeSyslog
chronicle.parsers.activate
chronicle.parsers.activateReleaseCandidate
chronicle.parsers.copyPrebuiltParser
chronicle.parsers.create
chronicle.parsers.deactivate
chronicle.parsers.delete
chronicle.parsers.get
chronicle.parsers.list
chronicle.parsers.runParser
chronicle.parsingErrors.list
chronicle.referenceLists.create
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.update
chronicle.referenceLists.verifyReferenceList
chronicle.retrohunts.create
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleDeployments.update
chronicle.ruleExecutionErrors.list
chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText
chronicle.validationErrors.list
chronicle.validationReports.get

resourcemanager.projects.get

resourcemanager.projects.list

Chronicle API Editor

(roles/chronicle.editor)

Modify Access to Chronicle API resources.

chronicle.collectors.get

chronicle.collectors.list

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
chronicle.curatedRuleSetCategories.get
chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.*

chronicle.curatedRuleSetDeployments.batchUpdate
chronicle.curatedRuleSetDeployments.get
chronicle.curatedRuleSetDeployments.list
chronicle.curatedRuleSetDeployments.update

chronicle.curatedRuleSets.*

chronicle.curatedRuleSets.countCuratedRuleSetDetections
chronicle.curatedRuleSets.get
chronicle.curatedRuleSets.list

chronicle.curatedRules.*

chronicle.curatedRules.get
chronicle.curatedRules.list

chronicle.dashboards.*

chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.delete
chronicle.dashboards.edit
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.instances.*

chronicle.instances.get
chronicle.instances.report

chronicle.legacies.*

chronicle.legacies.legacyGetCuratedRulesTrends
chronicle.legacies.legacyGetRuleCounts
chronicle.legacies.legacyGetRulesTrends
chronicle.legacies.legacyUpdateFinding

chronicle.logTypeSchemas.list

chronicle.multitenantDirectories.get

chronicle.operations.*

chronicle.operations.cancel
chronicle.operations.delete
chronicle.operations.get
chronicle.operations.list
chronicle.operations.wait

chronicle.referenceLists.*

chronicle.referenceLists.create
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.referenceLists.update
chronicle.referenceLists.verifyReferenceList

chronicle.retrohunts.*

chronicle.retrohunts.create
chronicle.retrohunts.get
chronicle.retrohunts.list

chronicle.ruleDeployments.*

chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.ruleDeployments.update

chronicle.ruleExecutionErrors.list

chronicle.rules.*

chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText

resourcemanager.projects.get

resourcemanager.projects.list

Chronicle API Limited Viewer

(roles/chronicle.limitedViewer)

Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.instances.get

chronicle.multitenantDirectories.get

Chronicle API Viewer

(roles/chronicle.viewer)

Read-only access to the Chronicle API resources.

chronicle.collectors.get

chronicle.collectors.list

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
chronicle.curatedRuleSetCategories.get
chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.get

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.*

chronicle.curatedRuleSets.countCuratedRuleSetDetections
chronicle.curatedRuleSets.get
chronicle.curatedRuleSets.list

chronicle.curatedRules.*

chronicle.curatedRules.get
chronicle.curatedRules.list

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.dashboards.schedule

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.instances.*

chronicle.instances.get
chronicle.instances.report

chronicle.legacies.legacyGetCuratedRulesTrends

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.logTypeSchemas.list

chronicle.multitenantDirectories.get

chronicle.operations.get

chronicle.operations.list

chronicle.operations.wait

chronicle.referenceLists.get

chronicle.referenceLists.list

chronicle.referenceLists.verifyReferenceList

chronicle.retrohunts.get

chronicle.retrohunts.list

chronicle.ruleDeployments.get

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.verifyRuleText

resourcemanager.projects.get

resourcemanager.projects.list

Cloud AlloyDB roles

Permissions

Cloud AlloyDB Admin ^Beta

(roles/alloydb.admin)

Full access to Cloud AlloyDB all resources.

alloydb.*

alloydb.backups.create
alloydb.backups.delete
alloydb.backups.get
alloydb.backups.list
alloydb.backups.update
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.failover
alloydb.instances.get
alloydb.instances.injectFault
alloydb.instances.list
alloydb.instances.restart
alloydb.instances.update
alloydb.locations.get
alloydb.locations.list
alloydb.operations.cancel
alloydb.operations.delete
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list
alloydb.users.create
alloydb.users.delete
alloydb.users.get
alloydb.users.list
alloydb.users.login
alloydb.users.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud AlloyDB Client ^Beta

(roles/alloydb.client)

Connectivity access to Cloud AlloyDB instances.

alloydb.clusters.generateClientCertificate

alloydb.clusters.get

alloydb.instances.connect

alloydb.instances.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud AlloyDB Database User ^Beta

(roles/alloydb.databaseUser)

Role allowing access to login as a database user.

alloydb.clusters.get

alloydb.instances.get

alloydb.users.login

resourcemanager.projects.get

resourcemanager.projects.list

Cloud AlloyDB Viewer ^Beta

(roles/alloydb.viewer)

Read-only access to Cloud AlloyDB all resources.

alloydb.backups.get

alloydb.backups.list

alloydb.clusters.get

alloydb.clusters.list

alloydb.instances.get

alloydb.instances.list

alloydb.locations.*

alloydb.locations.get
alloydb.locations.list

alloydb.operations.get

alloydb.operations.list

alloydb.supportedDatabaseFlags.*

alloydb.supportedDatabaseFlags.get
alloydb.supportedDatabaseFlags.list

alloydb.users.get

alloydb.users.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Asset roles

Permissions

Cloud Asset Owner

(roles/cloudasset.owner)

Full access to cloud assets metadata

cloudasset.*

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.list
cloudasset.feeds.update
cloudasset.savedqueries.create
cloudasset.savedqueries.delete
cloudasset.savedqueries.get
cloudasset.savedqueries.list
cloudasset.savedqueries.update

recommender.cloudAssetInsights.*

recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.cloudAssetInsights.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

Cloud Asset Viewer

(roles/cloudasset.viewer)

Read only access to cloud assets metadata

cloudasset.assets.*

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

Cloud Bigtable roles

Permissions

Bigtable Administrator

(roles/bigtable.admin)

Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

Lowest-level resources where you can grant this role:

Table

bigtable.*

bigtable.appProfiles.create
bigtable.appProfiles.delete
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.appProfiles.update
bigtable.backups.create
bigtable.backups.delete
bigtable.backups.get
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.read
bigtable.backups.restore
bigtable.backups.setIamPolicy
bigtable.backups.update
bigtable.clusters.create
bigtable.clusters.delete
bigtable.clusters.get
bigtable.clusters.list
bigtable.clusters.update
bigtable.hotTablets.list
bigtable.instances.create
bigtable.instances.createTagBinding
bigtable.instances.delete
bigtable.instances.deleteTagBinding
bigtable.instances.get
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.listEffectiveTags
bigtable.instances.listTagBindings
bigtable.instances.ping
bigtable.instances.setIamPolicy
bigtable.instances.update
bigtable.keyvisualizer.get
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.create
bigtable.tables.delete
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
bigtable.tables.setIamPolicy
bigtable.tables.undelete
bigtable.tables.update

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable Reader

(roles/bigtable.reader)

Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

Lowest-level resources where you can grant this role:

Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

bigtable.keyvisualizer.get
bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable User

(roles/bigtable.user)

Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts.

Lowest-level resources where you can grant this role:

Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

bigtable.keyvisualizer.get
bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.mutateRows

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

Bigtable Viewer

(roles/bigtable.viewer)

Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable.

Lowest-level resources where you can grant this role:

Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.listEffectiveTags

bigtable.instances.listTagBindings

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.list

resourcemanager.projects.get

Cloud Build roles

Permissions

Cloud Build Approver

(roles/cloudbuild.builds.approver)

Can approve or reject pending builds.

cloudbuild.builds.approve

cloudbuild.builds.get

cloudbuild.builds.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Service Account

(roles/cloudbuild.builds.builder)

Provides access to perform builds.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.files.*

artifactregistry.files.get
artifactregistry.files.list

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry.locations.list

artifactregistry.mavenartifacts.*

artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.*

artifactregistry.npmpackages.get
artifactregistry.npmpackages.list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.topics.create

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Cloud Build Editor

(roles/cloudbuild.builds.editor)

Provides access to create and cancel builds.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Viewer

(roles/cloudbuild.builds.viewer)

Provides access to view builds.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.get

cloudbuild.builds.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Admin ^Beta

(roles/cloudbuild.connectionAdmin)

Can manage connections and repositories.

cloudbuild.connections.*

cloudbuild.connections.create
cloudbuild.connections.delete
cloudbuild.connections.fetchLinkableRepositories
cloudbuild.connections.get
cloudbuild.connections.getIamPolicy
cloudbuild.connections.list
cloudbuild.connections.setIamPolicy
cloudbuild.connections.update

cloudbuild.repositories.create

cloudbuild.repositories.delete

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Connection Viewer ^Beta

(roles/cloudbuild.connectionViewer)

Can view and list connections and repositories.

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.get

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Editor

(roles/cloudbuild.integrationsEditor)

Can update Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Owner

(roles/cloudbuild.integrationsOwner)

Can create/delete Integrations

cloudbuild.integrations.*

cloudbuild.integrations.create
cloudbuild.integrations.delete
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update

compute.firewalls.create

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.networks.updatePolicy

compute.regions.get

compute.subnetworks.get

compute.subnetworks.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Integrations Viewer

(roles/cloudbuild.integrationsViewer)

Can view Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build Read Only Token Accessor ^Beta

(roles/cloudbuild.readTokenAccessor)

Can view the connection and access its read-only token.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.get

Cloud Build Token Accessor ^Beta

(roles/cloudbuild.tokenAccessor)

Can view the connection and access its read/write and read-only tokens.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

Cloud Build WorkerPool Editor

(roles/cloudbuild.workerPoolEditor)

Can update and view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool Owner

(roles/cloudbuild.workerPoolOwner)

Can create, delete, update, and view WorkerPools

cloudbuild.workerpools.create

cloudbuild.workerpools.delete

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Build WorkerPool User

(roles/cloudbuild.workerPoolUser)

Can run builds in the WorkerPool

cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer

(roles/cloudbuild.workerPoolViewer)

Can view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Composer roles

Permissions

Cloud Composer v2 API Service Agent Extension

(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.setIamPolicy

Composer Administrator

(roles/composer.admin)

Provides full control of Cloud Composer resources.

Lowest-level resources where you can grant this role:

Project

composer.*

composer.dags.execute
composer.dags.get
composer.dags.getSourceCode
composer.dags.list
composer.environments.create
composer.environments.delete
composer.environments.executeAirflowCommand
composer.environments.get
composer.environments.list
composer.environments.update
composer.imageversions.list
composer.operations.delete
composer.operations.get
composer.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Environment and Storage Object Administrator

(roles/composer.environmentAndStorageObjectAdmin)

Provides full control of Cloud Composer resources and of the objects in all project buckets.

Lowest-level resources where you can grant this role:

Project

composer.*

composer.dags.execute
composer.dags.get
composer.dags.getSourceCode
composer.dags.list
composer.environments.create
composer.environments.delete
composer.environments.executeAirflowCommand
composer.environments.get
composer.environments.list
composer.environments.update
composer.imageversions.list
composer.operations.delete
composer.operations.get
composer.operations.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Environment and Storage Object User

(roles/composer.environmentAndStorageObjectUser)

Read and use access to Cloud Composer resources and read access to Cloud Storage objects.

composer.dags.*

composer.dags.execute
composer.dags.get
composer.dags.getSourceCode
composer.dags.list

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.objects.get

storage.objects.list

Environment and Storage Object Viewer

(roles/composer.environmentAndStorageObjectViewer)

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

Lowest-level resources where you can grant this role:

Project

composer.dags.*

composer.dags.execute
composer.dags.get
composer.dags.getSourceCode
composer.dags.list

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.objects.get

storage.objects.list

Composer Shared VPC Agent

(roles/composer.sharedVpcAgent)

Role that should be assigned to Composer Agent service account in Shared VPC host project

compute.networkAttachments.create

compute.networkAttachments.delete

compute.networkAttachments.get

compute.networks.access

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zones.*

compute.zones.get
compute.zones.list

dns.managedZones.get

dns.managedZones.list

dns.networks.targetWithPeeringZone

Composer User

(roles/composer.user)

Provides the permissions necessary to list and get Cloud Composer environments and operations.

Lowest-level resources where you can grant this role:

Project

composer.dags.*

composer.dags.execute
composer.dags.get
composer.dags.getSourceCode
composer.dags.list

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Composer Worker

(roles/composer.worker)

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

Lowest-level resources where you can grant this role:

Project

artifactregistry.*

artifactregistry.aptartifacts.create
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.kfpartifacts.create
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.delete
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.projectsettings.get
artifactregistry.projectsettings.update
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.repositories.create
artifactregistry.repositories.createOnPush
artifactregistry.repositories.createTagBinding
artifactregistry.repositories.delete
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.deleteTagBinding
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.readViaVirtualRepository
artifactregistry.repositories.setIamPolicy
artifactregistry.repositories.update
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.delete
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

composer.environments.get

container.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.get
container.backendConfigs.list
container.backendConfigs.update
container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update
container.certificateSigningRequests.approve
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.create
container.clusters.createTagBinding
container.clusters.delete
container.clusters.deleteTagBinding
container.clusters.get
container.clusters.getCredentials
container.clusters.impersonate
container.clusters.list
container.clusters.listEffectiveTags
container.clusters.listTagBindings
container.clusters.update
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container.controllerRevisions.create
container.controllerRevisions.delete
container.controllerRevisions.get
container.controllerRevisions.list
container.controllerRevisions.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container.cronJobs.updateStatus
container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.customResourceDefinitions.updateStatus
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.daemonSets.updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update
container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.horizontalPodAutoscalers.update
container.horizontalPodAutoscalers.updateStatus
container.hostServiceAgent.use
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container.ingresses.updateStatus
container.initializerConfigurations.create
container.initializerConfigurations.delete
container.initializerConfigurations.get
container.initializerConfigurations.list
container.initializerConfigurations.update
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container.localSubjectAccessReviews.create
container.localSubjectAccessReviews.list
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus
container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus
container.operations.get
container.operations.list
container.persistentVolumeClaims.create
container.persistentVolumeClaims.delete
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumeClaims.update
container.persistentVolumeClaims.updateStatus
container.persistentVolumes.create
container.persistentVolumes.delete
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.persistentVolumes.update
container.persistentVolumes.updateStatus
container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.podDisruptionBudgets.updateStatus
container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update
container.podSecurityPolicies.create
container.podSecurityPolicies.delete
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podSecurityPolicies.update
container.podSecurityPolicies.use
container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update
container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicaSets.update
container.replicaSets.updateScale
container.replicaSets.updateStatus
container.replicationControllers.create
container.replicationControllers.delete
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.replicationControllers.update
container.replicationControllers.updateScale
container.replicationControllers.updateStatus
container.resourceQuotas.create
container.resourceQuotas.delete
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.resourceQuotas.update
container.resourceQuotas.updateStatus
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.list
container.roles.update
container.runtimeClasses.create
container.runtimeClasses.delete
container.runtimeClasses.get
container.runtimeClasses.list
container.runtimeClasses.update
container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container.scheduledJobs.updateStatus
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container.selfSubjectAccessReviews.create
container.selfSubjectAccessReviews.list
container.selfSubjectRulesReviews.create
container.serviceAccounts.create
container.serviceAccounts.createToken
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container.services.updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.statefulSets.update
container.statefulSets.updateScale
container.statefulSets.updateStatus
container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.storageClasses.list
container.storageClasses.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.subjectAccessReviews.create
container.subjectAccessReviews.list
container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.thirdPartyResources.create
container.thirdPartyResources.delete
container.thirdPartyResources.get
container.thirdPartyResources.list
container.thirdPartyResources.update
container.tokenReviews.create
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.views.access

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

orgpolicy.policy.get

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update

recommender.containerDiagnosisRecommendations.*

recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update

recommender.networkAnalyzerGkeIpAddressInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Cloud Config Manager roles

Permissions

Cloud Config Manager Admin ^Beta

(roles/config.admin)

Full access to Cloud Config Manager resources.

config.*

config.deployments.create
config.deployments.delete
config.deployments.get
config.deployments.getIamPolicy
config.deployments.list
config.deployments.setIamPolicy
config.deployments.update
config.locations.get
config.locations.list
config.operations.cancel
config.operations.delete
config.operations.get
config.operations.list
config.resources.get
config.resources.list
config.revisions.get
config.revisions.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Config Manager Viewer ^Beta

(roles/config.viewer)

Read-only access to Cloud Config Manager resources.

config.deployments.get

config.deployments.getIamPolicy

config.deployments.list

config.locations.*

config.locations.get
config.locations.list

config.operations.get

config.operations.list

config.resources.*

config.resources.get
config.resources.list

config.revisions.*

config.revisions.get
config.revisions.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Connectors roles

Permissions

Connector Admin

(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.*

connectors.actions.execute
connectors.actions.list
connectors.connections.create
connectors.connections.delete
connectors.connections.executeSqlQuery
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connections.setIamPolicy
connectors.connections.update
connectors.connectors.get
connectors.connectors.list
connectors.endpointAttachments.create
connectors.endpointAttachments.delete
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.endpointAttachments.setIamPolicy
connectors.endpointAttachments.update
connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions
connectors.entityTypes.list
connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update
connectors.eventtypes.get
connectors.eventtypes.list
connectors.locations.get
connectors.locations.list
connectors.managedZones.create
connectors.managedZones.delete
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.managedZones.setIamPolicy
connectors.managedZones.update
connectors.operations.cancel
connectors.operations.delete
connectors.operations.get
connectors.operations.list
connectors.providers.get
connectors.providers.list
connectors.runtimeconfig.get
connectors.schemaMetadata.refresh
connectors.settings.get
connectors.settings.update
connectors.versions.get
connectors.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.secrets.getIamPolicy

Connectors Endpoint Attachment Admin

(roles/connectors.endpointAttachmentAdmin)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.

connectors.endpointAttachments.*

connectors.endpointAttachments.create
connectors.endpointAttachments.delete
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.endpointAttachments.setIamPolicy
connectors.endpointAttachments.update

Connectors Endpoint Attachment Viewer

(roles/connectors.endpointAttachmentViewer)

Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

Connectors Event Subscriptions Admin

(roles/connectors.eventSubscriptionAdmin)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources

connectors.eventSubscriptions.*

connectors.eventSubscriptions.create
connectors.eventSubscriptions.delete
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
connectors.eventSubscriptions.update

Connectors Event Subscriptions Viewer

(roles/connectors.eventSubscriptionViewer)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

Connector Invoker

(roles/connectors.invoker)

Full Access to invoke all operations on Connections.

connectors.actions.*

connectors.actions.execute
connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

Connectors Managed Zone Admin

(roles/connectors.managedZoneAdmin)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources

connectors.managedZones.*

connectors.managedZones.create
connectors.managedZones.delete
connectors.managedZones.get
connectors.managedZones.getIamPolicy
connectors.managedZones.list
connectors.managedZones.setIamPolicy
connectors.managedZones.update

Connectors Managed Zone Viewer

(roles/connectors.managedZoneViewer)

Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

Connectors Viewer

(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connectors.*

connectors.connectors.get
connectors.connectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

connectors.eventtypes.get
connectors.eventtypes.list

connectors.locations.*

connectors.locations.get
connectors.locations.list

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.get

connectors.operations.list

connectors.providers.*

connectors.providers.get
connectors.providers.list

connectors.runtimeconfig.get

connectors.settings.get

connectors.versions.*

connectors.versions.get
connectors.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Fusion roles

Permissions

Cloud Data Fusion Accessor ^Beta

(roles/datafusion.accessor)

Read-only access to Cloud Data Fusion Instances. Use it on instance level along with the namespace grants to provide access to the specific namespace.

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Fusion Admin

(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.*

datafusion.artifacts.create
datafusion.artifacts.delete
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.artifacts.update
datafusion.instances.create
datafusion.instances.delete
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.restart
datafusion.instances.runtime
datafusion.instances.setIamPolicy
datafusion.instances.update
datafusion.instances.upgrade
datafusion.locations.get
datafusion.locations.list
datafusion.operations.cancel
datafusion.operations.delete
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.create
datafusion.pipelineConnections.delete
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.update
datafusion.pipelineConnections.use
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.preview
datafusion.pipelines.update
datafusion.profiles.create
datafusion.profiles.delete
datafusion.profiles.get
datafusion.profiles.list
datafusion.profiles.update
datafusion.secureKeys.create
datafusion.secureKeys.delete
datafusion.secureKeys.getSecret
datafusion.secureKeys.list
datafusion.secureKeys.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Fusion Developer ^Beta

(roles/datafusion.developer)

Access Cloud Data Fusion Instances, develop and run pipelines.

datafusion.artifacts.get

datafusion.artifacts.list

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.instances.runtime

datafusion.locations.*

datafusion.locations.get
datafusion.locations.list

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelineConnections.use

datafusion.pipelines.*

datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.preview
datafusion.pipelines.update

datafusion.profiles.get

datafusion.profiles.list

datafusion.secureKeys.*

datafusion.secureKeys.create
datafusion.secureKeys.delete
datafusion.secureKeys.getSecret
datafusion.secureKeys.list
datafusion.secureKeys.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Fusion Operator ^Beta

(roles/datafusion.operator)

Access Cloud Data Fusion Instances, operate namespaces and related resources.

datafusion.artifacts.*

datafusion.artifacts.create
datafusion.artifacts.delete
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.artifacts.update

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.instances.runtime

datafusion.locations.*

datafusion.locations.get
datafusion.locations.list

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelineConnections.use

datafusion.pipelines.create

datafusion.pipelines.delete

datafusion.pipelines.execute

datafusion.pipelines.get

datafusion.pipelines.list

datafusion.pipelines.update

datafusion.profiles.*

datafusion.profiles.create
datafusion.profiles.delete
datafusion.profiles.get
datafusion.profiles.list
datafusion.profiles.update

datafusion.secureKeys.*

datafusion.secureKeys.create
datafusion.secureKeys.delete
datafusion.secureKeys.getSecret
datafusion.secureKeys.list
datafusion.secureKeys.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Fusion Runner

(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer

(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.artifacts.get

datafusion.artifacts.list

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.instances.runtime

datafusion.locations.*

datafusion.locations.get
datafusion.locations.list

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelines.get

datafusion.pipelines.list

datafusion.profiles.get

datafusion.profiles.list

datafusion.secureKeys.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Data Labeling roles

Permissions

Data Labeling Service Admin ^Beta

(roles/datalabeling.admin)

Full access to all Data Labeling resources

datalabeling.*

datalabeling.annotateddatasets.delete
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.label
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.create
datalabeling.annotationspecsets.delete
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.get
datalabeling.dataitems.list
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.datasets.list
datalabeling.examples.get
datalabeling.examples.list
datalabeling.instructions.create
datalabeling.instructions.delete
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.cancel
datalabeling.operations.get
datalabeling.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Data Labeling Service Editor ^Beta

(roles/datalabeling.editor)

Editor of all Data Labeling resources

datalabeling.*

datalabeling.annotateddatasets.delete
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.label
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.create
datalabeling.annotationspecsets.delete
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.get
datalabeling.dataitems.list
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.datasets.list
datalabeling.examples.get
datalabeling.examples.list
datalabeling.instructions.create
datalabeling.instructions.delete
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.cancel
datalabeling.operations.get
datalabeling.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Data Labeling Service Viewer ^Beta

(roles/datalabeling.viewer)

Viewer of all Data Labeling resources

datalabeling.annotateddatasets.get

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.get

datalabeling.annotationspecsets.list

datalabeling.dataitems.*

datalabeling.dataitems.get
datalabeling.dataitems.list

datalabeling.datasets.get

datalabeling.datasets.list

datalabeling.examples.*

datalabeling.examples.get
datalabeling.examples.list

datalabeling.instructions.get

datalabeling.instructions.list

datalabeling.operations.get

datalabeling.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Dataplex roles

Permissions

Dataplex Administrator

(roles/dataplex.admin)

Full access to all Dataplex resources.

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.assets.update

dataplex.content.*

dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update

dataplex.dataAttributeBindings.*

dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update

dataplex.dataAttributes.*

dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update

dataplex.dataTaxonomies.*

dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.entities.*

dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update

dataplex.environments.*

dataplex.environments.create
dataplex.environments.delete
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.setIamPolicy
dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.*

dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.lakes.update

dataplex.locations.*

dataplex.locations.get
dataplex.locations.list

dataplex.operations.*

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list

dataplex.partitions.*

dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update

dataplex.tasks.*

dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.setIamPolicy
dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.*

dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataplex.zones.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataplex Binding Administrator

(roles/dataplex.bindingAdmin)

Full access on DataAttribute Bindig resources.

dataplex.dataAttributeBindings.*

dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.setIamPolicy
dataplex.dataAttributeBindings.update

Dataplex Data Owner

(roles/dataplex.dataOwner)

Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.ownData

dataplex.assets.readData

dataplex.assets.writeData

Dataplex Data Reader

(roles/dataplex.dataReader)

Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.readData

Dataplex DataScan Administrator

(roles/dataplex.dataScanAdmin)

Full access to DataScan resources.

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

Dataplex DataScan DataViewer

(roles/dataplex.dataScanDataViewer)

Read access to DataScan resources and additional contents.

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

Dataplex DataScan Editor

(roles/dataplex.dataScanEditor)

Write access to DataScan resources.

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

Dataplex DataScan Viewer

(roles/dataplex.dataScanViewer)

Read access to DataScan resources.

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

Dataplex Data Writer

(roles/dataplex.dataWriter)

Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.writeData

Dataplex Developer

(roles/dataplex.developer)

Allows running data analytics workloads in a lake.

dataplex.content.*

dataplex.content.create
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.content.update

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

Dataplex Editor

(roles/dataplex.editor)

Write access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.update

dataplex.content.delete

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.create

dataplex.dataAttributeBindings.delete

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.update

dataplex.dataAttributes.bind

dataplex.dataAttributes.create

dataplex.dataAttributes.delete

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.update

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.update

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.environments.create

dataplex.environments.delete

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.create

dataplex.lakes.delete

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.update

dataplex.operations.*

dataplex.operations.cancel
dataplex.operations.delete
dataplex.operations.get
dataplex.operations.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.create

dataplex.zones.delete

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.update

Dataplex Metadata Reader

(roles/dataplex.metadataReader)

Read only access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.get

dataplex.entities.list

dataplex.partitions.get

dataplex.partitions.list

dataplex.zones.get

dataplex.zones.list

Dataplex Metadata Writer

(roles/dataplex.metadataWriter)

Read and write access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.*

dataplex.entities.create
dataplex.entities.delete
dataplex.entities.get
dataplex.entities.list
dataplex.entities.update

dataplex.partitions.*

dataplex.partitions.create
dataplex.partitions.delete
dataplex.partitions.get
dataplex.partitions.list
dataplex.partitions.update

dataplex.zones.get

dataplex.zones.list

Dataplex Security Administrator

(roles/dataplex.securityAdmin)

Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

Dataplex Storage Data Owner

(roles/dataplex.storageDataOwner)

Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.create

bigquery.models.delete

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.models.updateData

bigquery.models.updateMetadata

bigquery.routines.create

bigquery.routines.delete

bigquery.routines.get

bigquery.routines.list

bigquery.routines.update

bigquery.tables.create

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Dataplex Storage Data Reader

(roles/dataplex.storageDataReader)

Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataplex Storage Data Writer

(roles/dataplex.storageDataWriter)

Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.tables.updateData

storage.objects.create

storage.objects.delete

storage.objects.update

Dataplex Taxonomy Administrator

(roles/dataplex.taxonomyAdmin)

Full access to DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.*

dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.setIamPolicy
dataplex.dataAttributes.update

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.dataTaxonomies.update

Dataplex Taxonomy Viewer

(roles/dataplex.taxonomyViewer)

Read access on DataTaxonomy, DataAttribute resources .

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

Dataplex Viewer

(roles/dataplex.viewer)

Read access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.operations.get

dataplex.operations.list

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

Cloud Debugger roles

Permissions

Cloud Debugger Agent ^Beta

(roles/clouddebugger.agent)

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

Lowest-level resources where you can grant this role:

Service Account

clouddebugger.breakpoints.list

clouddebugger.breakpoints.listActive

clouddebugger.breakpoints.update

clouddebugger.debuggees.create

Cloud Debugger User ^Beta

(roles/clouddebugger.user)

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Lowest-level resources where you can grant this role:

Project

clouddebugger.breakpoints.create

clouddebugger.breakpoints.delete

clouddebugger.breakpoints.get

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

Cloud Deploy roles

Permissions

Cloud Deploy Admin

(roles/clouddeploy.admin)

Full control of Cloud Deploy resources.

clouddeploy.*

clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.setIamPolicy
clouddeploy.deliveryPipelines.update
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate
clouddeploy.locations.get
clouddeploy.locations.list
clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.approve
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.setIamPolicy
clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Approver

(roles/clouddeploy.approver)

Permission to approve or reject rollouts.

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.rollouts.approve

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Developer

(roles/clouddeploy.developer)

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.update

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Runner

(roles/clouddeploy.jobRunner)

Permission to execute Cloud Deploy work without permission to deliver to a target.

logging.logEntries.create

storage.objects.create

storage.objects.get

storage.objects.list

Cloud Deploy Operator

(roles/clouddeploy.operator)

Permission to manage deployment configuration.

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.update

clouddeploy.jobRuns.*

clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.jobRuns.terminate

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.*

clouddeploy.releases.abandon
clouddeploy.releases.create
clouddeploy.releases.delete
clouddeploy.releases.get
clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.ignoreJob

clouddeploy.rollouts.list

clouddeploy.rollouts.retryJob

clouddeploy.targets.create

clouddeploy.targets.delete

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Releaser

(roles/clouddeploy.releaser)

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.deliveryPipelines.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.*

clouddeploy.operations.cancel
clouddeploy.operations.delete
clouddeploy.operations.get
clouddeploy.operations.list

clouddeploy.releases.create

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Deploy Viewer

(roles/clouddeploy.viewer)

Can view Cloud Deploy resources.

clouddeploy.config.get

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.locations.get
clouddeploy.locations.list

clouddeploy.operations.get

clouddeploy.operations.list

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud DLP roles

Permissions

DLP Administrator

(roles/dlp.admin)

Administer DLP including jobs and templates.

dlp.analyzeRiskTemplates.*

dlp.analyzeRiskTemplates.create
dlp.analyzeRiskTemplates.delete
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.analyzeRiskTemplates.update

dlp.columnDataProfiles.*

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list

dlp.deidentifyTemplates.*

dlp.deidentifyTemplates.create
dlp.deidentifyTemplates.delete
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.deidentifyTemplates.update

dlp.estimates.*

dlp.estimates.cancel
dlp.estimates.create
dlp.estimates.delete
dlp.estimates.get
dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.inspectTemplates.create
dlp.inspectTemplates.delete
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.inspectTemplates.update

dlp.jobTriggers.*

dlp.jobTriggers.create
dlp.jobTriggers.delete
dlp.jobTriggers.get
dlp.jobTriggers.hybridInspect
dlp.jobTriggers.list
dlp.jobTriggers.update

dlp.jobs.*

dlp.jobs.cancel
dlp.jobs.create
dlp.jobs.delete
dlp.jobs.get
dlp.jobs.hybridInspect
dlp.jobs.list

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.projectDataProfiles.*

dlp.projectDataProfiles.get
dlp.projectDataProfiles.list

dlp.storedInfoTypes.*

dlp.storedInfoTypes.create
dlp.storedInfoTypes.delete
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
dlp.storedInfoTypes.update

dlp.tableDataProfiles.*

dlp.tableDataProfiles.get
dlp.tableDataProfiles.list

serviceusage.services.use

DLP Analyze Risk Templates Editor

(roles/dlp.analyzeRiskTemplatesEditor)

Edit DLP analyze risk templates.

dlp.analyzeRiskTemplates.*

dlp.analyzeRiskTemplates.create
dlp.analyzeRiskTemplates.delete
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.analyzeRiskTemplates.update

DLP Analyze Risk Templates Reader

(roles/dlp.analyzeRiskTemplatesReader)

Read DLP analyze risk templates.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader

(roles/dlp.columnDataProfilesReader)

Read DLP column profiles.

dlp.columnDataProfiles.*

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list

DLP Data Profiles Reader

(roles/dlp.dataProfilesReader)

Read DLP profiles.

dlp.columnDataProfiles.*

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list

dlp.projectDataProfiles.*

dlp.projectDataProfiles.get
dlp.projectDataProfiles.list

dlp.tableDataProfiles.*

dlp.tableDataProfiles.get
dlp.tableDataProfiles.list

DLP De-identify Templates Editor

(roles/dlp.deidentifyTemplatesEditor)

Edit DLP de-identify templates.

dlp.deidentifyTemplates.*

dlp.deidentifyTemplates.create
dlp.deidentifyTemplates.delete
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.deidentifyTemplates.update

DLP De-identify Templates Reader

(roles/dlp.deidentifyTemplatesReader)

Read DLP de-identify templates.

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

DLP Cost Estimation

(roles/dlp.estimatesAdmin)

Manage DLP Cost Estimates.

dlp.estimates.*

dlp.estimates.cancel
dlp.estimates.create
dlp.estimates.delete
dlp.estimates.get
dlp.estimates.list

DLP Inspect Findings Reader

(roles/dlp.inspectFindingsReader)

Read DLP stored findings.

dlp.inspectFindings.list

DLP Inspect Templates Editor

(roles/dlp.inspectTemplatesEditor)

Edit DLP inspect templates.

dlp.inspectTemplates.*

dlp.inspectTemplates.create
dlp.inspectTemplates.delete
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.inspectTemplates.update

DLP Inspect Templates Reader

(roles/dlp.inspectTemplatesReader)

Read DLP inspect templates.

dlp.inspectTemplates.get

dlp.inspectTemplates.list

DLP Job Triggers Editor

(roles/dlp.jobTriggersEditor)

Edit job triggers configurations.

dlp.jobTriggers.*

dlp.jobTriggers.create
dlp.jobTriggers.delete
dlp.jobTriggers.get
dlp.jobTriggers.hybridInspect
dlp.jobTriggers.list
dlp.jobTriggers.update

DLP Job Triggers Reader

(roles/dlp.jobTriggersReader)

Read job triggers.

dlp.jobTriggers.get

dlp.jobTriggers.list

DLP Jobs Editor

(roles/dlp.jobsEditor)

Edit and create jobs

dlp.jobs.*

dlp.jobs.cancel
dlp.jobs.create
dlp.jobs.delete
dlp.jobs.get
dlp.jobs.hybridInspect
dlp.jobs.list

dlp.kms.encrypt

DLP Jobs Reader

(roles/dlp.jobsReader)

Read jobs

dlp.jobs.get

dlp.jobs.list

DLP Organization Data Profiles Driver

(roles/dlp.orgdriver)

Permissions needed by the DLP service account to generate data profiles within an organization or folder.

Lowest-level resources where you can grant this role:

Folder

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.connections.updateTag

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

bigquery.transfers.get

bigquerymigration.translation.translate

cloudasset.assets.*

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources

datacatalog.categories.fineGrainedGet

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

dlp.analyzeRiskTemplates.*

dlp.analyzeRiskTemplates.create
dlp.analyzeRiskTemplates.delete
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.analyzeRiskTemplates.update

dlp.columnDataProfiles.*

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list

dlp.deidentifyTemplates.*

dlp.deidentifyTemplates.create
dlp.deidentifyTemplates.delete
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.deidentifyTemplates.update

dlp.estimates.*

dlp.estimates.cancel
dlp.estimates.create
dlp.estimates.delete
dlp.estimates.get
dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.inspectTemplates.create
dlp.inspectTemplates.delete
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.inspectTemplates.update

dlp.jobTriggers.*

dlp.jobTriggers.create
dlp.jobTriggers.delete
dlp.jobTriggers.get
dlp.jobTriggers.hybridInspect
dlp.jobTriggers.list
dlp.jobTriggers.update

dlp.jobs.*

dlp.jobs.cancel
dlp.jobs.create
dlp.jobs.delete
dlp.jobs.get
dlp.jobs.hybridInspect
dlp.jobs.list

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.projectDataProfiles.*

dlp.projectDataProfiles.get
dlp.projectDataProfiles.list

dlp.storedInfoTypes.*

dlp.storedInfoTypes.create
dlp.storedInfoTypes.delete
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
dlp.storedInfoTypes.update

dlp.tableDataProfiles.*

dlp.tableDataProfiles.get
dlp.tableDataProfiles.list

pubsub.topics.updateTag

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

DLP Project Data Profiles Reader

(roles/dlp.projectDataProfilesReader)

Read DLP project profiles.

dlp.projectDataProfiles.*

dlp.projectDataProfiles.get
dlp.projectDataProfiles.list

DLP Project Data Profiles Driver

(roles/dlp.projectdriver)

Permissions needed by the DLP service account to generate data profiles within a project.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.connections.updateTag

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

bigquery.transfers.get

bigquerymigration.translation.translate

cloudasset.assets.*

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.analyzeMove
cloudasset.assets.analyzeOrgPolicy
cloudasset.assets.exportAccessLevel
cloudasset.assets.exportAccessPolicy
cloudasset.assets.exportAiplatformBatchPredictionJobs
cloudasset.assets.exportAiplatformCustomJobs
cloudasset.assets.exportAiplatformDataLabelingJobs
cloudasset.assets.exportAiplatformDatasets
cloudasset.assets.exportAiplatformEndpoints
cloudasset.assets.exportAiplatformHyperparameterTuningJobs
cloudasset.assets.exportAiplatformMetadataStores
cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.exportAiplatformModels
cloudasset.assets.exportAiplatformPipelineJobs
cloudasset.assets.exportAiplatformSpecialistPools
cloudasset.assets.exportAiplatformTrainingPipelines
cloudasset.assets.exportAllAccessPolicy
cloudasset.assets.exportAnthosConnectedCluster
cloudasset.assets.exportAnthosedgeCluster
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportApikeysKeys
cloudasset.assets.exportAppengineApplications
cloudasset.assets.exportAppengineServices
cloudasset.assets.exportAppengineVersions
cloudasset.assets.exportArtifactregistryDockerImages
cloudasset.assets.exportArtifactregistryRepositories
cloudasset.assets.exportAssuredWorkloadsWorkloads
cloudasset.assets.exportBeyondCorpApiGateways
cloudasset.assets.exportBeyondCorpAppConnections
cloudasset.assets.exportBeyondCorpAppConnectors
cloudasset.assets.exportBeyondCorpAppGateways
cloudasset.assets.exportBeyondCorpClientConnectorServices
cloudasset.assets.exportBeyondCorpClientGateways
cloudasset.assets.exportBigqueryDatasets
cloudasset.assets.exportBigqueryModels
cloudasset.assets.exportBigqueryTables
cloudasset.assets.exportBigtableAppProfile
cloudasset.assets.exportBigtableBackup
cloudasset.assets.exportBigtableCluster
cloudasset.assets.exportBigtableInstance
cloudasset.assets.exportBigtableTable
cloudasset.assets.exportCloudAssetFeeds
cloudasset.assets.exportCloudDeployDeliveryPipelines
cloudasset.assets.exportCloudDeployReleases
cloudasset.assets.exportCloudDeployRollouts
cloudasset.assets.exportCloudDeployTargets
cloudasset.assets.exportCloudDocumentAIEvaluation
cloudasset.assets.exportCloudDocumentAIHumanReviewConfig
cloudasset.assets.exportCloudDocumentAILabelerPool
cloudasset.assets.exportCloudDocumentAIProcessor
cloudasset.assets.exportCloudDocumentAIProcessorVersion
cloudasset.assets.exportCloudbillingBillingAccounts
cloudasset.assets.exportCloudbillingProjectBillingInfos
cloudasset.assets.exportCloudfunctionsFunctions
cloudasset.assets.exportCloudfunctionsGen2Functions
cloudasset.assets.exportCloudkmsCryptoKeyVersions
cloudasset.assets.exportCloudkmsCryptoKeys
cloudasset.assets.exportCloudkmsEkmConnections
cloudasset.assets.exportCloudkmsImportJobs
cloudasset.assets.exportCloudkmsKeyRings
cloudasset.assets.exportCloudmemcacheInstances
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportCloudresourcemanagerTagBindings
cloudasset.assets.exportCloudresourcemanagerTagKeys
cloudasset.assets.exportCloudresourcemanagerTagValues
cloudasset.assets.exportComposerEnvironments
cloudasset.assets.exportComputeAddress
cloudasset.assets.exportComputeAutoscalers
cloudasset.assets.exportComputeBackendBuckets
cloudasset.assets.exportComputeBackendServices
cloudasset.assets.exportComputeCommitments
cloudasset.assets.exportComputeDisks
cloudasset.assets.exportComputeExternalVpnGateways
cloudasset.assets.exportComputeFirewallPolicies
cloudasset.assets.exportComputeFirewalls
cloudasset.assets.exportComputeForwardingRules
cloudasset.assets.exportComputeGlobalAddress
cloudasset.assets.exportComputeGlobalForwardingRules
cloudasset.assets.exportComputeHealthChecks
cloudasset.assets.exportComputeHttpHealthChecks
cloudasset.assets.exportComputeHttpsHealthChecks
cloudasset.assets.exportComputeImages
cloudasset.assets.exportComputeInstanceGroupManagers
cloudasset.assets.exportComputeInstanceGroups
cloudasset.assets.exportComputeInstanceTemplates
cloudasset.assets.exportComputeInstances
cloudasset.assets.exportComputeInterconnect
cloudasset.assets.exportComputeInterconnectAttachment
cloudasset.assets.exportComputeLicenses
cloudasset.assets.exportComputeNetworkEndpointGroups
cloudasset.assets.exportComputeNetworks
cloudasset.assets.exportComputeNodeGroups
cloudasset.assets.exportComputeNodeTemplates
cloudasset.assets.exportComputePacketMirrorings
cloudasset.assets.exportComputeProjects
cloudasset.assets.exportComputeRegionAutoscaler
cloudasset.assets.exportComputeRegionBackendServices
cloudasset.assets.exportComputeRegionDisk
cloudasset.assets.exportComputeRegionInstanceGroup
cloudasset.assets.exportComputeRegionInstanceGroupManager
cloudasset.assets.exportComputeReservations
cloudasset.assets.exportComputeResourcePolicies
cloudasset.assets.exportComputeRouters
cloudasset.assets.exportComputeRoutes
cloudasset.assets.exportComputeSecurityPolicy
cloudasset.assets.exportComputeServiceAttachments
cloudasset.assets.exportComputeSnapshots
cloudasset.assets.exportComputeSslCertificates
cloudasset.assets.exportComputeSslPolicies
cloudasset.assets.exportComputeSubnetworks
cloudasset.assets.exportComputeTargetHttpProxies
cloudasset.assets.exportComputeTargetHttpsProxies
cloudasset.assets.exportComputeTargetInstances
cloudasset.assets.exportComputeTargetPools
cloudasset.assets.exportComputeTargetSslProxies
cloudasset.assets.exportComputeTargetTcpProxies
cloudasset.assets.exportComputeTargetVpnGateways
cloudasset.assets.exportComputeUrlMaps
cloudasset.assets.exportComputeVpnGateways
cloudasset.assets.exportComputeVpnTunnels
cloudasset.assets.exportConnectorsConnections
cloudasset.assets.exportConnectorsConnectorVersions
cloudasset.assets.exportConnectorsConnectors
cloudasset.assets.exportConnectorsProviders
cloudasset.assets.exportConnectorsRuntimeConfigs
cloudasset.assets.exportContainerAppsDeployment
cloudasset.assets.exportContainerAppsReplicaSets
cloudasset.assets.exportContainerBatchJobs
cloudasset.assets.exportContainerClusterrole
cloudasset.assets.exportContainerClusterrolebinding
cloudasset.assets.exportContainerClusters
cloudasset.assets.exportContainerExtensionsIngresses
cloudasset.assets.exportContainerJobs
cloudasset.assets.exportContainerNamespace
cloudasset.assets.exportContainerNetworkingIngresses
cloudasset.assets.exportContainerNetworkingNetworkPolicies
cloudasset.assets.exportContainerNode
cloudasset.assets.exportContainerNodepool
cloudasset.assets.exportContainerPod
cloudasset.assets.exportContainerReplicaSets
cloudasset.assets.exportContainerRole
cloudasset.assets.exportContainerRolebinding
cloudasset.assets.exportContainerServices
cloudasset.assets.exportContainerregistryImage
cloudasset.assets.exportDataMigrationConnectionProfiles
cloudasset.assets.exportDataMigrationMigrationJobs
cloudasset.assets.exportDataflowJobs
cloudasset.assets.exportDatafusionInstance
cloudasset.assets.exportDataplexAssets
cloudasset.assets.exportDataplexLakes
cloudasset.assets.exportDataplexTasks
cloudasset.assets.exportDataplexZones
cloudasset.assets.exportDataprocAutoscalingPolicies
cloudasset.assets.exportDataprocBatches
cloudasset.assets.exportDataprocClusters
cloudasset.assets.exportDataprocJobs
cloudasset.assets.exportDataprocSessions
cloudasset.assets.exportDataprocWorkflowTemplates
cloudasset.assets.exportDatastreamConnectionProfile
cloudasset.assets.exportDatastreamPrivateConnection
cloudasset.assets.exportDatastreamStream
cloudasset.assets.exportDialogflowAgents
cloudasset.assets.exportDialogflowConversationProfiles
cloudasset.assets.exportDialogflowKnowledgeBases
cloudasset.assets.exportDialogflowLocationSettings
cloudasset.assets.exportDlpDeidentifyTemplates
cloudasset.assets.exportDlpDlpJobs
cloudasset.assets.exportDlpInspectTemplates
cloudasset.assets.exportDlpJobTriggers
cloudasset.assets.exportDlpStoredInfoTypes
cloudasset.assets.exportDnsManagedZones
cloudasset.assets.exportDnsPolicies
cloudasset.assets.exportDomainsRegistrations
cloudasset.assets.exportEventarcTriggers
cloudasset.assets.exportFileBackups
cloudasset.assets.exportFileInstances
cloudasset.assets.exportFirebaseAppInfos
cloudasset.assets.exportFirebaseProjects
cloudasset.assets.exportFirestoreDatabases
cloudasset.assets.exportGKEHubFeatures
cloudasset.assets.exportGKEHubMemberships
cloudasset.assets.exportGameservicesGameServerClusters
cloudasset.assets.exportGameservicesGameServerConfigs
cloudasset.assets.exportGameservicesGameServerDeployments
cloudasset.assets.exportGameservicesRealms
cloudasset.assets.exportGkeBackupBackupPlans
cloudasset.assets.exportGkeBackupBackups
cloudasset.assets.exportGkeBackupRestorePlans
cloudasset.assets.exportGkeBackupRestores
cloudasset.assets.exportGkeBackupVolumeBackups
cloudasset.assets.exportGkeBackupVolumeRestores
cloudasset.assets.exportHealthcareConsentStores
cloudasset.assets.exportHealthcareDatasets
cloudasset.assets.exportHealthcareDicomStores
cloudasset.assets.exportHealthcareFhirStores
cloudasset.assets.exportHealthcareHl7V2Stores
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportIamRoles
cloudasset.assets.exportIamServiceAccountKeys
cloudasset.assets.exportIamServiceAccounts
cloudasset.assets.exportIapTunnel
cloudasset.assets.exportIapTunnelInstances
cloudasset.assets.exportIapTunnelZones
cloudasset.assets.exportIapWeb
cloudasset.assets.exportIapWebServiceVersion
cloudasset.assets.exportIapWebServices
cloudasset.assets.exportIapWebType
cloudasset.assets.exportIdsEndpoints
cloudasset.assets.exportIntegrationsAuthConfigs
cloudasset.assets.exportIntegrationsCertificates
cloudasset.assets.exportIntegrationsExecutions
cloudasset.assets.exportIntegrationsIntegrationVersions
cloudasset.assets.exportIntegrationsIntegrations
cloudasset.assets.exportIntegrationsSfdcChannels
cloudasset.assets.exportIntegrationsSfdcInstances
cloudasset.assets.exportIntegrationsSuspensions
cloudasset.assets.exportLoggingLogMetrics
cloudasset.assets.exportLoggingLogSinks
cloudasset.assets.exportManagedidentitiesDomain
cloudasset.assets.exportMetastoreBackups
cloudasset.assets.exportMetastoreMetadataImports
cloudasset.assets.exportMetastoreServices
cloudasset.assets.exportMonitoringAlertPolicies
cloudasset.assets.exportNetworkConnectivityHubs
cloudasset.assets.exportNetworkConnectivitySpokes
cloudasset.assets.exportNetworkManagementConnectivityTests
cloudasset.assets.exportNetworkServicesEndpointPolicies
cloudasset.assets.exportNetworkServicesGateways
cloudasset.assets.exportNetworkServicesGrpcRoutes
cloudasset.assets.exportNetworkServicesHttpRoutes
cloudasset.assets.exportNetworkServicesMeshes
cloudasset.assets.exportNetworkServicesServiceBindings
cloudasset.assets.exportNetworkServicesTcpRoutes
cloudasset.assets.exportNetworkServicesTlsRoutes
cloudasset.assets.exportOSConfigOSPolicyAssignmentReports
cloudasset.assets.exportOSConfigOSPolicyAssignments
cloudasset.assets.exportOSConfigVulnerabilityReports
cloudasset.assets.exportOSInventories
cloudasset.assets.exportOrgPolicy
cloudasset.assets.exportPatchDeployments
cloudasset.assets.exportPubsubSnapshots
cloudasset.assets.exportPubsubSubscriptions
cloudasset.assets.exportPubsubTopics
cloudasset.assets.exportRedisInstances
cloudasset.assets.exportResource
cloudasset.assets.exportSecretManagerSecretVersions
cloudasset.assets.exportSecretManagerSecrets
cloudasset.assets.exportServiceDirectoryNamespaces
cloudasset.assets.exportServicePerimeter
cloudasset.assets.exportServiceconsumermanagementConsumerProperty
cloudasset.assets.exportServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.exportServiceconsumermanagementConsumers
cloudasset.assets.exportServiceconsumermanagementProducerOverrides
cloudasset.assets.exportServiceconsumermanagementTenancyUnits
cloudasset.assets.exportServiceconsumermanagementVisibility
cloudasset.assets.exportServicemanagementServices
cloudasset.assets.exportServiceusageAdminOverrides
cloudasset.assets.exportServiceusageConsumerOverrides
cloudasset.assets.exportServiceusageServices
cloudasset.assets.exportSpannerBackups
cloudasset.assets.exportSpannerDatabases
cloudasset.assets.exportSpannerInstances
cloudasset.assets.exportSpeakerIdPhrases
cloudasset.assets.exportSpeakerIdSettings
cloudasset.assets.exportSpeakerIdSpeakers
cloudasset.assets.exportSpeechCustomClasses
cloudasset.assets.exportSpeechPhraseSets
cloudasset.assets.exportSqladminBackupRuns
cloudasset.assets.exportSqladminInstances
cloudasset.assets.exportStorageBuckets
cloudasset.assets.exportTpuNodes
cloudasset.assets.exportVpcaccessConnector
cloudasset.assets.listAccessLevel
cloudasset.assets.listAccessPolicy
cloudasset.assets.listAiplatformBatchPredictionJobs
cloudasset.assets.listAiplatformCustomJobs
cloudasset.assets.listAiplatformDataLabelingJobs
cloudasset.assets.listAiplatformDatasets
cloudasset.assets.listAiplatformEndpoints
cloudasset.assets.listAiplatformHyperparameterTuningJobs
cloudasset.assets.listAiplatformMetadataStores
cloudasset.assets.listAiplatformModelDeploymentMonitoringJobs
cloudasset.assets.listAiplatformModels
cloudasset.assets.listAiplatformPipelineJobs
cloudasset.assets.listAiplatformSpecialistPools
cloudasset.assets.listAiplatformTrainingPipelines
cloudasset.assets.listAllAccessPolicy
cloudasset.assets.listAnthosConnectedCluster
cloudasset.assets.listAnthosedgeCluster
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.listApikeysKeys
cloudasset.assets.listAppengineApplications
cloudasset.assets.listAppengineServices
cloudasset.assets.listAppengineVersions
cloudasset.assets.listArtifactregistryDockerImages
cloudasset.assets.listArtifactregistryRepositories
cloudasset.assets.listAssuredWorkloadsWorkloads
cloudasset.assets.listBeyondCorpApiGateways
cloudasset.assets.listBeyondCorpAppConnections
cloudasset.assets.listBeyondCorpAppConnectors
cloudasset.assets.listBeyondCorpAppGateways
cloudasset.assets.listBeyondCorpClientConnectorServices
cloudasset.assets.listBeyondCorpClientGateways
cloudasset.assets.listBigqueryDatasets
cloudasset.assets.listBigqueryModels
cloudasset.assets.listBigqueryTables
cloudasset.assets.listBigtableAppProfile
cloudasset.assets.listBigtableBackup
cloudasset.assets.listBigtableCluster
cloudasset.assets.listBigtableInstance
cloudasset.assets.listBigtableTable
cloudasset.assets.listCloudAssetFeeds
cloudasset.assets.listCloudDeployDeliveryPipelines
cloudasset.assets.listCloudDeployReleases
cloudasset.assets.listCloudDeployRollouts
cloudasset.assets.listCloudDeployTargets
cloudasset.assets.listCloudDocumentAIEvaluation
cloudasset.assets.listCloudDocumentAIHumanReviewConfig
cloudasset.assets.listCloudDocumentAILabelerPool
cloudasset.assets.listCloudDocumentAIProcessor
cloudasset.assets.listCloudDocumentAIProcessorVersion
cloudasset.assets.listCloudbillingBillingAccounts
cloudasset.assets.listCloudbillingProjectBillingInfos
cloudasset.assets.listCloudfunctionsFunctions
cloudasset.assets.listCloudfunctionsGen2Functions
cloudasset.assets.listCloudkmsCryptoKeyVersions
cloudasset.assets.listCloudkmsCryptoKeys
cloudasset.assets.listCloudkmsEkmConnections
cloudasset.assets.listCloudkmsImportJobs
cloudasset.assets.listCloudkmsKeyRings
cloudasset.assets.listCloudmemcacheInstances
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listCloudresourcemanagerTagBindings
cloudasset.assets.listCloudresourcemanagerTagKeys
cloudasset.assets.listCloudresourcemanagerTagValues
cloudasset.assets.listComposerEnvironments
cloudasset.assets.listComputeAddress
cloudasset.assets.listComputeAutoscalers
cloudasset.assets.listComputeBackendBuckets
cloudasset.assets.listComputeBackendServices
cloudasset.assets.listComputeCommitments
cloudasset.assets.listComputeDisks
cloudasset.assets.listComputeExternalVpnGateways
cloudasset.assets.listComputeFirewallPolicies
cloudasset.assets.listComputeFirewalls
cloudasset.assets.listComputeForwardingRules
cloudasset.assets.listComputeGlobalAddress
cloudasset.assets.listComputeGlobalForwardingRules
cloudasset.assets.listComputeHealthChecks
cloudasset.assets.listComputeHttpHealthChecks
cloudasset.assets.listComputeHttpsHealthChecks
cloudasset.assets.listComputeImages
cloudasset.assets.listComputeInstanceGroupManagers
cloudasset.assets.listComputeInstanceGroups
cloudasset.assets.listComputeInstanceTemplates
cloudasset.assets.listComputeInstances
cloudasset.assets.listComputeInterconnect
cloudasset.assets.listComputeInterconnectAttachment
cloudasset.assets.listComputeLicenses
cloudasset.assets.listComputeNetworkEndpointGroups
cloudasset.assets.listComputeNetworks
cloudasset.assets.listComputeNodeGroups
cloudasset.assets.listComputeNodeTemplates
cloudasset.assets.listComputePacketMirrorings
cloudasset.assets.listComputeProjects
cloudasset.assets.listComputeRegionAutoscaler
cloudasset.assets.listComputeRegionBackendServices
cloudasset.assets.listComputeRegionDisk
cloudasset.assets.listComputeRegionInstanceGroup
cloudasset.assets.listComputeRegionInstanceGroupManager
cloudasset.assets.listComputeReservations
cloudasset.assets.listComputeResourcePolicies
cloudasset.assets.listComputeRouters
cloudasset.assets.listComputeRoutes
cloudasset.assets.listComputeSecurityPolicy
cloudasset.assets.listComputeServiceAttachments
cloudasset.assets.listComputeSnapshots
cloudasset.assets.listComputeSslCertificates
cloudasset.assets.listComputeSslPolicies
cloudasset.assets.listComputeSubnetworks
cloudasset.assets.listComputeTargetHttpProxies
cloudasset.assets.listComputeTargetHttpsProxies
cloudasset.assets.listComputeTargetInstances
cloudasset.assets.listComputeTargetPools
cloudasset.assets.listComputeTargetSslProxies
cloudasset.assets.listComputeTargetTcpProxies
cloudasset.assets.listComputeTargetVpnGateways
cloudasset.assets.listComputeUrlMaps
cloudasset.assets.listComputeVpnGateways
cloudasset.assets.listComputeVpnTunnels
cloudasset.assets.listConnectorsConnections
cloudasset.assets.listConnectorsConnectorVersions
cloudasset.assets.listConnectorsConnectors
cloudasset.assets.listConnectorsProviders
cloudasset.assets.listConnectorsRuntimeConfigs
cloudasset.assets.listContainerAppsDeployment
cloudasset.assets.listContainerAppsReplicaSets
cloudasset.assets.listContainerBatchJobs
cloudasset.assets.listContainerClusterrole
cloudasset.assets.listContainerClusterrolebinding
cloudasset.assets.listContainerClusters
cloudasset.assets.listContainerExtensionsIngresses
cloudasset.assets.listContainerJobs
cloudasset.assets.listContainerNamespace
cloudasset.assets.listContainerNetworkingIngresses
cloudasset.assets.listContainerNetworkingNetworkPolicies
cloudasset.assets.listContainerNode
cloudasset.assets.listContainerNodepool
cloudasset.assets.listContainerPod
cloudasset.assets.listContainerReplicaSets
cloudasset.assets.listContainerRole
cloudasset.assets.listContainerRolebinding
cloudasset.assets.listContainerServices
cloudasset.assets.listContainerregistryImage
cloudasset.assets.listDataMigrationConnectionProfiles
cloudasset.assets.listDataMigrationMigrationJobs
cloudasset.assets.listDataflowJobs
cloudasset.assets.listDatafusionInstance
cloudasset.assets.listDataplexAssets
cloudasset.assets.listDataplexLakes
cloudasset.assets.listDataplexTasks
cloudasset.assets.listDataplexZones
cloudasset.assets.listDataprocAutoscalingPolicies
cloudasset.assets.listDataprocBatches
cloudasset.assets.listDataprocClusters
cloudasset.assets.listDataprocJobs
cloudasset.assets.listDataprocSessions
cloudasset.assets.listDataprocWorkflowTemplates
cloudasset.assets.listDatastreamConnectionProfile
cloudasset.assets.listDatastreamPrivateConnection
cloudasset.assets.listDatastreamStream
cloudasset.assets.listDialogflowAgents
cloudasset.assets.listDialogflowConversationProfiles
cloudasset.assets.listDialogflowKnowledgeBases
cloudasset.assets.listDialogflowLocationSettings
cloudasset.assets.listDlpDeidentifyTemplates
cloudasset.assets.listDlpDlpJobs
cloudasset.assets.listDlpInspectTemplates
cloudasset.assets.listDlpJobTriggers
cloudasset.assets.listDlpStoredInfoTypes
cloudasset.assets.listDnsManagedZones
cloudasset.assets.listDnsPolicies
cloudasset.assets.listDomainsRegistrations
cloudasset.assets.listEventarcTriggers
cloudasset.assets.listFileBackups
cloudasset.assets.listFileInstances
cloudasset.assets.listFirebaseAppInfos
cloudasset.assets.listFirebaseProjects
cloudasset.assets.listFirestoreDatabases
cloudasset.assets.listGKEHubFeatures
cloudasset.assets.listGKEHubMemberships
cloudasset.assets.listGameservicesGameServerClusters
cloudasset.assets.listGameservicesGameServerConfigs
cloudasset.assets.listGameservicesGameServerDeployments
cloudasset.assets.listGameservicesRealms
cloudasset.assets.listGkeBackupBackupPlans
cloudasset.assets.listGkeBackupBackups
cloudasset.assets.listGkeBackupRestorePlans
cloudasset.assets.listGkeBackupRestores
cloudasset.assets.listGkeBackupVolumeBackups
cloudasset.assets.listGkeBackupVolumeRestores
cloudasset.assets.listHealthcareConsentStores
cloudasset.assets.listHealthcareDatasets
cloudasset.assets.listHealthcareDicomStores
cloudasset.assets.listHealthcareFhirStores
cloudasset.assets.listHealthcareHl7V2Stores
cloudasset.assets.listIamPolicy
cloudasset.assets.listIamRoles
cloudasset.assets.listIamServiceAccountKeys
cloudasset.assets.listIamServiceAccounts
cloudasset.assets.listIapTunnel
cloudasset.assets.listIapTunnelInstances
cloudasset.assets.listIapTunnelZones
cloudasset.assets.listIapWeb
cloudasset.assets.listIapWebServiceVersion
cloudasset.assets.listIapWebServices
cloudasset.assets.listIapWebType
cloudasset.assets.listIdsEndpoints
cloudasset.assets.listIntegrationsAuthConfigs
cloudasset.assets.listIntegrationsCertificates
cloudasset.assets.listIntegrationsExecutions
cloudasset.assets.listIntegrationsIntegrationVersions
cloudasset.assets.listIntegrationsIntegrations
cloudasset.assets.listIntegrationsSfdcChannels
cloudasset.assets.listIntegrationsSfdcInstances
cloudasset.assets.listIntegrationsSuspensions
cloudasset.assets.listLoggingLogMetrics
cloudasset.assets.listLoggingLogSinks
cloudasset.assets.listManagedidentitiesDomain
cloudasset.assets.listMetastoreBackups
cloudasset.assets.listMetastoreMetadataImports
cloudasset.assets.listMetastoreServices
cloudasset.assets.listMonitoringAlertPolicies
cloudasset.assets.listNetworkConnectivityHubs
cloudasset.assets.listNetworkConnectivitySpokes
cloudasset.assets.listNetworkManagementConnectivityTests
cloudasset.assets.listNetworkServicesEndpointPolicies
cloudasset.assets.listNetworkServicesGateways
cloudasset.assets.listNetworkServicesGrpcRoutes
cloudasset.assets.listNetworkServicesHttpRoutes
cloudasset.assets.listNetworkServicesMeshes
cloudasset.assets.listNetworkServicesServiceBindings
cloudasset.assets.listNetworkServicesTcpRoutes
cloudasset.assets.listNetworkServicesTlsRoutes
cloudasset.assets.listOSConfigOSPolicyAssignmentReports
cloudasset.assets.listOSConfigOSPolicyAssignments
cloudasset.assets.listOSConfigVulnerabilityReports
cloudasset.assets.listOSInventories
cloudasset.assets.listOrgPolicy
cloudasset.assets.listPatchDeployments
cloudasset.assets.listPubsubSnapshots
cloudasset.assets.listPubsubSubscriptions
cloudasset.assets.listPubsubTopics
cloudasset.assets.listRedisInstances
cloudasset.assets.listResource
cloudasset.assets.listRunDomainMapping
cloudasset.assets.listRunRevision
cloudasset.assets.listRunService
cloudasset.assets.listSecretManagerSecretVersions
cloudasset.assets.listSecretManagerSecrets
cloudasset.assets.listServiceDirectoryNamespaces
cloudasset.assets.listServicePerimeter
cloudasset.assets.listServiceconsumermanagementConsumerProperty
cloudasset.assets.listServiceconsumermanagementConsumerQuotaLimits
cloudasset.assets.listServiceconsumermanagementConsumers
cloudasset.assets.listServiceconsumermanagementProducerOverrides
cloudasset.assets.listServiceconsumermanagementTenancyUnits
cloudasset.assets.listServiceconsumermanagementVisibility
cloudasset.assets.listServicemanagementServices
cloudasset.assets.listServiceusageAdminOverrides
cloudasset.assets.listServiceusageConsumerOverrides
cloudasset.assets.listServiceusageServices
cloudasset.assets.listSpannerBackups
cloudasset.assets.listSpannerDatabases
cloudasset.assets.listSpannerInstances
cloudasset.assets.listSpeakerIdPhrases
cloudasset.assets.listSpeakerIdSettings
cloudasset.assets.listSpeakerIdSpeakers
cloudasset.assets.listSpeechCustomClasses
cloudasset.assets.listSpeechPhraseSets
cloudasset.assets.listSqladminBackupRuns
cloudasset.assets.listSqladminInstances
cloudasset.assets.listStorageBuckets
cloudasset.assets.listTpuNodes
cloudasset.assets.listVpcaccessConnector
cloudasset.assets.queryAccessPolicy
cloudasset.assets.queryIamPolicy
cloudasset.assets.queryOSInventories
cloudasset.assets.queryResource
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources

datacatalog.categories.fineGrainedGet

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

dlp.analyzeRiskTemplates.*

dlp.analyzeRiskTemplates.create
dlp.analyzeRiskTemplates.delete
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.analyzeRiskTemplates.update

dlp.columnDataProfiles.*

dlp.columnDataProfiles.get
dlp.columnDataProfiles.list

dlp.deidentifyTemplates.*

dlp.deidentifyTemplates.create
dlp.deidentifyTemplates.delete
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.deidentifyTemplates.update

dlp.estimates.*

dlp.estimates.cancel
dlp.estimates.create
dlp.estimates.delete
dlp.estimates.get
dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.inspectTemplates.create
dlp.inspectTemplates.delete
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.inspectTemplates.update

dlp.jobTriggers.*

dlp.jobTriggers.create
dlp.jobTriggers.delete
dlp.jobTriggers.get
dlp.jobTriggers.hybridInspect
dlp.jobTriggers.list
dlp.jobTriggers.update

dlp.jobs.*

dlp.jobs.cancel
dlp.jobs.create
dlp.jobs.delete
dlp.jobs.get
dlp.jobs.hybridInspect
dlp.jobs.list

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.projectDataProfiles.*

dlp.projectDataProfiles.get
dlp.projectDataProfiles.list

dlp.storedInfoTypes.*

dlp.storedInfoTypes.create
dlp.storedInfoTypes.delete
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
dlp.storedInfoTypes.update

dlp.tableDataProfiles.*

dlp.tableDataProfiles.get
dlp.tableDataProfiles.list

pubsub.topics.updateTag

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

DLP Reader

(roles/dlp.reader)

Read DLP entities, such as jobs and templates.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectFindings.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.jobTriggers.get

dlp.jobTriggers.list

dlp.jobs.get

dlp.jobs.list

dlp.locations.*

dlp.locations.get
dlp.locations.list

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor

(roles/dlp.storedInfoTypesEditor)

Edit DLP stored info types.

dlp.storedInfoTypes.*

dlp.storedInfoTypes.create
dlp.storedInfoTypes.delete
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
dlp.storedInfoTypes.update

DLP Stored InfoTypes Reader

(roles/dlp.storedInfoTypesReader)

Read DLP stored info types.

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

DLP Subscription Admin

(roles/dlp.subscriptionsAdmin)

Manage DLP subscriptions.

dlp.subscriptions.*

dlp.subscriptions.cancel
dlp.subscriptions.create
dlp.subscriptions.get
dlp.subscriptions.list
dlp.subscriptions.update

resourcemanager.projects.get

resourcemanager.projects.list

DLP Subscription Viewer

(roles/dlp.subscriptionsReader)

View DLP subscriptions.

dlp.subscriptions.get

dlp.subscriptions.list

DLP Table Data Profiles Reader

(roles/dlp.tableDataProfilesReader)

Read DLP table profiles.

dlp.tableDataProfiles.*

dlp.tableDataProfiles.get
dlp.tableDataProfiles.list

DLP User

(roles/dlp.user)

Inspect, Redact, and De-identify Content

dlp.kms.encrypt

dlp.locations.*

dlp.locations.get
dlp.locations.list

serviceusage.services.use

Cloud Domains roles

Permissions

Cloud Domains Admin

(roles/domains.admin)

Full access to Cloud Domains Registrations and related resources.

domains.*

domains.locations.get
domains.locations.list
domains.operations.cancel
domains.operations.get
domains.operations.list
domains.registrations.configureContact
domains.registrations.configureDns
domains.registrations.configureManagement
domains.registrations.create
domains.registrations.createTagBinding
domains.registrations.delete
domains.registrations.deleteTagBinding
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
domains.registrations.setIamPolicy
domains.registrations.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Domains Viewer

(roles/domains.viewer)

Read-only access to Cloud Domains Registrations and related resources.

domains.locations.*

domains.locations.get
domains.locations.list

domains.operations.get

domains.operations.list

domains.registrations.get

domains.registrations.getIamPolicy

domains.registrations.list

domains.registrations.listEffectiveTags

domains.registrations.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Filestore roles

Permissions

Cloud Filestore Editor ^Beta

(roles/file.editor)

Read-write access to Filestore instances and related resources.

file.*

file.backups.create
file.backups.createTagBinding
file.backups.delete
file.backups.deleteTagBinding
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.backups.update
file.instances.create
file.instances.createTagBinding
file.instances.delete
file.instances.deleteTagBinding
file.instances.get
file.instances.list
file.instances.listEffectiveTags
file.instances.listTagBindings
file.instances.restore
file.instances.revert
file.instances.update
file.locations.get
file.locations.list
file.operations.cancel
file.operations.delete
file.operations.get
file.operations.list
file.snapshots.create
file.snapshots.createTagBinding
file.snapshots.delete
file.snapshots.deleteTagBinding
file.snapshots.get
file.snapshots.list
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
file.snapshots.update

Cloud Filestore Viewer ^Beta

(roles/file.viewer)

Read-only access to Filestore instances and related resources.

file.backups.get

file.backups.list

file.backups.listEffectiveTags

file.backups.listTagBindings

file.instances.get

file.instances.list

file.instances.listEffectiveTags

file.instances.listTagBindings

file.locations.*

file.locations.get
file.locations.list

file.operations.get

file.operations.list

file.snapshots.listEffectiveTags

file.snapshots.listTagBindings

Cloud Functions roles

Permissions

Cloud Functions Admin

(roles/cloudfunctions.admin)

Full access to functions, operations and locations.

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.*

cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.get
cloudfunctions.locations.list
cloudfunctions.operations.get
cloudfunctions.operations.list
cloudfunctions.runtimes.list

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.*

run.configurations.get
run.configurations.list
run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.runWithOverrides
run.jobs.setIamPolicy
run.jobs.update
run.locations.list
run.operations.delete
run.operations.get
run.operations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.createTagBinding
run.services.delete
run.services.deleteTagBinding
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.setIamPolicy
run.services.update
run.tasks.get
run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Functions Developer

(roles/cloudfunctions.developer)

Read and write access to all functions-related resources.

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.functions.call

cloudfunctions.functions.create

cloudfunctions.functions.delete

cloudfunctions.functions.get

cloudfunctions.functions.invoke

cloudfunctions.functions.list

cloudfunctions.functions.sourceCodeGet

cloudfunctions.functions.sourceCodeSet

cloudfunctions.functions.update

cloudfunctions.locations.*

cloudfunctions.locations.get
cloudfunctions.locations.list

cloudfunctions.operations.*

cloudfunctions.operations.get
cloudfunctions.operations.list

cloudfunctions.runtimes.list

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.*

eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.*

run.executions.delete
run.executions.get
run.executions.list

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.operations.delete
run.operations.get
run.operations.list

run.revisions.*

run.revisions.delete
run.revisions.get
run.revisions.list

run.routes.*

run.routes.get
run.routes.invoke
run.routes.list

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

run.tasks.get
run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Functions Invoker

(roles/cloudfunctions.invoker)

Ability to invoke HTTP functions with restricted access.

cloudfunctions.functions.invoke

Cloud Functions Viewer

(roles/cloudfunctions.viewer)

Read-only access to functions and locations.

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.*

cloudfunctions.locations.get
cloudfunctions.locations.list

cloudfunctions.operations.*

cloudfunctions.operations.get
cloudfunctions.operations.list

cloudfunctions.runtimes.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

run.tasks.get
run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Game Services roles

Permissions

Game Services API Admin

(roles/gameservices.admin)

Full access to Game Services API and related resources.

gameservices.*

gameservices.gameServerClusters.create
gameservices.gameServerClusters.delete
gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerClusters.update
gameservices.gameServerConfigs.create
gameservices.gameServerConfigs.delete
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.create
gameservices.gameServerDeployments.delete
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.gameServerDeployments.rollout
gameservices.gameServerDeployments.update
gameservices.locations.get
gameservices.locations.list
gameservices.operations.cancel
gameservices.operations.delete
gameservices.operations.get
gameservices.operations.list
gameservices.realms.create
gameservices.realms.delete
gameservices.realms.get
gameservices.realms.list
gameservices.realms.update

resourcemanager.projects.get

resourcemanager.projects.list

Game Services API Viewer

(roles/gameservices.viewer)

Read-only access to Game Services API and related resources.

gameservices.gameServerClusters.get

gameservices.gameServerClusters.list

gameservices.gameServerConfigs.get

gameservices.gameServerConfigs.list

gameservices.gameServerDeployments.get

gameservices.gameServerDeployments.list

gameservices.locations.*

gameservices.locations.get
gameservices.locations.list

gameservices.operations.get

gameservices.operations.list

gameservices.realms.get

gameservices.realms.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Healthcare roles

Permissions

Healthcare Annotation Editor

(roles/healthcare.annotationEditor)

Create, delete, update, read and list annotations.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.annotations.*

healthcare.annotations.create
healthcare.annotations.delete
healthcare.annotations.get
healthcare.annotations.list
healthcare.annotations.update

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Annotation Reader

(roles/healthcare.annotationReader)

Read and list annotations in an Annotation store.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.annotations.get

healthcare.annotations.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Annotation Administrator

(roles/healthcare.annotationStoreAdmin)

Administer Annotation stores.

healthcare.annotationStores.*

healthcare.annotationStores.create
healthcare.annotationStores.delete
healthcare.annotationStores.evaluate
healthcare.annotationStores.export
healthcare.annotationStores.get
healthcare.annotationStores.getIamPolicy
healthcare.annotationStores.import
healthcare.annotationStores.list
healthcare.annotationStores.setIamPolicy
healthcare.annotationStores.update

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Annotation Store Viewer

(roles/healthcare.annotationStoreViewer)

List Annotation Stores in a dataset.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Attribute Definition Editor

(roles/healthcare.attributeDefinitionEditor)

Edit AttributeDefinition objects.

healthcare.attributeDefinitions.*

healthcare.attributeDefinitions.create
healthcare.attributeDefinitions.delete
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.attributeDefinitions.update

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Attribute Definition Reader

(roles/healthcare.attributeDefinitionReader)

Read AttributeDefinition objects in a consent store.

healthcare.attributeDefinitions.get

healthcare.attributeDefinitions.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Artifact Administrator

(roles/healthcare.consentArtifactAdmin)

Administer ConsentArtifact objects.

healthcare.consentArtifacts.*

healthcare.consentArtifacts.create
healthcare.consentArtifacts.delete
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Artifact Editor

(roles/healthcare.consentArtifactEditor)

Edit ConsentArtifact objects.

healthcare.consentArtifacts.create

healthcare.consentArtifacts.get

healthcare.consentArtifacts.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Artifact Reader

(roles/healthcare.consentArtifactReader)

Read ConsentArtifact objects in a consent store.

healthcare.consentArtifacts.get

healthcare.consentArtifacts.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Editor

(roles/healthcare.consentEditor)

Edit Consent objects.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.consents.*

healthcare.consents.activate
healthcare.consents.create
healthcare.consents.delete
healthcare.consents.get
healthcare.consents.list
healthcare.consents.reject
healthcare.consents.revoke
healthcare.consents.update

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Reader

(roles/healthcare.consentReader)

Read Consent objects in a consent store.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.consents.get

healthcare.consents.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Store Administrator

(roles/healthcare.consentStoreAdmin)

Administer Consent stores.

healthcare.consentStores.*

healthcare.consentStores.checkDataAccess
healthcare.consentStores.create
healthcare.consentStores.delete
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.getIamPolicy
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consentStores.setIamPolicy
healthcare.consentStores.update

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Consent Store Viewer

(roles/healthcare.consentStoreViewer)

List Consent Stores in a dataset.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Dataset Administrator

(roles/healthcare.datasetAdmin)

Administer Healthcare Datasets.

healthcare.datasets.*

healthcare.datasets.create
healthcare.datasets.deidentify
healthcare.datasets.delete
healthcare.datasets.get
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.datasets.update

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.*

healthcare.operations.cancel
healthcare.operations.get
healthcare.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare Dataset Viewer

(roles/healthcare.datasetViewer)

List the Healthcare Datasets in a project.

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare DICOM Editor

(roles/healthcare.dicomEditor)

Edit DICOM images individually and in bulk.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.dicomWebDelete

healthcare.dicomStores.dicomWebRead

healthcare.dicomStores.dicomWebWrite

healthcare.dicomStores.export

healthcare.dicomStores.get

healthcare.dicomStores.import

healthcare.dicomStores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare DICOM Store Administrator

(roles/healthcare.dicomStoreAdmin)

Administer DICOM stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.create

healthcare.dicomStores.deidentify

healthcare.dicomStores.delete

healthcare.dicomStores.dicomWebDelete

healthcare.dicomStores.get

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.dicomStores.setIamPolicy

healthcare.dicomStores.update

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare DICOM Store Viewer

(roles/healthcare.dicomStoreViewer)

List DICOM Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.get

healthcare.dicomStores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare DICOM Viewer

(roles/healthcare.dicomViewer)

Retrieve DICOM images from a DICOM store.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.dicomWebRead

healthcare.dicomStores.export

healthcare.dicomStores.get

healthcare.dicomStores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare FHIR Resource Editor

(roles/healthcare.fhirResourceEditor)

Create, delete, update, read and search FHIR resources.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.create

healthcare.fhirResources.delete

healthcare.fhirResources.get

healthcare.fhirResources.patch

healthcare.fhirResources.translateConceptMap

healthcare.fhirResources.update

healthcare.fhirStores.executeBundle

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.fhirStores.searchResources

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare FHIR Resource Reader

(roles/healthcare.fhirResourceReader)

Read and search FHIR resources.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.get

healthcare.fhirResources.translateConceptMap

healthcare.fhirStores.executeBundle

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.fhirStores.searchResources

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare FHIR Store Administrator

(roles/healthcare.fhirStoreAdmin)

Administer FHIR resource stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.purge

healthcare.fhirStores.configureSearch

healthcare.fhirStores.create

healthcare.fhirStores.deidentify

healthcare.fhirStores.delete

healthcare.fhirStores.export

healthcare.fhirStores.get

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.import

healthcare.fhirStores.list

healthcare.fhirStores.setIamPolicy

healthcare.fhirStores.update

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare FHIR Store Viewer

(roles/healthcare.fhirStoreViewer)

List FHIR Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare HL7v2 Message Consumer

(roles/healthcare.hl7V2Consumer)

List and read HL7v2 messages, update message labels, and publish new messages.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.create

healthcare.hl7V2Messages.get

healthcare.hl7V2Messages.list

healthcare.hl7V2Messages.update

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare HL7v2 Message Editor

(roles/healthcare.hl7V2Editor)

Read, write, and delete access to HL7v2 messages.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.*

healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.delete
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare HL7v2 Message Ingest

(roles/healthcare.hl7V2Ingest)

Ingest HL7v2 messages received from a source network.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.ingest

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare HL7v2 Store Administrator

(roles/healthcare.hl7V2StoreAdmin)

Administer HL7v2 Stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Stores.*

healthcare.hl7V2Stores.create
healthcare.hl7V2Stores.delete
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.import
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.hl7V2Stores.update

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare HL7v2 Store Viewer

(roles/healthcare.hl7V2StoreViewer)

View HL7v2 Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare NLP Service Viewer ^Beta

(roles/healthcare.nlpServiceViewer)

Extract and analyze medical entities from a given text.

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.nlpservice.analyzeEntities

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare User Data Mapping Editor

(roles/healthcare.userDataMappingEditor)

Edit UserDataMapping objects.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

healthcare.userDataMappings.*

healthcare.userDataMappings.archive
healthcare.userDataMappings.create
healthcare.userDataMappings.delete
healthcare.userDataMappings.get
healthcare.userDataMappings.list
healthcare.userDataMappings.update

resourcemanager.projects.get

resourcemanager.projects.list

Healthcare User Data Mapping Reader

(roles/healthcare.userDataMappingReader)

Read UserDataMapping objects in a consent store.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.locations.get
healthcare.locations.list

healthcare.operations.get

healthcare.userDataMappings.get

healthcare.userDataMappings.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud IAP roles

Permissions

IAP Policy Admin

(roles/iap.admin)

Provides full access to Identity-Aware Proxy resources.

Lowest-level resources where you can grant this role:

Project

iap.tunnel.*

iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy

iap.tunnelZones.*

iap.tunnelZones.getIamPolicy
iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

IAP-secured Web App User

(roles/iap.httpsResourceAccessor)

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

IAP Settings Admin

(roles/iap.settingsAdmin)

Administrator of IAP Settings.

iap.projects.*

iap.projects.getSettings
iap.projects.updateSettings

iap.web.getSettings

iap.web.updateSettings

iap.webServiceVersions.getSettings

iap.webServiceVersions.updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

IAP-secured Tunnel Destination Group Editor

(roles/iap.tunnelDestGroupEditor)

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

IAP-secured Tunnel Destination Group Viewer

(roles/iap.tunnelDestGroupViewer)

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

IAP-secured Tunnel User

(roles/iap.tunnelResourceAccessor)

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelDestGroups.accessViaIAP

iap.tunnelInstances.accessViaIAP

Cloud IDS roles

Permissions

Cloud IDS Admin ^Beta

(roles/ids.admin)

Full access to Cloud IDS all resources.

ids.*

ids.endpoints.create
ids.endpoints.delete
ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.endpoints.setIamPolicy
ids.endpoints.update
ids.locations.get
ids.locations.list
ids.operations.cancel
ids.operations.delete
ids.operations.get
ids.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud IDS Viewer ^Beta

(roles/ids.viewer)

Read-only access to Cloud IDS all resources.

ids.endpoints.get

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.locations.*

ids.locations.get
ids.locations.list

ids.operations.get

ids.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud IoT roles

Permissions

Cloud IoT Admin

(roles/cloudiot.admin)

Full control of all Cloud IoT resources and permissions.

Lowest-level resources where you can grant this role:

Device

cloudiot.*

cloudiot.devices.bindGateway
cloudiot.devices.create
cloudiot.devices.delete
cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.unbindGateway
cloudiot.devices.update
cloudiot.devices.updateConfig
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudiot.registries.setIamPolicy
cloudiot.registries.update

cloudiottoken.*

cloudiottoken.tokensettings.get
cloudiottoken.tokensettings.update

Cloud IoT Device Controller

(roles/cloudiot.deviceController)

Access to update the device configuration, but not to create or delete devices.

Lowest-level resources where you can grant this role:

Device

cloudiot.devices.get

cloudiot.devices.list

cloudiot.devices.sendCommand

cloudiot.devices.updateConfig

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

Cloud IoT Editor

(roles/cloudiot.editor)

Read-write access to all Cloud IoT resources.

Lowest-level resources where you can grant this role:

Device

cloudiot.devices.*

cloudiot.devices.bindGateway
cloudiot.devices.create
cloudiot.devices.delete
cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.unbindGateway
cloudiot.devices.update
cloudiot.devices.updateConfig

cloudiot.registries.create

cloudiot.registries.delete

cloudiot.registries.get

cloudiot.registries.list

cloudiot.registries.update

cloudiottoken.*

cloudiottoken.tokensettings.get
cloudiottoken.tokensettings.update

Cloud IoT Provisioner

(roles/cloudiot.provisioner)

Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.

Lowest-level resources where you can grant this role:

Device

cloudiot.devices.*

cloudiot.devices.bindGateway
cloudiot.devices.create
cloudiot.devices.delete
cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.unbindGateway
cloudiot.devices.update
cloudiot.devices.updateConfig

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

Cloud IoT Viewer

(roles/cloudiot.viewer)

Read-only access to all Cloud IoT resources.

Lowest-level resources where you can grant this role:

Device

cloudiot.devices.get

cloudiot.devices.list

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

Cloud KMS roles

Permissions

Cloud KMS Admin

(roles/cloudkms.admin)

Provides full access to Cloud KMS resources, except encrypt and decrypt operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.create

cloudkms.cryptoKeyVersions.destroy

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeyVersions.restore

cloudkms.cryptoKeyVersions.update

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeys.*

cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.update

cloudkms.ekmConfigs.*

cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConfigs.update

cloudkms.ekmConnections.*

cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
cloudkms.ekmConnections.verifyConnectivity

cloudkms.importJobs.*

cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.importJobs.useToImport

cloudkms.keyRings.*

cloudkms.keyRings.create
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.get
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudkms.keyRings.setIamPolicy

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter

(roles/cloudkms.cryptoKeyDecrypter)

Provides ability to use Cloud KMS resources for decrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter Via Delegation

(roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Enables Decrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter

(roles/cloudkms.cryptoKeyEncrypter)

Provides ability to use Cloud KMS resources for encrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter

(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Enables Encrypt and Decrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Enables Encrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Crypto Operator

(roles/cloudkms.cryptoOperator)

Enables all Crypto Operations.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.*

cloudkms.locations.generateRandomBytes
cloudkms.locations.get
cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS EkmConnections Admin

(roles/cloudkms.ekmConnectionsAdmin)

Enables management of EkmConnections.

cloudkms.ekmConfigs.get

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.create

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.ekmConnections.update

cloudkms.ekmConnections.verifyConnectivity

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CBC Key Manager

(roles/cloudkms.expertRawAesCbc)

Enables raw AES-CBC keys management.

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CTR Key Manager

(roles/cloudkms.expertRawAesCtr)

Enables raw AES-CTR keys management.

cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw PKCS#1 Key Manager

(roles/cloudkms.expertRawPKCS1)

Enables raw PKCS#1 keys management.

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Importer

(roles/cloudkms.importer)

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

cloudkms.importJobs.create

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.importJobs.useToImport

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Protected Resources Viewer

(roles/cloudkms.protectedResourcesViewer)

Enables viewing protected resources.

cloudkms.protectedResources.search

Cloud KMS CryptoKey Public Key Viewer

(roles/cloudkms.publicKeyViewer)

Enables GetPublicKey operations

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Signer

(roles/cloudkms.signer)

Enables Sign operations

cloudkms.cryptoKeyVersions.useToSign

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Signer/Verifier

(roles/cloudkms.signerVerifier)

Enables Sign, Verify, and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Verifier

(roles/cloudkms.verifier)

Enables Verify and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Viewer

(roles/cloudkms.viewer)

Enables Get and List operations.

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.get

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.keyRings.get

cloudkms.keyRings.list

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud Life Sciences roles

Permissions

Cloud Life Sciences Admin ^Beta

(roles/lifesciences.admin)

Full control of Cloud Life Sciences resources.

lifesciences.*

lifesciences.operations.cancel
lifesciences.operations.get
lifesciences.operations.list
lifesciences.workflows.run

Cloud Life Sciences Editor ^Beta

(roles/lifesciences.editor)

Access to read and edit Cloud Life Sciences resources.

lifesciences.*

lifesciences.operations.cancel
lifesciences.operations.get
lifesciences.operations.list
lifesciences.workflows.run

Cloud Life Sciences Viewer ^Beta

(roles/lifesciences.viewer)

Access to read Cloud Life Sciences resources.

lifesciences.operations.get

lifesciences.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Life Sciences Workflows Runner ^Beta

(roles/lifesciences.workflowsRunner)

Full access to operate on Cloud Life Sciences workflows.

lifesciences.*

lifesciences.operations.cancel
lifesciences.operations.get
lifesciences.operations.list
lifesciences.workflows.run

Cloud Managed Identities roles

Permissions

Google Cloud Managed Identities Admin

(roles/managedidentities.admin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.

managedidentities.*

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update
managedidentities.domains.attachTrust
managedidentities.domains.checkMigrationPermission
managedidentities.domains.create
managedidentities.domains.createTagBinding
managedidentities.domains.delete
managedidentities.domains.deleteTagBinding
managedidentities.domains.detachTrust
managedidentities.domains.disableMigration
managedidentities.domains.domainJoinMachine
managedidentities.domains.enableMigration
managedidentities.domains.extendSchema
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.listEffectiveTags
managedidentities.domains.listTagBindings
managedidentities.domains.reconfigureTrust
managedidentities.domains.resetpassword
managedidentities.domains.restore
managedidentities.domains.setIamPolicy
managedidentities.domains.update
managedidentities.domains.updateLDAPSSettings
managedidentities.domains.validateTrust
managedidentities.locations.get
managedidentities.locations.list
managedidentities.operations.cancel
managedidentities.operations.delete
managedidentities.operations.get
managedidentities.operations.list
managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update
managedidentities.sqlintegrations.get
managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Backup Admin

(roles/managedidentities.backupAdmin)

Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level

managedidentities.backups.*

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update

managedidentities.domains.get

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.*

managedidentities.operations.cancel
managedidentities.operations.delete
managedidentities.operations.get
managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Backup Viewer

(roles/managedidentities.backupViewer)

Read-only access to Google Cloud Managed Identities Backup and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Domain Admin

(roles/managedidentities.domainAdmin)

Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.

managedidentities.backups.*

managedidentities.backups.create
managedidentities.backups.delete
managedidentities.backups.get
managedidentities.backups.getIamPolicy
managedidentities.backups.list
managedidentities.backups.setIamPolicy
managedidentities.backups.update

managedidentities.domains.attachTrust

managedidentities.domains.checkMigrationPermission

managedidentities.domains.createTagBinding

managedidentities.domains.delete

managedidentities.domains.deleteTagBinding

managedidentities.domains.detachTrust

managedidentities.domains.disableMigration

managedidentities.domains.domainJoinMachine

managedidentities.domains.enableMigration

managedidentities.domains.extendSchema

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.domains.reconfigureTrust

managedidentities.domains.resetpassword

managedidentities.domains.restore

managedidentities.domains.update

managedidentities.domains.updateLDAPSSettings

managedidentities.domains.validateTrust

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.sqlintegrations.*

managedidentities.sqlintegrations.get
managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Domain Join ^Beta

(roles/managedidentities.domainJoin)

Access to domain join VMs with Cloud AD

managedidentities.domains.domainJoinMachine

managedidentities.domains.get

Google Cloud Managed Identities Peering Admin

(roles/managedidentities.peeringAdmin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.*

managedidentities.operations.cancel
managedidentities.operations.delete
managedidentities.operations.get
managedidentities.operations.list

managedidentities.peerings.*

managedidentities.peerings.create
managedidentities.peerings.delete
managedidentities.peerings.get
managedidentities.peerings.getIamPolicy
managedidentities.peerings.list
managedidentities.peerings.setIamPolicy
managedidentities.peerings.update

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Peering Viewer

(roles/managedidentities.peeringViewer)

Read-only access to Google Cloud Managed Identities Peering and related resources.

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud Managed Identities Viewer

(roles/managedidentities.viewer)

Read-only access to Google Cloud Managed Identities Domains and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.locations.*

managedidentities.locations.get
managedidentities.locations.list

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.*

managedidentities.sqlintegrations.get
managedidentities.sqlintegrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Marketplace roles

Permissions

Commerce Business Enablement Configuration Admin ^Beta

(roles/commercebusinessenablement.admin)

Admin of Various Provider Configuration resources

commercebusinessenablement.leadgenConfig.*

commercebusinessenablement.leadgenConfig.get
commercebusinessenablement.leadgenConfig.update

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement PaymentConfig Admin ^Beta

(roles/commercebusinessenablement.paymentConfigAdmin)

Administration of Payment Configuration resource

commercebusinessenablement.paymentConfig.*

commercebusinessenablement.paymentConfig.get
commercebusinessenablement.paymentConfig.update

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement PaymentConfig Viewer ^Beta

(roles/commercebusinessenablement.paymentConfigViewer)

Viewer of Payment Configuration resource

commercebusinessenablement.paymentConfig.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Reseller Discount Admin ^Beta

(roles/commercebusinessenablement.resellerDiscountAdmin)

Provides admin access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountOffers.*

commercebusinessenablement.resellerDiscountOffers.cancel
commercebusinessenablement.resellerDiscountOffers.create
commercebusinessenablement.resellerDiscountOffers.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Reseller Discount Viewer ^Beta

(roles/commercebusinessenablement.resellerDiscountViewer)

Provides read-only access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountOffers.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Business Enablement Configuration Viewer ^Beta

(roles/commercebusinessenablement.viewer)

Viewer of Various Provider Configuration resource

commercebusinessenablement.leadgenConfig.get

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerAccounts.get
commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Offer Catalog Offers Viewer ^Beta

(roles/commerceoffercatalog.offersViewer)

Allows viewing offers

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

Commerce Organization Governance Admin ^Beta

(roles/commerceorggovernance.admin)

Full access to Organization Governance APIs

commerceorggovernance.*

commerceorggovernance.collections.create
commerceorggovernance.collections.delete
commerceorggovernance.collections.get
commerceorggovernance.collections.list
commerceorggovernance.collections.update
commerceorggovernance.consumerSharingPolicies.get
commerceorggovernance.consumerSharingPolicies.update
commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update
commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Organization Governance Viewer ^Beta

(roles/commerceorggovernance.viewer)

Full access to Organization Governance read-only APIs.

commerceorggovernance.collections.get

commerceorggovernance.collections.list

commerceorggovernance.consumerSharingPolicies.get

commerceorggovernance.organizationSettings.get

commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Price Management Events Viewer ^Beta

(roles/commercepricemanagement.eventsViewer)

Allows viewing key events for an offer

commerceprice.events.*

commerceprice.events.get
commerceprice.events.list

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Price Management Private Offers Admin ^Beta

(roles/commercepricemanagement.privateOffersAdmin)

Allows managing private offers

commerceprice.*

commerceprice.events.get
commerceprice.events.list
commerceprice.privateoffers.cancel
commerceprice.privateoffers.create
commerceprice.privateoffers.delete
commerceprice.privateoffers.get
commerceprice.privateoffers.list
commerceprice.privateoffers.publish
commerceprice.privateoffers.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Commerce Price Management Viewer ^Beta

(roles/commercepricemanagement.viewer)

Allows viewing offers, free trials, skus

commerceprice.privateoffers.get

commerceprice.privateoffers.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Commerce Producer Admin ^Beta

(roles/commerceproducer.admin)

Grants full access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

Commerce Producer Viewer ^Beta

(roles/commerceproducer.viewer)

Grants read access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

Consumer Procurement Entitlement Manager ^Beta

(roles/consumerprocurement.entitlementManager)

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.*

consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Entitlement Viewer ^Beta

(roles/consumerprocurement.entitlementViewer)

Allows inspecting entitlements and service states for a consumer project.

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Events Viewer ^Beta

(roles/consumerprocurement.eventsViewer)

Allows viewing key events for an offer

consumerprocurement.events.*

consumerprocurement.events.get
consumerprocurement.events.list

Consumer Procurement Order Administrator ^Beta

(roles/consumerprocurement.orderAdmin)

Allows managing purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.*

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.events.get
consumerprocurement.events.list

consumerprocurement.orderAttributions.*

consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

Consumer Procurement Order Viewer ^Beta

(roles/consumerprocurement.orderViewer)

Allows inspecting purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

Consumer Procurement Administrator ^Beta

(roles/consumerprocurement.procurementAdmin)

Allows managing purchases, consents at both billing account and project level.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.*

consumerprocurement.accounts.create
consumerprocurement.accounts.delete
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.consents.allowProjectGrant
consumerprocurement.consents.check
consumerprocurement.consents.grant
consumerprocurement.consents.list
consumerprocurement.consents.revoke
consumerprocurement.entitlements.get
consumerprocurement.entitlements.list
consumerprocurement.events.get
consumerprocurement.events.list
consumerprocurement.freeTrials.create
consumerprocurement.freeTrials.get
consumerprocurement.freeTrials.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orderAttributions.update
consumerprocurement.orders.cancel
consumerprocurement.orders.get
consumerprocurement.orders.list
consumerprocurement.orders.modify
consumerprocurement.orders.place

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Consumer Procurement Viewer ^Beta

(roles/consumerprocurement.procurementViewer)

Allows inspecting purchases, consents and entitlements and service states for a consumer project.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

commerceoffercatalog.agreements.get
commerceoffercatalog.agreements.list
commerceoffercatalog.documents.get
commerceoffercatalog.documents.list
commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.entitlements.get
consumerprocurement.entitlements.list

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Cloud Migration roles

Permissions

Velostrata Manager ^Beta

(roles/cloudmigration.inframanager)

Ability to create and manage Compute VMs to run Velostrata Infrastructure

cloudmigration.velostrataendpoints.connect

compute.addresses.*

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalOperations.get

compute.images.get

compute.images.list

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.reset

compute.instances.setDiskAutoDelete

compute.instances.setLabels

compute.instances.setMachineType

compute.instances.setMetadata

compute.instances.setMinCpuPlatform

compute.instances.setScheduling

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.startWithEncryptionKey

compute.instances.stop

compute.instances.update

compute.instances.updateNetworkInterface

compute.instances.updateShieldedInstanceConfig

compute.instances.use

compute.licenseCodes.get

compute.licenseCodes.list

compute.licenseCodes.update

compute.licenseCodes.use

compute.licenses.get

compute.licenses.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.list

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.*

compute.zones.get
compute.zones.list

gkehub.endpoints.connect

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

Velostrata Storage Access ^Beta

(roles/cloudmigration.storageaccess)

Ability to access migration storage

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Velostrata Manager Connection Agent ^Beta

(roles/cloudmigration.velostrataconnect)

Ability to set up connection between Velostrata Manager and Google

cloudmigration.velostrataendpoints.connect

gkehub.endpoints.connect

VM Migration Administrator ^Beta

(roles/vmmigration.admin)

Ability to view and edit all VM Migration objects

resourcemanager.projects.get

resourcemanager.projects.list

vmmigration.*

vmmigration.cloneJobs.create
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cloneJobs.update
vmmigration.cutoverJobs.create
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.cutoverJobs.update
vmmigration.datacenterConnectors.create
vmmigration.datacenterConnectors.delete
vmmigration.datacenterConnectors.get
vmmigration.datacenterConnectors.list
vmmigration.datacenterConnectors.update
vmmigration.deployments.create
vmmigration.deployments.get
vmmigration.deployments.list
vmmigration.groups.create
vmmigration.groups.delete
vmmigration.groups.get
vmmigration.groups.list
vmmigration.groups.update
vmmigration.locations.get
vmmigration.locations.list
vmmigration.migratingVms.create
vmmigration.migratingVms.delete
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.migratingVms.update
vmmigration.operations.cancel
vmmigration.operations.delete
vmmigration.operations.get
vmmigration.operations.list
vmmigration.replicationCycles.get
vmmigration.replicationCycles.list
vmmigration.sources.create
vmmigration.sources.delete
vmmigration.sources.get
vmmigration.sources.list
vmmigration.sources.update
vmmigration.targets.create
vmmigration.targets.delete
vmmigration.targets.get
vmmigration.targets.list
vmmigration.targets.update
vmmigration.utilizationReports.create
vmmigration.utilizationReports.delete
vmmigration.utilizationReports.get
vmmigration.utilizationReports.list

VM Migration Viewer ^Beta

(roles/vmmigration.viewer)

Ability to view all VM Migration objects

resourcemanager.projects.get

resourcemanager.projects.list

vmmigration.cloneJobs.get

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.get

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.get

vmmigration.datacenterConnectors.list

vmmigration.deployments.get

vmmigration.deployments.list

vmmigration.groups.get

vmmigration.groups.list

vmmigration.locations.*

vmmigration.locations.get
vmmigration.locations.list

vmmigration.migratingVms.get

vmmigration.migratingVms.list

vmmigration.operations.get

vmmigration.operations.list

vmmigration.replicationCycles.*

vmmigration.replicationCycles.get
vmmigration.replicationCycles.list

vmmigration.sources.get

vmmigration.sources.list

vmmigration.targets.get

vmmigration.targets.list

vmmigration.utilizationReports.get

vmmigration.utilizationReports.list

Cloud Private Catalog roles

Permissions

Catalog Consumer ^Beta

(roles/cloudprivatecatalog.consumer)

Can browse catalogs in the target resource context.

cloudprivatecatalog.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

Catalog Admin ^Beta

(roles/cloudprivatecatalogproducer.admin)

Can manage catalog and view its associations.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.associations.*

cloudprivatecatalogproducer.associations.create
cloudprivatecatalogproducer.associations.delete
cloudprivatecatalogproducer.associations.get
cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.*

cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.*

cloudprivatecatalogproducer.catalogs.create
cloudprivatecatalogproducer.catalogs.delete
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.catalogs.undelete
cloudprivatecatalogproducer.catalogs.update

cloudprivatecatalogproducer.producerCatalogs.*

cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update

cloudprivatecatalogproducer.products.*

cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update

cloudprivatecatalogproducer.targets.*

cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Catalog Manager ^Beta

(roles/cloudprivatecatalogproducer.manager)

Can manage associations between a catalog and a target resource.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.associations.*

cloudprivatecatalogproducer.associations.create
cloudprivatecatalogproducer.associations.delete
cloudprivatecatalogproducer.associations.get
cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.*

cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.get

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.producerCatalogs.get

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.targets.*

cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Catalog Org Admin ^Beta

(roles/cloudprivatecatalogproducer.orgAdmin)

Can manage catalog org settings.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.*

cloudprivatecatalogproducer.associations.create
cloudprivatecatalogproducer.associations.delete
cloudprivatecatalogproducer.associations.get
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogAssociations.create
cloudprivatecatalogproducer.catalogAssociations.delete
cloudprivatecatalogproducer.catalogAssociations.get
cloudprivatecatalogproducer.catalogAssociations.list
cloudprivatecatalogproducer.catalogs.create
cloudprivatecatalogproducer.catalogs.delete
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprivatecatalogproducer.catalogs.undelete
cloudprivatecatalogproducer.catalogs.update
cloudprivatecatalogproducer.producerCatalogs.attachProduct
cloudprivatecatalogproducer.producerCatalogs.create
cloudprivatecatalogproducer.producerCatalogs.delete
cloudprivatecatalogproducer.producerCatalogs.detachProduct
cloudprivatecatalogproducer.producerCatalogs.get
cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
cloudprivatecatalogproducer.producerCatalogs.list
cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
cloudprivatecatalogproducer.producerCatalogs.update
cloudprivatecatalogproducer.products.create
cloudprivatecatalogproducer.products.delete
cloudprivatecatalogproducer.products.get
cloudprivatecatalogproducer.products.getIamPolicy
cloudprivatecatalogproducer.products.list
cloudprivatecatalogproducer.products.setIamPolicy
cloudprivatecatalogproducer.products.update
cloudprivatecatalogproducer.settings.get
cloudprivatecatalogproducer.settings.update
cloudprivatecatalogproducer.targets.associate
cloudprivatecatalogproducer.targets.unassociate

commerceorggovernance.organizationSettings.*

commerceorggovernance.organizationSettings.get
commerceorggovernance.organizationSettings.update

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Profiler roles

Permissions

Cloud Profiler Agent

(roles/cloudprofiler.agent)

Cloud Profiler agents are allowed to register and provide the profiling data.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

Cloud Profiler User

(roles/cloudprofiler.user)

Cloud Profiler users are allowed to query and view the profiling data.

cloudprofiler.profiles.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Run roles

Permissions

Cloud Run Admin

(roles/run.admin)

Full control over all Cloud Run resources.

Lowest-level resources where you can grant this role:

Cloud Run service

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

run.*

run.configurations.get
run.configurations.list
run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.runWithOverrides
run.jobs.setIamPolicy
run.jobs.update
run.locations.list
run.operations.delete
run.operations.get
run.operations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.createTagBinding
run.services.delete
run.services.deleteTagBinding
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.setIamPolicy
run.services.update
run.tasks.get
run.tasks.list

Cloud Run Developer

(roles/run.developer)

Read and write access to all Cloud Run resources.

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.*

run.executions.delete
run.executions.get
run.executions.list

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.operations.delete
run.operations.get
run.operations.list

run.revisions.*

run.revisions.delete
run.revisions.get
run.revisions.list

run.routes.*

run.routes.get
run.routes.invoke
run.routes.list

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

run.tasks.get
run.tasks.list

Cloud Run Invoker

(roles/run.invoker)

Can invoke a Cloud Run service.

Lowest-level resources where you can grant this role:

Cloud Run service

run.jobs.run

run.routes.invoke

Cloud Run Viewer

(roles/run.viewer)

Can view the state of all Cloud Run resources, including IAM policies.

Lowest-level resources where you can grant this role:

Cloud Run service

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

run.tasks.get
run.tasks.list

Cloud Scheduler roles

Permissions

Cloud Scheduler Admin

(roles/cloudscheduler.admin)

Full access to jobs and executions.

Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.

appengine.applications.get

cloudscheduler.*

cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.get
cloudscheduler.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Cloud Scheduler Job Runner

(roles/cloudscheduler.jobRunner)

Access to run jobs.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.run

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Cloud Scheduler Viewer

(roles/cloudscheduler.viewer)

Get and list access to jobs, executions, and locations.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.get

cloudscheduler.jobs.list

cloudscheduler.locations.*

cloudscheduler.locations.get
cloudscheduler.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Cloud Security Scanner roles

Permissions

Web Security Scanner Editor

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

cloudsecurityscanner.*

cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.get
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.create
cloudsecurityscanner.scans.delete
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
cloudsecurityscanner.scans.update

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Web Security Scanner Runner

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

Web Security Scanner Viewer

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

cloudsecurityscanner.results.get
cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Services roles

Permissions

Service Broker Admin

(roles/servicebroker.admin)

Full access to ServiceBroker resources.

servicebroker.*

servicebroker.bindingoperations.get
servicebroker.bindingoperations.list
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.catalogs.validate
servicebroker.instanceoperations.get
servicebroker.instanceoperations.list
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
servicebroker.instances.update

Service Broker Operator

(roles/servicebroker.operator)

Operational access to the ServiceBroker resources.

servicebroker.bindingoperations.*

servicebroker.bindingoperations.get
servicebroker.bindingoperations.list

servicebroker.bindings.create

servicebroker.bindings.delete

servicebroker.bindings.get

servicebroker.bindings.list

servicebroker.catalogs.create

servicebroker.catalogs.delete

servicebroker.catalogs.get

servicebroker.catalogs.list

servicebroker.instanceoperations.*

servicebroker.instanceoperations.get
servicebroker.instanceoperations.list

servicebroker.instances.create

servicebroker.instances.delete

servicebroker.instances.get

servicebroker.instances.list

servicebroker.instances.update

Cloud Spanner roles

Permissions

Cloud Spanner Admin

(roles/spanner.admin)

Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can:

Grant and revoke permissions to other principals for all Cloud Spanner resources in the project.
Allocate and delete chargeable Cloud Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.

Lowest-level resources where you can grant this role:

Project

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.*

spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.restoreDatabase
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databaseOperations.cancel
spanner.databaseOperations.delete
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databaseRoles.list
spanner.databaseRoles.use
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginPartitionedDmlTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.create
spanner.databases.createBackup
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.useDataBoost
spanner.databases.useRoleBasedAccess
spanner.databases.write
spanner.instanceConfigOperations.cancel
spanner.instanceConfigOperations.delete
spanner.instanceConfigOperations.get
spanner.instanceConfigOperations.list
spanner.instanceConfigs.create
spanner.instanceConfigs.delete
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instanceConfigs.update
spanner.instanceOperations.cancel
spanner.instanceOperations.delete
spanner.instanceOperations.get
spanner.instanceOperations.list
spanner.instances.create
spanner.instances.createTagBinding
spanner.instances.delete
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
spanner.instances.setIamPolicy
spanner.instances.update
spanner.instances.updateTag
spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Backup Admin

(roles/spanner.backupAdmin)

A principal with this role can:

Create, view, update, and delete backups.
View and manage a backup's allow policy.

This role cannot restore a database from a backup.

Lowest-level resources where you can grant this role:

Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

spanner.backupOperations.cancel
spanner.backupOperations.get
spanner.backupOperations.list

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner Backup Writer

(roles/spanner.backupWriter)

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

Lowest-level resources where you can grant this role:

Instance

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backups.copy

spanner.backups.create

spanner.backups.get

spanner.backups.list

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instances.get

Cloud Spanner Database Admin

(roles/spanner.databaseAdmin)

A principal with this role can:

Get/list all Cloud Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.

Lowest-level resources where you can grant this role:

Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.delete
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databaseRoles.*

spanner.databaseRoles.list
spanner.databaseRoles.use

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.updateTag

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Reader

(roles/spanner.databaseReader)

A principal with this role can:

Read from the Cloud Spanner database.
Execute SQL queries on the database.
View schema for the database.

Lowest-level resources where you can grant this role:

Database

spanner.databases.beginReadOnlyTransaction

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Database Role User

(roles/spanner.databaseRoleUser)

In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.

spanner.databaseRoles.use

Cloud Spanner Database User

(roles/spanner.databaseUser)

A principal with this role can:

Read from and write to the Cloud Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.

Lowest-level resources where you can grant this role:

Database

spanner.databaseOperations.*

spanner.databaseOperations.cancel
spanner.databaseOperations.delete
spanner.databaseOperations.get
spanner.databaseOperations.list

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.updateTag

spanner.databases.write

spanner.instances.get

spanner.sessions.*

spanner.sessions.create
spanner.sessions.delete
spanner.sessions.get
spanner.sessions.list

Cloud Spanner Fine-grained Access User

(roles/spanner.fineGrainedAccessUser)

Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.

spanner.databaseRoles.list

spanner.databases.useRoleBasedAccess

Cloud Spanner Restore Admin

(roles/spanner.restoreAdmin)

A principal with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

Lowest-level resources where you can grant this role:

Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backups.get

spanner.backups.list

spanner.backups.restoreDatabase

spanner.databaseOperations.cancel

spanner.databaseOperations.get

spanner.databaseOperations.list

spanner.databases.create

spanner.databases.get

spanner.databases.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud Spanner Viewer

(roles/spanner.viewer)

A principal with this role can:

View all Cloud Spanner instances (but cannot modify instances).
View all Cloud Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user with access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.

Lowest-level resources where you can grant this role:

Project

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databases.list

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Cloud SQL roles

Permissions

Cloud SQL Admin

(roles/cloudsql.admin)

Provides full control of Cloud SQL resources.

Lowest-level resources where you can grant this role:

Project

cloudsql.*

cloudsql.backupRuns.create
cloudsql.backupRuns.delete
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.clone
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.createTagBinding
cloudsql.instances.delete
cloudsql.instances.deleteTagBinding
cloudsql.instances.demoteMaster
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.getDiskShrinkConfig
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listServerCas
cloudsql.instances.listTagBindings
cloudsql.instances.login
cloudsql.instances.migrate
cloudsql.instances.performDiskShrink
cloudsql.instances.promoteReplica
cloudsql.instances.reencrypt
cloudsql.instances.resetReplicaSize
cloudsql.instances.resetSslConfig
cloudsql.instances.restart
cloudsql.instances.restoreBackup
cloudsql.instances.rotateServerCa
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.create
cloudsql.sslCerts.createEphemeral
cloudsql.sslCerts.delete
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.get
cloudsql.users.list
cloudsql.users.update

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud SQL Client

(roles/cloudsql.client)

Provides connectivity access to Cloud SQL instances.

Lowest-level resources where you can grant this role:

Project

cloudsql.instances.connect

cloudsql.instances.get

Cloud SQL Editor

(roles/cloudsql.editor)

Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.

Lowest-level resources where you can grant this role:

Project

cloudsql.backupRuns.create

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.databases.create

cloudsql.databases.get

cloudsql.databases.list

cloudsql.databases.update

cloudsql.instances.addServerCa

cloudsql.instances.connect

cloudsql.instances.export

cloudsql.instances.failover

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listTagBindings

cloudsql.instances.migrate

cloudsql.instances.performDiskShrink

cloudsql.instances.reencrypt

cloudsql.instances.resetReplicaSize

cloudsql.instances.restart

cloudsql.instances.rotateServerCa

cloudsql.instances.truncateLog

cloudsql.instances.update

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud SQL Instance User

(roles/cloudsql.instanceUser)

Role allowing access to a Cloud SQL instance

cloudsql.instances.get

cloudsql.instances.login

Cloud SQL Viewer

(roles/cloudsql.viewer)

Provides read-only access to Cloud SQL resources.

Lowest-level resources where you can grant this role:

Project

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.databases.get

cloudsql.databases.list

cloudsql.instances.export

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listTagBindings

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Cloud Storage roles

Permissions

Storage Admin

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

Bucket

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Storage HMAC Key Admin

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

storage.hmacKeys.create
storage.hmacKeys.delete
storage.hmacKeys.get
storage.hmacKeys.list
storage.hmacKeys.update

Storage Insights Collector Service

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

Storage Object Admin

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Storage Object Creator

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

Storage Object Viewer

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

Storage Transfer Admin

(roles/storagetransfer.admin)

Create, update and manage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.*

storagetransfer.agentpools.create
storagetransfer.agentpools.delete
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.report
storagetransfer.agentpools.update
storagetransfer.jobs.create
storagetransfer.jobs.delete
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.assign
storagetransfer.operations.cancel
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.operations.pause
storagetransfer.operations.report
storagetransfer.operations.resume
storagetransfer.projects.getServiceAccount

Storage Transfer Agent

(roles/storagetransfer.transferAgent)

Perform transfers from an agent.

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

storagetransfer.agentpools.report

storagetransfer.operations.assign

storagetransfer.operations.get

storagetransfer.operations.report

Storage Transfer User

(roles/storagetransfer.user)

Create and update storage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.agentpools.create

storagetransfer.agentpools.get

storagetransfer.agentpools.list

storagetransfer.agentpools.report

storagetransfer.agentpools.update

storagetransfer.jobs.create

storagetransfer.jobs.get

storagetransfer.jobs.list

storagetransfer.jobs.run

storagetransfer.jobs.update

storagetransfer.operations.*

storagetransfer.operations.assign
storagetransfer.operations.cancel
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.operations.pause
storagetransfer.operations.report
storagetransfer.operations.resume

storagetransfer.projects.getServiceAccount

Storage Transfer Viewer

(roles/storagetransfer.viewer)

Read access to storage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.agentpools.get

storagetransfer.agentpools.list

storagetransfer.jobs.get

storagetransfer.jobs.list

storagetransfer.operations.get

storagetransfer.operations.list

storagetransfer.projects.getServiceAccount

Cloud Storage Legacy roles

Permissions

Storage Legacy Bucket Owner

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.setIamPolicy

storage.buckets.update

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

Storage Legacy Bucket Reader

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.multipartUploads.list

storage.objects.list

Storage Legacy Bucket Writer

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.buckets.get

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.create

storage.objects.delete

storage.objects.list

Storage Legacy Object Owner

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.setIamPolicy

storage.objects.update

Storage Legacy Object Reader

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

Bucket

storage.objects.get

Cloud Talent Solution roles

Permissions

Admin

(roles/cloudjobdiscovery.admin)

Access to Cloud Talent Solution Self-Service Tools.

cloudjobdiscovery.tools.access

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Job Editor

(roles/cloudjobdiscovery.jobsEditor)

Write access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.*

cloudjobdiscovery.companies.create
cloudjobdiscovery.companies.delete
cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.companies.update

cloudjobdiscovery.events.create

cloudjobdiscovery.jobs.*

cloudjobdiscovery.jobs.create
cloudjobdiscovery.jobs.delete
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.jobs.update

cloudjobdiscovery.tenants.*

cloudjobdiscovery.tenants.create
cloudjobdiscovery.tenants.delete
cloudjobdiscovery.tenants.get
cloudjobdiscovery.tenants.update

resourcemanager.projects.get

resourcemanager.projects.list

Job Viewer

(roles/cloudjobdiscovery.jobsViewer)

Read access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.get

cloudjobdiscovery.companies.list

cloudjobdiscovery.jobs.get

cloudjobdiscovery.jobs.search

cloudjobdiscovery.tenants.get

resourcemanager.projects.get

resourcemanager.projects.list

Profile Editor

(roles/cloudjobdiscovery.profilesEditor)

Write access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.events.create

cloudjobdiscovery.profiles.*

cloudjobdiscovery.profiles.create
cloudjobdiscovery.profiles.delete
cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.profiles.update

cloudjobdiscovery.tenants.*

cloudjobdiscovery.tenants.create
cloudjobdiscovery.tenants.delete
cloudjobdiscovery.tenants.get
cloudjobdiscovery.tenants.update

resourcemanager.projects.get

resourcemanager.projects.list

Profile Viewer

(roles/cloudjobdiscovery.profilesViewer)

Read access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.profiles.get

cloudjobdiscovery.profiles.search

cloudjobdiscovery.tenants.get

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks roles

Permissions

Cloud Tasks Admin ^Beta

(roles/cloudtasks.admin)

Full access to queues and tasks.

cloudtasks.*

cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.delete
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
cloudtasks.tasks.run

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Enqueuer ^Beta

(roles/cloudtasks.enqueuer)

Access to create tasks.

cloudtasks.tasks.create

cloudtasks.tasks.fullView

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Queue Admin ^Beta

(roles/cloudtasks.queueAdmin)

Admin access to queues.

cloudtasks.locations.*

cloudtasks.locations.get
cloudtasks.locations.list

cloudtasks.queues.*

cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Task Deleter ^Beta

(roles/cloudtasks.taskDeleter)

Access to delete tasks.

cloudtasks.tasks.delete

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Task Runner ^Beta

(roles/cloudtasks.taskRunner)

Access to run tasks.

cloudtasks.tasks.fullView

cloudtasks.tasks.run

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Viewer ^Beta

(roles/cloudtasks.viewer)

Get and list access to tasks, queues, and locations.

cloudtasks.locations.*

cloudtasks.locations.get
cloudtasks.locations.list

cloudtasks.queues.get

cloudtasks.queues.list

cloudtasks.tasks.fullView

cloudtasks.tasks.get

cloudtasks.tasks.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud TPU roles

Permissions

TPU Admin

(roles/tpu.admin)

Full access to TPU nodes and related resources.

resourcemanager.projects.get

resourcemanager.projects.list

tpu.*

tpu.acceleratortypes.get
tpu.acceleratortypes.list
tpu.locations.get
tpu.locations.list
tpu.nodes.create
tpu.nodes.delete
tpu.nodes.get
tpu.nodes.list
tpu.nodes.reimage
tpu.nodes.reset
tpu.nodes.simulateMaintenanceEvent
tpu.nodes.start
tpu.nodes.stop
tpu.nodes.update
tpu.operations.get
tpu.operations.list
tpu.runtimeversions.get
tpu.runtimeversions.list
tpu.tensorflowversions.get
tpu.tensorflowversions.list

TPU Viewer

(roles/tpu.viewer)

Read-only access to TPU nodes and related resources.

resourcemanager.projects.get

resourcemanager.projects.list

tpu.acceleratortypes.*

tpu.acceleratortypes.get
tpu.acceleratortypes.list

tpu.locations.*

tpu.locations.get
tpu.locations.list

tpu.nodes.get

tpu.nodes.list

tpu.operations.*

tpu.operations.get
tpu.operations.list

tpu.runtimeversions.*

tpu.runtimeversions.get
tpu.runtimeversions.list

tpu.tensorflowversions.*

tpu.tensorflowversions.get
tpu.tensorflowversions.list

TPU Shared VPC Agent

(roles/tpu.xpnAgent)

Can use shared VPC network (XPN) for the TPU VMs.

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.globalOperations.get

compute.networks.get

compute.networks.list

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

Cloud Trace roles

Permissions

Cloud Trace Admin

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.*

cloudtrace.insights.get
cloudtrace.insights.list
cloudtrace.stats.get
cloudtrace.tasks.create
cloudtrace.tasks.delete
cloudtrace.tasks.get
cloudtrace.tasks.list
cloudtrace.traces.get
cloudtrace.traces.list
cloudtrace.traces.patch

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Trace Agent

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

Project

cloudtrace.traces.patch

Cloud Trace User

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.insights.*

cloudtrace.insights.get
cloudtrace.insights.list

cloudtrace.stats.get

cloudtrace.tasks.*

cloudtrace.tasks.create
cloudtrace.tasks.delete
cloudtrace.tasks.get
cloudtrace.tasks.list

cloudtrace.traces.get

cloudtrace.traces.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Translation roles

Permissions

Cloud Translation API Admin

(roles/cloudtranslate.admin)

Full access to all Cloud Translation resources

automl.models.get

automl.models.predict

cloudtranslate.*

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list
cloudtranslate.generalModels.batchDocPredict
cloudtranslate.generalModels.batchPredict
cloudtranslate.generalModels.docPredict
cloudtranslate.generalModels.get
cloudtranslate.generalModels.predict
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.create
cloudtranslate.glossaries.delete
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
cloudtranslate.languageDetectionModels.predict
cloudtranslate.locations.get
cloudtranslate.locations.list
cloudtranslate.operations.cancel
cloudtranslate.operations.delete
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Translation API Editor

(roles/cloudtranslate.editor)

Editor of all Cloud Translation resources

automl.models.get

automl.models.predict

cloudtranslate.*

cloudtranslate.customModels.create
cloudtranslate.customModels.delete
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.create
cloudtranslate.datasets.delete
cloudtranslate.datasets.export
cloudtranslate.datasets.get
cloudtranslate.datasets.import
cloudtranslate.datasets.list
cloudtranslate.generalModels.batchDocPredict
cloudtranslate.generalModels.batchPredict
cloudtranslate.generalModels.docPredict
cloudtranslate.generalModels.get
cloudtranslate.generalModels.predict
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.create
cloudtranslate.glossaries.delete
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.glossaries.update
cloudtranslate.glossaryentries.create
cloudtranslate.glossaryentries.delete
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.glossaryentries.update
cloudtranslate.languageDetectionModels.predict
cloudtranslate.locations.get
cloudtranslate.locations.list
cloudtranslate.operations.cancel
cloudtranslate.operations.delete
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Translation API User

(roles/cloudtranslate.user)

User of Cloud Translation and AutoML models

automl.models.get

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.datasets.get

cloudtranslate.datasets.list

cloudtranslate.generalModels.*

cloudtranslate.generalModels.batchDocPredict
cloudtranslate.generalModels.batchPredict
cloudtranslate.generalModels.docPredict
cloudtranslate.generalModels.get
cloudtranslate.generalModels.predict

cloudtranslate.glossaries.batchDocPredict

cloudtranslate.glossaries.batchPredict

cloudtranslate.glossaries.docPredict

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

cloudtranslate.glossaryentries.get

cloudtranslate.glossaryentries.list

cloudtranslate.languageDetectionModels.predict

cloudtranslate.locations.*

cloudtranslate.locations.get
cloudtranslate.locations.list

cloudtranslate.operations.get

cloudtranslate.operations.list

cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Translation API Viewer

(roles/cloudtranslate.viewer)

Viewer of all Translation resources

automl.models.get

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.datasets.get

cloudtranslate.datasets.list

cloudtranslate.generalModels.get

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.get

cloudtranslate.glossaryentries.list

cloudtranslate.locations.*

cloudtranslate.locations.get
cloudtranslate.locations.list

cloudtranslate.operations.get

cloudtranslate.operations.list

cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Workstations roles

Permissions

Cloud Workstations Admin

(roles/workstations.admin)

Grants CRUD access to all Workstation resources.

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.subnetworks.get

compute.subnetworks.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.*

workstations.workstationClusters.create
workstations.workstationClusters.delete
workstations.workstationClusters.get
workstations.workstationClusters.list
workstations.workstationClusters.update

workstations.workstationConfigs.*

workstations.workstationConfigs.create
workstations.workstationConfigs.delete
workstations.workstationConfigs.get
workstations.workstationConfigs.getIamPolicy
workstations.workstationConfigs.list
workstations.workstationConfigs.setIamPolicy
workstations.workstationConfigs.update

workstations.workstations.create

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

Cloud Workstations Network Admin

(roles/workstations.networkAdmin)

Grants ability to connect a Workstation Cluster to a shared VPC network.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Cloud Workstations Operation Viewer

(roles/workstations.operationViewer)

Grants ability to view Cloud Workstations API operations.

workstations.operations.get

Cloud Workstations User

(roles/workstations.user)

Grants runtime access to Workstation resources.

workstations.operations.get

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.use

Cloud Workstations Creator

(roles/workstations.workstationCreator)

Grants ability to create Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations User (Deprecated)

(roles/workstations.workstationUser)

Grants runtime access to Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.use

Compute Engine roles

Permissions

Compute Admin

(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

Disk
Image
Instance
Instance template
Node group
Node template
Snapshot ^Beta

compute.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update
compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendBuckets.setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use
compute.backendServices.addSignedUrlKey
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.commitments.create
compute.commitments.get
compute.commitments.list
compute.commitments.update
compute.commitments.updateReservations
compute.diskTypes.get
compute.diskTypes.list
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.setLabels
compute.externalVpnGateways.use
compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use
compute.globalOperations.delete
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.globalPublicDelegatedPrefixes.create
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.globalPublicDelegatedPrefixes.use
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly
compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly
compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly
compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnectAttachments.use
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.list
compute.interconnects.setLabels
compute.interconnects.update
compute.interconnects.use
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.create
compute.maintenancePolicies.delete
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.maintenancePolicies.use
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list
compute.networkEdgeSecurityServices.create
compute.networkEdgeSecurityServices.delete
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEdgeSecurityServices.update
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use
compute.networks.access
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.mirror
compute.networks.removePeering
compute.networks.setFirewallPolicy
compute.networks.switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.addNodes
compute.nodeGroups.create
compute.nodeGroups.delete
compute.nodeGroups.deleteNodes
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeGroups.setNodeTemplate
compute.nodeGroups.simulateMaintenanceEvent
compute.nodeGroups.update
compute.nodeTemplates.create
compute.nodeTemplates.delete
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.administerXpn
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.oslogin.updateExternalUser
compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.update
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.projects.setDefaultNetworkTier
compute.projects.setDefaultServiceAccount
compute.projects.setUsageExportBucket
compute.publicAdvertisedPrefixes.create
compute.publicAdvertisedPrefixes.delete
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicAdvertisedPrefixes.update
compute.publicAdvertisedPrefixes.updatePolicy
compute.publicAdvertisedPrefixes.use
compute.publicDelegatedPrefixes.create
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.publicDelegatedPrefixes.use
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use
compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use
compute.regionHealthCheckServices.create
compute.regionHealthCheckServices.delete
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthCheckServices.update
compute.regionHealthCheckServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use
compute.regionNotificationEndpoints.create
compute.regionNotificationEndpoints.delete
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionNotificationEndpoints.update
compute.regionNotificationEndpoints.use
compute.regionOperations.delete
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.delete
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.regionSecurityPolicies.use
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.update
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.create
compute.reservations.delete
compute.reservations.get
compute.reservations.list
compute.reservations.resize
compute.reservations.update
compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.delete
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.setIamPolicy
compute.securityPolicies.setLabels
compute.securityPolicies.update
compute.securityPolicies.use
compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use
compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.setIamPolicy
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.setSecurityPolicy
compute.targetInstances.use
compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.setSecurityPolicy
compute.targetPools.update
compute.targetPools.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use
compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.setLabels
compute.targetVpnGateways.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.setLabels
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.setLabels
compute.zoneOperations.delete
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Image User

(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

Image^Beta

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (beta)

(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

Disk
Image
Instance
Instance template
Snapshot ^Beta

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.licenses.get

compute.licenses.list

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Instance Admin (v1)

(roles/compute.instanceAdmin.v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.list
compute.autoscalers.update

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.*

compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.*

compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use

compute.instanceTemplates.*

compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly

compute.instances.*

compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setName
compute.instances.setScheduling
compute.instances.setSecurityPolicy
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.simulateMaintenanceEvent
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly

compute.instantSnapshots.*

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use

compute.licenses.*

compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy

compute.machineImages.*

compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Admin

(roles/compute.loadBalancerAdmin)

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

Lowest-level resources where you can grant this role:

Instance^Beta

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.use

compute.addresses.*

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.backendBuckets.*

compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendBuckets.setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use

compute.backendServices.*

compute.backendServices.addSignedUrlKey
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.forwardingRules.*

compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use

compute.globalAddresses.*

compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use

compute.globalForwardingRules.*

compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.*

compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.use

compute.healthChecks.*

compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroups.*

compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.use

compute.instances.useReadOnly

compute.networkEndpointGroups.*

compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.use

compute.projects.get

compute.regionBackendServices.*

compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use

compute.regionHealthCheckServices.*

compute.regionHealthCheckServices.create
compute.regionHealthCheckServices.delete
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthCheckServices.update
compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.*

compute.regionNetworkEndpointGroups.attachNetworkEndpoints
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.detachNetworkEndpoints
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

compute.regionNotificationEndpoints.create
compute.regionNotificationEndpoints.delete
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionNotificationEndpoints.update
compute.regionNotificationEndpoints.use

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list

compute.regionSslPolicies.*

compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.update
compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.*

compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list

compute.sslPolicies.*

compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.targetGrpcProxies.*

compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use

compute.targetHttpProxies.*

compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use

compute.targetHttpsProxies.*

compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use

compute.targetInstances.*

compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.setSecurityPolicy
compute.targetInstances.use

compute.targetPools.*

compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.setSecurityPolicy
compute.targetPools.update
compute.targetPools.use

compute.targetSslProxies.*

compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
compute.targetSslProxies.use

compute.targetTcpProxies.*

compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use

compute.urlMaps.*

compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Load Balancer Services User

(roles/compute.loadBalancerServiceUser)

Permissions to use services from a load balancer in other projects.

compute.backendServices.get

compute.backendServices.list

compute.backendServices.use

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Admin

(roles/compute.networkAdmin)

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.

Lowest-level resources where you can grant this role:

Instance^Beta

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.*

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.*

compute.backendBuckets.addSignedUrlKey
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.setIamPolicy
compute.backendBuckets.setSecurityPolicy
compute.backendBuckets.update
compute.backendBuckets.use

compute.backendServices.*

compute.backendServices.addSignedUrlKey
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.*

compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.setLabels
compute.externalVpnGateways.use

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.*

compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.forwardingRules.pscSetLabels
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setLabels
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use

compute.globalAddresses.*

compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use

compute.globalForwardingRules.*

compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscGet
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly

compute.httpHealthChecks.*

compute.httpHealthChecks.create
compute.httpHealthChecks.delete
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.update
compute.httpHealthChecks.use
compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.*

compute.httpsHealthChecks.create
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.update
compute.httpsHealthChecks.use
compute.httpsHealthChecks.useReadOnly

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.update

compute.instanceGroups.use

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.updateSecurity

compute.instances.use

compute.instances.useReadOnly

compute.interconnectAttachments.*

compute.interconnectAttachments.create
compute.interconnectAttachments.delete
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectAttachments.setLabels
compute.interconnectAttachments.update
compute.interconnectAttachments.use

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.*

compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.interconnects.list
compute.interconnects.setLabels
compute.interconnects.update
compute.interconnects.use

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkAttachments.*

compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.use

compute.networks.*

compute.networks.access
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.mirror
compute.networks.removePeering
compute.networks.setFirewallPolicy
compute.networks.switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.setIamPolicy
compute.regionBackendServices.setSecurityPolicy
compute.regionBackendServices.update
compute.regionBackendServices.use

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

compute.regionHealthCheckServices.create
compute.regionHealthCheckServices.delete
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthCheckServices.update
compute.regionHealthCheckServices.use

compute.regionHealthChecks.*

compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

compute.regionNotificationEndpoints.create
compute.regionNotificationEndpoints.delete
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionNotificationEndpoints.update
compute.regionNotificationEndpoints.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.*

compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use

compute.regionTargetHttpProxies.*

compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.update
compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.*

compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use

compute.regionTargetTcpProxies.*

compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionTargetTcpProxies.use

compute.regionUrlMaps.*

compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.invalidateCache
compute.regionUrlMaps.list
compute.regionUrlMaps.update
compute.regionUrlMaps.use
compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.routers.*

compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use

compute.routes.*

compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.use

compute.serviceAttachments.*

compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.serviceAttachments.setIamPolicy
compute.serviceAttachments.update
compute.serviceAttachments.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.*

compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use

compute.subnetworks.*

compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.setIamPolicy
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp

compute.targetGrpcProxies.*

compute.targetGrpcProxies.create
compute.targetGrpcProxies.delete
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetGrpcProxies.update
compute.targetGrpcProxies.use

compute.targetHttpProxies.*

compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use

compute.targetHttpsProxies.*

compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setQuicOverride
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use

compute.targetInstances.*

compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.setSecurityPolicy
compute.targetInstances.use

compute.targetPools.*

compute.targetPools.addHealthCheck
compute.targetPools.addInstance
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.targetPools.list
compute.targetPools.removeHealthCheck
compute.targetPools.removeInstance
compute.targetPools.setSecurityPolicy
compute.targetPools.update
compute.targetPools.use

compute.targetSslProxies.*

compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.setSslPolicy
compute.targetSslProxies.update
compute.targetSslProxies.use

compute.targetTcpProxies.*

compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use

compute.targetVpnGateways.*

compute.targetVpnGateways.create
compute.targetVpnGateways.delete
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.targetVpnGateways.setLabels
compute.targetVpnGateways.use

compute.urlMaps.*

compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate

compute.vpnGateways.*

compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.setLabels
compute.vpnGateways.use

compute.vpnTunnels.*

compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.vpnTunnels.setLabels

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

networkconnectivity.internalRanges.*

networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.internalRanges.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.*

networkconnectivity.policyBasedRoutes.create
networkconnectivity.policyBasedRoutes.delete
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.getIamPolicy
networkconnectivity.policyBasedRoutes.list
networkconnectivity.policyBasedRoutes.setIamPolicy

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

networksecurity.*

networksecurity.authorizationPolicies.create
networksecurity.authorizationPolicies.delete
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.getIamPolicy
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.setIamPolicy
networksecurity.authorizationPolicies.update
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.getIamPolicy
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.setIamPolicy
networksecurity.clientTlsPolicies.update
networksecurity.clientTlsPolicies.use
networksecurity.firewallEndpointAssociations.create
networksecurity.firewallEndpointAssociations.delete
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpointAssociations.update
networksecurity.firewallEndpoints.create
networksecurity.firewallEndpoints.delete
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.firewallEndpoints.update
networksecurity.firewallEndpoints.use
networksecurity.gatewaySecurityPolicies.create
networksecurity.gatewaySecurityPolicies.delete
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.update
networksecurity.gatewaySecurityPolicies.use
networksecurity.gatewaySecurityPolicyRules.create
networksecurity.gatewaySecurityPolicyRules.delete
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.update
networksecurity.gatewaySecurityPolicyRules.use
networksecurity.locations.get
networksecurity.locations.list
networksecurity.operations.cancel
networksecurity.operations.delete
networksecurity.operations.get
networksecurity.operations.list
networksecurity.securityProfileGroups.create
networksecurity.securityProfileGroups.delete
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfileGroups.update
networksecurity.securityProfileGroups.use
networksecurity.securityProfiles.create
networksecurity.securityProfiles.delete
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.update
networksecurity.securityProfiles.use
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.getIamPolicy
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.setIamPolicy
networksecurity.serverTlsPolicies.update
networksecurity.serverTlsPolicies.use
networksecurity.tlsInspectionPolicies.create
networksecurity.tlsInspectionPolicies.delete
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.update
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.create
networksecurity.urlLists.delete
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.update
networksecurity.urlLists.use

networkservices.*

networkservices.endpointConfigSelectors.create
networkservices.endpointConfigSelectors.delete
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.getIamPolicy
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.setIamPolicy
networkservices.endpointConfigSelectors.update
networkservices.endpointConfigSelectors.use
networkservices.endpointPolicies.create
networkservices.endpointPolicies.delete
networkservices.endpointPolicies.get
networkservices.endpointPolicies.getIamPolicy
networkservices.endpointPolicies.list
networkservices.endpointPolicies.setIamPolicy
networkservices.endpointPolicies.update
networkservices.endpointPolicies.use
networkservices.gateways.create
networkservices.gateways.delete
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.update
networkservices.gateways.use
networkservices.grpcRoutes.create
networkservices.grpcRoutes.delete
networkservices.grpcRoutes.get
networkservices.grpcRoutes.getIamPolicy
networkservices.grpcRoutes.list
networkservices.grpcRoutes.setIamPolicy
networkservices.grpcRoutes.update
networkservices.grpcRoutes.use
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.getIamPolicy
networkservices.httpFilters.list
networkservices.httpFilters.setIamPolicy
networkservices.httpFilters.update
networkservices.httpFilters.use
networkservices.httpRoutes.create
networkservices.httpRoutes.delete
networkservices.httpRoutes.get
networkservices.httpRoutes.getIamPolicy
networkservices.httpRoutes.list
networkservices.httpRoutes.setIamPolicy
networkservices.httpRoutes.update
networkservices.httpRoutes.use
networkservices.httpfilters.create
networkservices.httpfilters.delete
networkservices.httpfilters.get
networkservices.httpfilters.getIamPolicy
networkservices.httpfilters.list
networkservices.httpfilters.setIamPolicy
networkservices.httpfilters.update
networkservices.httpfilters.use
networkservices.locations.get
networkservices.locations.list
networkservices.meshes.create
networkservices.meshes.delete
networkservices.meshes.get
networkservices.meshes.getIamPolicy
networkservices.meshes.list
networkservices.meshes.setIamPolicy
networkservices.meshes.update
networkservices.meshes.use
networkservices.operations.cancel
networkservices.operations.delete
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.create
networkservices.serviceBindings.delete
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceBindings.update
networkservices.tcpRoutes.create
networkservices.tcpRoutes.delete
networkservices.tcpRoutes.get
networkservices.tcpRoutes.getIamPolicy
networkservices.tcpRoutes.list
networkservices.tcpRoutes.setIamPolicy
networkservices.tcpRoutes.update
networkservices.tcpRoutes.use
networkservices.tlsRoutes.create
networkservices.tlsRoutes.delete
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.update
networkservices.tlsRoutes.use

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Compute Network User

(roles/compute.networkUser)

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

Lowest-level resources where you can grant this role:

Project

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.useInternal

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.use

compute.firewalls.get

compute.firewalls.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.interconnects.use

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.access

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.use

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

compute.zones.get
compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.use

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.firewallEndpoints.use

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicies.use

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.gatewaySecurityPolicyRules.use

networksecurity.locations.*

networksecurity.locations.get
networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfileGroups.use

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.securityProfiles.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.tlsInspectionPolicies.use

networksecurity.urlLists.get

networksecurity.urlLists.list

networksecurity.urlLists.use

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.use

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.endpointPolicies.use

networkservices.gateways.get

networkservices.gateways.list

networkservices.gateways.use

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.grpcRoutes.use

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpFilters.use

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpRoutes.use

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.httpfilters.use

networkservices.locations.*

networkservices.locations.get
networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.meshes.use

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tcpRoutes.use

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

networkservices.tlsRoutes.use

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Network Viewer

(roles/compute.networkViewer)

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

Lowest-level resources where you can grant this role:

Instance^Beta

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

compute.zones.get
compute.zones.list

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.*

networksecurity.locations.get
networksecurity.locations.list

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.get

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.locations.*

networkservices.locations.get
networkservices.locations.list

networkservices.meshes.get

networkservices.meshes.list

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Compute Organization Firewall Policy Admin

(roles/compute.orgFirewallPolicyAdmin)

Full control of Compute Engine Organization Firewall Policies.

compute.firewallPolicies.cloneRules

compute.firewallPolicies.create

compute.firewallPolicies.delete

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.move

compute.firewallPolicies.setIamPolicy

compute.firewallPolicies.update

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.regionFirewallPolicies.*

compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Firewall Policy User

(roles/compute.orgFirewallPolicyUser)

View or use Compute Engine Firewall Policies to associate with the organization or folders.

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.projects.get

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy Admin

(roles/compute.orgSecurityPolicyAdmin)

Full control of Compute Engine Organization Security Policies.

compute.firewallPolicies.*

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.copyRules

compute.securityPolicies.create

compute.securityPolicies.delete

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.move

compute.securityPolicies.removeAssociation

compute.securityPolicies.setIamPolicy

compute.securityPolicies.update

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Security Policy User

(roles/compute.orgSecurityPolicyUser)

View or use Compute Engine Security Policies to associate with the organization or folders.

compute.firewallPolicies.addAssociation

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.removeAssociation

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.removeAssociation

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Organization Resource Admin

(roles/compute.orgSecurityResourceAdmin)

Full control of Compute Engine Firewall Policy associations to the organization or folders.

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.organizations.listAssociations

compute.organizations.setFirewallPolicy

compute.organizations.setSecurityPolicy

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Admin Login

(roles/compute.osAdminLogin)

Access to log in to a Compute Engine instance as an administrator user.

Lowest-level resources where you can grant this role:

Instance^Beta

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login

(roles/compute.osLogin)

Access to log in to a Compute Engine instance as a standard user.

Lowest-level resources where you can grant this role:

Instance^Beta

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute OS Login External User

(roles/compute.osLoginExternalUser)

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

Lowest-level resources where you can grant this role:

Organization

compute.oslogin.updateExternalUser

Compute packet mirroring admin

(roles/compute.packetMirroringAdmin)

Specify resources to be mirrored.

compute.instances.updateSecurity

compute.networks.mirror

compute.projects.get

compute.subnetworks.mirror

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute packet mirroring user

(roles/compute.packetMirroringUser)

Use Compute Engine packet mirrorings.

compute.packetMirrorings.*

compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.update

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Public IP Admin

(roles/compute.publicIpAdmin)

Full control of public IP address management for Compute Engine.

compute.addresses.*

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal

compute.globalAddresses.*

compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use

compute.globalPublicDelegatedPrefixes.*

compute.globalPublicDelegatedPrefixes.create
compute.globalPublicDelegatedPrefixes.delete
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.globalPublicDelegatedPrefixes.update
compute.globalPublicDelegatedPrefixes.updatePolicy
compute.globalPublicDelegatedPrefixes.use

compute.publicAdvertisedPrefixes.*

compute.publicAdvertisedPrefixes.create
compute.publicAdvertisedPrefixes.delete
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicAdvertisedPrefixes.update
compute.publicAdvertisedPrefixes.updatePolicy
compute.publicAdvertisedPrefixes.use

compute.publicDelegatedPrefixes.*

compute.publicDelegatedPrefixes.create
compute.publicDelegatedPrefixes.delete
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.publicDelegatedPrefixes.update
compute.publicDelegatedPrefixes.updatePolicy
compute.publicDelegatedPrefixes.use

resourcemanager.projects.get

resourcemanager.projects.list

Compute Security Admin

(roles/compute.securityAdmin)

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings.

Lowest-level resources where you can grant this role:

Instance^Beta

compute.backendBuckets.list

compute.backendServices.list

compute.firewallPolicies.*

compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.copyRules
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.move
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use

compute.firewalls.*

compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update

compute.globalOperations.get

compute.globalOperations.list

compute.instances.getEffectiveFirewalls

compute.instances.list

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.updatePolicy

compute.packetMirrorings.*

compute.packetMirrorings.create
compute.packetMirrorings.delete
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.packetMirrorings.update

compute.projects.get

compute.regionBackendServices.list

compute.regionFirewallPolicies.*

compute.regionFirewallPolicies.cloneRules
compute.regionFirewallPolicies.create
compute.regionFirewallPolicies.delete
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.setIamPolicy
compute.regionFirewallPolicies.update
compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.*

compute.regionSecurityPolicies.create
compute.regionSecurityPolicies.delete
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.update
compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get
compute.regionSslCertificates.list

compute.regionSslPolicies.*

compute.regionSslPolicies.create
compute.regionSslPolicies.delete
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionSslPolicies.update
compute.regionSslPolicies.use

compute.regions.*

compute.regions.get
compute.regions.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.*

compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.delete
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.setIamPolicy
compute.securityPolicies.setLabels
compute.securityPolicies.update
compute.securityPolicies.use

compute.sslCertificates.*

compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list

compute.sslPolicies.*

compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.update
compute.sslPolicies.use

compute.subnetworks.get

compute.subnetworks.list

compute.targetInstances.list

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Sole Tenant Viewer

(roles/compute.soleTenantViewer)

Permissions to view sole tenancy node groups

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

Compute Storage Admin

(roles/compute.storageAdmin)

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

Lowest-level resources where you can grant this role:

Disk
Image
Snapshot ^Beta

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.*

compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly

compute.globalOperations.get

compute.globalOperations.list

compute.images.*

compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly

compute.instantSnapshots.*

compute.instantSnapshots.create
compute.instantSnapshots.delete
compute.instantSnapshots.export
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.instantSnapshots.setIamPolicy
compute.instantSnapshots.setLabels
compute.instantSnapshots.useReadOnly

compute.licenseCodes.*

compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenseCodes.update
compute.licenseCodes.use

compute.licenses.*

compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy

compute.projects.get

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.regions.get
compute.regions.list

compute.resourcePolicies.*

compute.resourcePolicies.create
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.resourcePolicies.setIamPolicy
compute.resourcePolicies.update
compute.resourcePolicies.use
compute.resourcePolicies.useReadOnly

compute.snapshots.*

compute.snapshots.create
compute.snapshots.createTagBinding
compute.snapshots.delete
compute.snapshots.deleteTagBinding
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.snapshots.setIamPolicy
compute.snapshots.setLabels
compute.snapshots.useReadOnly

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Viewer

(roles/compute.viewer)

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

Lowest-level resources where you can grant this role:

Disk
Image
Instance
Instance template
Node group
Node template
Snapshot ^Beta

compute.acceleratorTypes.*

compute.acceleratorTypes.get
compute.acceleratorTypes.list

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectLocations.get
compute.interconnectLocations.list

compute.interconnectRemoteLocations.*

compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.nodeTypes.get
compute.nodeTypes.list

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.validate

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

compute.zones.get
compute.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Compute Shared VPC Admin

(roles/compute.xpnAdmin)

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

Lowest-level resources where you can grant this role:

Folder

compute.globalOperations.get

compute.globalOperations.list

compute.organizations.administerXpn

compute.organizations.disableXpnHost

compute.organizations.disableXpnResource

compute.organizations.enableXpnHost

compute.organizations.enableXpnResource

compute.projects.get

compute.subnetworks.getIamPolicy

compute.subnetworks.setIamPolicy

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

GuestPolicy Admin ^Beta

(roles/osconfig.guestPolicyAdmin)

Full admin access to GuestPolicies

osconfig.guestPolicies.*

osconfig.guestPolicies.create
osconfig.guestPolicies.delete
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Editor ^Beta

(roles/osconfig.guestPolicyEditor)

Editor of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

GuestPolicy Viewer ^Beta

(roles/osconfig.guestPolicyViewer)

Viewer of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

resourcemanager.projects.get

resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer ^Beta

(roles/osconfig.instanceOSPoliciesComplianceViewer)

Viewer of OS Policies Compliance of VM instances

osconfig.instanceOSPoliciesCompliances.*

osconfig.instanceOSPoliciesCompliances.get
osconfig.instanceOSPoliciesCompliances.list

resourcemanager.projects.get

resourcemanager.projects.list

OS Inventory Viewer

(roles/osconfig.inventoryViewer)

Viewer of OS Inventories

osconfig.inventories.*

osconfig.inventories.get
osconfig.inventories.list

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Admin

(roles/osconfig.osPolicyAssignmentAdmin)

Full admin access to OS Policy Assignments

osconfig.osPolicyAssignments.*

osconfig.osPolicyAssignments.create
osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get
osconfig.osPolicyAssignments.list
osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Editor

(roles/osconfig.osPolicyAssignmentEditor)

Editor of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignmentReport Viewer

(roles/osconfig.osPolicyAssignmentReportViewer)

Viewer of OS policy assignment reports for VM instances

osconfig.osPolicyAssignmentReports.*

osconfig.osPolicyAssignmentReports.get
osconfig.osPolicyAssignmentReports.list

resourcemanager.projects.get

resourcemanager.projects.list

OSPolicyAssignment Viewer

(roles/osconfig.osPolicyAssignmentViewer)

Viewer of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Admin

(roles/osconfig.patchDeploymentAdmin)

Full admin access to PatchDeployments

osconfig.patchDeployments.*

osconfig.patchDeployments.create
osconfig.patchDeployments.delete
osconfig.patchDeployments.execute
osconfig.patchDeployments.get
osconfig.patchDeployments.list
osconfig.patchDeployments.pause
osconfig.patchDeployments.resume
osconfig.patchDeployments.update

resourcemanager.projects.get

resourcemanager.projects.list

PatchDeployment Viewer

(roles/osconfig.patchDeploymentViewer)

Viewer of PatchDeployment resources

osconfig.patchDeployments.get

osconfig.patchDeployments.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Executor

(roles/osconfig.patchJobExecutor)

Access to execute Patch Jobs.

osconfig.patchJobs.*

osconfig.patchJobs.exec
osconfig.patchJobs.get
osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

Patch Job Viewer

(roles/osconfig.patchJobViewer)

Get and list Patch Jobs.

osconfig.patchJobs.get

osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

OS VulnerabilityReport Viewer

(roles/osconfig.vulnerabilityReportViewer)

Viewer of OS VulnerabilityReports

osconfig.vulnerabilityReports.*

osconfig.vulnerabilityReports.get
osconfig.vulnerabilityReports.list

resourcemanager.projects.get

resourcemanager.projects.list

Container Analysis roles

Permissions

Container Analysis Admin

(roles/containeranalysis.admin)

Access to all Container Analysis resources.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.notes.setIamPolicy

containeranalysis.notes.update

containeranalysis.occurrences.*

containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.getIamPolicy
containeranalysis.occurrences.list
containeranalysis.occurrences.setIamPolicy
containeranalysis.occurrences.update

resourcemanager.projects.get

resourcemanager.projects.list

Container Analysis Notes Attacher

(roles/containeranalysis.notes.attacher)

Can attach Container Analysis Occurrences to Notes.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.get

Container Analysis Notes Editor

(roles/containeranalysis.notes.editor)

Can edit Container Analysis Notes.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

resourcemanager.projects.get

resourcemanager.projects.list

Container Analysis Occurrences for Notes Viewer

(roles/containeranalysis.notes.occurrences.viewer)

Can view all Container Analysis Occurrences attached to a Note.

containeranalysis.notes.get

containeranalysis.notes.listOccurrences

Container Analysis Notes Viewer

(roles/containeranalysis.notes.viewer)

Can view Container Analysis Notes.

containeranalysis.notes.get

containeranalysis.notes.list

resourcemanager.projects.get

resourcemanager.projects.list

Container Analysis Occurrences Editor

(roles/containeranalysis.occurrences.editor)

Can edit Container Analysis Occurrences.

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

resourcemanager.projects.get

resourcemanager.projects.list

Container Analysis Occurrences Viewer

(roles/containeranalysis.occurrences.viewer)

Can view Container Analysis Occurrences.

containeranalysis.occurrences.get

containeranalysis.occurrences.list

resourcemanager.projects.get

resourcemanager.projects.list

Data Catalog roles

Permissions

Data Catalog Admin

(roles/datacatalog.admin)

Full access to all DataCatalog resources

bigquery.connections.get

bigquery.connections.updateTag

bigquery.datasets.get

bigquery.datasets.updateTag

bigquery.models.getMetadata

bigquery.models.updateTag

bigquery.routines.get

bigquery.routines.updateTag

bigquery.tables.get

bigquery.tables.updateTag

datacatalog.catalogs.searchAll

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.*

datacatalog.entries.create
datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.delete
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.get
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entries.update
datacatalog.entries.updateContacts
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.entries.updateOverview
datacatalog.entries.updateTag

datacatalog.entryGroups.*

datacatalog.entryGroups.create
datacatalog.entryGroups.delete
datacatalog.entryGroups.get
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.entryGroups.setIamPolicy
datacatalog.entryGroups.update
datacatalog.entryGroups.updateTag

datacatalog.relationships.*

datacatalog.relationships.create
datacatalog.relationships.createIsDescribedBy
datacatalog.relationships.createIsRelatedTo
datacatalog.relationships.createIsSynonymousTo
datacatalog.relationships.delete
datacatalog.relationships.deleteIsDescribedBy
datacatalog.relationships.deleteIsRelatedTo
datacatalog.relationships.deleteIsSynonymousTo
datacatalog.relationships.list

datacatalog.tagTemplates.*

datacatalog.tagTemplates.create
datacatalog.tagTemplates.delete
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.setIamPolicy
datacatalog.tagTemplates.update
datacatalog.tagTemplates.use

datacatalog.taxonomies.*

datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update

pubsub.topics.get

pubsub.topics.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

Policy Tag Admin

(roles/datacatalog.categoryAdmin)

Manage taxonomies

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.taxonomies.*

datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
datacatalog.taxonomies.update

resourcemanager.projects.get

resourcemanager.projects.list

Fine-Grained Reader

(roles/datacatalog.categoryFineGrainedReader)

Read access to sub-resources tagged by a policy tag, for example, BigQuery columns

datacatalog.categories.fineGrainedGet

DataCatalog Data Steward ^Beta

(roles/datacatalog.dataSteward)

Can update overview and data steward fields

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entries.updateContacts

datacatalog.entries.updateOverview

datacatalog.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

DataCatalog EntryGroup Creator

(roles/datacatalog.entryGroupCreator)

Can create new entryGroups

datacatalog.entryGroups.create

datacatalog.entryGroups.get

datacatalog.entryGroups.list

resourcemanager.projects.get

resourcemanager.projects.list

DataCatalog EntryGroup Owner

(roles/datacatalog.entryGroupOwner)

Full access to entryGroups

datacatalog.entries.*

datacatalog.entries.create
datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.delete
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.get
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entries.update
datacatalog.entries.updateContacts
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.entries.updateOverview
datacatalog.entries.updateTag

datacatalog.entryGroups.*

datacatalog.entryGroups.create
datacatalog.entryGroups.delete
datacatalog.entryGroups.get
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.entryGroups.setIamPolicy
datacatalog.entryGroups.update
datacatalog.entryGroups.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

DataCatalog Entry Owner

(roles/datacatalog.entryOwner)

Full access to entries

datacatalog.entries.*

datacatalog.entries.create
datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.delete
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.get
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entries.update
datacatalog.entries.updateContacts
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.entries.updateOverview
datacatalog.entries.updateTag

datacatalog.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

DataCatalog Entry Viewer

(roles/datacatalog.entryViewer)

Read access to entries

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

DataCatalog Glossary Owner ^Beta

(roles/datacatalog.glossaryOwner)

Full access to glossaries

datacatalog.entries.*

datacatalog.entries.create
datacatalog.entries.createGlossary
datacatalog.entries.createGlossaryTerm
datacatalog.entries.delete
datacatalog.entries.deleteGlossary
datacatalog.entries.deleteGlossaryTerm
datacatalog.entries.get
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entries.update
datacatalog.entries.updateContacts
datacatalog.entries.updateGlossary
datacatalog.entries.updateGlossaryTerm
datacatalog.entries.updateOverview
datacatalog.entries.updateTag

datacatalog.relationships.*

datacatalog.relationships.create
datacatalog.relationships.createIsDescribedBy
datacatalog.relationships.createIsRelatedTo
datacatalog.relationships.createIsSynonymousTo
datacatalog.relationships.delete
datacatalog.relationships.deleteIsDescribedBy
datacatalog.relationships.deleteIsRelatedTo
datacatalog.relationships.deleteIsSynonymousTo
datacatalog.relationships.list

DataCatalog Glossary User ^Beta

(roles/datacatalog.glossaryUser)

Can view glossaries and associate terms to entries

datacatalog.entries.get

datacatalog.entries.list

datacatalog.relationships.*

datacatalog.relationships.create
datacatalog.relationships.createIsDescribedBy
datacatalog.relationships.createIsRelatedTo
datacatalog.relationships.createIsSynonymousTo
datacatalog.relationships.delete
datacatalog.relationships.deleteIsDescribedBy
datacatalog.relationships.deleteIsRelatedTo
datacatalog.relationships.deleteIsSynonymousTo
datacatalog.relationships.list

DataCatalog Search Admin ^Beta

(roles/datacatalog.searchAdmin)

Can search all metadata for a project/org in DataCatalog

datacatalog.catalogs.searchAll

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Data Catalog Tag Editor

(roles/datacatalog.tagEditor)

Access to modify metadata tags for entries, as well as BigQuery and Pub/Sub data assets

bigquery.connections.updateTag

bigquery.datasets.updateTag

bigquery.models.updateTag

bigquery.routines.updateTag

bigquery.tables.updateTag

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

pubsub.topics.updateTag

Data Catalog TagTemplate Creator

(roles/datacatalog.tagTemplateCreator)

Access to create new tag templates

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

Data Catalog TagTemplate Owner

(roles/datacatalog.tagTemplateOwner)

Full access to tag templates

datacatalog.tagTemplates.*

datacatalog.tagTemplates.create
datacatalog.tagTemplates.delete
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.setIamPolicy
datacatalog.tagTemplates.update
datacatalog.tagTemplates.use

resourcemanager.projects.get

resourcemanager.projects.list

Data Catalog TagTemplate User

(roles/datacatalog.tagTemplateUser)

Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

resourcemanager.projects.get

resourcemanager.projects.list

Data Catalog TagTemplate Viewer

(roles/datacatalog.tagTemplateViewer)

Read access to templates and tags created using the templates

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

resourcemanager.projects.get

resourcemanager.projects.list

Data Catalog Viewer

(roles/datacatalog.viewer)

Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub

bigquery.connections.get

bigquery.datasets.get

bigquery.models.getMetadata

bigquery.routines.get

bigquery.tables.get

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entryGroups.get

datacatalog.entryGroups.list

datacatalog.relationships.list

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.taxonomies.get

datacatalog.taxonomies.list

pubsub.topics.get

resourcemanager.projects.get

resourcemanager.projects.list

Data Connectors roles

Permissions

Connector Admin ^Beta

(roles/dataconnectors.connectorAdmin)

Full access to Data Connectors.

dataconnectors.*

dataconnectors.connectors.create
dataconnectors.connectors.delete
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.setIamPolicy
dataconnectors.connectors.update
dataconnectors.connectors.use
dataconnectors.locations.get
dataconnectors.locations.list
dataconnectors.operations.cancel
dataconnectors.operations.delete
dataconnectors.operations.get
dataconnectors.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Connector User ^Beta

(roles/dataconnectors.connectorUser)

Access to use Data Connectors.

dataconnectors.connectors.get

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.connectors.use

Data Migration roles

Permissions

Database Migration Admin

(roles/datamigration.admin)

Full access to all resources of Database Migration.

datamigration.*

datamigration.connectionprofiles.create
datamigration.connectionprofiles.delete
datamigration.connectionprofiles.get
datamigration.connectionprofiles.getIamPolicy
datamigration.connectionprofiles.list
datamigration.connectionprofiles.setIamPolicy
datamigration.connectionprofiles.update
datamigration.conversionworkspaces.commit
datamigration.conversionworkspaces.convert
datamigration.conversionworkspaces.create
datamigration.conversionworkspaces.delete
datamigration.conversionworkspaces.get
datamigration.conversionworkspaces.getIamPolicy
datamigration.conversionworkspaces.list
datamigration.conversionworkspaces.rollback
datamigration.conversionworkspaces.seed
datamigration.conversionworkspaces.setIamPolicy
datamigration.conversionworkspaces.update
datamigration.locations.fetchStaticIps
datamigration.locations.get
datamigration.locations.list
datamigration.mappingrules.getIamPolicy
datamigration.mappingrules.import
datamigration.mappingrules.setIamPolicy
datamigration.migrationjobs.create
datamigration.migrationjobs.delete
datamigration.migrationjobs.generateSshScript
datamigration.migrationjobs.generateTcpProxyScript
datamigration.migrationjobs.get
datamigration.migrationjobs.getIamPolicy
datamigration.migrationjobs.list
datamigration.migrationjobs.promote
datamigration.migrationjobs.restart
datamigration.migrationjobs.resume
datamigration.migrationjobs.setIamPolicy
datamigration.migrationjobs.start
datamigration.migrationjobs.stop
datamigration.migrationjobs.update
datamigration.migrationjobs.verify
datamigration.operations.cancel
datamigration.operations.delete
datamigration.operations.get
datamigration.operations.list
datamigration.privateconnections.create
datamigration.privateconnections.delete
datamigration.privateconnections.get
datamigration.privateconnections.getIamPolicy
datamigration.privateconnections.list
datamigration.privateconnections.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

Data Pipelines roles

Permissions

Data pipelines Admin

(roles/datapipelines.admin)

Administrator of Data pipelines resources

datapipelines.*

datapipelines.jobs.list
datapipelines.pipelines.create
datapipelines.pipelines.delete
datapipelines.pipelines.get
datapipelines.pipelines.list
datapipelines.pipelines.run
datapipelines.pipelines.stop
datapipelines.pipelines.update

resourcemanager.projects.get

resourcemanager.projects.list

Data pipelines Invoker

(roles/datapipelines.invoker)

Invoker of Data pipelines jobs

datapipelines.pipelines.run

resourcemanager.projects.get

resourcemanager.projects.list

Data pipelines Viewer

(roles/datapipelines.viewer)

Viewer of Data pipelines resources

datapipelines.jobs.list

datapipelines.pipelines.get

datapipelines.pipelines.list

resourcemanager.projects.get

resourcemanager.projects.list

Data Studio roles

Permissions

Data Studio Admin ^Beta

(roles/datastudio.admin)

Data Studio Admin

datastudio.*

datastudio.datasources.delete
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.move
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.setIamPolicy
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.delete
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.move
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.setIamPolicy
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.delete
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.moveOut
datastudio.workspaces.restoreTrash
datastudio.workspaces.search
datastudio.workspaces.setIamPolicy
datastudio.workspaces.trash
datastudio.workspaces.update

resourcemanager.projects.get

resourcemanager.projects.list

Data Studio Workspace Content Manager ^Beta

(roles/datastudio.contentManager)

Content Manager of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.restoreTrash

datastudio.datasources.search

datastudio.datasources.settingsShare

datastudio.datasources.share

datastudio.datasources.trash

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.restoreTrash

datastudio.reports.search

datastudio.reports.settingsShare

datastudio.reports.share

datastudio.reports.trash

datastudio.reports.update

datastudio.workspaces.createUnder

datastudio.workspaces.get

datastudio.workspaces.getIamPolicy

datastudio.workspaces.moveIn

datastudio.workspaces.search

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

Data Studio Workspace Contributor ^Beta

(roles/datastudio.contributor)

Contributor of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.restoreTrash

datastudio.datasources.search

datastudio.datasources.settingsShare

datastudio.datasources.share

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.restoreTrash

datastudio.reports.search

datastudio.reports.settingsShare

datastudio.reports.share

datastudio.reports.update

datastudio.workspaces.createUnder

datastudio.workspaces.get

datastudio.workspaces.getIamPolicy

datastudio.workspaces.moveIn

datastudio.workspaces.search

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

Data Studio Asset Editor ^Beta

(roles/datastudio.editor)

Editor of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.search

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.search

datastudio.reports.update

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

Data Studio Workspace Manager ^Beta

(roles/datastudio.manager)

Manager of a Data Studio resource

datastudio.*

datastudio.datasources.delete
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.move
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.setIamPolicy
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.delete
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.move
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.setIamPolicy
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.delete
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.moveOut
datastudio.workspaces.restoreTrash
datastudio.workspaces.search
datastudio.workspaces.setIamPolicy
datastudio.workspaces.trash
datastudio.workspaces.update

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

Data Studio Asset Viewer ^Beta

(roles/datastudio.viewer)

Viewer of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.search

datastudio.reports.get

datastudio.reports.search

resourcemanager.projects.get

Dataflow roles

Permissions

Dataflow Admin

(roles/dataflow.admin)

Minimal role for creating and managing dataflow jobs.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

compute.machineTypes.get

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list

recommender.dataflowDiagnosticsInsights.*

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

Dataflow Developer

(roles/dataflow.developer)

Provides the permissions necessary to execute and manipulate Dataflow jobs.

Lowest-level resources where you can grant this role:

Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataflow.snapshots.delete
dataflow.snapshots.get
dataflow.snapshots.list

recommender.dataflowDiagnosticsInsights.*

recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
recommender.dataflowDiagnosticsInsights.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

Dataflow Viewer

(roles/dataflow.viewer)

Provides read-only access to all Dataflow-related resources.

Lowest-level resources where you can grant this role:

Project

dataflow.jobs.get

dataflow.jobs.list

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.get

dataflow.snapshots.list

recommender.dataflowDiagnosticsInsights.get

recommender.dataflowDiagnosticsInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataflow Worker

(roles/dataflow.worker)

Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.

Lowest-level resources where you can grant this role:

Project

autoscaling.sites.readRecommendations

autoscaling.sites.writeMetrics

autoscaling.sites.writeState

compute.instanceGroupManagers.update

compute.instances.delete

compute.instances.setDiskAutoDelete

dataflow.jobs.get

dataflow.shuffle.*

dataflow.shuffle.read
dataflow.shuffle.write

dataflow.streamingWorkItems.*

dataflow.streamingWorkItems.ImportState
dataflow.streamingWorkItems.commitWork
dataflow.streamingWorkItems.getData
dataflow.streamingWorkItems.getWork
dataflow.streamingWorkItems.getWorkerMetadata

dataflow.workItems.*

dataflow.workItems.lease
dataflow.workItems.sendMessage
dataflow.workItems.update

logging.logEntries.create

logging.logEntries.route

monitoring.timeSeries.create

storage.buckets.get

storage.objects.create

storage.objects.get

Dataform roles

Permissions

Dataform Admin ^Beta

(roles/dataform.admin)

Full access to all Dataform resources.

dataform.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Editor ^Beta

(roles/dataform.editor)

Edit access to Workspaces and Read-only access to Repositories.

dataform.compilationResults.*

dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.*

dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataform Viewer ^Beta

(roles/dataform.viewer)

Read-only access to all Dataform resources.

dataform.compilationResults.get

dataform.compilationResults.list

dataform.compilationResults.query

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.get

dataform.workflowInvocations.list

dataform.workflowInvocations.query

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

resourcemanager.projects.get

resourcemanager.projects.list

Dataprep roles

Permissions

Dataprep User ^Beta

(roles/dataprep.projects.user)

Use of Dataprep.

dataprep.projects.use

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Dataproc roles

Permissions

Dataproc Administrator

(roles/dataproc.admin)

Full control of Dataproc resources.

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.*

dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list

dataproc.clusters.*

dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use

dataproc.jobs.*

dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.*

dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy

dataproc.workflowTemplates.*

dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataproc.workflowTemplates.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Editor

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

Project

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.nodeGroups.create
dataproc.nodeGroups.get
dataproc.nodeGroups.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Hub Agent

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

Dataproc Viewer

(roles/dataproc.viewer)

Provides read-only access to Dataproc resources.

Lowest-level resources where you can grant this role:

Project

compute.machineTypes.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.get

dataproc.batches.list

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Worker

(roles/dataproc.worker)

Provides worker access to Dataproc resources. Intended for service accounts.

dataproc.agents.*

dataproc.agents.create
dataproc.agents.delete
dataproc.agents.get
dataproc.agents.list
dataproc.agents.update

dataproc.tasks.*

dataproc.tasks.lease
dataproc.tasks.listInvalidatedLeases
dataproc.tasks.reportStatus

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

storage.buckets.get

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Dataproc Metastore roles

Permissions

Dataproc Metastore Admin

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.backups.use

metastore.federations.*

metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.federations.setIamPolicy
metastore.federations.update
metastore.federations.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Editor

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.*

metastore.operations.cancel
metastore.operations.delete
metastore.operations.get
metastore.operations.list

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

Metastore Federation Accessor

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

Dataproc Metastore Metadata Editor ^Beta

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

Dataproc Metastore Metadata Mutate Admin ^Beta

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

Dataproc Metastore Metadata Operator

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

metastore.imports.create
metastore.imports.get
metastore.imports.list
metastore.imports.update

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

Dataproc Metastore Data Owner ^Beta

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.setIamPolicy
metastore.databases.update

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
metastore.tables.update

Dataproc Metastore Metadata Query Admin ^Beta

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

Dataproc Metastore Metadata User ^Beta

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

Dataproc Metastore Metadata Viewer ^Beta

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

Dataproc Metastore Viewer

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

metastore.locations.get
metastore.locations.list

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Datastore roles

Permissions

Cloud Datastore Import Export Admin

(roles/datastore.importExportAdmin)

Provides full access to manage imports and exports.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

datastore.databases.export

datastore.databases.getMetadata

datastore.databases.import

datastore.operations.cancel

datastore.operations.get

datastore.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Datastore Index Admin

(roles/datastore.indexAdmin)

Provides full access to manage index definitions.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

datastore.databases.getMetadata

datastore.indexes.*

datastore.indexes.create
datastore.indexes.delete
datastore.indexes.get
datastore.indexes.list
datastore.indexes.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Datastore Key Visualizer Viewer

(roles/datastore.keyVisualizerViewer)

Full access to Key Visualizer scans.

datastore.databases.getMetadata

datastore.keyVisualizerScans.*

datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Datastore Owner

(roles/datastore.owner)

Provides full access to Datastore resources.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

datastore.*

datastore.databases.create
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.export
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.import
datastore.databases.list
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastore.databases.update
datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.get
datastore.indexes.list
datastore.indexes.update
datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
datastore.locations.get
datastore.locations.list
datastore.namespaces.get
datastore.namespaces.list
datastore.operations.cancel
datastore.operations.delete
datastore.operations.get
datastore.operations.list
datastore.statistics.get
datastore.statistics.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Datastore User

(roles/datastore.user)

Provides read/write access to data in a Datastore database.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.*

datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Datastore Viewer

(roles/datastore.viewer)

Provides read access to Datastore resources.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

resourcemanager.projects.get

resourcemanager.projects.list

DataStream roles

Permissions

Datastream Admin ^Beta

(roles/datastream.admin)

Full access to all Datastream resources.

datastream.*

datastream.connectionProfiles.create
datastream.connectionProfiles.createTagBinding
datastream.connectionProfiles.delete
datastream.connectionProfiles.deleteTagBinding
datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.setIamPolicy
datastream.connectionProfiles.sourceTypes
datastream.connectionProfiles.update
datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list
datastream.objects.get
datastream.objects.list
datastream.objects.startBackfillJob
datastream.objects.stopBackfillJob
datastream.operations.cancel
datastream.operations.delete
datastream.operations.get
datastream.operations.list
datastream.privateConnections.create
datastream.privateConnections.createTagBinding
datastream.privateConnections.delete
datastream.privateConnections.deleteTagBinding
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.privateConnections.setIamPolicy
datastream.routes.create
datastream.routes.delete
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.streams.computeState
datastream.streams.create
datastream.streams.createTagBinding
datastream.streams.delete
datastream.streams.deleteTagBinding
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
datastream.streams.pause
datastream.streams.resume
datastream.streams.setIamPolicy
datastream.streams.start
datastream.streams.update

resourcemanager.projects.get

resourcemanager.projects.list

Datastream Viewer ^Beta

(roles/datastream.viewer)

Read-only access to all Datastream resources.

datastream.connectionProfiles.destinationTypes

datastream.connectionProfiles.discover

datastream.connectionProfiles.get

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.connectionProfiles.listEffectiveTags

datastream.connectionProfiles.listStaticServiceIps

datastream.connectionProfiles.listTagBindings

datastream.connectionProfiles.sourceTypes

datastream.locations.*

datastream.locations.fetchStaticIps
datastream.locations.get
datastream.locations.list

datastream.objects.get

datastream.objects.list

datastream.operations.get

datastream.operations.list

datastream.privateConnections.get

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.privateConnections.listEffectiveTags

datastream.privateConnections.listTagBindings

datastream.routes.get

datastream.routes.getIamPolicy

datastream.routes.list

datastream.streams.fetchErrors

datastream.streams.get

datastream.streams.getIamPolicy

datastream.streams.list

datastream.streams.listEffectiveTags

datastream.streams.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Deployment Manager roles

Permissions

Deployment Manager Editor

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Deployment Manager Type Editor

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.*

deploymentmanager.compositeTypes.create
deploymentmanager.compositeTypes.delete
deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.compositeTypes.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

deploymentmanager.typeProviders.create
deploymentmanager.typeProviders.delete
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.typeProviders.update

deploymentmanager.types.*

deploymentmanager.types.create
deploymentmanager.types.delete
deploymentmanager.types.get
deploymentmanager.types.list
deploymentmanager.types.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Type Viewer

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

Deployment Manager Viewer

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

deploymentmanager.manifests.get
deploymentmanager.manifests.list

deploymentmanager.operations.*

deploymentmanager.operations.get
deploymentmanager.operations.list

deploymentmanager.resources.*

deploymentmanager.resources.get
deploymentmanager.resources.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Dialogflow roles

Permissions

CX Premium Admin

(roles/dialogflow.aamAdmin)

An admin has access to all resources and can perform all administrative actions in an AAM project.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

CX Premium Conversational Architect

(roles/dialogflow.aamConversationalArchitect)

A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

CX Premium Dialog Designer

(roles/dialogflow.aamDialogDesigner)

A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

CX Premium Lead Dialog Designer

(roles/dialogflow.aamLeadDialogDesigner)

A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

CX Premium Viewer

(roles/dialogflow.aamViewer)

A user can view the taxonomy and data reports in an AAM project.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

Dialogflow API Admin

(roles/dialogflow.admin)

Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

Project

dialogflow.*

dialogflow.agents.create
dialogflow.agents.delete
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.import
dialogflow.agents.list
dialogflow.agents.restore
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.agents.train
dialogflow.agents.update
dialogflow.agents.validate
dialogflow.answerrecords.delete
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.answerrecords.update
dialogflow.callMatchers.create
dialogflow.callMatchers.delete
dialogflow.callMatchers.list
dialogflow.changelogs.get
dialogflow.changelogs.list
dialogflow.contexts.create
dialogflow.contexts.delete
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.contexts.update
dialogflow.conversationDatasets.create
dialogflow.conversationDatasets.delete
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.import
dialogflow.conversationDatasets.list
dialogflow.conversationModels.create
dialogflow.conversationModels.delete
dialogflow.conversationModels.deploy
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationModels.undeploy
dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversationProfiles.update
dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.conversations.update
dialogflow.deployments.get
dialogflow.deployments.list
dialogflow.documents.create
dialogflow.documents.delete
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.create
dialogflow.entityTypes.createEntity
dialogflow.entityTypes.delete
dialogflow.entityTypes.deleteEntity
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.entityTypes.update
dialogflow.entityTypes.updateEntity
dialogflow.environments.create
dialogflow.environments.delete
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.lookupHistory
dialogflow.environments.runContinuousTest
dialogflow.environments.update
dialogflow.experiments.create
dialogflow.experiments.delete
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.experiments.update
dialogflow.flows.create
dialogflow.flows.delete
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.fulfillments.get
dialogflow.fulfillments.update
dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
dialogflow.intents.create
dialogflow.intents.delete
dialogflow.intents.get
dialogflow.intents.list
dialogflow.intents.update
dialogflow.knowledgeBases.create
dialogflow.knowledgeBases.delete
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.knowledgeBases.update
dialogflow.messages.list
dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list
dialogflow.operations.get
dialogflow.pages.create
dialogflow.pages.delete
dialogflow.pages.get
dialogflow.pages.list
dialogflow.pages.update
dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update
dialogflow.phoneNumberOrders.cancel
dialogflow.phoneNumberOrders.create
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumberOrders.update
dialogflow.phoneNumbers.delete
dialogflow.phoneNumbers.list
dialogflow.phoneNumbers.undelete
dialogflow.phoneNumbers.update
dialogflow.securitySettings.create
dialogflow.securitySettings.delete
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.securitySettings.update
dialogflow.sessionEntityTypes.create
dialogflow.sessionEntityTypes.delete
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.sessionEntityTypes.update
dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent
dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.calculateCoverage
dialogflow.testcases.create
dialogflow.testcases.delete
dialogflow.testcases.export
dialogflow.testcases.get
dialogflow.testcases.import
dialogflow.testcases.list
dialogflow.testcases.run
dialogflow.testcases.update
dialogflow.transitionRouteGroups.create
dialogflow.transitionRouteGroups.delete
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.transitionRouteGroups.update
dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.load
dialogflow.versions.update
dialogflow.webhooks.create
dialogflow.webhooks.delete
dialogflow.webhooks.get
dialogflow.webhooks.list
dialogflow.webhooks.update

resourcemanager.projects.get

Dialogflow API Client

(roles/dialogflow.client)

Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

Project

dialogflow.contexts.*

dialogflow.contexts.create
dialogflow.contexts.delete
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.contexts.update

dialogflow.conversations.*

dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.conversations.update

dialogflow.environments.runContinuousTest

dialogflow.messages.list

dialogflow.participants.*

dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update

dialogflow.sessionEntityTypes.*

dialogflow.sessionEntityTypes.create
dialogflow.sessionEntityTypes.delete
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.sessionEntityTypes.update

dialogflow.sessions.*

dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent

Dialogflow Console Agent Editor

(roles/dialogflow.consoleAgentEditor)

Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

Project

actions.agentVersions.create

dialogflow.*

dialogflow.agents.create
dialogflow.agents.delete
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.import
dialogflow.agents.list
dialogflow.agents.restore
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.agents.train
dialogflow.agents.update
dialogflow.agents.validate
dialogflow.answerrecords.delete
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.answerrecords.update
dialogflow.callMatchers.create
dialogflow.callMatchers.delete
dialogflow.callMatchers.list
dialogflow.changelogs.get
dialogflow.changelogs.list
dialogflow.contexts.create
dialogflow.contexts.delete
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.contexts.update
dialogflow.conversationDatasets.create
dialogflow.conversationDatasets.delete
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.import
dialogflow.conversationDatasets.list
dialogflow.conversationModels.create
dialogflow.conversationModels.delete
dialogflow.conversationModels.deploy
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationModels.undeploy
dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversationProfiles.update
dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.conversations.update
dialogflow.deployments.get
dialogflow.deployments.list
dialogflow.documents.create
dialogflow.documents.delete
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.create
dialogflow.entityTypes.createEntity
dialogflow.entityTypes.delete
dialogflow.entityTypes.deleteEntity
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.entityTypes.update
dialogflow.entityTypes.updateEntity
dialogflow.environments.create
dialogflow.environments.delete
dialogflow.environments.get
dialogflow.environments.getHistory
dialogflow.environments.list
dialogflow.environments.lookupHistory
dialogflow.environments.runContinuousTest
dialogflow.environments.update
dialogflow.experiments.create
dialogflow.experiments.delete
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.experiments.update
dialogflow.flows.create
dialogflow.flows.delete
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.fulfillments.get
dialogflow.fulfillments.update
dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update
dialogflow.intents.create
dialogflow.intents.delete
dialogflow.intents.get
dialogflow.intents.list
dialogflow.intents.update
dialogflow.knowledgeBases.create
dialogflow.knowledgeBases.delete
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.knowledgeBases.update
dialogflow.messages.list
dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list
dialogflow.operations.get
dialogflow.pages.create
dialogflow.pages.delete
dialogflow.pages.get
dialogflow.pages.list
dialogflow.pages.update
dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update
dialogflow.phoneNumberOrders.cancel
dialogflow.phoneNumberOrders.create
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumberOrders.update
dialogflow.phoneNumbers.delete
dialogflow.phoneNumbers.list
dialogflow.phoneNumbers.undelete
dialogflow.phoneNumbers.update
dialogflow.securitySettings.create
dialogflow.securitySettings.delete
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.securitySettings.update
dialogflow.sessionEntityTypes.create
dialogflow.sessionEntityTypes.delete
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
dialogflow.sessionEntityTypes.update
dialogflow.sessions.detectIntent
dialogflow.sessions.streamingDetectIntent
dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.calculateCoverage
dialogflow.testcases.create
dialogflow.testcases.delete
dialogflow.testcases.export
dialogflow.testcases.get
dialogflow.testcases.import
dialogflow.testcases.list
dialogflow.testcases.run
dialogflow.testcases.update
dialogflow.transitionRouteGroups.create
dialogflow.transitionRouteGroups.delete
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.transitionRouteGroups.update
dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.load
dialogflow.versions.update
dialogflow.webhooks.create
dialogflow.webhooks.delete
dialogflow.webhooks.get
dialogflow.webhooks.list
dialogflow.webhooks.update

resourcemanager.projects.get

Dialogflow Console Simulator User

(roles/dialogflow.consoleSimulatorUser)

Can perform query of dialogflow suggestions in the simulator in web console.

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.*

dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.conversations.update

dialogflow.documents.get

dialogflow.documents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.participants.*

dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update

dialogflow.sessions.detectIntent

resourcemanager.projects.get

resourcemanager.projects.list

Dialogflow Console Smart Messaging Allowlist Editor

(roles/dialogflow.consoleSmartMessagingAllowlistEditor)

Can edit allowlist for smart messaging associated with conversation model in the agent assist console

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.operations.get

dialogflow.smartMessagingEntries.*

dialogflow.smartMessagingEntries.create
dialogflow.smartMessagingEntries.delete
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list

resourcemanager.projects.get

resourcemanager.projects.list

Dialogflow Conversation Manager

(roles/dialogflow.conversationManager)

Can manage all the resources related to Dialogflow Conversations.

dialogflow.conversationProfiles.*

dialogflow.conversationProfiles.create
dialogflow.conversationProfiles.delete
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversationProfiles.update

dialogflow.conversations.*

dialogflow.conversations.addPhoneNumber
dialogflow.conversations.complete
dialogflow.conversations.create
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.conversations.update

dialogflow.participants.*

dialogflow.participants.analyzeContent
dialogflow.participants.create
dialogflow.participants.get
dialogflow.participants.list
dialogflow.participants.suggest
dialogflow.participants.update

Dialogflow Entity Type Admin

(roles/dialogflow.entityTypeAdmin)

Can read & write entity types.

dialogflow.entityTypes.*

dialogflow.entityTypes.create
dialogflow.entityTypes.createEntity
dialogflow.entityTypes.delete
dialogflow.entityTypes.deleteEntity
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.entityTypes.update
dialogflow.entityTypes.updateEntity

Dialogflow Environment editor

(roles/dialogflow.environmentEditor)

Can read & update environment and its sub-resources.

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.environments.get

dialogflow.environments.getHistory

dialogflow.environments.list

dialogflow.environments.lookupHistory

dialogflow.environments.runContinuousTest

dialogflow.environments.update

dialogflow.experiments.*

dialogflow.experiments.create
dialogflow.experiments.delete
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.experiments.update

Dialogflow Flow editor

(roles/dialogflow.flowEditor)

Can read & update flow and its sub-resources.

dialogflow.flows.get

dialogflow.flows.list

dialogflow.flows.train

dialogflow.flows.update

dialogflow.flows.validate

dialogflow.pages.*

dialogflow.pages.create
dialogflow.pages.delete
dialogflow.pages.get
dialogflow.pages.list
dialogflow.pages.update

dialogflow.transitionRouteGroups.*

dialogflow.transitionRouteGroups.create
dialogflow.transitionRouteGroups.delete
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.transitionRouteGroups.update

dialogflow.versions.*

dialogflow.versions.create
dialogflow.versions.delete
dialogflow.versions.get
dialogflow.versions.list
dialogflow.versions.load
dialogflow.versions.update

Dialogflow Integration Manager

(roles/dialogflow.integrationManager)

Can add, remove, enable and disable Dialogflow integrations.

dialogflow.integrations.*

dialogflow.integrations.create
dialogflow.integrations.delete
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.integrations.update

Dialogflow Intent Admin

(roles/dialogflow.intentAdmin)

Can read & write intents.

dialogflow.intents.*

dialogflow.intents.create
dialogflow.intents.delete
dialogflow.intents.get
dialogflow.intents.list
dialogflow.intents.update

Dialogflow API Reader

(roles/dialogflow.reader)

Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

Project

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.changelogs.get
dialogflow.changelogs.list

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.deployments.get
dialogflow.deployments.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.modelEvaluations.get
dialogflow.modelEvaluations.list

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

Dialogflow Test Case Admin

(roles/dialogflow.testCaseAdmin)

Can read & write test cases.

dialogflow.testcases.*

dialogflow.testcases.calculateCoverage
dialogflow.testcases.create
dialogflow.testcases.delete
dialogflow.testcases.export
dialogflow.testcases.get
dialogflow.testcases.import
dialogflow.testcases.list
dialogflow.testcases.run
dialogflow.testcases.update

Dialogflow Webhook Admin

(roles/dialogflow.webhookAdmin)

Can read & write webhooks.

dialogflow.webhooks.*

dialogflow.webhooks.create
dialogflow.webhooks.delete
dialogflow.webhooks.get
dialogflow.webhooks.list
dialogflow.webhooks.update

DNS roles

Permissions

DNS Administrator

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

dns.changes.create
dns.changes.get
dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.gkeClusters.*

dns.gkeClusters.bindDNSResponsePolicy
dns.gkeClusters.bindPrivateDNSZone

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.networks.useHealthSignals

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.resourceRecordSets.update

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

resourcemanager.projects.get

resourcemanager.projects.list

DNS Peer

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

dns.dnsKeys.get
dns.dnsKeys.list

dns.managedZoneOperations.*

dns.managedZoneOperations.get
dns.managedZoneOperations.list

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Document AI roles

Permissions

Document AI Administrator ^Beta

(roles/documentai.admin)

Grants full access to all resources in Document AI

documentai.*

documentai.dataLabelingJobs.cancel
documentai.dataLabelingJobs.create
documentai.dataLabelingJobs.delete
documentai.dataLabelingJobs.list
documentai.dataLabelingJobs.update
documentai.datasetSchemas.get
documentai.datasetSchemas.update
documentai.datasets.createDocuments
documentai.datasets.deleteDocuments
documentai.datasets.get
documentai.datasets.getDocuments
documentai.datasets.listDocuments
documentai.datasets.update
documentai.datasets.updateDocuments
documentai.evaluationDocuments.get
documentai.evaluations.create
documentai.evaluations.get
documentai.evaluations.list
documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.humanReviewConfigs.update
documentai.labelerPools.create
documentai.labelerPools.delete
documentai.labelerPools.get
documentai.labelerPools.list
documentai.labelerPools.update
documentai.locations.get
documentai.locations.list
documentai.operations.getLegacy
documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
documentai.processorTypes.get
documentai.processorTypes.list
documentai.processorVersions.create
documentai.processorVersions.delete
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processorVersions.update
documentai.processors.create
documentai.processors.delete
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
documentai.processors.update

resourcemanager.projects.get

resourcemanager.projects.list

Document AI API User ^Beta

(roles/documentai.apiUser)

Grants access to process documents in Document AI

documentai.humanReviewConfigs.review

documentai.operations.getLegacy

documentai.processorVersions.processBatch

documentai.processorVersions.processOnline

documentai.processors.processBatch

documentai.processors.processOnline

Document AI Editor ^Beta

(roles/documentai.editor)

Grants access to use all resources in Document AI

documentai.*

documentai.dataLabelingJobs.cancel
documentai.dataLabelingJobs.create
documentai.dataLabelingJobs.delete
documentai.dataLabelingJobs.list
documentai.dataLabelingJobs.update
documentai.datasetSchemas.get
documentai.datasetSchemas.update
documentai.datasets.createDocuments
documentai.datasets.deleteDocuments
documentai.datasets.get
documentai.datasets.getDocuments
documentai.datasets.listDocuments
documentai.datasets.update
documentai.datasets.updateDocuments
documentai.evaluationDocuments.get
documentai.evaluations.create
documentai.evaluations.get
documentai.evaluations.list
documentai.humanReviewConfigs.get
documentai.humanReviewConfigs.review
documentai.humanReviewConfigs.update
documentai.labelerPools.create
documentai.labelerPools.delete
documentai.labelerPools.get
documentai.labelerPools.list
documentai.labelerPools.update
documentai.locations.get
documentai.locations.list
documentai.operations.getLegacy
documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments
documentai.processorTypes.get
documentai.processorTypes.list
documentai.processorVersions.create
documentai.processorVersions.delete
documentai.processorVersions.get
documentai.processorVersions.list
documentai.processorVersions.processBatch
documentai.processorVersions.processOnline
documentai.processorVersions.update
documentai.processors.create
documentai.processors.delete
documentai.processors.fetchHumanReviewDetails
documentai.processors.get
documentai.processors.list
documentai.processors.processBatch
documentai.processors.processOnline
documentai.processors.update

resourcemanager.projects.get

resourcemanager.projects.list

Document AI Viewer ^Beta

(roles/documentai.viewer)

Grants access to view all resources and process documents in Document AI

documentai.dataLabelingJobs.list

documentai.datasetSchemas.get

documentai.datasets.get

documentai.datasets.getDocuments

documentai.datasets.listDocuments

documentai.evaluationDocuments.get

documentai.evaluations.get

documentai.evaluations.list

documentai.humanReviewConfigs.get

documentai.humanReviewConfigs.review

documentai.labelerPools.get

documentai.labelerPools.list

documentai.locations.*

documentai.locations.get
documentai.locations.list

documentai.operations.getLegacy

documentai.processedDocumentsSets.*

documentai.processedDocumentsSets.get
documentai.processedDocumentsSets.getDocuments
documentai.processedDocumentsSets.listDocuments

documentai.processorTypes.*

documentai.processorTypes.get
documentai.processorTypes.list

documentai.processorVersions.get

documentai.processorVersions.list

documentai.processorVersions.processBatch

documentai.processorVersions.processOnline

documentai.processors.fetchHumanReviewDetails

documentai.processors.get

documentai.processors.list

documentai.processors.processBatch

documentai.processors.processOnline

resourcemanager.projects.get

resourcemanager.projects.list

Earth Engine roles

Permissions

Earth Engine Resource Admin ^Beta

(roles/earthengine.admin)

Full access to all Earth Engine resource features

earthengine.*

earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.assets.getIamPolicy
earthengine.assets.list
earthengine.assets.setIamPolicy
earthengine.assets.update
earthengine.computations.create
earthengine.config.get
earthengine.config.update
earthengine.exports.create
earthengine.featureviews.create
earthengine.filmstripthumbnails.create
earthengine.filmstripthumbnails.get
earthengine.imports.create
earthengine.maps.create
earthengine.maps.get
earthengine.operations.delete
earthengine.operations.get
earthengine.operations.list
earthengine.operations.update
earthengine.tables.create
earthengine.tables.get
earthengine.thumbnails.create
earthengine.thumbnails.get
earthengine.videothumbnails.create
earthengine.videothumbnails.get

resourcemanager.projects.get

resourcemanager.projects.list

Earth Engine Apps Publisher ^Beta

(roles/earthengine.appsPublisher)

Publisher of Earth Engine Apps

iam.serviceAccounts.create

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.setIamPolicy

resourcemanager.projects.get

serviceusage.services.get

Earth Engine Resource Viewer ^Beta

(roles/earthengine.viewer)

Viewer of all Earth Engine resources

earthengine.assets.get

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.computations.create

earthengine.config.get

earthengine.filmstripthumbnails.get

earthengine.maps.get

earthengine.operations.get

earthengine.operations.list

earthengine.tables.get

earthengine.thumbnails.get

earthengine.videothumbnails.get

resourcemanager.projects.get

resourcemanager.projects.list

Earth Engine Resource Writer ^Beta

(roles/earthengine.writer)

Writer of all Earth Engine resources

earthengine.assets.create

earthengine.assets.delete

earthengine.assets.get

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.assets.update

earthengine.computations.create

earthengine.config.*

earthengine.config.get
earthengine.config.update

earthengine.exports.create

earthengine.featureviews.create

earthengine.filmstripthumbnails.*

earthengine.filmstripthumbnails.create
earthengine.filmstripthumbnails.get

earthengine.imports.create

earthengine.maps.*

earthengine.maps.create
earthengine.maps.get

earthengine.operations.*

earthengine.operations.delete
earthengine.operations.get
earthengine.operations.list
earthengine.operations.update

earthengine.tables.*

earthengine.tables.create
earthengine.tables.get

earthengine.thumbnails.*

earthengine.thumbnails.create
earthengine.thumbnails.get

earthengine.videothumbnails.*

earthengine.videothumbnails.create
earthengine.videothumbnails.get

resourcemanager.projects.get

resourcemanager.projects.list

Edge Container roles

Permissions

Edge Container Admin

(roles/edgecontainer.admin)

Full access to Edge Container all resources.

edgecontainer.*

edgecontainer.clusters.create
edgecontainer.clusters.delete
edgecontainer.clusters.generateAccessToken
edgecontainer.clusters.get
edgecontainer.clusters.getIamPolicy
edgecontainer.clusters.list
edgecontainer.clusters.setIamPolicy
edgecontainer.clusters.update
edgecontainer.locations.get
edgecontainer.locations.list
edgecontainer.machines.create
edgecontainer.machines.delete
edgecontainer.machines.get
edgecontainer.machines.getIamPolicy
edgecontainer.machines.list
edgecontainer.machines.setIamPolicy
edgecontainer.machines.update
edgecontainer.machines.use
edgecontainer.nodePools.create
edgecontainer.nodePools.delete
edgecontainer.nodePools.get
edgecontainer.nodePools.getIamPolicy
edgecontainer.nodePools.list
edgecontainer.nodePools.setIamPolicy
edgecontainer.nodePools.update
edgecontainer.operations.cancel
edgecontainer.operations.delete
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.vpnConnections.create
edgecontainer.vpnConnections.delete
edgecontainer.vpnConnections.get
edgecontainer.vpnConnections.getIamPolicy
edgecontainer.vpnConnections.list
edgecontainer.vpnConnections.setIamPolicy
edgecontainer.vpnConnections.update

resourcemanager.projects.get

resourcemanager.projects.list

Edge Container Machine User

(roles/edgecontainer.machineUser)

Access to use Edge Container Machine resources.

edgecontainer.machines.get

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.machines.use

resourcemanager.projects.get

resourcemanager.projects.list

Edge Container Viewer

(roles/edgecontainer.viewer)

Read-only access to Edge Container all resources.

edgecontainer.clusters.generateAccessToken

edgecontainer.clusters.get

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.locations.*

edgecontainer.locations.get
edgecontainer.locations.list

edgecontainer.machines.get

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.nodePools.get

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.operations.get

edgecontainer.operations.list

edgecontainer.vpnConnections.get

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

resourcemanager.projects.get

resourcemanager.projects.list

Edge Network roles

Permissions

Edge Network Admin

(roles/edgenetwork.admin)

Full access to Edge Network all resources.

edgenetwork.*

edgenetwork.interconnectAttachments.create
edgenetwork.interconnectAttachments.delete
edgenetwork.interconnectAttachments.get
edgenetwork.interconnectAttachments.getIamPolicy
edgenetwork.interconnectAttachments.list
edgenetwork.interconnectAttachments.setIamPolicy
edgenetwork.interconnectAttachments.update
edgenetwork.interconnects.get
edgenetwork.interconnects.getDiagnostics
edgenetwork.interconnects.getIamPolicy
edgenetwork.interconnects.list
edgenetwork.interconnects.setIamPolicy
edgenetwork.locations.get
edgenetwork.locations.list
edgenetwork.networks.create
edgenetwork.networks.delete
edgenetwork.networks.get
edgenetwork.networks.getIamPolicy
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.networks.setIamPolicy
edgenetwork.networks.update
edgenetwork.operations.cancel
edgenetwork.operations.delete
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.create
edgenetwork.routers.delete
edgenetwork.routers.get
edgenetwork.routers.getIamPolicy
edgenetwork.routers.getRouterStatus
edgenetwork.routers.list
edgenetwork.routers.patch
edgenetwork.routers.setIamPolicy
edgenetwork.routers.update
edgenetwork.routes.create
edgenetwork.routes.delete
edgenetwork.routes.get
edgenetwork.routes.list
edgenetwork.subnetworks.create
edgenetwork.subnetworks.delete
edgenetwork.subnetworks.get
edgenetwork.subnetworks.getIamPolicy
edgenetwork.subnetworks.getStatus
edgenetwork.subnetworks.list
edgenetwork.subnetworks.setIamPolicy
edgenetwork.subnetworks.update
edgenetwork.zones.get
edgenetwork.zones.initialize
edgenetwork.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

Edge Network Viewer

(roles/edgenetwork.viewer)

Read-only access to Edge Network all resources.

edgenetwork.interconnectAttachments.get

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnects.get

edgenetwork.interconnects.getDiagnostics

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.locations.*

edgenetwork.locations.get
edgenetwork.locations.list

edgenetwork.networks.get

edgenetwork.networks.getIamPolicy

edgenetwork.networks.getStatus

edgenetwork.networks.list

edgenetwork.operations.get

edgenetwork.operations.list

edgenetwork.routers.get

edgenetwork.routers.getIamPolicy

edgenetwork.routers.getRouterStatus

edgenetwork.routers.list

edgenetwork.routes.get

edgenetwork.routes.list

edgenetwork.subnetworks.get

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.getStatus

edgenetwork.subnetworks.list

edgenetwork.zones.get

edgenetwork.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

Endpoints roles

Permissions

Endpoints Portal Admin ^Beta

(roles/endpoints.portalAdmin)

Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Google Cloud console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.

Lowest-level resources where you can grant this role:

Project

endpoints.*

endpoints.portals.attachCustomDomain
endpoints.portals.detachCustomDomain
endpoints.portals.listCustomDomains
endpoints.portals.update

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

Enterprise Knowledge Graph roles

Permissions

Enterprise Knowledge Graph Admin ^Beta

(roles/enterpriseknowledgegraph.admin)

Administrator of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.*

enterpriseknowledgegraph.cloudKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.cloudKnowledgeGraphEntities.search
enterpriseknowledgegraph.entityReconciliationJobs.cancel
enterpriseknowledgegraph.entityReconciliationJobs.create
enterpriseknowledgegraph.entityReconciliationJobs.delete
enterpriseknowledgegraph.entityReconciliationJobs.get
enterpriseknowledgegraph.entityReconciliationJobs.list
enterpriseknowledgegraph.publicKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.publicKnowledgeGraphEntities.search

resourcemanager.projects.get

resourcemanager.projects.list

Enterprise Knowledge Graph Editor ^Beta

(roles/enterpriseknowledgegraph.editor)

Editor of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.*

enterpriseknowledgegraph.cloudKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.cloudKnowledgeGraphEntities.search
enterpriseknowledgegraph.entityReconciliationJobs.cancel
enterpriseknowledgegraph.entityReconciliationJobs.create
enterpriseknowledgegraph.entityReconciliationJobs.delete
enterpriseknowledgegraph.entityReconciliationJobs.get
enterpriseknowledgegraph.entityReconciliationJobs.list
enterpriseknowledgegraph.publicKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.publicKnowledgeGraphEntities.search

resourcemanager.projects.get

resourcemanager.projects.list

Enterprise Knowledge Graph Viewer ^Beta

(roles/enterpriseknowledgegraph.viewer)

Viewer of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.cloudKnowledgeGraphEntities.*

enterpriseknowledgegraph.cloudKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.cloudKnowledgeGraphEntities.search

enterpriseknowledgegraph.entityReconciliationJobs.get

enterpriseknowledgegraph.entityReconciliationJobs.list

enterpriseknowledgegraph.publicKnowledgeGraphEntities.*

enterpriseknowledgegraph.publicKnowledgeGraphEntities.lookup
enterpriseknowledgegraph.publicKnowledgeGraphEntities.search

resourcemanager.projects.get

resourcemanager.projects.list

Error Reporting roles

Permissions

Error Reporting Admin ^Beta

(roles/errorreporting.admin)

Provides full access to Error Reporting data.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

errorreporting.*

errorreporting.applications.list
errorreporting.errorEvents.create
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groupMetadata.update
errorreporting.groups.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Error Reporting User ^Beta

(roles/errorreporting.user)

Provides the permissions to read and write Error Reporting data, except for sending new error events.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

errorreporting.applications.list

errorreporting.errorEvents.delete

errorreporting.errorEvents.list

errorreporting.groupMetadata.*

errorreporting.groupMetadata.get
errorreporting.groupMetadata.update

errorreporting.groups.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Error Reporting Viewer ^Beta

(roles/errorreporting.viewer)

Provides read-only access to Error Reporting data.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groupMetadata.get

errorreporting.groups.list

logging.notificationRules.get

logging.notificationRules.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Error Reporting Writer ^Beta

(roles/errorreporting.writer)

Provides the permissions to send error events to Error Reporting.

Lowest-level resources where you can grant this role:

Service Account

errorreporting.errorEvents.create

Eventarc roles

Permissions

Eventarc Admin

(roles/eventarc.admin)

Full control over all Eventarc resources.

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Connection Publisher ^Beta

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc Channel Connections.

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Developer

(roles/eventarc.developer)

Access to read and write Eventarc resources.

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.*

eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Event Receiver

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

eventarc.events.*

eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent

Eventarc Publisher ^Beta

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

Eventarc Viewer

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase roles

Permissions

Firebase Admin

(roles/firebase.admin)

Full access to Firebase products.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

appengine.applications.get

automl.*

automl.annotationSpecs.create
automl.annotationSpecs.delete
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotationSpecs.update
automl.annotations.approve
automl.annotations.create
automl.annotations.list
automl.annotations.manipulate
automl.annotations.reject
automl.columnSpecs.get
automl.columnSpecs.list
automl.columnSpecs.update
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.getIamPolicy
automl.datasets.import
automl.datasets.list
automl.datasets.setIamPolicy
automl.datasets.update
automl.examples.delete
automl.examples.get
automl.examples.list
automl.examples.update
automl.files.delete
automl.files.list
automl.humanAnnotationTasks.create
automl.humanAnnotationTasks.delete
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.create
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.getIamPolicy
automl.models.list
automl.models.predict
automl.models.setIamPolicy
automl.models.undeploy
automl.operations.cancel
automl.operations.delete
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
automl.tableSpecs.update

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.brands.update

clientauthconfig.clients.create

clientauthconfig.clients.delete

clientauthconfig.clients.get

clientauthconfig.clients.list

clientauthconfig.clients.update

cloudbuild.builds.get

cloudbuild.builds.list

cloudconfig.*

cloudconfig.configs.get
cloudconfig.configs.update

cloudfunctions.*

cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.get
cloudfunctions.locations.list
cloudfunctions.operations.get
cloudfunctions.operations.list
cloudfunctions.runtimes.list

cloudmessaging.messages.create

cloudnotifications.activities.list

cloudtestservice.*

cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.create
cloudtestservice.matrices.get
cloudtestservice.matrices.update

cloudtoolresults.*

cloudtoolresults.executions.create
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.executions.update
cloudtoolresults.histories.create
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.create
cloudtoolresults.settings.get
cloudtoolresults.settings.update
cloudtoolresults.steps.create
cloudtoolresults.steps.get
cloudtoolresults.steps.list
cloudtoolresults.steps.update

datastore.*

datastore.databases.create
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.export
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.import
datastore.databases.list
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastore.databases.update
datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.get
datastore.indexes.list
datastore.indexes.update
datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
datastore.locations.get
datastore.locations.list
datastore.namespaces.get
datastore.namespaces.list
datastore.operations.cancel
datastore.operations.delete
datastore.operations.get
datastore.operations.list
datastore.statistics.get
datastore.statistics.list

errorreporting.groups.list

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

fcmdata.deliverydata.list

firebase.*

firebase.billingPlans.get
firebase.billingPlans.update
firebase.clients.create
firebase.clients.delete
firebase.clients.get
firebase.clients.list
firebase.clients.undelete
firebase.clients.update
firebase.links.create
firebase.links.delete
firebase.links.list
firebase.links.update
firebase.playLinks.get
firebase.playLinks.list
firebase.playLinks.update
firebase.projects.delete
firebase.projects.get
firebase.projects.update

firebaseabt.*

firebaseabt.experimentresults.get
firebaseabt.experiments.create
firebaseabt.experiments.delete
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.experiments.update
firebaseabt.projectmetadata.get

firebaseanalytics.*

firebaseanalytics.resources.googleAnalyticsEdit
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.*

firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.appCheckTokens.verify
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update

firebaseappdistro.*

firebaseappdistro.groups.list
firebaseappdistro.groups.update
firebaseappdistro.releases.list
firebaseappdistro.releases.update
firebaseappdistro.testers.list
firebaseappdistro.testers.update

firebaseauth.*

firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update

firebasecrash.*

firebasecrash.issues.update
firebasecrash.reports.get

firebasecrashlytics.*

firebasecrashlytics.config.get
firebasecrashlytics.config.update
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.issues.update
firebasecrashlytics.sessions.get

firebasedatabase.*

firebasedatabase.instances.create
firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
firebasedatabase.instances.update

firebasedynamiclinks.*

firebasedynamiclinks.destinations.list
firebasedynamiclinks.destinations.update
firebasedynamiclinks.domains.create
firebasedynamiclinks.domains.delete
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.domains.update
firebasedynamiclinks.links.create
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.links.update
firebasedynamiclinks.stats.get

firebaseextensions.*

firebaseextensions.configs.create
firebaseextensions.configs.delete
firebaseextensions.configs.list
firebaseextensions.configs.update

firebaseextensionspublisher.*

firebaseextensionspublisher.extensions.create
firebaseextensionspublisher.extensions.delete
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list

firebasehosting.*

firebasehosting.sites.create
firebasehosting.sites.delete
firebasehosting.sites.get
firebasehosting.sites.list
firebasehosting.sites.update

firebaseinappmessaging.*

firebaseinappmessaging.campaigns.create
firebaseinappmessaging.campaigns.delete
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseinappmessaging.campaigns.update

firebasemessagingcampaigns.*

firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
firebasemessagingcampaigns.campaigns.update

firebaseml.*

firebaseml.models.create
firebaseml.models.delete
firebaseml.models.get
firebaseml.models.list
firebaseml.models.update
firebaseml.modelversions.create
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaseml.modelversions.update

firebasenotifications.*

firebasenotifications.messages.create
firebasenotifications.messages.delete
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasenotifications.messages.update

firebaseperformance.*

firebaseperformance.config.update
firebaseperformance.data.get

firebaserules.*

firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.releases.getExecutable
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
firebaserules.rulesets.test

firebasestorage.*

firebasestorage.buckets.addFirebase
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.buckets.removeFirebase

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

orgpolicy.policy.get

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.*

run.configurations.get
run.configurations.list
run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.runWithOverrides
run.jobs.setIamPolicy
run.jobs.update
run.locations.list
run.operations.delete
run.operations.get
run.operations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.createTagBinding
run.services.delete
run.services.deleteTagBinding
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.setIamPolicy
run.services.update
run.tasks.get
run.tasks.list

runtimeconfig.configs.create

runtimeconfig.configs.delete

runtimeconfig.configs.get

runtimeconfig.configs.list

runtimeconfig.configs.update

runtimeconfig.operations.*

runtimeconfig.operations.get
runtimeconfig.operations.list

runtimeconfig.variables.create

runtimeconfig.variables.delete

runtimeconfig.variables.get

runtimeconfig.variables.list

runtimeconfig.variables.update

runtimeconfig.variables.watch

runtimeconfig.waiters.create

runtimeconfig.waiters.delete

runtimeconfig.waiters.get

runtimeconfig.waiters.list

runtimeconfig.waiters.update

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Firebase Analytics Admin

(roles/firebase.analyticsAdmin)

Full access to Google Analytics for Firebase.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseanalytics.resources.googleAnalyticsEdit
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseextensions.configs.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Firebase Analytics Viewer

(roles/firebase.analyticsViewer)

Read access to Google Analytics for Firebase.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseextensions.configs.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Firebase Develop Admin

(roles/firebase.developAdmin)

Full access to Firebase Develop products and Analytics.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

appengine.applications.get

automl.*

automl.annotationSpecs.create
automl.annotationSpecs.delete
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotationSpecs.update
automl.annotations.approve
automl.annotations.create
automl.annotations.list
automl.annotations.manipulate
automl.annotations.reject
automl.columnSpecs.get
automl.columnSpecs.list
automl.columnSpecs.update
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.getIamPolicy
automl.datasets.import
automl.datasets.list
automl.datasets.setIamPolicy
automl.datasets.update
automl.examples.delete
automl.examples.get
automl.examples.list
automl.examples.update
automl.files.delete
automl.files.list
automl.humanAnnotationTasks.create
automl.humanAnnotationTasks.delete
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.create
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.getIamPolicy
automl.models.list
automl.models.predict
automl.models.setIamPolicy
automl.models.undeploy
automl.operations.cancel
automl.operations.delete
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
automl.tableSpecs.update

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.brands.update

clientauthconfig.clients.get

clientauthconfig.clients.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.*

cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.get
cloudfunctions.locations.list
cloudfunctions.operations.get
cloudfunctions.operations.list
cloudfunctions.runtimes.list

cloudnotifications.activities.list

datastore.*

datastore.databases.create
datastore.databases.createTagBinding
datastore.databases.deleteTagBinding
datastore.databases.export
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.import
datastore.databases.list
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastore.databases.update
datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.get
datastore.indexes.list
datastore.indexes.update
datastore.keyVisualizerScans.get
datastore.keyVisualizerScans.list
datastore.locations.get
datastore.locations.list
datastore.namespaces.get
datastore.namespaces.list
datastore.operations.cancel
datastore.operations.delete
datastore.operations.get
datastore.operations.list
datastore.statistics.get
datastore.statistics.list

errorreporting.groups.list

eventarc.*

eventarc.channelConnections.create
eventarc.channelConnections.delete
eventarc.channelConnections.get
eventarc.channelConnections.getIamPolicy
eventarc.channelConnections.list
eventarc.channelConnections.publish
eventarc.channelConnections.setIamPolicy
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.setIamPolicy
eventarc.channels.undelete
eventarc.channels.update
eventarc.events.receiveAuditLogWritten
eventarc.events.receiveEvent
eventarc.googleChannelConfigs.get
eventarc.googleChannelConfigs.update
eventarc.locations.get
eventarc.locations.list
eventarc.operations.cancel
eventarc.operations.delete
eventarc.operations.get
eventarc.operations.list
eventarc.providers.get
eventarc.providers.list
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
eventarc.triggers.undelete
eventarc.triggers.update

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseanalytics.resources.googleAnalyticsEdit
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.*

firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.appCheckTokens.verify
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update

firebaseauth.*

firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update

firebasedatabase.*

firebasedatabase.instances.create
firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
firebasedatabase.instances.update

firebaseextensions.configs.list

firebasehosting.*

firebasehosting.sites.create
firebasehosting.sites.delete
firebasehosting.sites.get
firebasehosting.sites.list
firebasehosting.sites.update

firebaseml.*

firebaseml.models.create
firebaseml.models.delete
firebaseml.models.get
firebaseml.models.list
firebaseml.models.update
firebaseml.modelversions.create
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaseml.modelversions.update

firebaserules.*

firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.releases.getExecutable
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
firebaserules.rulesets.test

firebasestorage.*

firebasestorage.buckets.addFirebase
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.buckets.removeFirebase

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

orgpolicy.policy.get

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceInsights.get
recommender.cloudFunctionsPerformanceInsights.list
recommender.cloudFunctionsPerformanceInsights.update

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.cloudFunctionsPerformanceRecommendations.get
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.update

recommender.iamPolicyInsights.*

recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityInsights.get
recommender.runServiceIdentityInsights.list
recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

recommender.runServiceIdentityRecommendations.get
recommender.runServiceIdentityRecommendations.list
recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityInsights.get
recommender.runServiceSecurityInsights.list
recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

recommender.runServiceSecurityRecommendations.get
recommender.runServiceSecurityRecommendations.list
recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.*

run.configurations.get
run.configurations.list
run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.run
run.jobs.runWithOverrides
run.jobs.setIamPolicy
run.jobs.update
run.locations.list
run.operations.delete
run.operations.get
run.operations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.invoke
run.routes.list
run.services.create
run.services.createTagBinding
run.services.delete
run.services.deleteTagBinding
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.setIamPolicy
run.services.update
run.tasks.get
run.tasks.list

runtimeconfig.configs.create

runtimeconfig.configs.delete

runtimeconfig.configs.get

runtimeconfig.configs.list

runtimeconfig.configs.update

runtimeconfig.operations.*

runtimeconfig.operations.get
runtimeconfig.operations.list

runtimeconfig.variables.create

runtimeconfig.variables.delete

runtimeconfig.variables.get

runtimeconfig.variables.list

runtimeconfig.variables.update

runtimeconfig.variables.watch

runtimeconfig.waiters.create

runtimeconfig.waiters.delete

runtimeconfig.waiters.get

runtimeconfig.waiters.list

runtimeconfig.waiters.update

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.*

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update

storage.multipartUploads.*

storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts

storage.objects.*

storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update

Firebase Develop Viewer

(roles/firebase.developViewer)

Read access to Firebase Develop products and Analytics.

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

clientauthconfig.brands.get

clientauthconfig.brands.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.*

cloudfunctions.locations.get
cloudfunctions.locations.list

cloudfunctions.operations.*

cloudfunctions.operations.get
cloudfunctions.operations.list

cloudfunctions.runtimes.list

cloudnotifications.activities.list

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

errorreporting.groups.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

firebaseauth.configs.get

firebaseauth.users.get

firebasedatabase.instances.get

firebasedatabase.instances.list

firebaseextensions.configs.list

firebasehosting.sites.get

firebasehosting.sites.list

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

firebasestorage.buckets.get

firebasestorage.buckets.list

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

run.tasks.get
run.tasks.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

Firebase Grow Admin

(roles/firebase.growthAdmin)

Full access to Firebase Grow products and Analytics.

clientauthconfig.clients.get

clientauthconfig.clients.list

cloudconfig.*

cloudconfig.configs.get
cloudconfig.configs.update

cloudmessaging.messages.create

cloudnotifications.activities.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.*

firebaseabt.experimentresults.get
firebaseabt.experiments.create
firebaseabt.experiments.delete
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.experiments.update
firebaseabt.projectmetadata.get

firebaseanalytics.*

firebaseanalytics.resources.googleAnalyticsEdit
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebasedynamiclinks.*

firebasedynamiclinks.destinations.list
firebasedynamiclinks.destinations.update
firebasedynamiclinks.domains.create
firebasedynamiclinks.domains.delete
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.domains.update
firebasedynamiclinks.links.create
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.links.update
firebasedynamiclinks.stats.get

firebaseextensions.configs.list

firebaseinappmessaging.*

firebaseinappmessaging.campaigns.create
firebaseinappmessaging.campaigns.delete
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseinappmessaging.campaigns.update

firebasemessagingcampaigns.*

firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
firebasemessagingcampaigns.campaigns.update

firebasenotifications.*

firebasenotifications.messages.create
firebasenotifications.messages.delete
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasenotifications.messages.update

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Firebase Grow Viewer

(roles/firebase.growthViewer)

Read access to Firebase Grow products and Analytics.

cloudconfig.configs.get

cloudnotifications.activities.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

firebaseextensions.configs.list

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

firebasenotifications.messages.get

firebasenotifications.messages.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Firebase Quality Admin

(roles/firebase.qualityAdmin)

Full access to Firebase Quality products and Analytics.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseanalytics.resources.googleAnalyticsEdit
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappdistro.*

firebaseappdistro.groups.list
firebaseappdistro.groups.update
firebaseappdistro.releases.list
firebaseappdistro.releases.update
firebaseappdistro.testers.list
firebaseappdistro.testers.update

firebasecrash.*

firebasecrash.issues.update
firebasecrash.reports.get

firebasecrashlytics.*

firebasecrashlytics.config.get
firebasecrashlytics.config.update
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.issues.update
firebasecrashlytics.sessions.get

firebaseextensions.configs.list

firebaseperformance.*

firebaseperformance.config.update
firebaseperformance.data.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Firebase Quality Viewer

(roles/firebase.qualityViewer)

Read access to Firebase Quality products and Analytics.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrash.reports.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

firebaseextensions.configs.list

firebaseperformance.data.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Firebase Viewer

(roles/firebase.viewer)

Read-only access to Firebase products.

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

clientauthconfig.brands.get

clientauthconfig.brands.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudconfig.configs.get

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.*

cloudfunctions.locations.get
cloudfunctions.locations.list

cloudfunctions.operations.*

cloudfunctions.operations.get
cloudfunctions.operations.list

cloudfunctions.runtimes.list

cloudnotifications.activities.list

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.get

cloudtoolresults.executions.get

cloudtoolresults.executions.list

cloudtoolresults.histories.get

cloudtoolresults.histories.list

cloudtoolresults.settings.get

cloudtoolresults.steps.get

cloudtoolresults.steps.list

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

errorreporting.groups.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.locations.get
eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.providers.get
eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebaseauth.configs.get

firebaseauth.users.get

firebasecrash.reports.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

firebasedatabase.instances.get

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.get

firebaseextensionspublisher.extensions.list

firebasehosting.sites.get

firebasehosting.sites.list

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

firebasenotifications.messages.get

firebasenotifications.messages.list

firebaseperformance.data.get

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

firebasestorage.buckets.get

firebasestorage.buckets.list

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.configurations.*

run.configurations.get
run.configurations.list

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

run.tasks.get
run.tasks.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

Firebase Products roles

Permissions

Firebase Remote Config Admin

(roles/cloudconfig.admin)

Full access to Firebase Remote Config resources.

cloudconfig.*

cloudconfig.configs.get
cloudconfig.configs.update

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Remote Config Viewer

(roles/cloudconfig.viewer)

Read access to Firebase Remote Config resources.

cloudconfig.configs.get

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Test Lab Admin

(roles/cloudtestservice.testAdmin)

Full access to all Test Lab features

cloudtestservice.*

cloudtestservice.environmentcatalog.get
cloudtestservice.matrices.create
cloudtestservice.matrices.get
cloudtestservice.matrices.update

cloudtoolresults.*

cloudtoolresults.executions.create
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.executions.update
cloudtoolresults.histories.create
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.create
cloudtoolresults.settings.get
cloudtoolresults.settings.update
cloudtoolresults.steps.create
cloudtoolresults.steps.get
cloudtoolresults.steps.list
cloudtoolresults.steps.update

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Firebase Test Lab Viewer

(roles/cloudtestservice.testViewer)

Read access to Test Lab features

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.get

cloudtoolresults.executions.get

cloudtoolresults.executions.list

cloudtoolresults.histories.get

cloudtoolresults.histories.list

cloudtoolresults.settings.get

cloudtoolresults.steps.get

cloudtoolresults.steps.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

Firebase A/B Testing Admin ^Beta

(roles/firebaseabt.admin)

Full read/write access to Firebase A/B Testing resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseabt.*

firebaseabt.experimentresults.get
firebaseabt.experiments.create
firebaseabt.experiments.delete
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.experiments.update
firebaseabt.projectmetadata.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase A/B Testing Viewer ^Beta

(roles/firebaseabt.viewer)

Read-only access to Firebase A/B Testing resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase App Check Admin

(roles/firebaseappcheck.admin)

Full management of Firebase App Check.

firebaseappcheck.*

firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.appCheckTokens.verify
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update

Firebase App Check Token Verifier

(roles/firebaseappcheck.tokenVerifier)

Access to token verification capabilities for Firebase App Check.

firebaseappcheck.appCheckTokens.verify

Firebase App Check Viewer

(roles/firebaseappcheck.viewer)

Read-only access for Firebase App Check.

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

Firebase App Distribution Admin

(roles/firebaseappdistro.admin)

Full read/write access to Firebase App Distribution resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseappdistro.*

firebaseappdistro.groups.list
firebaseappdistro.groups.update
firebaseappdistro.releases.list
firebaseappdistro.releases.update
firebaseappdistro.testers.list
firebaseappdistro.testers.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase App Distribution Viewer

(roles/firebaseappdistro.viewer)

Read-only access to Firebase App Distribution resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Authentication Admin

(roles/firebaseauth.admin)

Full read/write access to Firebase Authentication resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseauth.*

firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Authentication Viewer

(roles/firebaseauth.viewer)

Read-only access to Firebase Authentication resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseauth.configs.get

firebaseauth.users.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Crashlytics Admin

(roles/firebasecrashlytics.admin)

Full read/write access to Firebase Crashlytics resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasecrashlytics.*

firebasecrashlytics.config.get
firebasecrashlytics.config.update
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.issues.update
firebasecrashlytics.sessions.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Crashlytics Viewer

(roles/firebasecrashlytics.viewer)

Read-only access to Firebase Crashlytics resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Realtime Database Admin

(roles/firebasedatabase.admin)

Full read/write access to Firebase Realtime Database resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedatabase.*

firebasedatabase.instances.create
firebasedatabase.instances.delete
firebasedatabase.instances.disable
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.reenable
firebasedatabase.instances.undelete
firebasedatabase.instances.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Realtime Database Viewer

(roles/firebasedatabase.viewer)

Read-only access to Firebase Realtime Database resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedatabase.instances.get

firebasedatabase.instances.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Dynamic Links Admin

(roles/firebasedynamiclinks.admin)

Full read/write access to Firebase Dynamic Links resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedynamiclinks.*

firebasedynamiclinks.destinations.list
firebasedynamiclinks.destinations.update
firebasedynamiclinks.domains.create
firebasedynamiclinks.domains.delete
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.domains.update
firebasedynamiclinks.links.create
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.links.update
firebasedynamiclinks.stats.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Dynamic Links Viewer

(roles/firebasedynamiclinks.viewer)

Read-only access to Firebase Dynamic Links resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Extensions Publisher - Extensions Admin ^Beta

(roles/firebaseextensionspublisher.extensionsAdmin)

Fully manage Firebase Extensions

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseextensionspublisher.*

firebaseextensionspublisher.extensions.create
firebaseextensionspublisher.extensions.delete
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Extensions Publisher - Extensions Viewer ^Beta

(roles/firebaseextensionspublisher.extensionsViewer)

View Firebase Extensions

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseextensionspublisher.extensions.get

firebaseextensionspublisher.extensions.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Hosting Admin

(roles/firebasehosting.admin)

Full read/write access to Firebase Hosting resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasehosting.*

firebasehosting.sites.create
firebasehosting.sites.delete
firebasehosting.sites.get
firebasehosting.sites.list
firebasehosting.sites.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Hosting Viewer

(roles/firebasehosting.viewer)

Read-only access to Firebase Hosting resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasehosting.sites.get

firebasehosting.sites.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase In-App Messaging Admin ^Beta

(roles/firebaseinappmessaging.admin)

Full read/write access to Firebase In-App Messaging resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseinappmessaging.*

firebaseinappmessaging.campaigns.create
firebaseinappmessaging.campaigns.delete
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseinappmessaging.campaigns.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase In-App Messaging Viewer ^Beta

(roles/firebaseinappmessaging.viewer)

Read-only access to Firebase In-App Messaging resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Messaging Campaigns Admin ^Beta

(roles/firebasemessagingcampaigns.admin)

Full management of Firebase Messaging Campaigns.

firebasemessagingcampaigns.*

firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
firebasemessagingcampaigns.campaigns.update

Firebase Messaging Campaigns Viewer ^Beta

(roles/firebasemessagingcampaigns.viewer)

Read-only access for Firebase Messaging Campaigns.

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

Firebase ML Kit Admin ^Beta

(roles/firebaseml.admin)

Full read/write access to Firebase ML Kit resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseml.*

firebaseml.models.create
firebaseml.models.delete
firebaseml.models.get
firebaseml.models.list
firebaseml.models.update
firebaseml.modelversions.create
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaseml.modelversions.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase ML Kit Viewer ^Beta

(roles/firebaseml.viewer)

Read-only access to Firebase ML Kit resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Cloud Messaging Admin

(roles/firebasenotifications.admin)

Full read/write access to Firebase Cloud Messaging resources.

fcmdata.deliverydata.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasenotifications.*

firebasenotifications.messages.create
firebasenotifications.messages.delete
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasenotifications.messages.update

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Cloud Messaging Viewer

(roles/firebasenotifications.viewer)

Read-only access to Firebase Cloud Messaging resources.

fcmdata.deliverydata.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasenotifications.messages.get

firebasenotifications.messages.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Performance Reporting Admin

(roles/firebaseperformance.admin)

Full access to firebaseperformance resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseperformance.*

firebaseperformance.config.update
firebaseperformance.data.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Performance Reporting Viewer

(roles/firebaseperformance.viewer)

Read-only access to firebaseperformance resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseperformance.data.get

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Rules Admin

(roles/firebaserules.admin)

Full management of Firebase Rules.

firebaserules.*

firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.releases.getExecutable
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
firebaserules.rulesets.test

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Rules System

(roles/firebaserules.system)

Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.

datastore.databases.get

datastore.entities.*

datastore.entities.allocateIds
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

Firebase Rules Viewer

(roles/firebaserules.viewer)

Read-only access on all resources with the ability to test Rulesets.

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Storage for Firebase Admin ^Beta

(roles/firebasestorage.admin)

Full management of Cloud Storage for Firebase.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasestorage.*

firebasestorage.buckets.addFirebase
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.buckets.removeFirebase

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Storage for Firebase Viewer ^Beta

(roles/firebasestorage.viewer)

Read-only access for Cloud Storage for Firebase.

firebasestorage.buckets.get

firebasestorage.buckets.list

resourcemanager.projects.get

resourcemanager.projects.list

Fleet Engine roles

Permissions

Fleet Engine Consumer SDK User

(roles/fleetengine.consumerSdkUser)

Limited read access to Fleet Engine resources

fleetengine.trips.get

fleetengine.vehicles.get

fleetengine.vehicles.search

fleetengine.vehicles.searchFuzzed

Fleet Engine Delivery Consumer User

(roles/fleetengine.deliveryConsumer)

Limited read access to Fleet Engine Delivery resources

fleetengine.tasks.searchWithTrackingId

fleetengine.tasktrackinginfo.get

Fleet Engine Delivery Fleet Reader User

(roles/fleetengine.deliveryFleetReader)

Grants read access to all Fleet Engine Delivery resources

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.list

fleetengine.tasks.get

fleetengine.tasks.list

fleetengine.tasks.searchWithTrackingId

fleetengine.tasktrackinginfo.get

Fleet Engine Delivery Super User

(roles/fleetengine.deliverySuperUser)

Full access to Fleet Engine DeliveryVehicles and Tasks resources.

fleetengine.deliveryvehicles.*

fleetengine.deliveryvehicles.create
fleetengine.deliveryvehicles.get
fleetengine.deliveryvehicles.list
fleetengine.deliveryvehicles.update
fleetengine.deliveryvehicles.updateLocation
fleetengine.deliveryvehicles.updateVehicleStops

fleetengine.tasks.*

fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.tasks.searchWithTrackingId
fleetengine.tasks.update

fleetengine.tasktrackinginfo.get

resourcemanager.projects.get

resourcemanager.projects.list

Fleet Engine Delivery Trusted Driver User

(roles/fleetengine.deliveryTrustedDriver)

Read and write access to Fleet Engine Delivery resources

fleetengine.deliveryvehicles.create

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.update

fleetengine.deliveryvehicles.updateLocation

fleetengine.deliveryvehicles.updateVehicleStops

fleetengine.tasks.create

fleetengine.tasks.update

Fleet Engine Delivery Untrusted Driver User

(roles/fleetengine.deliveryUntrustedDriver)

Limited write access to Fleet Engine Delivery Vehicle resources

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.updateLocation

Fleet Engine Driver SDK User

(roles/fleetengine.driverSdkUser)

Read and limited update access to Fleet Engine resources

fleetengine.trips.get

fleetengine.trips.search

fleetengine.trips.update

fleetengine.vehicles.get

fleetengine.vehicles.updateLocation

Fleet Engine Service Super User

(roles/fleetengine.serviceSuperUser)

Full access to all Fleet Engine resources.

fleetengine.trips.*

fleetengine.trips.create
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.trips.updateState

fleetengine.vehicles.*

fleetengine.vehicles.create
fleetengine.vehicles.get
fleetengine.vehicles.list
fleetengine.vehicles.search
fleetengine.vehicles.searchFuzzed
fleetengine.vehicles.update
fleetengine.vehicles.updateLocation

resourcemanager.projects.get

resourcemanager.projects.list

Genomics roles

Permissions

Genomics Admin

(roles/genomics.admin)

Full access to genomics datasets and operations.

genomics.*

genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.datasets.update
genomics.operations.cancel
genomics.operations.create
genomics.operations.get
genomics.operations.list

Genomics Editor

(roles/genomics.editor)

Access to read and edit genomics datasets and operations.

genomics.datasets.create

genomics.datasets.delete

genomics.datasets.get

genomics.datasets.list

genomics.datasets.update

genomics.operations.*

genomics.operations.cancel
genomics.operations.create
genomics.operations.get
genomics.operations.list

Genomics Pipelines Runner

(roles/genomics.pipelinesRunner)

Full access to operate on genomics pipelines.

genomics.operations.*

genomics.operations.cancel
genomics.operations.create
genomics.operations.get
genomics.operations.list

Genomics Viewer

(roles/genomics.viewer)

Access to view genomics datasets and operations.

genomics.datasets.get

genomics.datasets.list

genomics.operations.get

genomics.operations.list

GKE Hub roles

Permissions

GKE Hub Admin

(roles/gkehub.admin)

Full access to GKE Hub resources.

gkehub.features.*

gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.features.update

gkehub.fleet.*

gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.memberships.*

gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.memberships.update

gkehub.operations.*

gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

GKE Connect Agent

(roles/gkehub.connect)

Ability to set up GKE Connect between external clusters and Google.

gkehub.endpoints.connect

GKE Hub Editor

(roles/gkehub.editor)

Edit access to GKE Hub resources.

gkehub.features.create

gkehub.features.delete

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.update

gkehub.fleet.*

gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.fleet.update

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.update

gkehub.operations.*

gkehub.operations.cancel
gkehub.operations.delete
gkehub.operations.get
gkehub.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Connect Gateway Admin

(roles/gkehub.gatewayAdmin)

Full access to Connect Gateway.

gkehub.gateway.*

gkehub.gateway.delete
gkehub.gateway.get
gkehub.gateway.getIamPolicy
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.gateway.setIamPolicy

serviceusage.services.get

Connect Gateway Editor

(roles/gkehub.gatewayEditor)

Edit access to Connect Gateway.

gkehub.gateway.delete

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

serviceusage.services.get

Connect Gateway Reader

(roles/gkehub.gatewayReader)

Read-only access to Connect Gateway.

gkehub.gateway.get

serviceusage.services.get

GKE Hub Viewer

(roles/gkehub.viewer)

Read-only access to GKE Hubs and related resources.

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.operations.get

gkehub.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

GKE on-prem roles

Permissions

GKE on-prem Admin

(roles/gkeonprem.admin)

Full access to GKE on-prem all resources.

gkeonprem.*

gkeonprem.bareMetalAdminClusters.connect
gkeonprem.bareMetalAdminClusters.create
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalAdminClusters.update
gkeonprem.bareMetalClusters.create
gkeonprem.bareMetalClusters.delete
gkeonprem.bareMetalClusters.enroll
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.bareMetalClusters.setIamPolicy
gkeonprem.bareMetalClusters.unenroll
gkeonprem.bareMetalClusters.update
gkeonprem.bareMetalNodePools.create
gkeonprem.bareMetalNodePools.delete
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.bareMetalNodePools.setIamPolicy
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.bareMetalNodePools.update
gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.connect
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareAdminClusters.update
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.queryVersionConfig
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.unenroll
gkeonprem.vmwareNodePools.update

resourcemanager.projects.get

resourcemanager.projects.list

GKE on-prem Viewer

(roles/gkeonprem.viewer)

Read-only access to GKE on-prem all resources.

gkeonprem.bareMetalAdminClusters.connect

gkeonprem.bareMetalAdminClusters.get

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalAdminClusters.queryVersionConfig

gkeonprem.bareMetalClusters.get

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalClusters.queryVersionConfig

gkeonprem.bareMetalNodePools.get

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.locations.*

gkeonprem.locations.get
gkeonprem.locations.list

gkeonprem.operations.get

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.connect

gkeonprem.vmwareAdminClusters.get

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareClusters.get

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareClusters.queryVersionConfig

gkeonprem.vmwareNodePools.get

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Workspace Add-ons roles

Permissions

Google Workspace Add-ons Developer

(roles/gsuiteaddons.developer)

Full access to Google Workspace Add-ons resources

gsuiteaddons.*

gsuiteaddons.authorizations.get
gsuiteaddons.deployments.create
gsuiteaddons.deployments.delete
gsuiteaddons.deployments.execute
gsuiteaddons.deployments.get
gsuiteaddons.deployments.install
gsuiteaddons.deployments.installStatus
gsuiteaddons.deployments.list
gsuiteaddons.deployments.uninstall
gsuiteaddons.deployments.update

resourcemanager.projects.get

resourcemanager.projects.list

Google Workspace Add-ons Reader

(roles/gsuiteaddons.reader)

Read-only access to Google Workspace Add-ons resources

gsuiteaddons.authorizations.get

gsuiteaddons.deployments.get

gsuiteaddons.deployments.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Workspace Add-ons Tester

(roles/gsuiteaddons.tester)

Testing execution access to Google Workspace Add-ons resources

gsuiteaddons.deployments.execute

gsuiteaddons.deployments.install

gsuiteaddons.deployments.installStatus

gsuiteaddons.deployments.uninstall

resourcemanager.projects.get

resourcemanager.projects.list

Hangouts Chat roles

Permissions

Chat Bots Owner

(roles/chat.owner)

Can view and modify bot configurations

chat.*

chat.bots.get
chat.bots.update

Chat Bots Viewer

(roles/chat.reader)

Can view bot configurations

chat.bots.get

IAM roles

Permissions

Deny Admin

(roles/iam.denyAdmin)

Deny admin role, with permissions to read and modify deny policies

Lowest-level resources where you can grant this role:

Organization

iam.denypolicies.*

iam.denypolicies.create
iam.denypolicies.delete
iam.denypolicies.get
iam.denypolicies.list
iam.denypolicies.update

Deny Reviewer

(roles/iam.denyReviewer)

Deny Reviewer role, with permissions to read deny policies

Lowest-level resources where you can grant this role:

Organization

iam.denypolicies.get

iam.denypolicies.list

Security Admin

(roles/iam.securityAdmin)

Security admin role, with permissions to get and set any IAM policy.

accessapproval.requests.list

accesscontextmanager.accessLevels.list

accesscontextmanager.accessPolicies.getIamPolicy

accesscontextmanager.accessPolicies.list

accesscontextmanager.accessPolicies.setIamPolicy

accesscontextmanager.accessZones.list

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.gcpUserAccessBindings.list

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.setIamPolicy

accesscontextmanager.servicePerimeters.list

actions.agentVersions.list

advisorynotifications.*

advisorynotifications.notifications.get
advisorynotifications.notifications.list

aiplatform.annotationSpecs.list

aiplatform.annotations.list

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.list

aiplatform.contexts.list

aiplatform.customJobs.list

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.list

aiplatform.datasets.list

aiplatform.deploymentResourcePools.list

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDevices.list

aiplatform.endpoints.list

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.list

aiplatform.entityTypes.setIamPolicy

aiplatform.executions.list

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.list

aiplatform.featureViews.list

aiplatform.features.list

aiplatform.featurestores.getIamPolicy

aiplatform.featurestores.list

aiplatform.featurestores.setIamPolicy

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.list

aiplatform.indexes.list

aiplatform.locations.list

aiplatform.metadataSchemas.list

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.list

aiplatform.models.list

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.list

aiplatform.schedules.list

aiplatform.specialistPools.list

aiplatform.studies.list

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboards.list

aiplatform.trainingPipelines.list

aiplatform.trials.list

alloydb.backups.list

alloydb.clusters.list

alloydb.instances.list

alloydb.locations.list

alloydb.operations.list

alloydb.supportedDatabaseFlags.list

alloydb.users.list

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apiconfigs.setIamPolicy

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.apis.setIamPolicy

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.gateways.setIamPolicy

apigateway.locations.list

apigateway.operations.list

apigee.apiproductattributes.list

apigee.apiproducts.list

apigee.appgroupapps.list

apigee.appgroups.list

apigee.apps.list

apigee.archivedeployments.list

apigee.caches.list

apigee.datacollectors.list

apigee.datastores.list

apigee.deployments.list

apigee.developerappattributes.list

apigee.developerapps.list

apigee.developerattributes.list

apigee.developers.list

apigee.developersubscriptions.list

apigee.endpointattachments.list

apigee.envgroupattachments.list

apigee.envgroups.list

apigee.environments.getIamPolicy

apigee.environments.list

apigee.environments.setIamPolicy

apigee.exports.list

apigee.flowhooks.list

apigee.hostqueries.list

apigee.hostsecurityreports.list

apigee.instanceattachments.list

apigee.instances.list

apigee.keystorealiases.list

apigee.keystores.list

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.nataddresses.list

apigee.operations.list

apigee.organizations.list

apigee.portals.list

apigee.proxies.list

apigee.proxyrevisions.list

apigee.queries.list

apigee.rateplans.list

apigee.references.list

apigee.reports.list

apigee.resourcefiles.list

apigee.securityIncidents.list

apigee.securityProfiles.list

apigee.securityreports.list

apigee.sharedflowrevisions.list

apigee.sharedflows.list

apigee.targetservers.list

apigee.traceconfigoverrides.list

apigee.tracesessions.list

apigeeconnect.connections.list

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.apis.setIamPolicy

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.artifacts.setIamPolicy

apigeeregistry.deployments.list

apigeeregistry.locations.list

apigeeregistry.operations.list

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.specs.setIamPolicy

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apigeeregistry.versions.setIamPolicy

apikeys.keys.list

appengine.instances.list

appengine.memcache.list

appengine.operations.list

appengine.services.list

appengine.versions.list

applianceactivation.rttCommands.list

artifactregistry.dockerimages.list

artifactregistry.files.list

artifactregistry.locations.list

artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.list

artifactregistry.packages.list

artifactregistry.pythonpackages.list

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.setIamPolicy

artifactregistry.tags.list

artifactregistry.versions.list

assuredworkloads.operations.list

assuredworkloads.violations.list

assuredworkloads.workload.list

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.list

automl.datasets.getIamPolicy

automl.datasets.list

automl.datasets.setIamPolicy

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.list

automl.locations.getIamPolicy

automl.locations.list

automl.locations.setIamPolicy

automl.modelEvaluations.list

automl.models.getIamPolicy

automl.models.list

automl.models.setIamPolicy

automl.operations.list

automl.tableSpecs.list

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.list

automlrecommendations.eventStores.list

automlrecommendations.events.list

automlrecommendations.placements.list

automlrecommendations.recommendations.list

autoscaling.sites.getIamPolicy

autoscaling.sites.setIamPolicy

backupdr.locations.list

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.setIamPolicy

backupdr.operations.list

baremetalsolution.instancequotas.list

baremetalsolution.instances.list

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.list

baremetalsolution.nfsshares.list

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.list

batch.jobs.list

batch.locations.list

batch.operations.list

batch.tasks.list

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnections.setIamPolicy

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appConnectors.setIamPolicy

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.appGateways.setIamPolicy

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.clientGateways.setIamPolicy

beyondcorp.locations.list

beyondcorp.operations.list

beyondcorp.subscriptions.list

biglake.catalogs.list

biglake.databases.list

biglake.locks.list

biglake.tables.list

bigquery.capacityCommitments.list

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.setIamPolicy

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.jobs.list

bigquery.models.list

bigquery.reservationAssignments.list

bigquery.reservations.list

bigquery.routines.list

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.savedqueries.list

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.setIamPolicy

bigquerymigration.locations.list

bigquerymigration.subtasks.list

bigquerymigration.workflows.list

bigtable.appProfiles.list

bigtable.backups.getIamPolicy

bigtable.backups.list

bigtable.backups.setIamPolicy

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.getIamPolicy

bigtable.instances.list

bigtable.instances.setIamPolicy

bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.getIamPolicy

bigtable.tables.list

bigtable.tables.setIamPolicy

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.setIamPolicy

billing.budgets.list

billing.credits.list

billing.resourceAssociations.list

billing.subscriptions.list

binaryauthorization.attestors.getIamPolicy

binaryauthorization.attestors.list

binaryauthorization.attestors.setIamPolicy

binaryauthorization.continuousValidationConfig.getIamPolicy

binaryauthorization.continuousValidationConfig.setIamPolicy

binaryauthorization.platformPolicies.list

binaryauthorization.policy.getIamPolicy

binaryauthorization.policy.setIamPolicy

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.list

blockchainnodeengine.operations.list

carestudio.patients.list

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.setIamPolicy

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.setIamPolicy

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.setIamPolicy

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.setIamPolicy

certificatemanager.locations.list

certificatemanager.operations.list

certificatemanager.trustconfigs.list

chronicle.collectors.list

chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.list

chronicle.curatedRules.list

chronicle.dashboards.list

chronicle.extensionValidationReports.list

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.list

chronicle.forwarders.list

chronicle.logTypeSchemas.list

chronicle.operations.list

chronicle.parserExtensions.list

chronicle.parsers.list

chronicle.parsingErrors.list

chronicle.referenceLists.list

chronicle.retrohunts.list

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.list

chronicle.validationErrors.list

clientauthconfig.brands.list

clientauthconfig.clients.list

cloud.locations.list

cloudasset.assets.searchAllResources

cloudasset.feeds.list

cloudasset.savedqueries.list

cloudbuild.builds.list

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.connections.setIamPolicy

cloudbuild.integrations.list

cloudbuild.repositories.list

cloudbuild.workerpools.list

cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.setIamPolicy

clouddeploy.jobRuns.list

clouddeploy.locations.list

clouddeploy.operations.list

clouddeploy.releases.list

clouddeploy.rollouts.list

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.setIamPolicy

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.functions.setIamPolicy

cloudfunctions.locations.list

cloudfunctions.operations.list

cloudfunctions.runtimes.list

cloudiot.devices.list

cloudiot.registries.getIamPolicy

cloudiot.registries.list

cloudiot.registries.setIamPolicy

cloudjobdiscovery.companies.list

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.ekmConfigs.getIamPolicy

cloudkms.ekmConfigs.setIamPolicy

cloudkms.ekmConnections.getIamPolicy

cloudkms.ekmConnections.list

cloudkms.ekmConnections.setIamPolicy

cloudkms.importJobs.getIamPolicy

cloudkms.importJobs.list

cloudkms.importJobs.setIamPolicy

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.list

cloudkms.keyRings.setIamPolicy

cloudkms.locations.list

cloudnotifications.activities.list

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/fileshares.list

cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.getIamPolicy

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.catalogs.setIamPolicy

cloudprivatecatalogproducer.producerCatalogs.getIamPolicy

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.producerCatalogs.setIamPolicy

cloudprivatecatalogproducer.products.getIamPolicy

cloudprivatecatalogproducer.products.list

cloudprivatecatalogproducer.products.setIamPolicy

cloudprofiler.profiles.list

cloudscheduler.jobs.list

cloudscheduler.locations.list

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.list

cloudsql.backupRuns.list

cloudsql.databases.list

cloudsql.instances.list

cloudsql.sslCerts.list

cloudsql.users.list

cloudsupport.accounts.getIamPolicy

cloudsupport.accounts.list

cloudsupport.accounts.setIamPolicy

cloudsupport.techCases.list

cloudtasks.locations.list

cloudtasks.queues.getIamPolicy

cloudtasks.queues.list

cloudtasks.queues.setIamPolicy

cloudtasks.tasks.list

cloudtoolresults.executions.list

cloudtoolresults.histories.list

cloudtoolresults.steps.list

cloudtrace.insights.list

cloudtrace.tasks.list

cloudtrace.traces.list

cloudtranslate.customModels.list

cloudtranslate.datasets.list

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.list

cloudtranslate.locations.list

cloudtranslate.operations.list

cloudvolumesgcp-api.netapp.com/activeDirectories.list

cloudvolumesgcp-api.netapp.com/ipRanges.list

cloudvolumesgcp-api.netapp.com/jobs.list

cloudvolumesgcp-api.netapp.com/regions.list

cloudvolumesgcp-api.netapp.com/serviceLevels.list

cloudvolumesgcp-api.netapp.com/snapshots.list

cloudvolumesgcp-api.netapp.com/volumereplication.list

cloudvolumesgcp-api.netapp.com/volumes.list

commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.resellerDiscountOffers.list

commerceoffercatalog.agreements.list

commerceoffercatalog.documents.list

commerceorggovernance.collections.list

commerceorggovernance.services.list

commerceprice.events.list

commerceprice.privateoffers.list

composer.dags.list

composer.environments.list

composer.imageversions.list

composer.operations.list

compute.acceleratorTypes.list

compute.addresses.list

compute.autoscalers.list

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.setIamPolicy

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.setIamPolicy

compute.commitments.list

compute.diskTypes.list

compute.disks.getIamPolicy

compute.disks.list

compute.disks.setIamPolicy

compute.externalVpnGateways.list

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.setIamPolicy

compute.firewalls.list

compute.forwardingRules.list

compute.globalAddresses.list

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.list

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.list

compute.httpHealthChecks.list

compute.httpsHealthChecks.list

compute.images.getIamPolicy

compute.images.list

compute.images.setIamPolicy

compute.instanceGroupManagers.list

compute.instanceGroups.list

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instanceTemplates.setIamPolicy

compute.instances.getIamPolicy

compute.instances.list

compute.instances.setIamPolicy

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.instantSnapshots.setIamPolicy

compute.interconnectAttachments.list

compute.interconnectLocations.list

compute.interconnectRemoteLocations.list

compute.interconnects.list

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenseCodes.setIamPolicy

compute.licenses.getIamPolicy

compute.licenses.list

compute.licenses.setIamPolicy

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineImages.setIamPolicy

compute.machineTypes.list

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.maintenancePolicies.setIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.setIamPolicy

compute.networks.list

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeGroups.setIamPolicy

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTemplates.setIamPolicy

compute.nodeTypes.list

compute.packetMirrorings.list

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.setIamPolicy

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.setIamPolicy

compute.regionHealthCheckServices.list

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.list

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

compute.regionSecurityPolicies.list

compute.regionSslCertificates.list

compute.regionSslPolicies.list

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.list

compute.regions.list

compute.reservations.list

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.resourcePolicies.setIamPolicy

compute.routers.list

compute.routes.list

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.setIamPolicy

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.setIamPolicy

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.setIamPolicy

compute.sslCertificates.list

compute.sslPolicies.list

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.targetGrpcProxies.list

compute.targetHttpProxies.list

compute.targetHttpsProxies.list

compute.targetInstances.list

compute.targetPools.list

compute.targetSslProxies.list

compute.targetTcpProxies.list

compute.targetVpnGateways.list

compute.urlMaps.list

compute.vpnGateways.list

compute.vpnTunnels.list

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zoneOperations.setIamPolicy

compute.zones.list

confidentialcomputing.locations.list

config.deployments.getIamPolicy

config.deployments.list

config.deployments.setIamPolicy

config.locations.list

config.operations.list

config.resources.list

config.revisions.list

connectors.actions.list

connectors.connections.getIamPolicy

connectors.connections.list

connectors.connections.setIamPolicy

connectors.connectors.list

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.endpointAttachments.setIamPolicy

connectors.entities.list

connectors.entityTypes.list

connectors.eventSubscriptions.list

connectors.eventtypes.list

connectors.locations.list

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.managedZones.setIamPolicy

connectors.operations.list

connectors.providers.list

connectors.versions.list

consumerprocurement.accounts.list

consumerprocurement.consents.list

consumerprocurement.entitlements.list

consumerprocurement.events.list

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.list

consumerprocurement.orders.list

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.list

contactcenterinsights.analyses.list

contactcenterinsights.conversations.list

contactcenterinsights.issueModels.list

contactcenterinsights.issues.list

contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.list

contactcenterinsights.views.list

container.apiServices.list

container.auditSinks.list

container.backendConfigs.list

container.bindings.list

container.certificateSigningRequests.list

container.clusterRoleBindings.list

container.clusterRoles.list

container.clusters.list

container.componentStatuses.list

container.configMaps.list

container.controllerRevisions.list

container.cronJobs.list

container.csiDrivers.list

container.csiNodeInfos.list

container.csiNodes.list

container.customResourceDefinitions.list

container.daemonSets.list

container.deployments.list

container.endpointSlices.list

container.endpoints.list

container.events.list

container.frontendConfigs.list

container.horizontalPodAutoscalers.list

container.ingresses.list

container.initializerConfigurations.list

container.jobs.list

container.leases.list

container.limitRanges.list

container.localSubjectAccessReviews.list

container.managedCertificates.list

container.mutatingWebhookConfigurations.list

container.namespaces.list

container.networkPolicies.list

container.nodes.list

container.operations.list

container.persistentVolumeClaims.list

container.persistentVolumes.list

container.petSets.list

container.podDisruptionBudgets.list

container.podPresets.list

container.podSecurityPolicies.list

container.podTemplates.list

container.pods.list

container.priorityClasses.list

container.replicaSets.list

container.replicationControllers.list

container.resourceQuotas.list

container.roleBindings.list

container.roles.list

container.runtimeClasses.list

container.scheduledJobs.list

container.selfSubjectAccessReviews.list

container.serviceAccounts.list

container.services.list

container.statefulSets.list

container.storageClasses.list

container.storageStates.list

container.storageVersionMigrations.list

container.subjectAccessReviews.list

container.thirdPartyObjects.list

container.thirdPartyResources.list

container.updateInfos.list

container.validatingWebhookConfigurations.list

container.volumeAttachments.list

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.list

container.volumeSnapshots.list

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.notes.setIamPolicy

containeranalysis.occurrences.getIamPolicy

containeranalysis.occurrences.list

containeranalysis.occurrences.setIamPolicy

containersecurity.clusterSummaries.list

containersecurity.findings.list

containersecurity.locations.list

containersecurity.workloadConfigAudits.list

contentwarehouse.documentSchemas.list

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.setIamPolicy

contentwarehouse.ruleSets.list

contentwarehouse.synonymSets.list

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.getIamPolicy

datacatalog.entries.list

datacatalog.entries.setIamPolicy

datacatalog.entryGroups.getIamPolicy

datacatalog.entryGroups.list

datacatalog.entryGroups.setIamPolicy

datacatalog.relationships.list

datacatalog.tagTemplates.getIamPolicy

datacatalog.tagTemplates.setIamPolicy

datacatalog.taxonomies.getIamPolicy

datacatalog.taxonomies.list

datacatalog.taxonomies.setIamPolicy

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.connectors.setIamPolicy

dataconnectors.locations.list

dataconnectors.operations.list

dataflow.jobs.list

dataflow.messages.list

dataflow.snapshots.list

dataform.compilationResults.list

dataform.locations.list

dataform.releaseConfigs.list

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.setIamPolicy

dataform.workflowConfigs.list

dataform.workflowInvocations.list

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.setIamPolicy

datafusion.artifacts.list

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.instances.setIamPolicy

datafusion.locations.list

datafusion.operations.list

datafusion.pipelineConnections.list

datafusion.pipelines.list

datafusion.profiles.list

datafusion.secureKeys.list

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.list

datalabeling.dataitems.list

datalabeling.datasets.list

datalabeling.examples.list

datalabeling.instructions.list

datalabeling.operations.list

datalineage.events.list

datalineage.processes.list

datalineage.runs.list

datamigration.connectionprofiles.getIamPolicy

datamigration.connectionprofiles.list

datamigration.connectionprofiles.setIamPolicy

datamigration.conversionworkspaces.getIamPolicy

datamigration.conversionworkspaces.list

datamigration.conversionworkspaces.setIamPolicy

datamigration.locations.list

datamigration.mappingrules.getIamPolicy

datamigration.mappingrules.setIamPolicy

datamigration.migrationjobs.getIamPolicy

datamigration.migrationjobs.list

datamigration.migrationjobs.setIamPolicy

datamigration.operations.list

datamigration.privateconnections.getIamPolicy

datamigration.privateconnections.list

datamigration.privateconnections.setIamPolicy

datapipelines.jobs.list

datapipelines.pipelines.list

dataplex.assetActions.list

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.content.setIamPolicy

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.setIamPolicy

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.setIamPolicy

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.setIamPolicy

dataplex.entities.list

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.setIamPolicy

dataplex.lakeActions.list

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.setIamPolicy

dataplex.locations.list

dataplex.operations.list

dataplex.partitions.list

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.setIamPolicy

dataplex.zoneActions.list

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.setIamPolicy

dataproc.agents.list

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.setIamPolicy

dataproc.batches.list

dataproc.clusters.getIamPolicy

dataproc.clusters.list

dataproc.clusters.setIamPolicy

dataproc.jobs.getIamPolicy

dataproc.jobs.list

dataproc.jobs.setIamPolicy

dataproc.operations.getIamPolicy

dataproc.operations.list

dataproc.operations.setIamPolicy

dataproc.workflowTemplates.getIamPolicy

dataproc.workflowTemplates.list

dataproc.workflowTemplates.setIamPolicy

dataprocessing.datasources.list

dataprocessing.featurecontrols.list

dataprocessing.groupcontrols.list

datastore.databases.list

datastore.entities.list

datastore.indexes.list

datastore.keyVisualizerScans.list

datastore.locations.list

datastore.namespaces.list

datastore.operations.list

datastore.statistics.list

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.connectionProfiles.setIamPolicy

datastream.locations.list

datastream.objects.list

datastream.operations.list

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.privateConnections.setIamPolicy

datastream.routes.getIamPolicy

datastream.routes.list

datastream.routes.setIamPolicy

datastream.streams.getIamPolicy

datastream.streams.list

datastream.streams.setIamPolicy

datastudio.datasources.getIamPolicy

datastudio.datasources.setIamPolicy

datastudio.reports.getIamPolicy

datastudio.reports.setIamPolicy

datastudio.workspaces.getIamPolicy

datastudio.workspaces.setIamPolicy

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.getIamPolicy

deploymentmanager.deployments.list

deploymentmanager.deployments.setIamPolicy

deploymentmanager.manifests.list

deploymentmanager.operations.list

deploymentmanager.resources.list

deploymentmanager.typeProviders.list

deploymentmanager.types.list

dialogflow.agents.list

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.list

dialogflow.contexts.list

dialogflow.conversationDatasets.list

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.conversations.list

dialogflow.deployments.list

dialogflow.documents.list

dialogflow.entityTypes.list

dialogflow.environments.list

dialogflow.experiments.list

dialogflow.flows.list

dialogflow.integrations.list

dialogflow.intents.list

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.list

dialogflow.pages.list

dialogflow.participants.list

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.list

dialogflow.testcases.list

dialogflow.transitionRouteGroups.list

dialogflow.versions.list

dialogflow.webhooks.list

discoveryengine.documents.list

discoveryengine.operations.list

dlp.analyzeRiskTemplates.list

dlp.columnDataProfiles.list

dlp.deidentifyTemplates.list

dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.list

dlp.jobTriggers.list

dlp.jobs.list

dlp.locations.list

dlp.projectDataProfiles.list

dlp.storedInfoTypes.list

dlp.subscriptions.list

dlp.tableDataProfiles.list

dns.changes.list

dns.dnsKeys.list

dns.managedZoneOperations.list

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.setIamPolicy

dns.policies.getIamPolicy

dns.policies.list

dns.policies.setIamPolicy

dns.resourceRecordSets.list

dns.responsePolicies.list

dns.responsePolicyRules.list

documentai.dataLabelingJobs.list

documentai.evaluations.list

documentai.labelerPools.list

documentai.locations.list

documentai.processorTypes.list

documentai.processorVersions.list

documentai.processors.list

domains.locations.list

domains.operations.list

domains.registrations.getIamPolicy

domains.registrations.list

domains.registrations.setIamPolicy

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.assets.setIamPolicy

earthengine.operations.list

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.clusters.setIamPolicy

edgecontainer.locations.list

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.machines.setIamPolicy

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.nodePools.setIamPolicy

edgecontainer.operations.list

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

edgecontainer.vpnConnections.setIamPolicy

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnectAttachments.setIamPolicy

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.interconnects.setIamPolicy

edgenetwork.locations.list

edgenetwork.networks.getIamPolicy

edgenetwork.networks.list

edgenetwork.networks.setIamPolicy

edgenetwork.operations.list

edgenetwork.routers.getIamPolicy

edgenetwork.routers.list

edgenetwork.routers.setIamPolicy

edgenetwork.routes.list

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.list

edgenetwork.subnetworks.setIamPolicy

edgenetwork.zones.list

enterpriseknowledgegraph.entityReconciliationJobs.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groups.list

essentialcontacts.contacts.list

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.setIamPolicy

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.setIamPolicy

eventarc.locations.list

eventarc.operations.list

eventarc.providers.list

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.setIamPolicy

fcmdata.deliverydata.list

file.backups.list

file.instances.list

file.locations.list

file.operations.list

firebase.clients.list

firebase.links.list

firebase.playLinks.list

firebaseabt.experiments.list

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrashlytics.issues.list

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.list

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.list

firebasehosting.sites.list

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.list

firebaseml.models.list

firebaseml.modelversions.list

firebasenotifications.messages.list

firebaserules.releases.list

firebaserules.rulesets.list

firebasestorage.buckets.list

fleetengine.deliveryvehicles.list

fleetengine.tasks.list

fleetengine.vehicles.list

gameservices.gameServerClusters.list

gameservices.gameServerConfigs.list

gameservices.gameServerDeployments.list

gameservices.locations.list

gameservices.operations.list

gameservices.realms.list

gcp.redisenterprise.com/databases.list

gcp.redisenterprise.com/subscriptions.list

genomics.datasets.getIamPolicy

genomics.datasets.list

genomics.datasets.setIamPolicy

genomics.operations.list

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backupPlans.setIamPolicy

gkebackup.backups.list

gkebackup.locations.list

gkebackup.operations.list

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restorePlans.setIamPolicy

gkebackup.restores.list

gkebackup.volumeBackups.list

gkebackup.volumeRestores.list

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.setIamPolicy

gkehub.gateway.getIamPolicy

gkehub.gateway.setIamPolicy

gkehub.locations.list

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.setIamPolicy

gkehub.operations.list

gkemulticloud.attachedClusters.list

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.list

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.list

gkemulticloud.operations.list

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalAdminClusters.setIamPolicy

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalClusters.setIamPolicy

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.bareMetalNodePools.setIamPolicy

gkeonprem.locations.list

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareAdminClusters.setIamPolicy

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareClusters.setIamPolicy

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

gkeonprem.vmwareNodePools.setIamPolicy

gsuiteaddons.deployments.list

healthcare.annotationStores.getIamPolicy

healthcare.annotationStores.list

healthcare.annotationStores.setIamPolicy

healthcare.annotations.list

healthcare.attributeDefinitions.list

healthcare.consentArtifacts.list

healthcare.consentStores.getIamPolicy

healthcare.consentStores.list

healthcare.consentStores.setIamPolicy

healthcare.consents.list

healthcare.datasets.getIamPolicy

healthcare.datasets.list

healthcare.datasets.setIamPolicy

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.dicomStores.setIamPolicy

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.list

healthcare.fhirStores.setIamPolicy

healthcare.hl7V2Messages.list

healthcare.hl7V2Stores.getIamPolicy

healthcare.hl7V2Stores.list

healthcare.hl7V2Stores.setIamPolicy

healthcare.locations.list

healthcare.operations.list

healthcare.userDataMappings.list

iam.denypolicies.list

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePoolProviders.list

iam.googleapis.com/workforcePools.getIamPolicy

iam.googleapis.com/workforcePools.list

iam.googleapis.com/workforcePools.setIamPolicy

iam.googleapis.com/workloadIdentityPoolProviderKeys.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

iam.roles.get

iam.roles.list

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.setIamPolicy

iap.tunnel.*

iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.list

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy

iap.tunnelZones.*

iap.tunnelZones.getIamPolicy
iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

identitytoolkit.tenants.setIamPolicy

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.endpoints.setIamPolicy

ids.locations.list

ids.operations.list

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.apigeeSuspensions.list

integrations.authConfigs.list

integrations.certificates.list

integrations.executions.list

integrations.integrationVersions.list

integrations.integrations.list

integrations.securityAuthConfigs.list

integrations.securityExecutions.list

integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.list

integrations.securityIntegrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

integrations.suspensions.list

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.list

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.krmApiHosts.setIamPolicy

krmapihosting.locations.list

krmapihosting.operations.list

lifesciences.operations.list

livestream.channels.list

livestream.events.list

livestream.inputs.list

livestream.locations.list

livestream.operations.list

logging.buckets.list

logging.exclusions.list

logging.links.list

logging.locations.list

logging.logEntries.list

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.list

logging.operations.list

logging.privateLogEntries.list

logging.queries.list

logging.sinks.list

logging.views.list

looker.backups.list

looker.instances.list

looker.locations.list

looker.operations.list

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.backups.setIamPolicy

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.setIamPolicy

managedidentities.locations.list

managedidentities.operations.list

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.peerings.setIamPolicy

managedidentities.sqlintegrations.list

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.list

mapsadmin.styleSnapshots.list

mapsplatformdatasets.datasets.list

memcache.instances.list

memcache.locations.list

memcache.operations.list

metastore.backups.getIamPolicy

metastore.backups.list

metastore.backups.setIamPolicy

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.setIamPolicy

metastore.federations.getIamPolicy

metastore.federations.list

metastore.federations.setIamPolicy

metastore.imports.list

metastore.locations.list

metastore.operations.list

metastore.services.getIamPolicy

metastore.services.list

metastore.services.setIamPolicy

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.setIamPolicy

migrationcenter.assets.list

migrationcenter.errorFrames.list

migrationcenter.groups.list

migrationcenter.importDataFiles.list

migrationcenter.importJobs.list

migrationcenter.locations.list

migrationcenter.operations.list

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.list

migrationcenter.reports.list

migrationcenter.sources.list

ml.jobs.getIamPolicy

ml.jobs.list

ml.jobs.setIamPolicy

ml.locations.list

ml.models.getIamPolicy

ml.models.list

ml.models.setIamPolicy

ml.operations.list

ml.studies.getIamPolicy

ml.studies.list

ml.studies.setIamPolicy

ml.trials.list

ml.versions.list

monitoring.alertPolicies.list

monitoring.dashboards.list

monitoring.groups.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.list

monitoring.publicWidgets.list

monitoring.services.list

monitoring.slos.list

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.list

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.groups.setIamPolicy

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.setIamPolicy

networkconnectivity.internalRanges.getIamPolicy

networkconnectivity.internalRanges.list

networkconnectivity.internalRanges.setIamPolicy

networkconnectivity.locations.list

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.getIamPolicy

networkconnectivity.policyBasedRoutes.list

networkconnectivity.policyBasedRoutes.setIamPolicy

networkconnectivity.serviceClasses.list

networkconnectivity.serviceConnectionMaps.list

networkconnectivity.serviceConnectionPolicies.list

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

networkconnectivity.spokes.setIamPolicy

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.connectivitytests.setIamPolicy

networkmanagement.locations.list

networkmanagement.operations.list

networksecurity.authorizationPolicies.getIamPolicy

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.setIamPolicy

networksecurity.clientTlsPolicies.getIamPolicy

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.setIamPolicy

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.list

networksecurity.operations.list

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.getIamPolicy

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.setIamPolicy

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.getIamPolicy

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.setIamPolicy

networkservices.endpointPolicies.getIamPolicy

networkservices.endpointPolicies.list

networkservices.endpointPolicies.setIamPolicy

networkservices.gateways.list

networkservices.grpcRoutes.getIamPolicy

networkservices.grpcRoutes.list

networkservices.grpcRoutes.setIamPolicy

networkservices.httpFilters.getIamPolicy

networkservices.httpFilters.list

networkservices.httpFilters.setIamPolicy

networkservices.httpRoutes.getIamPolicy

networkservices.httpRoutes.list

networkservices.httpRoutes.setIamPolicy

networkservices.httpfilters.getIamPolicy

networkservices.httpfilters.list

networkservices.httpfilters.setIamPolicy

networkservices.locations.list

networkservices.meshes.getIamPolicy

networkservices.meshes.list

networkservices.meshes.setIamPolicy

networkservices.operations.list

networkservices.serviceBindings.list

networkservices.tcpRoutes.getIamPolicy

networkservices.tcpRoutes.list

networkservices.tcpRoutes.setIamPolicy

networkservices.tlsRoutes.list

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.environments.setIamPolicy

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.executions.setIamPolicy

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.instances.setIamPolicy

notebooks.locations.list

notebooks.operations.list

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.runtimes.setIamPolicy

notebooks.schedules.getIamPolicy

notebooks.schedules.list

notebooks.schedules.setIamPolicy

ondemandscanning.operations.list

opsconfigmonitoring.resourceMetadata.list

orgpolicy.constraints.list

orgpolicy.customConstraints.list

orgpolicy.policies.list

osconfig.guestPolicies.list

osconfig.instanceOSPoliciesCompliances.list

osconfig.inventories.list

osconfig.osPolicyAssignmentReports.list

osconfig.osPolicyAssignments.list

osconfig.patchDeployments.list

osconfig.patchJobs.list

osconfig.vulnerabilityReports.list

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

policysimulator.*

policysimulator.replayResults.list
policysimulator.replays.create
policysimulator.replays.get
policysimulator.replays.list
policysimulator.replays.run

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.setIamPolicy

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.setIamPolicy

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.setIamPolicy

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.setIamPolicy

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.setIamPolicy

privateca.locations.list

privateca.operations.list

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.setIamPolicy

proximitybeacon.attachments.list

proximitybeacon.beacons.getIamPolicy

proximitybeacon.beacons.list

proximitybeacon.beacons.setIamPolicy

proximitybeacon.namespaces.getIamPolicy

proximitybeacon.namespaces.list

proximitybeacon.namespaces.setIamPolicy

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.schemas.setIamPolicy

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.snapshots.setIamPolicy

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.subscriptions.setIamPolicy

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsublite.operations.list

pubsublite.reservations.list

pubsublite.subscriptions.list

pubsublite.topics.list

recaptchaenterprise.keys.list

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.list

recommender.cloudAssetInsights.list

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.list

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeFirewallInsights.list

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.list

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.list

recommender.costInsights.list

recommender.dataflowDiagnosticsInsights.list

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.list

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.list

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.list

recommender.iamServiceAccountInsights.list

recommender.locations.list

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.list

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.list

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.list

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.list

recommender.usageCommitmentRecommendations.list

redis.instances.list

redis.locations.list

redis.operations.list

remotebuildexecution.instances.list

remotebuildexecution.workerpools.list

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.folders.setIamPolicy

resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.setIamPolicy

resourcemanager.tagHolds.list

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.list

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValues.getIamPolicy

resourcemanager.tagValues.list

resourcemanager.tagValues.setIamPolicy

resourcesettings.settings.list

retail.catalogs.list

retail.controls.list

retail.models.list

retail.operations.list

retail.products.list

retail.servingConfigs.list

riskmanager.controlScoreBreakdowns.list

riskmanager.operations.list

riskmanager.policies.list

riskmanager.reports.list

rma.collectors.list

rma.locations.list

rma.operations.list

run.configurations.list

run.executions.list

run.jobs.getIamPolicy

run.jobs.list

run.jobs.setIamPolicy

run.locations.list

run.operations.list

run.revisions.list

run.routes.list

run.services.getIamPolicy

run.services.list

run.services.setIamPolicy

run.tasks.list

runapps.applications.list

runapps.deployments.list

runapps.locations.list

runapps.operations.list

runtimeconfig.configs.getIamPolicy

runtimeconfig.configs.list

runtimeconfig.configs.setIamPolicy

runtimeconfig.operations.list

runtimeconfig.variables.getIamPolicy

runtimeconfig.variables.list

runtimeconfig.variables.setIamPolicy

runtimeconfig.waiters.getIamPolicy

runtimeconfig.waiters.list

runtimeconfig.waiters.setIamPolicy

secretmanager.locations.list

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.secrets.setIamPolicy

secretmanager.versions.list

securedlandingzone.overwatches.list

securitycenter.assets.list

securitycenter.bigQueryExports.list

securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.findings.list

securitycenter.muteconfigs.list

securitycenter.notificationconfig.list

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.sources.getIamPolicy

securitycenter.sources.list

securitycenter.sources.setIamPolicy

servicebroker.bindingoperations.list

servicebroker.bindings.getIamPolicy

servicebroker.bindings.list

servicebroker.bindings.setIamPolicy

servicebroker.catalogs.getIamPolicy

servicebroker.catalogs.list

servicebroker.catalogs.setIamPolicy

servicebroker.instanceoperations.list

servicebroker.instances.getIamPolicy

servicebroker.instances.list

servicebroker.instances.setIamPolicy

serviceconsumermanagement.tenancyu.list

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.setIamPolicy

servicedirectory.locations.list

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.setIamPolicy

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.setIamPolicy

servicehealth.events.list

servicehealth.locations.list

servicehealth.organizationEvents.list

servicehealth.organizationImpacts.list

servicemanagement.services.getIamPolicy

servicemanagement.services.list

servicemanagement.services.setIamPolicy

servicenetworking.operations.list

servicesecurityinsights.clusterSecurityInfo.list

servicesecurityinsights.securityInfo.list

servicesecurityinsights.workloadPolicies.list

serviceusage.operations.list

serviceusage.services.list

source.repos.getIamPolicy

source.repos.list

source.repos.setIamPolicy

spanner.backupOperations.list

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.setIamPolicy

spanner.instanceConfigOperations.list

spanner.instanceConfigs.list

spanner.instanceOperations.list

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.setIamPolicy

spanner.sessions.list

speakerid.phrases.list

speakerid.speakers.list

speech.customClasses.list

speech.locations.list

speech.operations.list

speech.phraseSets.list

speech.recognizers.list

stackdriver.resourceMetadata.list

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.hmacKeys.list

storage.multipartUploads.list

storage.objects.getIamPolicy

storage.objects.list

storage.objects.setIamPolicy

storageinsights.locations.list

storageinsights.operations.list

storageinsights.reportConfigs.list

storageinsights.reportDetails.list

storagetransfer.agentpools.list

storagetransfer.jobs.list

storagetransfer.operations.list

stream.locations.list

stream.operations.list

stream.streamContents.list

stream.streamInstances.list

timeseriesinsights.datasets.list

timeseriesinsights.locations.list

tpu.acceleratortypes.list

tpu.locations.list

tpu.nodes.list

tpu.operations.list

tpu.runtimeversions.list

tpu.tensorflowversions.list

transcoder.jobTemplates.list

transcoder.jobs.list

transferappliance.appliances.list

transferappliance.locations.list

transferappliance.operations.list

transferappliance.orders.list

transferappliance.savedAddresses.list

translationhub.portals.list

videostitcher.cdnKeys.list

videostitcher.liveAdTagDetails.list

videostitcher.slates.list

videostitcher.vodAdTagDetails.list

videostitcher.vodStitchDetails.list

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.analyses.setIamPolicy

visionai.annotations.list

visionai.applications.list

visionai.assets.list

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.clusters.setIamPolicy

visionai.corpora.list

visionai.dataSchemas.list

visionai.drafts.list

visionai.events.getIamPolicy

visionai.events.list

visionai.events.setIamPolicy

visionai.instances.list

visionai.locations.list

visionai.operations.list

visionai.operators.getIamPolicy

visionai.operators.list

visionai.operators.setIamPolicy

visionai.processors.list

visionai.searchConfigs.list

visionai.series.getIamPolicy

visionai.series.list

visionai.series.setIamPolicy

visionai.streams.getIamPolicy

visionai.streams.list

visionai.streams.setIamPolicy

visionai.uistreams.list

visualinspection.annotationSets.list

visualinspection.annotationSpecs.list

visualinspection.annotations.list

visualinspection.datasets.list

visualinspection.images.list

visualinspection.locations.list

visualinspection.modelEvaluations.list

visualinspection.models.list

visualinspection.modules.list

visualinspection.operations.list

visualinspection.solutionArtifacts.list

visualinspection.solutions.list

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.list

vmmigration.deployments.list

vmmigration.groups.list

vmmigration.locations.list

vmmigration.migratingVms.list

vmmigration.operations.list

vmmigration.replicationCycles.list

vmmigration.sources.list

vmmigration.targets.list

vmmigration.utilizationReports.list

vmwareengine.clusters.getIamPolicy

vmwareengine.clusters.list

vmwareengine.clusters.setIamPolicy

vmwareengine.hcxActivationKeys.getIamPolicy

vmwareengine.hcxActivationKeys.list

vmwareengine.hcxActivationKeys.setIamPolicy

vmwareengine.locations.list

vmwareengine.networkPolicies.list

vmwareengine.nodeTypes.list

vmwareengine.operations.list

vmwareengine.privateClouds.getIamPolicy

vmwareengine.privateClouds.list

vmwareengine.privateClouds.setIamPolicy

vmwareengine.privateConnections.list

vmwareengine.subnets.list

vmwareengine.vmwareEngineNetworks.list

vpcaccess.connectors.list

vpcaccess.locations.list

vpcaccess.operations.list

workflows.executions.list

workflows.locations.list

workflows.operations.list

workflows.workflows.list

workloadcertificate.locations.list

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.list

workloadmanager.evaluations.list

workloadmanager.executions.list

workloadmanager.locations.list

workloadmanager.operations.list

workloadmanager.results.list

workloadmanager.rules.list

workstations.workstationClusters.list

workstations.workstationConfigs.getIamPolicy

workstations.workstationConfigs.list

workstations.workstationConfigs.setIamPolicy

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

Security Reviewer

(roles/iam.securityReviewer)

Provides permissions to list all resources and allow policies on them.

accessapproval.requests.list

accesscontextmanager.accessLevels.list

accesscontextmanager.accessPolicies.getIamPolicy

accesscontextmanager.accessPolicies.list

accesscontextmanager.accessZones.list

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.gcpUserAccessBindings.list

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.list

actions.agentVersions.list

advisorynotifications.*

advisorynotifications.notifications.get
advisorynotifications.notifications.list

aiplatform.annotationSpecs.list

aiplatform.annotations.list

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.list

aiplatform.contexts.list

aiplatform.customJobs.list

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.list

aiplatform.datasets.list

aiplatform.deploymentResourcePools.list

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDevices.list

aiplatform.endpoints.list

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.list

aiplatform.executions.list

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.list

aiplatform.featureViews.list

aiplatform.features.list

aiplatform.featurestores.getIamPolicy

aiplatform.featurestores.list

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.list

aiplatform.indexes.list

aiplatform.locations.list

aiplatform.metadataSchemas.list

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.list

aiplatform.models.list

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.list

aiplatform.operations.list

aiplatform.pipelineJobs.list

aiplatform.schedules.list

aiplatform.specialistPools.list

aiplatform.studies.list

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboards.list

aiplatform.trainingPipelines.list

aiplatform.trials.list

alloydb.backups.list

alloydb.clusters.list

alloydb.instances.list

alloydb.locations.list

alloydb.operations.list

alloydb.supportedDatabaseFlags.list

alloydb.users.list

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.getIamPolicy

analyticshub.listings.list

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.locations.list

apigateway.operations.list

apigee.apiproductattributes.list

apigee.apiproducts.list

apigee.appgroupapps.list

apigee.appgroups.list

apigee.apps.list

apigee.archivedeployments.list

apigee.caches.list

apigee.datacollectors.list

apigee.datastores.list

apigee.deployments.list

apigee.developerappattributes.list

apigee.developerapps.list

apigee.developerattributes.list

apigee.developers.list

apigee.developersubscriptions.list

apigee.endpointattachments.list

apigee.envgroupattachments.list

apigee.envgroups.list

apigee.environments.getIamPolicy

apigee.environments.list

apigee.exports.list

apigee.flowhooks.list

apigee.hostqueries.list

apigee.hostsecurityreports.list

apigee.instanceattachments.list

apigee.instances.list

apigee.keystorealiases.list

apigee.keystores.list

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.nataddresses.list

apigee.operations.list

apigee.organizations.list

apigee.portals.list

apigee.proxies.list

apigee.proxyrevisions.list

apigee.queries.list

apigee.rateplans.list

apigee.references.list

apigee.reports.list

apigee.resourcefiles.list

apigee.securityIncidents.list

apigee.securityProfiles.list

apigee.securityreports.list

apigee.sharedflowrevisions.list

apigee.sharedflows.list

apigee.targetservers.list

apigee.traceconfigoverrides.list

apigee.tracesessions.list

apigeeconnect.connections.list

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.deployments.list

apigeeregistry.locations.list

apigeeregistry.operations.list

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apikeys.keys.list

appengine.instances.list

appengine.memcache.list

appengine.operations.list

appengine.services.list

appengine.versions.list

applianceactivation.rttCommands.list

artifactregistry.dockerimages.list

artifactregistry.files.list

artifactregistry.locations.list

artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.list

artifactregistry.packages.list

artifactregistry.pythonpackages.list

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.tags.list

artifactregistry.versions.list

assuredworkloads.operations.list

assuredworkloads.violations.list

assuredworkloads.workload.list

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.list

automl.datasets.getIamPolicy

automl.datasets.list

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.list

automl.locations.getIamPolicy

automl.locations.list

automl.modelEvaluations.list

automl.models.getIamPolicy

automl.models.list

automl.operations.list

automl.tableSpecs.list

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.list

automlrecommendations.eventStores.list

automlrecommendations.events.list

automlrecommendations.placements.list

automlrecommendations.recommendations.list

autoscaling.sites.getIamPolicy

backupdr.locations.list

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.operations.list

baremetalsolution.instancequotas.list

baremetalsolution.instances.list

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.list

baremetalsolution.nfsshares.list

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.list

batch.jobs.list

batch.locations.list

batch.operations.list

batch.tasks.list

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.locations.list

beyondcorp.operations.list

beyondcorp.subscriptions.list

biglake.catalogs.list

biglake.databases.list

biglake.locks.list

biglake.tables.list

bigquery.capacityCommitments.list

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.datasets.getIamPolicy

bigquery.jobs.list

bigquery.models.list

bigquery.reservationAssignments.list

bigquery.reservations.list

bigquery.routines.list

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.savedqueries.list

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquerymigration.locations.list

bigquerymigration.subtasks.list

bigquerymigration.workflows.list

bigtable.appProfiles.list

bigtable.backups.getIamPolicy

bigtable.backups.list

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.getIamPolicy

bigtable.instances.list

bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.getIamPolicy

bigtable.tables.list

billing.accounts.getIamPolicy

billing.accounts.list

billing.budgets.list

billing.credits.list

billing.resourceAssociations.list

billing.subscriptions.list

binaryauthorization.attestors.getIamPolicy

binaryauthorization.attestors.list

binaryauthorization.continuousValidationConfig.getIamPolicy

binaryauthorization.platformPolicies.list

binaryauthorization.policy.getIamPolicy

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.list

blockchainnodeengine.operations.list

carestudio.patients.list

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.list

certificatemanager.operations.list

certificatemanager.trustconfigs.list

chronicle.collectors.list

chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.list

chronicle.curatedRules.list

chronicle.dashboards.list

chronicle.extensionValidationReports.list

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.list

chronicle.forwarders.list

chronicle.logTypeSchemas.list

chronicle.operations.list

chronicle.parserExtensions.list

chronicle.parsers.list

chronicle.parsingErrors.list

chronicle.referenceLists.list

chronicle.retrohunts.list

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.list

chronicle.validationErrors.list

clientauthconfig.brands.list

clientauthconfig.clients.list

cloud.locations.list

cloudasset.feeds.list

cloudasset.savedqueries.list

cloudbuild.builds.list

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.integrations.list

cloudbuild.repositories.list

cloudbuild.workerpools.list

cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.jobRuns.list

clouddeploy.locations.list

clouddeploy.operations.list

clouddeploy.releases.list

clouddeploy.rollouts.list

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.list

cloudfunctions.operations.list

cloudfunctions.runtimes.list

cloudiot.devices.list

cloudiot.registries.getIamPolicy

cloudiot.registries.list

cloudjobdiscovery.companies.list

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.getIamPolicy

cloudkms.ekmConnections.getIamPolicy

cloudkms.ekmConnections.list

cloudkms.importJobs.getIamPolicy

cloudkms.importJobs.list

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.list

cloudkms.locations.list

cloudnotifications.activities.list

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/fileshares.list

cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.getIamPolicy

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.producerCatalogs.getIamPolicy

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.products.getIamPolicy

cloudprivatecatalogproducer.products.list

cloudprofiler.profiles.list

cloudscheduler.jobs.list

cloudscheduler.locations.list

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.list

cloudsql.backupRuns.list

cloudsql.databases.list

cloudsql.instances.list

cloudsql.sslCerts.list

cloudsql.users.list

cloudsupport.accounts.getIamPolicy

cloudsupport.accounts.list

cloudsupport.techCases.list

cloudtasks.locations.list

cloudtasks.queues.getIamPolicy

cloudtasks.queues.list

cloudtasks.tasks.list

cloudtoolresults.executions.list

cloudtoolresults.histories.list

cloudtoolresults.steps.list

cloudtrace.insights.list

cloudtrace.tasks.list

cloudtrace.traces.list

cloudtranslate.customModels.list

cloudtranslate.datasets.list

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.list

cloudtranslate.locations.list

cloudtranslate.operations.list

cloudvolumesgcp-api.netapp.com/activeDirectories.list

cloudvolumesgcp-api.netapp.com/ipRanges.list

cloudvolumesgcp-api.netapp.com/jobs.list

cloudvolumesgcp-api.netapp.com/regions.list

cloudvolumesgcp-api.netapp.com/serviceLevels.list

cloudvolumesgcp-api.netapp.com/snapshots.list

cloudvolumesgcp-api.netapp.com/volumereplication.list

cloudvolumesgcp-api.netapp.com/volumes.list

commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.resellerDiscountOffers.list

commerceoffercatalog.agreements.list

commerceoffercatalog.documents.list

commerceorggovernance.collections.list

commerceorggovernance.services.list

commerceprice.events.list

commerceprice.privateoffers.list

composer.dags.list

composer.environments.list

composer.imageversions.list

composer.operations.list

compute.acceleratorTypes.list

compute.addresses.list

compute.autoscalers.list

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.list

compute.diskTypes.list

compute.disks.getIamPolicy

compute.disks.list

compute.externalVpnGateways.list

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.list

compute.forwardingRules.list

compute.globalAddresses.list

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.list

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.list

compute.httpHealthChecks.list

compute.httpsHealthChecks.list

compute.images.getIamPolicy

compute.images.list

compute.instanceGroupManagers.list

compute.instanceGroups.list

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.getIamPolicy

compute.instances.list

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.list

compute.interconnectLocations.list

compute.interconnectRemoteLocations.list

compute.interconnects.list

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.list

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.list

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.list

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.list

compute.packetMirrorings.list

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.list

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.list

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.list

compute.regionSslCertificates.list

compute.regionSslPolicies.list

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.list

compute.regions.list

compute.reservations.list

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.list

compute.routes.list

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.sslCertificates.list

compute.sslPolicies.list

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.list

compute.targetHttpProxies.list

compute.targetHttpsProxies.list

compute.targetInstances.list

compute.targetPools.list

compute.targetSslProxies.list

compute.targetTcpProxies.list

compute.targetVpnGateways.list

compute.urlMaps.list

compute.vpnGateways.list

compute.vpnTunnels.list

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.list

confidentialcomputing.locations.list

config.deployments.getIamPolicy

config.deployments.list

config.locations.list

config.operations.list

config.resources.list

config.revisions.list

connectors.actions.list

connectors.connections.getIamPolicy

connectors.connections.list

connectors.connectors.list

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.entities.list

connectors.entityTypes.list

connectors.eventSubscriptions.list

connectors.eventtypes.list

connectors.locations.list

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.list

connectors.providers.list

connectors.versions.list

consumerprocurement.accounts.list

consumerprocurement.consents.list

consumerprocurement.entitlements.list

consumerprocurement.events.list

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.list

consumerprocurement.orders.list

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.list

contactcenterinsights.analyses.list

contactcenterinsights.conversations.list

contactcenterinsights.issueModels.list

contactcenterinsights.issues.list

contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.list

contactcenterinsights.views.list

container.apiServices.list

container.auditSinks.list

container.backendConfigs.list

container.bindings.list

container.certificateSigningRequests.list

container.clusterRoleBindings.list

container.clusterRoles.list

container.clusters.list

container.componentStatuses.list

container.configMaps.list

container.controllerRevisions.list

container.cronJobs.list

container.csiDrivers.list

container.csiNodeInfos.list

container.csiNodes.list

container.customResourceDefinitions.list

container.daemonSets.list

container.deployments.list

container.endpointSlices.list

container.endpoints.list

container.events.list

container.frontendConfigs.list

container.horizontalPodAutoscalers.list

container.ingresses.list

container.initializerConfigurations.list

container.jobs.list

container.leases.list

container.limitRanges.list

container.localSubjectAccessReviews.list

container.managedCertificates.list

container.mutatingWebhookConfigurations.list

container.namespaces.list

container.networkPolicies.list

container.nodes.list

container.operations.list

container.persistentVolumeClaims.list

container.persistentVolumes.list

container.petSets.list

container.podDisruptionBudgets.list

container.podPresets.list

container.podSecurityPolicies.list

container.podTemplates.list

container.pods.list

container.priorityClasses.list

container.replicaSets.list

container.replicationControllers.list

container.resourceQuotas.list

container.roleBindings.list

container.roles.list

container.runtimeClasses.list

container.scheduledJobs.list

container.selfSubjectAccessReviews.list

container.serviceAccounts.list

container.services.list

container.statefulSets.list

container.storageClasses.list

container.storageStates.list

container.storageVersionMigrations.list

container.subjectAccessReviews.list

container.thirdPartyObjects.list

container.thirdPartyResources.list

container.updateInfos.list

container.validatingWebhookConfigurations.list

container.volumeAttachments.list

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.list

container.volumeSnapshots.list

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.occurrences.getIamPolicy

containeranalysis.occurrences.list

containersecurity.clusterSummaries.list

containersecurity.findings.list

containersecurity.locations.list

containersecurity.workloadConfigAudits.list

contentwarehouse.documentSchemas.list

contentwarehouse.documents.getIamPolicy

contentwarehouse.ruleSets.list

contentwarehouse.synonymSets.list

datacatalog.categories.getIamPolicy

datacatalog.entries.getIamPolicy

datacatalog.entries.list

datacatalog.entryGroups.getIamPolicy

datacatalog.entryGroups.list

datacatalog.relationships.list

datacatalog.tagTemplates.getIamPolicy

datacatalog.taxonomies.getIamPolicy

datacatalog.taxonomies.list

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.locations.list

dataconnectors.operations.list

dataflow.jobs.list

dataflow.messages.list

dataflow.snapshots.list

dataform.compilationResults.list

dataform.locations.list

dataform.releaseConfigs.list

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.workflowConfigs.list

dataform.workflowInvocations.list

dataform.workspaces.getIamPolicy

dataform.workspaces.list

datafusion.artifacts.list

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.locations.list

datafusion.operations.list

datafusion.pipelineConnections.list

datafusion.pipelines.list

datafusion.profiles.list

datafusion.secureKeys.list

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.list

datalabeling.dataitems.list

datalabeling.datasets.list

datalabeling.examples.list

datalabeling.instructions.list

datalabeling.operations.list

datalineage.events.list

datalineage.processes.list

datalineage.runs.list

datamigration.connectionprofiles.getIamPolicy

datamigration.connectionprofiles.list

datamigration.conversionworkspaces.getIamPolicy

datamigration.conversionworkspaces.list

datamigration.locations.list

datamigration.mappingrules.getIamPolicy

datamigration.migrationjobs.getIamPolicy

datamigration.migrationjobs.list

datamigration.operations.list

datamigration.privateconnections.getIamPolicy

datamigration.privateconnections.list

datapipelines.jobs.list

datapipelines.pipelines.list

dataplex.assetActions.list

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.entities.list

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.locations.list

dataplex.operations.list

dataplex.partitions.list

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.getIamPolicy

dataplex.zones.list

dataproc.agents.list

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.batches.list

dataproc.clusters.getIamPolicy

dataproc.clusters.list

dataproc.jobs.getIamPolicy

dataproc.jobs.list

dataproc.operations.getIamPolicy

dataproc.operations.list

dataproc.workflowTemplates.getIamPolicy

dataproc.workflowTemplates.list

dataprocessing.datasources.list

dataprocessing.featurecontrols.list

dataprocessing.groupcontrols.list

datastore.databases.list

datastore.entities.list

datastore.indexes.list

datastore.keyVisualizerScans.list

datastore.locations.list

datastore.namespaces.list

datastore.operations.list

datastore.statistics.list

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.locations.list

datastream.objects.list

datastream.operations.list

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.routes.getIamPolicy

datastream.routes.list

datastream.streams.getIamPolicy

datastream.streams.list

datastudio.datasources.getIamPolicy

datastudio.reports.getIamPolicy

datastudio.workspaces.getIamPolicy

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.getIamPolicy

deploymentmanager.deployments.list

deploymentmanager.manifests.list

deploymentmanager.operations.list

deploymentmanager.resources.list

deploymentmanager.typeProviders.list

deploymentmanager.types.list

dialogflow.agents.list

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.list

dialogflow.contexts.list

dialogflow.conversationDatasets.list

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.conversations.list

dialogflow.deployments.list

dialogflow.documents.list

dialogflow.entityTypes.list

dialogflow.environments.list

dialogflow.experiments.list

dialogflow.flows.list

dialogflow.integrations.list

dialogflow.intents.list

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.list

dialogflow.pages.list

dialogflow.participants.list

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.list

dialogflow.testcases.list

dialogflow.transitionRouteGroups.list

dialogflow.versions.list

dialogflow.webhooks.list

discoveryengine.documents.list

discoveryengine.operations.list

dlp.analyzeRiskTemplates.list

dlp.columnDataProfiles.list

dlp.deidentifyTemplates.list

dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.list

dlp.jobTriggers.list

dlp.jobs.list

dlp.locations.list

dlp.projectDataProfiles.list

dlp.storedInfoTypes.list

dlp.subscriptions.list

dlp.tableDataProfiles.list

dns.changes.list

dns.dnsKeys.list

dns.managedZoneOperations.list

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.policies.getIamPolicy

dns.policies.list

dns.resourceRecordSets.list

dns.responsePolicies.list

dns.responsePolicyRules.list

documentai.dataLabelingJobs.list

documentai.evaluations.list

documentai.labelerPools.list

documentai.locations.list

documentai.processorTypes.list

documentai.processorVersions.list

documentai.processors.list

domains.locations.list

domains.operations.list

domains.registrations.getIamPolicy

domains.registrations.list

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.operations.list

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.locations.list

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.operations.list

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.locations.list

edgenetwork.networks.getIamPolicy

edgenetwork.networks.list

edgenetwork.operations.list

edgenetwork.routers.getIamPolicy

edgenetwork.routers.list

edgenetwork.routes.list

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.list

edgenetwork.zones.list

enterpriseknowledgegraph.entityReconciliationJobs.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groups.list

essentialcontacts.contacts.list

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.locations.list

eventarc.operations.list

eventarc.providers.list

eventarc.triggers.getIamPolicy

eventarc.triggers.list

fcmdata.deliverydata.list

file.backups.list

file.instances.list

file.locations.list

file.operations.list

firebase.clients.list

firebase.links.list

firebase.playLinks.list

firebaseabt.experiments.list

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrashlytics.issues.list

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.list

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.list

firebasehosting.sites.list

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.list

firebaseml.models.list

firebaseml.modelversions.list

firebasenotifications.messages.list

firebaserules.releases.list

firebaserules.rulesets.list

firebasestorage.buckets.list

fleetengine.deliveryvehicles.list

fleetengine.tasks.list

fleetengine.vehicles.list

gameservices.gameServerClusters.list

gameservices.gameServerConfigs.list

gameservices.gameServerDeployments.list

gameservices.locations.list

gameservices.operations.list

gameservices.realms.list

gcp.redisenterprise.com/databases.list

gcp.redisenterprise.com/subscriptions.list

genomics.datasets.getIamPolicy

genomics.datasets.list

genomics.operations.list

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backups.list

gkebackup.locations.list

gkebackup.operations.list

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restores.list

gkebackup.volumeBackups.list

gkebackup.volumeRestores.list

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.gateway.getIamPolicy

gkehub.locations.list

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.operations.list

gkemulticloud.attachedClusters.list

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.list

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.list

gkemulticloud.operations.list

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.locations.list

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

gsuiteaddons.deployments.list

healthcare.annotationStores.getIamPolicy

healthcare.annotationStores.list

healthcare.annotations.list

healthcare.attributeDefinitions.list

healthcare.consentArtifacts.list

healthcare.consentStores.getIamPolicy

healthcare.consentStores.list

healthcare.consents.list

healthcare.datasets.getIamPolicy

healthcare.datasets.list

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.list

healthcare.hl7V2Messages.list

healthcare.hl7V2Stores.getIamPolicy

healthcare.hl7V2Stores.list

healthcare.locations.list

healthcare.operations.list

healthcare.userDataMappings.list

iam.denypolicies.list

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePoolProviders.list

iam.googleapis.com/workforcePools.getIamPolicy

iam.googleapis.com/workforcePools.list

iam.googleapis.com/workloadIdentityPoolProviderKeys.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

iam.roles.get

iam.roles.list

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iap.tunnel.getIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.list

iap.tunnelInstances.getIamPolicy

iap.tunnelLocations.getIamPolicy

iap.tunnelZones.getIamPolicy

iap.web.getIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServices.getIamPolicy

iap.webTypes.getIamPolicy

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.locations.list

ids.operations.list

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.apigeeSuspensions.list

integrations.authConfigs.list

integrations.certificates.list

integrations.executions.list

integrations.integrationVersions.list

integrations.integrations.list

integrations.securityAuthConfigs.list

integrations.securityExecutions.list

integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.list

integrations.securityIntegrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

integrations.suspensions.list

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.list

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.locations.list

krmapihosting.operations.list

lifesciences.operations.list

livestream.channels.list

livestream.events.list

livestream.inputs.list

livestream.locations.list

livestream.operations.list

logging.buckets.list

logging.exclusions.list

logging.links.list

logging.locations.list

logging.logEntries.list

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.list

logging.operations.list

logging.privateLogEntries.list

logging.queries.list

logging.sinks.list

logging.views.list

looker.backups.list

looker.instances.list

looker.locations.list

looker.operations.list

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.locations.list

managedidentities.operations.list

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.list

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.list

mapsadmin.styleSnapshots.list

mapsplatformdatasets.datasets.list

memcache.instances.list

memcache.locations.list

memcache.operations.list

metastore.backups.getIamPolicy

metastore.backups.list

metastore.databases.getIamPolicy

metastore.databases.list

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.list

metastore.locations.list

metastore.operations.list

metastore.services.getIamPolicy

metastore.services.list

metastore.tables.getIamPolicy

metastore.tables.list

migrationcenter.assets.list

migrationcenter.errorFrames.list

migrationcenter.groups.list

migrationcenter.importDataFiles.list

migrationcenter.importJobs.list

migrationcenter.locations.list

migrationcenter.operations.list

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.list

migrationcenter.reports.list

migrationcenter.sources.list

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.list

ml.models.getIamPolicy

ml.models.list

ml.operations.list

ml.studies.getIamPolicy

ml.studies.list

ml.trials.list

ml.versions.list

monitoring.alertPolicies.list

monitoring.dashboards.list

monitoring.groups.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.list

monitoring.publicWidgets.list

monitoring.services.list

monitoring.slos.list

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.list

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.internalRanges.getIamPolicy

networkconnectivity.internalRanges.list

networkconnectivity.locations.list

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.getIamPolicy

networkconnectivity.policyBasedRoutes.list

networkconnectivity.serviceClasses.list

networkconnectivity.serviceConnectionMaps.list

networkconnectivity.serviceConnectionPolicies.list

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.locations.list

networkmanagement.operations.list

networksecurity.authorizationPolicies.getIamPolicy

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.getIamPolicy

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.list

networksecurity.operations.list

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.getIamPolicy

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.getIamPolicy

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.getIamPolicy

networkservices.endpointPolicies.list

networkservices.gateways.list

networkservices.grpcRoutes.getIamPolicy

networkservices.grpcRoutes.list

networkservices.httpFilters.getIamPolicy

networkservices.httpFilters.list

networkservices.httpRoutes.getIamPolicy

networkservices.httpRoutes.list

networkservices.httpfilters.getIamPolicy

networkservices.httpfilters.list

networkservices.locations.list

networkservices.meshes.getIamPolicy

networkservices.meshes.list

networkservices.operations.list

networkservices.serviceBindings.list

networkservices.tcpRoutes.getIamPolicy

networkservices.tcpRoutes.list

networkservices.tlsRoutes.list

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.list

notebooks.operations.list

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.getIamPolicy

notebooks.schedules.list

ondemandscanning.operations.list

opsconfigmonitoring.resourceMetadata.list

orgpolicy.constraints.list

orgpolicy.customConstraints.list

orgpolicy.policies.list

osconfig.guestPolicies.list

osconfig.instanceOSPoliciesCompliances.list

osconfig.inventories.list

osconfig.osPolicyAssignmentReports.list

osconfig.osPolicyAssignments.list

osconfig.patchDeployments.list

osconfig.patchJobs.list

osconfig.vulnerabilityReports.list

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

policysimulator.replayResults.list

policysimulator.replays.list

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.list

privateca.operations.list

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

proximitybeacon.attachments.list

proximitybeacon.beacons.getIamPolicy

proximitybeacon.beacons.list

proximitybeacon.namespaces.getIamPolicy

proximitybeacon.namespaces.list

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsublite.operations.list

pubsublite.reservations.list

pubsublite.subscriptions.list

pubsublite.topics.list

recaptchaenterprise.keys.list

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.list

recommender.cloudAssetInsights.list

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.list

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeFirewallInsights.list

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.list

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.list

recommender.costInsights.list

recommender.dataflowDiagnosticsInsights.list

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.list

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.list

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.list

recommender.iamServiceAccountInsights.list

recommender.locations.list

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.list

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.list

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.list

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.list

recommender.usageCommitmentRecommendations.list

redis.instances.list

redis.locations.list

redis.operations.list

remotebuildexecution.instances.list

remotebuildexecution.workerpools.list

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagHolds.list

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.list

resourcemanager.tagValues.getIamPolicy

resourcemanager.tagValues.list

resourcesettings.settings.list

retail.catalogs.list

retail.controls.list

retail.models.list

retail.operations.list

retail.products.list

retail.servingConfigs.list

riskmanager.controlScoreBreakdowns.list

riskmanager.operations.list

riskmanager.policies.list

riskmanager.reports.list

rma.collectors.list

rma.locations.list

rma.operations.list

run.configurations.list

run.executions.list

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.list

run.revisions.list

run.routes.list

run.services.getIamPolicy

run.services.list

run.tasks.list

runapps.applications.list

runapps.deployments.list

runapps.locations.list

runapps.operations.list

runtimeconfig.configs.getIamPolicy

runtimeconfig.configs.list

runtimeconfig.operations.list

runtimeconfig.variables.getIamPolicy

runtimeconfig.variables.list

runtimeconfig.waiters.getIamPolicy

runtimeconfig.waiters.list

secretmanager.locations.list

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.versions.list

securedlandingzone.overwatches.list

securitycenter.assets.list

securitycenter.bigQueryExports.list

securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.findings.list

securitycenter.muteconfigs.list

securitycenter.notificationconfig.list

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.sources.getIamPolicy

securitycenter.sources.list

servicebroker.bindingoperations.list

servicebroker.bindings.getIamPolicy

servicebroker.bindings.list

servicebroker.catalogs.getIamPolicy

servicebroker.catalogs.list

servicebroker.instanceoperations.list

servicebroker.instances.getIamPolicy

servicebroker.instances.list

serviceconsumermanagement.tenancyu.list

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.list

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicehealth.events.list

servicehealth.locations.list

servicehealth.organizationEvents.list

servicehealth.organizationImpacts.list

servicemanagement.services.getIamPolicy

servicemanagement.services.list

servicenetworking.operations.list

servicesecurityinsights.clusterSecurityInfo.list

servicesecurityinsights.securityInfo.list

servicesecurityinsights.workloadPolicies.list

serviceusage.operations.list

serviceusage.services.list

source.repos.getIamPolicy

source.repos.list

spanner.backupOperations.list

spanner.backups.getIamPolicy

spanner.backups.list

spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.getIamPolicy

spanner.databases.list

spanner.instanceConfigOperations.list

spanner.instanceConfigs.list

spanner.instanceOperations.list

spanner.instances.getIamPolicy

spanner.instances.list

spanner.sessions.list

speakerid.phrases.list

speakerid.speakers.list

speech.customClasses.list

speech.locations.list

speech.operations.list

speech.phraseSets.list

speech.recognizers.list

stackdriver.resourceMetadata.list

storage.buckets.getIamPolicy

storage.buckets.list

storage.hmacKeys.list

storage.multipartUploads.list

storage.objects.getIamPolicy

storage.objects.list

storageinsights.locations.list

storageinsights.operations.list

storageinsights.reportConfigs.list

storageinsights.reportDetails.list

storagetransfer.agentpools.list

storagetransfer.jobs.list

storagetransfer.operations.list

stream.locations.list

stream.operations.list

stream.streamContents.list

stream.streamInstances.list

timeseriesinsights.datasets.list

timeseriesinsights.locations.list

tpu.acceleratortypes.list

tpu.locations.list

tpu.nodes.list

tpu.operations.list

tpu.runtimeversions.list

tpu.tensorflowversions.list

transcoder.jobTemplates.list

transcoder.jobs.list

transferappliance.appliances.list

transferappliance.locations.list

transferappliance.operations.list

transferappliance.orders.list

transferappliance.savedAddresses.list

translationhub.portals.list

videostitcher.cdnKeys.list

videostitcher.liveAdTagDetails.list

videostitcher.slates.list

videostitcher.vodAdTagDetails.list

videostitcher.vodStitchDetails.list

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.annotations.list

visionai.applications.list

visionai.assets.list

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.corpora.list

visionai.dataSchemas.list

visionai.drafts.list

visionai.events.getIamPolicy

visionai.events.list

visionai.instances.list

visionai.locations.list

visionai.operations.list

visionai.operators.getIamPolicy

visionai.operators.list

visionai.processors.list

visionai.searchConfigs.list

visionai.series.getIamPolicy

visionai.series.list

visionai.streams.getIamPolicy

visionai.streams.list

visionai.uistreams.list

visualinspection.annotationSets.list

visualinspection.annotationSpecs.list

visualinspection.annotations.list

visualinspection.datasets.list

visualinspection.images.list

visualinspection.locations.list

visualinspection.modelEvaluations.list

visualinspection.models.list

visualinspection.modules.list

visualinspection.operations.list

visualinspection.solutionArtifacts.list

visualinspection.solutions.list

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.list

vmmigration.deployments.list

vmmigration.groups.list

vmmigration.locations.list

vmmigration.migratingVms.list

vmmigration.operations.list

vmmigration.replicationCycles.list

vmmigration.sources.list

vmmigration.targets.list

vmmigration.utilizationReports.list

vmwareengine.clusters.getIamPolicy

vmwareengine.clusters.list

vmwareengine.hcxActivationKeys.getIamPolicy

vmwareengine.hcxActivationKeys.list

vmwareengine.locations.list

vmwareengine.networkPolicies.list

vmwareengine.nodeTypes.list

vmwareengine.operations.list

vmwareengine.privateClouds.getIamPolicy

vmwareengine.privateClouds.list

vmwareengine.privateConnections.list

vmwareengine.subnets.list

vmwareengine.vmwareEngineNetworks.list

vpcaccess.connectors.list

vpcaccess.locations.list

vpcaccess.operations.list

workflows.executions.list

workflows.locations.list

workflows.operations.list

workflows.workflows.list

workloadcertificate.locations.list

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.list

workloadmanager.evaluations.list

workloadmanager.executions.list

workloadmanager.locations.list

workloadmanager.operations.list

workloadmanager.results.list

workloadmanager.rules.list

workstations.workstationClusters.list

workstations.workstationConfigs.getIamPolicy

workstations.workstationConfigs.list

workstations.workstations.getIamPolicy

workstations.workstations.list

KRM API Hosting roles

Permissions

Config Controller Admin

(roles/krmapihosting.admin)

Full access to all Config Controller resources.

krmapihosting.*

krmapihosting.krmApiHosts.create
krmapihosting.krmApiHosts.delete
krmapihosting.krmApiHosts.get
krmapihosting.krmApiHosts.getIamPolicy
krmapihosting.krmApiHosts.list
krmapihosting.krmApiHosts.setIamPolicy
krmapihosting.krmApiHosts.update
krmapihosting.locations.get
krmapihosting.locations.list
krmapihosting.operations.cancel
krmapihosting.operations.delete
krmapihosting.operations.get
krmapihosting.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Config Controller Viewer

(roles/krmapihosting.viewer)

Read-only access to all Config Controller resources.

krmapihosting.krmApiHosts.get

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.locations.*

krmapihosting.locations.get
krmapihosting.locations.list

krmapihosting.operations.get

krmapihosting.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine roles

Permissions

Kubernetes Engine Admin

(roles/container.admin)

Provides access to full management of clusters and their Kubernetes API objects.

To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

Lowest-level resources where you can grant this role:

Project

container.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update
container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.get
container.backendConfigs.list
container.backendConfigs.update
container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update
container.certificateSigningRequests.approve
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.escalate
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.create
container.clusters.createTagBinding
container.clusters.delete
container.clusters.deleteTagBinding
container.clusters.get
container.clusters.getCredentials
container.clusters.impersonate
container.clusters.list
container.clusters.listEffectiveTags
container.clusters.listTagBindings
container.clusters.update
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container.controllerRevisions.create
container.controllerRevisions.delete
container.controllerRevisions.get
container.controllerRevisions.list
container.controllerRevisions.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container.cronJobs.updateStatus
container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update
container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update
container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.customResourceDefinitions.updateStatus
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.daemonSets.updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus
container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update
container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update
container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update
container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.horizontalPodAutoscalers.update
container.horizontalPodAutoscalers.updateStatus
container.hostServiceAgent.use
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container.ingresses.updateStatus
container.initializerConfigurations.create
container.initializerConfigurations.delete
container.initializerConfigurations.get
container.initializerConfigurations.list
container.initializerConfigurations.update
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container.localSubjectAccessReviews.create
container.localSubjectAccessReviews.list
container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus
container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus
container.operations.get
container.operations.list
container.persistentVolumeClaims.create
container.persistentVolumeClaims.delete
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumeClaims.update
container.persistentVolumeClaims.updateStatus
container.persistentVolumes.create
container.persistentVolumes.delete
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.persistentVolumes.update
container.persistentVolumes.updateStatus
container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.podDisruptionBudgets.updateStatus
container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update
container.podSecurityPolicies.create
container.podSecurityPolicies.delete
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podSecurityPolicies.update
container.podSecurityPolicies.use
container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update
container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicaSets.update
container.replicaSets.updateScale
container.replicaSets.updateStatus
container.replicationControllers.create
container.replicationControllers.delete
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.replicationControllers.update
container.replicationControllers.updateScale
container.replicationControllers.updateStatus
container.resourceQuotas.create
container.resourceQuotas.delete
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.resourceQuotas.update
container.resourceQuotas.updateStatus
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.list
container.roles.update
container.runtimeClasses.create
container.runtimeClasses.delete
container.runtimeClasses.get
container.runtimeClasses.list
container.runtimeClasses.update
container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container.scheduledJobs.updateStatus
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container.selfSubjectAccessReviews.create
container.selfSubjectAccessReviews.list
container.selfSubjectRulesReviews.create
container.serviceAccounts.create
container.serviceAccounts.createToken
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container.services.updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.statefulSets.update
container.statefulSets.updateScale
container.statefulSets.updateStatus
container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.storageClasses.list
container.storageClasses.update
container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus
container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus
container.subjectAccessReviews.create
container.subjectAccessReviews.list
container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update
container.thirdPartyResources.create
container.thirdPartyResources.delete
container.thirdPartyResources.get
container.thirdPartyResources.list
container.thirdPartyResources.update
container.tokenReviews.create
container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus
container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update
container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus
container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update

recommender.containerDiagnosisRecommendations.*

recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update

recommender.networkAnalyzerGkeIpAddressInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Cluster Admin

(roles/container.clusterAdmin)

Provides access to management of clusters.

To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

Lowest-level resources where you can grant this role:

Project

container.clusters.create

container.clusters.delete

container.clusters.get

container.clusters.list

container.clusters.update

container.operations.*

container.operations.get
container.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Cluster Viewer

(roles/container.clusterViewer)

Provides access to get and list GKE clusters.

container.clusters.get

container.clusters.list

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Developer

(roles/container.developer)

Provides access to Kubernetes API objects inside clusters.

Lowest-level resources where you can grant this role:

Project

container.apiServices.*

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus

container.auditSinks.*

container.auditSinks.create
container.auditSinks.delete
container.auditSinks.get
container.auditSinks.list
container.auditSinks.update

container.backendConfigs.*

container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.get
container.backendConfigs.list
container.backendConfigs.update

container.bindings.*

container.bindings.create
container.bindings.delete
container.bindings.get
container.bindings.list
container.bindings.update

container.certificateSigningRequests.create

container.certificateSigningRequests.delete

container.certificateSigningRequests.get

container.certificateSigningRequests.list

container.certificateSigningRequests.update

container.certificateSigningRequests.updateStatus

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.get

container.clusters.list

container.componentStatuses.*

container.componentStatuses.get
container.componentStatuses.list

container.configMaps.*

container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.*

container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container.cronJobs.updateStatus

container.csiDrivers.*

container.csiDrivers.create
container.csiDrivers.delete
container.csiDrivers.get
container.csiDrivers.list
container.csiDrivers.update

container.csiNodeInfos.*

container.csiNodeInfos.create
container.csiNodeInfos.delete
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodeInfos.update

container.csiNodes.*

container.csiNodes.create
container.csiNodes.delete
container.csiNodes.get
container.csiNodes.list
container.csiNodes.update

container.customResourceDefinitions.*

container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.customResourceDefinitions.updateStatus

container.daemonSets.*

container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.daemonSets.updateStatus

container.deployments.*

container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus

container.endpointSlices.*

container.endpointSlices.create
container.endpointSlices.delete
container.endpointSlices.get
container.endpointSlices.list
container.endpointSlices.update

container.endpoints.*

container.endpoints.create
container.endpoints.delete
container.endpoints.get
container.endpoints.list
container.endpoints.update

container.events.*

container.events.create
container.events.delete
container.events.get
container.events.list
container.events.update

container.frontendConfigs.*

container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.get
container.frontendConfigs.list
container.frontendConfigs.update

container.horizontalPodAutoscalers.*

container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.horizontalPodAutoscalers.update
container.horizontalPodAutoscalers.updateStatus

container.ingresses.*

container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container.ingresses.updateStatus

container.initializerConfigurations.*

container.initializerConfigurations.create
container.initializerConfigurations.delete
container.initializerConfigurations.get
container.initializerConfigurations.list
container.initializerConfigurations.update

container.jobs.*

container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus

container.leases.*

container.leases.create
container.leases.delete
container.leases.get
container.leases.list
container.leases.update

container.limitRanges.*

container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update

container.localSubjectAccessReviews.*

container.localSubjectAccessReviews.create
container.localSubjectAccessReviews.list

container.managedCertificates.*

container.managedCertificates.create
container.managedCertificates.delete
container.managedCertificates.get
container.managedCertificates.list
container.managedCertificates.update

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.*

container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus

container.networkPolicies.*

container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update

container.nodes.*

container.nodes.create
container.nodes.delete
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.nodes.proxy
container.nodes.update
container.nodes.updateStatus

container.persistentVolumeClaims.*

container.persistentVolumeClaims.create
container.persistentVolumeClaims.delete
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumeClaims.update
container.persistentVolumeClaims.updateStatus

container.persistentVolumes.*

container.persistentVolumes.create
container.persistentVolumes.delete
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.persistentVolumes.update
container.persistentVolumes.updateStatus

container.petSets.*

container.petSets.create
container.petSets.delete
container.petSets.get
container.petSets.list
container.petSets.update
container.petSets.updateStatus

container.podDisruptionBudgets.*

container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.podDisruptionBudgets.updateStatus

container.podPresets.*

container.podPresets.create
container.podPresets.delete
container.podPresets.get
container.podPresets.list
container.podPresets.update

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.*

container.podTemplates.create
container.podTemplates.delete
container.podTemplates.get
container.podTemplates.list
container.podTemplates.update

container.pods.*

container.pods.attach
container.pods.create
container.pods.delete
container.pods.evict
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.initialize
container.pods.list
container.pods.portForward
container.pods.proxy
container.pods.update
container.pods.updateStatus

container.priorityClasses.*

container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update

container.replicaSets.*

container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicaSets.update
container.replicaSets.updateScale
container.replicaSets.updateStatus

container.replicationControllers.*

container.replicationControllers.create
container.replicationControllers.delete
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.replicationControllers.update
container.replicationControllers.updateScale
container.replicationControllers.updateStatus

container.resourceQuotas.*

container.resourceQuotas.create
container.resourceQuotas.delete
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.resourceQuotas.update
container.resourceQuotas.updateStatus

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.*

container.runtimeClasses.create
container.runtimeClasses.delete
container.runtimeClasses.get
container.runtimeClasses.list
container.runtimeClasses.update

container.scheduledJobs.*

container.scheduledJobs.create
container.scheduledJobs.delete
container.scheduledJobs.get
container.scheduledJobs.list
container.scheduledJobs.update
container.scheduledJobs.updateStatus

container.secrets.*

container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update

container.selfSubjectAccessReviews.*

container.selfSubjectAccessReviews.create
container.selfSubjectAccessReviews.list

container.selfSubjectRulesReviews.create

container.serviceAccounts.*

container.serviceAccounts.create
container.serviceAccounts.createToken
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update

container.services.*

container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container.services.updateStatus

container.statefulSets.*

container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.statefulSets.update
container.statefulSets.updateScale
container.statefulSets.updateStatus

container.storageClasses.*

container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.storageClasses.list
container.storageClasses.update

container.storageStates.*

container.storageStates.create
container.storageStates.delete
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageStates.update
container.storageStates.updateStatus

container.storageVersionMigrations.*

container.storageVersionMigrations.create
container.storageVersionMigrations.delete
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.storageVersionMigrations.update
container.storageVersionMigrations.updateStatus

container.subjectAccessReviews.*

container.subjectAccessReviews.create
container.subjectAccessReviews.list

container.thirdPartyObjects.*

container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update

container.thirdPartyResources.*

container.thirdPartyResources.create
container.thirdPartyResources.delete
container.thirdPartyResources.get
container.thirdPartyResources.list
container.thirdPartyResources.update

container.tokenReviews.create

container.updateInfos.*

container.updateInfos.create
container.updateInfos.delete
container.updateInfos.get
container.updateInfos.list
container.updateInfos.update

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.*

container.volumeAttachments.create
container.volumeAttachments.delete
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeAttachments.update
container.volumeAttachments.updateStatus

container.volumeSnapshotClasses.*

container.volumeSnapshotClasses.create
container.volumeSnapshotClasses.delete
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotClasses.update

container.volumeSnapshotContents.*

container.volumeSnapshotContents.create
container.volumeSnapshotContents.delete
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshotContents.update
container.volumeSnapshotContents.updateStatus

container.volumeSnapshots.*

container.volumeSnapshots.create
container.volumeSnapshots.delete
container.volumeSnapshots.get
container.volumeSnapshots.getStatus
container.volumeSnapshots.list
container.volumeSnapshots.update
container.volumeSnapshots.updateStatus

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisInsights.update

recommender.containerDiagnosisRecommendations.*

recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.containerDiagnosisRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.update

recommender.networkAnalyzerGkeIpAddressInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.update

resourcemanager.projects.get

resourcemanager.projects.list

Kubernetes Engine Host Service Agent User

(roles/container.hostServiceAgentUser)

Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.

compute.firewalls.get

container.hostServiceAgent.use

dns.networks.bindDNSResponsePolicy

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.responsePolicies.*

dns.responsePolicies.create
dns.responsePolicies.delete
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicies.update

dns.responsePolicyRules.*

dns.responsePolicyRules.create
dns.responsePolicyRules.delete
dns.responsePolicyRules.get
dns.responsePolicyRules.list
dns.responsePolicyRules.update

Kubernetes Engine Node Service Account

(roles/container.nodeServiceAccount)

Least privilege role to use as the service account for GKE Nodes.

autoscaling.sites.writeMetrics

logging.logEntries.create

monitoring.metricDescriptors.create

monitoring.metricDescriptors.list

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.objects.get

storage.objects.list

Kubernetes Engine Viewer

(roles/container.viewer)

Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.

Lowest-level resources where you can grant this role:

Project

container.apiServices.get

container.apiServices.getStatus

container.apiServices.list

container.auditSinks.get

container.auditSinks.list

container.backendConfigs.get

container.backendConfigs.list

container.bindings.get

container.bindings.list

container.certificateSigningRequests.get

container.certificateSigningRequests.getStatus

container.certificateSigningRequests.list

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.get

container.clusters.list

container.componentStatuses.*

container.componentStatuses.get
container.componentStatuses.list

container.configMaps.get

container.configMaps.list

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.get

container.cronJobs.getStatus

container.cronJobs.list

container.csiDrivers.get

container.csiDrivers.list

container.csiNodeInfos.get

container.csiNodeInfos.list

container.csiNodes.get

container.csiNodes.list

container.customResourceDefinitions.get

container.customResourceDefinitions.getStatus

container.customResourceDefinitions.list

container.daemonSets.get

container.daemonSets.getStatus

container.daemonSets.list

container.deployments.get

container.deployments.getScale

container.deployments.getStatus

container.deployments.list

container.endpointSlices.get

container.endpointSlices.list

container.endpoints.get

container.endpoints.list

container.events.get

container.events.list

container.frontendConfigs.get

container.frontendConfigs.list

container.horizontalPodAutoscalers.get

container.horizontalPodAutoscalers.getStatus

container.horizontalPodAutoscalers.list

container.ingresses.get

container.ingresses.getStatus

container.ingresses.list

container.initializerConfigurations.get

container.initializerConfigurations.list

container.jobs.get

container.jobs.getStatus

container.jobs.list

container.leases.get

container.leases.list

container.limitRanges.get

container.limitRanges.list

container.managedCertificates.get

container.managedCertificates.list

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.get

container.namespaces.getStatus

container.namespaces.list

container.networkPolicies.get

container.networkPolicies.list

container.nodes.get

container.nodes.getStatus

container.nodes.list

container.operations.*

container.operations.get
container.operations.list

container.persistentVolumeClaims.get

container.persistentVolumeClaims.getStatus

container.persistentVolumeClaims.list

container.persistentVolumes.get

container.persistentVolumes.getStatus

container.persistentVolumes.list

container.petSets.get

container.petSets.list

container.podDisruptionBudgets.get

container.podDisruptionBudgets.getStatus

container.podDisruptionBudgets.list

container.podPresets.get

container.podPresets.list

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.get

container.podTemplates.list

container.pods.get

container.pods.getStatus

container.pods.list

container.priorityClasses.get

container.priorityClasses.list

container.replicaSets.get

container.replicaSets.getScale

container.replicaSets.getStatus

container.replicaSets.list

container.replicationControllers.get

container.replicationControllers.getScale

container.replicationControllers.getStatus

container.replicationControllers.list

container.resourceQuotas.get

container.resourceQuotas.getStatus

container.resourceQuotas.list

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.get

container.runtimeClasses.list

container.scheduledJobs.get

container.scheduledJobs.list

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.getStatus

container.services.list

container.statefulSets.get

container.statefulSets.getScale

container.statefulSets.getStatus

container.statefulSets.list

container.storageClasses.get

container.storageClasses.list

container.storageStates.get

container.storageStates.getStatus

container.storageStates.list

container.storageVersionMigrations.get

container.storageVersionMigrations.getStatus

container.storageVersionMigrations.list

container.thirdPartyObjects.get

container.thirdPartyObjects.list

container.thirdPartyResources.get

container.thirdPartyResources.list

container.tokenReviews.create

container.updateInfos.get

container.updateInfos.list

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.get

container.volumeAttachments.getStatus

container.volumeAttachments.list

container.volumeSnapshotClasses.get

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.get

container.volumeSnapshotContents.getStatus

container.volumeSnapshotContents.list

container.volumeSnapshots.get

container.volumeSnapshots.list

recommender.containerDiagnosisInsights.get

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.get

recommender.containerDiagnosisRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

Live Stream roles

Permissions

Live Stream Editor

(roles/livestream.editor)

Full access to Live Stream resources.

livestream.*

livestream.channels.create
livestream.channels.delete
livestream.channels.get
livestream.channels.list
livestream.channels.start
livestream.channels.stop
livestream.channels.update
livestream.events.create
livestream.events.delete
livestream.events.get
livestream.events.list
livestream.inputs.create
livestream.inputs.delete
livestream.inputs.get
livestream.inputs.list
livestream.inputs.update
livestream.locations.get
livestream.locations.list
livestream.operations.cancel
livestream.operations.delete
livestream.operations.get
livestream.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Live Stream Viewer

(roles/livestream.viewer)

Read access to Live Stream resources.

livestream.channels.get

livestream.channels.list

livestream.events.get

livestream.events.list

livestream.inputs.get

livestream.inputs.list

livestream.locations.*

livestream.locations.get
livestream.locations.list

livestream.operations.get

livestream.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Logging roles

Permissions

Logging Admin

(roles/logging.admin)

Provides all permissions necessary to use all features of Cloud Logging.

Lowest-level resources where you can grant this role:

Project

logging.buckets.copyLogEntries

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.fields.access

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.*

logging.logEntries.create
logging.logEntries.download
logging.logEntries.list
logging.logEntries.route

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.*

logging.logs.delete
logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.privateLogEntries.list

logging.queries.*

logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.share
logging.queries.update
logging.queries.updateShared

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.usage.get

logging.views.*

logging.views.access
logging.views.create
logging.views.delete
logging.views.get
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.update

resourcemanager.projects.get

resourcemanager.projects.list

Logs Bucket Writer

(roles/logging.bucketWriter)

Ability to write logs to a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.buckets.write

Logs Configuration Writer

(roles/logging.configWriter)

Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.views.create

logging.views.delete

logging.views.get

logging.views.list

logging.views.update

resourcemanager.projects.get

resourcemanager.projects.list

Log Field Accessor

(roles/logging.fieldAccessor)

Ability to read restricted fields in a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.fields.access

Log Link Accessor

(roles/logging.linkViewer)

Ability to see links for a bucket.

logging.links.get

logging.links.list

Logs Writer

(roles/logging.logWriter)

Provides the permissions to write log entries.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.create

logging.logEntries.route

Private Logs Viewer

(roles/logging.privateLogViewer)

Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.access

logging.views.get

logging.views.list

resourcemanager.projects.get

Logs View Accessor

(roles/logging.viewAccessor)

Ability to read logs in a view.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.download

logging.views.access

logging.views.listLogs

logging.views.listResourceKeys

logging.views.listResourceValues

Logs Viewer

(roles/logging.viewer)

Provides access to view logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

Looker roles

Permissions

Looker Admin

(roles/looker.admin)

Full access to all Looker resources.

looker.*

looker.backups.create
looker.backups.delete
looker.backups.get
looker.backups.list
looker.instances.create
looker.instances.delete
looker.instances.export
looker.instances.get
looker.instances.import
looker.instances.list
looker.instances.login
looker.instances.update
looker.locations.get
looker.locations.list
looker.operations.cancel
looker.operations.delete
looker.operations.get
looker.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Looker Instance User

(roles/looker.instanceUser)

Access to log in to a Looker instance.

looker.instances.get

looker.instances.login

resourcemanager.projects.get

resourcemanager.projects.list

Looker Viewer

(roles/looker.viewer)

Read-only access to all Looker resources.

looker.backups.get

looker.backups.list

looker.instances.get

looker.instances.list

looker.instances.login

looker.locations.*

looker.locations.get
looker.locations.list

looker.operations.get

looker.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Maps API Admin roles

Permissions

Maps API Admin

(roles/mapsadmin.admin)

Read and Write all Maps Management and Maps Styles Resources.

mapsadmin.*

mapsadmin.clientMaps.create
mapsadmin.clientMaps.delete
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.clientMaps.update
mapsadmin.clientStyleActivationRules.update
mapsadmin.clientStyleSheetSnapshots.list
mapsadmin.clientStyleSheetSnapshots.update
mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update
mapsadmin.styleEditorConfigs.get
mapsadmin.styleSnapshots.list
mapsadmin.styleSnapshots.update

resourcemanager.projects.get

resourcemanager.projects.list

Maps API Viewer

(roles/mapsadmin.viewer)

Read all Maps Management and Maps Styles Resources.

mapsadmin.clientMaps.get

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsadmin.styleEditorConfigs.get

mapsadmin.styleSnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

Memorystore Memcache roles

Permissions

Cloud Memorystore Memcached Admin

(roles/memcache.admin)

Full access to Memcached instances and related resources.

compute.networks.list

memcache.*

memcache.instances.applyParameters
memcache.instances.applySoftwareUpdate
memcache.instances.create
memcache.instances.delete
memcache.instances.get
memcache.instances.list
memcache.instances.rescheduleMaintenance
memcache.instances.update
memcache.instances.updateParameters
memcache.locations.get
memcache.locations.list
memcache.operations.cancel
memcache.operations.delete
memcache.operations.get
memcache.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Memorystore Memcached Editor

(roles/memcache.editor)

Read-Write access to Memcached instances and related resources.

memcache.instances.applyParameters

memcache.instances.get

memcache.instances.list

memcache.instances.update

memcache.instances.updateParameters

memcache.locations.*

memcache.locations.get
memcache.locations.list

memcache.operations.*

memcache.operations.cancel
memcache.operations.delete
memcache.operations.get
memcache.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Memorystore Memcached Viewer

(roles/memcache.viewer)

Read-only access to Memcached instances and related resources.

memcache.instances.get

memcache.instances.list

memcache.locations.*

memcache.locations.get
memcache.locations.list

memcache.operations.get

memcache.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Memorystore Redis roles

Permissions

Cloud Memorystore Redis Admin

(roles/redis.admin)

Full control for all Memorystore for Redis resources.

compute.networks.list

networkconnectivity.serviceConnectionPolicies.list

redis.*

redis.instances.create
redis.instances.delete
redis.instances.export
redis.instances.failover
redis.instances.get
redis.instances.getAuthString
redis.instances.import
redis.instances.list
redis.instances.rescheduleMaintenance
redis.instances.update
redis.instances.updateAuth
redis.instances.upgrade
redis.locations.get
redis.locations.list
redis.operations.cancel
redis.operations.delete
redis.operations.get
redis.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Cloud Memorystore Redis Editor

(roles/redis.editor)

Manage Memorystore for Redis instances. Can't create or delete instances.

compute.networks.list

redis.instances.failover

redis.instances.get

redis.instances.list

redis.instances.update

redis.locations.*

redis.locations.get
redis.locations.list

redis.operations.*

redis.operations.cancel
redis.operations.delete
redis.operations.get
redis.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Cloud Memorystore Redis Viewer

(roles/redis.viewer)

Read-only access to all Memorystore for Redis resources.

redis.instances.get

redis.instances.list

redis.locations.*

redis.locations.get
redis.locations.list

redis.operations.get

redis.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Mesh Management roles

Permissions

Mesh Config Admin ^Beta

(roles/meshconfig.admin)

Full access to all mesh configuration resources

meshconfig.*

meshconfig.projects.get
meshconfig.projects.init

Mesh Config Viewer ^Beta

(roles/meshconfig.viewer)

Read access to mesh configuration

meshconfig.projects.get

Migration Center roles

Permissions

Migration Center Admin ^Beta

(roles/migrationcenter.admin)

Full access to Migration Center all resources.

migrationcenter.*

migrationcenter.assets.create
migrationcenter.assets.delete
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.assets.update
migrationcenter.errorFrames.get
migrationcenter.errorFrames.list
migrationcenter.groups.create
migrationcenter.groups.delete
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.groups.update
migrationcenter.importDataFiles.create
migrationcenter.importDataFiles.delete
migrationcenter.importDataFiles.get
migrationcenter.importDataFiles.list
migrationcenter.importJobs.create
migrationcenter.importJobs.delete
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.importJobs.update
migrationcenter.locations.get
migrationcenter.locations.list
migrationcenter.operations.cancel
migrationcenter.operations.delete
migrationcenter.operations.get
migrationcenter.operations.list
migrationcenter.preferenceSets.create
migrationcenter.preferenceSets.delete
migrationcenter.preferenceSets.get
migrationcenter.preferenceSets.list
migrationcenter.preferenceSets.update
migrationcenter.reportConfigs.create
migrationcenter.reportConfigs.delete
migrationcenter.reportConfigs.get
migrationcenter.reportConfigs.list
migrationcenter.reports.create
migrationcenter.reports.delete
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.settings.update
migrationcenter.sources.create
migrationcenter.sources.delete
migrationcenter.sources.get
migrationcenter.sources.list
migrationcenter.sources.update

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list

Migration Center Viewer ^Beta

(roles/migrationcenter.viewer)

Read-only access to Migration Center all resources.

migrationcenter.assets.get

migrationcenter.assets.list

migrationcenter.errorFrames.*

migrationcenter.errorFrames.get
migrationcenter.errorFrames.list

migrationcenter.groups.get

migrationcenter.groups.list

migrationcenter.importDataFiles.get

migrationcenter.importDataFiles.list

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.locations.*

migrationcenter.locations.get
migrationcenter.locations.list

migrationcenter.operations.get

migrationcenter.operations.list

migrationcenter.preferenceSets.get

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.get

migrationcenter.reportConfigs.list

migrationcenter.reports.get

migrationcenter.reports.list

migrationcenter.settings.get

migrationcenter.sources.get

migrationcenter.sources.list

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

Monitoring roles

Permissions

Monitoring Admin

(roles/monitoring.admin)

Provides the same access as the Monitoring Editor role (roles/monitoring.editor).

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.metricsScopes.link
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.create
monitoring.publicWidgets.delete
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.publicWidgets.update
monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring AlertPolicy Editor

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Monitoring AlertPolicy Viewer

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

Monitoring Cloud Console Incident Editor ^Beta

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

Monitoring Cloud Console Incident Viewer ^Beta

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

Monitoring Dashboard Configuration Editor

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update

Monitoring Dashboard Configuration Viewer

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

Monitoring Editor

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update

monitoring.groups.*

monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update

monitoring.metricDescriptors.*

monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.publicWidgets.*

monitoring.publicWidgets.create
monitoring.publicWidgets.delete
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.publicWidgets.update

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring Metric Writer

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

Monitoring Metrics Scopes Admin ^Beta

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring Metrics Scopes Viewer ^Beta

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring NotificationChannel Editor ^Beta

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer ^Beta

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

Monitoring Services Editor

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

Monitoring Services Viewer

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

Monitoring Snooze Editor

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Monitoring Snooze Viewer

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

Monitoring Uptime Check Configuration Editor ^Beta

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Monitoring Uptime Check Configuration Viewer ^Beta

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

Monitoring Viewer

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Network Connectivity roles

Permissions

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Network Management roles

Permissions

Network Management Admin

(roles/networkmanagement.admin)

Full access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.*

networkmanagement.config.get
networkmanagement.config.startFreeTrial
networkmanagement.config.update
networkmanagement.connectivitytests.create
networkmanagement.connectivitytests.delete
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.rerun
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.connectivitytests.update
networkmanagement.locations.get
networkmanagement.locations.list
networkmanagement.operations.get
networkmanagement.operations.list
networkmanagement.topologygraphs.read

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Network Management Viewer

(roles/networkmanagement.viewer)

Read-only access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.config.get

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.locations.*

networkmanagement.locations.get
networkmanagement.locations.list

networkmanagement.operations.*

networkmanagement.operations.get
networkmanagement.operations.list

networkmanagement.topologygraphs.read

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

On-Demand Scanning roles

Permissions

On-Demand Scanning Admin ^Beta

(roles/ondemandscanning.admin)

All permissions for On-Demand Scanning

ondemandscanning.*

ondemandscanning.operations.cancel
ondemandscanning.operations.delete
ondemandscanning.operations.get
ondemandscanning.operations.list
ondemandscanning.operations.wait
ondemandscanning.scans.analyzePackages
ondemandscanning.scans.listVulnerabilities
ondemandscanning.scans.scan

Ops Config Monitoring roles

Permissions

Ops Config Monitoring Resource Metadata Viewer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Organization Policy roles

Permissions

Access Transparency Admin

(roles/axt.admin)

Enable Access Transparency for Organization

Lowest-level resources where you can grant this role:

Project

axt.*

axt.labels.get
axt.labels.set

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Organization Policy Administrator

(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

Organization

orgpolicy.*

orgpolicy.constraints.list
orgpolicy.customConstraints.create
orgpolicy.customConstraints.delete
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.customConstraints.update
orgpolicy.policies.create
orgpolicy.policies.delete
orgpolicy.policies.list
orgpolicy.policies.update
orgpolicy.policy.get
orgpolicy.policy.set

Organization Policy Viewer

(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

Project

orgpolicy.constraints.list

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

Other roles

Permissions

Advisory Notifications Viewer

(roles/advisorynotifications.viewer)

Grants view access in Advisory Notifications

advisorynotifications.*

advisorynotifications.notifications.get
advisorynotifications.notifications.list

resourcemanager.organizations.get

Appliance troubleshooting commands approver ^Beta

(roles/applianceactivation.approver)

Grants access to approve commands to run on appliances

applianceactivation.rttCommands.approve

applianceactivation.rttCommands.get

resourcemanager.projects.get

resourcemanager.projects.list

On-appliance troubleshooting client ^Beta

(roles/applianceactivation.client)

Grants access to read commands for an appliance and send its result.

applianceactivation.rttCommands.get

applianceactivation.rttCommands.sendResult

Appliance troubleshooter ^Beta

(roles/applianceactivation.troubleshooter)

Grants access to send new commands to run on appliances and view the outputs

applianceactivation.rttCommands.create

applianceactivation.rttCommands.get

applianceactivation.rttCommands.list

resourcemanager.projects.get

resourcemanager.projects.list

Autoscaling Metrics Writer ^Beta

(roles/autoscaling.metricsWriter)

Access to write metrics for autoscaling site

autoscaling.sites.writeMetrics

Autoscaling Recommendations Reader ^Beta

(roles/autoscaling.recommendationsReader)

Access to read recommendations from autoscaling site

autoscaling.sites.readRecommendations

Autoscaling Site Admin ^Beta

(roles/autoscaling.sitesAdmin)

Full access to all autoscaling site features

autoscaling.*

autoscaling.sites.getIamPolicy
autoscaling.sites.readRecommendations
autoscaling.sites.setIamPolicy
autoscaling.sites.writeMetrics
autoscaling.sites.writeState

resourcemanager.projects.get

resourcemanager.projects.list

Autoscaling State Writer ^Beta

(roles/autoscaling.stateWriter)

Access to write state for autoscaling site

autoscaling.sites.writeState

Batch Agent Reporter ^Beta

(roles/batch.agentReporter)

Reporter of batch agent states.

batch.states.report

Batch Job Editor ^Beta

(roles/batch.jobsEditor)

Editor of batch Jobs

batch.jobs.*

batch.jobs.create
batch.jobs.delete
batch.jobs.get
batch.jobs.list

batch.locations.*

batch.locations.get
batch.locations.list

batch.operations.*

batch.operations.get
batch.operations.list

batch.tasks.*

batch.tasks.get
batch.tasks.list

resourcemanager.projects.get

resourcemanager.projects.list

Batch Job Viewer ^Beta

(roles/batch.jobsViewer)

Viewer of Batch Jobs, Task Groups and Tasks

batch.jobs.get

batch.jobs.list

batch.locations.*

batch.locations.get
batch.locations.list

batch.operations.*

batch.operations.get
batch.operations.list

batch.tasks.*

batch.tasks.get
batch.tasks.list

resourcemanager.projects.get

resourcemanager.projects.list

BigLake Admin

(roles/biglake.admin)

Provides full access to all BigLake resources.

biglake.*

biglake.catalogs.create
biglake.catalogs.delete
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.create
biglake.databases.delete
biglake.databases.get
biglake.databases.list
biglake.databases.update
biglake.locks.check
biglake.locks.create
biglake.locks.delete
biglake.locks.list
biglake.tables.create
biglake.tables.delete
biglake.tables.get
biglake.tables.list
biglake.tables.lock
biglake.tables.update

resourcemanager.projects.get

resourcemanager.projects.list

BigLake Viewer

(roles/biglake.viewer)

Provides read-only access to all BigLake resources.

biglake.catalogs.get

biglake.catalogs.list

biglake.databases.get

biglake.databases.list

biglake.locks.list

biglake.tables.get

biglake.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

MigrationWorkflow Editor

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.locations.*

bigquerymigration.locations.get
bigquerymigration.locations.list

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

Task Orchestrator

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.subtasks.create

bigquerymigration.taskTypes.orchestrateTask

bigquerymigration.workflows.orchestrateTask

storage.objects.list

Migration Translation User

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

MigrationWorkflow Viewer

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.locations.*

bigquerymigration.locations.get
bigquerymigration.locations.list

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

Task Worker

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

bigquerymigration.subtaskTypes.executeTask

bigquerymigration.subtasks.executeTask

storage.objects.create

storage.objects.get

storage.objects.list

Carbon Footprint Viewer

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

Blockchain Node Engine Admin ^Beta

(roles/blockchainnodeengine.admin)

Full access to Blockchain Node Engine resources.

blockchainnodeengine.*

blockchainnodeengine.blockchainNodes.create
blockchainnodeengine.blockchainNodes.delete
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.blockchainNodes.update
blockchainnodeengine.locations.get
blockchainnodeengine.locations.list
blockchainnodeengine.operations.cancel
blockchainnodeengine.operations.delete
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Blockchain Node Engine Viewer ^Beta

(roles/blockchainnodeengine.viewer)

Read-only access to Blockchain Node Engine resources.

blockchainnodeengine.blockchainNodes.get

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.*

blockchainnodeengine.locations.get
blockchainnodeengine.locations.list

blockchainnodeengine.operations.get

blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Care Studio Patients Viewer

(roles/carestudio.viewer)

This role can view all properties of Patients.

carestudio.*

carestudio.patients.get
carestudio.patients.list

resourcemanager.projects.get

resourcemanager.projects.list

Chronicle Service Admin

(roles/chroniclesm.admin)

Admins can view and modify Chronicle service details.

chroniclesm.*

chroniclesm.gcpAssociations.create
chroniclesm.gcpAssociations.delete
chroniclesm.gcpAssociations.get
chroniclesm.gcpSettings.get
chroniclesm.gcpSettings.update

Chronicle Service Viewer

(roles/chroniclesm.viewer)

Viewers can see Chronicle service details but not change them.

chroniclesm.gcpAssociations.get

chroniclesm.gcpSettings.get

Location reader ^Beta

(roles/cloud.locationReader)

Read and enumerate locations available for resource creation.

cloud.*

cloud.locations.get
cloud.locations.list

Cloud Controls Partner Admin ^Beta

(roles/cloudcontrolspartner.admin)

Full access to Cloud Controls Partner resources.

cloudcontrolspartner.customers.list

cloudcontrolspartner.ekmconnections.get

cloudcontrolspartner.partners.get

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

Cloud Controls Partner Editor ^Beta

(roles/cloudcontrolspartner.editor)

Editor access to Cloud Controls Partner resources.

cloudcontrolspartner.*

cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list

Cloud Controls Partner Inspectability Reader ^Beta

(roles/cloudcontrolspartner.inspectabilityReader)

Readonly access to Cloud Controls Partner inspectability resources.

cloudcontrolspartner.customers.*

cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.platformcontrols.get

Cloud Controls Partner Monitoring Reader ^Beta

(roles/cloudcontrolspartner.monitoringReader)

Read-only access to Cloud Controls Partner monitoring resources.

cloudcontrolspartner.customers.*

cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.*

cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.*

cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list

Cloud Controls Partner Reader ^Beta

(roles/cloudcontrolspartner.reader)

Read-only access to Cloud Controls Partner resources.

cloudcontrolspartner.*

cloudcontrolspartner.customers.get
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.get
cloudcontrolspartner.workloads.list

Cloud Optimization AI Admin

(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources

cloudoptimization.*

cloudoptimization.operations.create
cloudoptimization.operations.get

Cloud Optimization AI Editor

(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources

cloudoptimization.*

cloudoptimization.operations.create
cloudoptimization.operations.get

Cloud Optimization AI Viewer

(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources

cloudoptimization.operations.get

Confidential Space Workload User

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.*

confidentialcomputing.challenges.create
confidentialcomputing.challenges.verify
confidentialcomputing.locations.get
confidentialcomputing.locations.list

logging.logEntries.create

Contact Center AI Platform Admin

(roles/contactcenteraiplatform.admin)

Full access to Contact Center AI Platform resources.

contactcenteraiplatform.*

contactcenteraiplatform.contactCenters.create
contactcenteraiplatform.contactCenters.delete
contactcenteraiplatform.contactCenters.get
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.contactCenters.queryQuota
contactcenteraiplatform.contactCenters.update
contactcenteraiplatform.locations.get
contactcenteraiplatform.locations.list
contactcenteraiplatform.operations.cancel
contactcenteraiplatform.operations.delete
contactcenteraiplatform.operations.get
contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Contact Center AI Platform Viewer

(roles/contactcenteraiplatform.viewer)

Read-only access to Contact Center AI Platform resources.

contactcenteraiplatform.contactCenters.get

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.*

contactcenteraiplatform.locations.get
contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.get

contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Contact Center AI Insights editor

(roles/contactcenterinsights.editor)

Grants read and write access to all Contact Center AI Insights resources.

contactcenterinsights.*

contactcenterinsights.analyses.create
contactcenterinsights.analyses.delete
contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.conversations.create
contactcenterinsights.conversations.delete
contactcenterinsights.conversations.export
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.conversations.update
contactcenterinsights.conversations.upload
contactcenterinsights.issueModels.create
contactcenterinsights.issueModels.delete
contactcenterinsights.issueModels.deploy
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issueModels.undeploy
contactcenterinsights.issueModels.update
contactcenterinsights.issues.create
contactcenterinsights.issues.delete
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.issues.update
contactcenterinsights.operations.get
contactcenterinsights.operations.list
contactcenterinsights.phraseMatchers.create
contactcenterinsights.phraseMatchers.delete
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.phraseMatchers.update
contactcenterinsights.settings.get
contactcenterinsights.settings.update
contactcenterinsights.views.create
contactcenterinsights.views.delete
contactcenterinsights.views.get
contactcenterinsights.views.list
contactcenterinsights.views.update

Contact Center AI Insights viewer

(roles/contactcenterinsights.viewer)

Grants read access to all Contact Center AI Insights resources.

contactcenterinsights.analyses.get

contactcenterinsights.analyses.list

contactcenterinsights.conversations.get

contactcenterinsights.conversations.list

contactcenterinsights.issueModels.get

contactcenterinsights.issueModels.list

contactcenterinsights.issues.get

contactcenterinsights.issues.list

contactcenterinsights.operations.*

contactcenterinsights.operations.get
contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.get

contactcenterinsights.phraseMatchers.list

contactcenterinsights.settings.get

contactcenterinsights.views.get

contactcenterinsights.views.list

GKE Security Posture Viewer ^Beta

(roles/containersecurity.viewer)

Read-only access to GKE Security Posture resources.

containersecurity.*

containersecurity.clusterSummaries.list
containersecurity.findings.list
containersecurity.locations.get
containersecurity.locations.list
containersecurity.workloadConfigAudits.list

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse Admin

(roles/contentwarehouse.admin)

Grants full access to all the resources in Content Warehouse

contentwarehouse.*

contentwarehouse.documentSchemas.create
contentwarehouse.documentSchemas.delete
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.documentSchemas.update
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.locations.initialize
contentwarehouse.operations.get
contentwarehouse.rawDocuments.download
contentwarehouse.rawDocuments.upload
contentwarehouse.ruleSets.create
contentwarehouse.ruleSets.delete
contentwarehouse.ruleSets.get
contentwarehouse.ruleSets.list
contentwarehouse.ruleSets.update
contentwarehouse.synonymSets.create
contentwarehouse.synonymSets.delete
contentwarehouse.synonymSets.get
contentwarehouse.synonymSets.list
contentwarehouse.synonymSets.update

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse Document Admin

(roles/contentwarehouse.documentAdmin)

Grants full access to the document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.*

contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update

contentwarehouse.rawDocuments.*

contentwarehouse.rawDocuments.download
contentwarehouse.rawDocuments.upload

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse document creator

(roles/contentwarehouse.documentCreator)

Grants access to create document in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.documents.create

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse Document Editor

(roles/contentwarehouse.documentEditor)

Grants access to update document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.update

contentwarehouse.rawDocuments.*

contentwarehouse.rawDocuments.download
contentwarehouse.rawDocuments.upload

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse document schema viewer

(roles/contentwarehouse.documentSchemaViewer)

Grants access to view the document schemas in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

resourcemanager.projects.get

resourcemanager.projects.list

Content Warehouse Viewer

(roles/contentwarehouse.documentViewer)

Grants access to view all the resources in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.rawDocuments.download

resourcemanager.projects.get

resourcemanager.projects.list

Data Lineage Administrator

(roles/datalineage.admin)

Grants full access to all resources in Data Lineage API

datalineage.*

datalineage.events.create
datalineage.events.delete
datalineage.events.get
datalineage.events.list
datalineage.locations.searchLinks
datalineage.operations.get
datalineage.processes.create
datalineage.processes.delete
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.delete
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

Data Lineage Editor

(roles/datalineage.editor)

Grants edit access to all resources in Data Lineage API

datalineage.events.*

datalineage.events.create
datalineage.events.delete
datalineage.events.get
datalineage.events.list

datalineage.locations.searchLinks

datalineage.operations.get

datalineage.processes.create

datalineage.processes.get

datalineage.processes.list

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.list

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

Data Lineage Events Producer

(roles/datalineage.producer)

Grants access to creating all resources in Data Lineage API

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

Data Lineage Viewer

(roles/datalineage.viewer)

Grants read access to all resources in Data Lineage API

datalineage.events.get

datalineage.events.list

datalineage.locations.searchLinks

datalineage.processes.get

datalineage.processes.list

datalineage.runs.get

datalineage.runs.list

resourcemanager.projects.get

resourcemanager.projects.list

Data Processing Controls Resource Admin

(roles/dataprocessing.admin)

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

billing.accounts.get

billing.accounts.list

dataprocessing.*

dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.datasources.update
dataprocessing.featurecontrols.list
dataprocessing.featurecontrols.update
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
dataprocessing.groupcontrols.update

Data Processing Controls Data Source Manager

(roles/dataprocessing.dataSourceManager)

Data processing controls data source manager who can get, list, and update the underlying data.

dataprocessing.datasources.list

dataprocessing.datasources.update

Discovery Engine Admin ^Beta

(roles/discoveryengine.admin)

Grants full access to all discoveryengine resources.

discoveryengine.*

discoveryengine.conversations.converse
discoveryengine.dataStores.completeQuery
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.userEvents.create
discoveryengine.userEvents.import

Discovery Engine Editor ^Beta

(roles/discoveryengine.editor)

Grants read and write access to all discovery engine resources.

discoveryengine.*

discoveryengine.conversations.converse
discoveryengine.dataStores.completeQuery
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.update
discoveryengine.operations.get
discoveryengine.operations.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.userEvents.create
discoveryengine.userEvents.import

Discovery Engine Viewer ^Beta

(roles/discoveryengine.viewer)

Grants read access to all discovery engine resources.

discoveryengine.conversations.converse

discoveryengine.dataStores.completeQuery

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.operations.*

discoveryengine.operations.get
discoveryengine.operations.list

discoveryengine.servingConfigs.*

discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search

Essential Contacts Admin

(roles/essentialcontacts.admin)

Full access to all essential contacts

essentialcontacts.*

essentialcontacts.contacts.create
essentialcontacts.contacts.delete
essentialcontacts.contacts.get
essentialcontacts.contacts.list
essentialcontacts.contacts.send
essentialcontacts.contacts.update

Essential Contacts Viewer

(roles/essentialcontacts.viewer)

Viewer for all essential contacts

essentialcontacts.contacts.get

essentialcontacts.contacts.list

Firebase Cloud Messaging API Admin ^Beta

(roles/firebasecloudmessaging.admin)

Full read/write access to Firebase Cloud Messaging API resources.

cloudmessaging.messages.create

fcmdata.deliverydata.list

resourcemanager.projects.get

resourcemanager.projects.list

Firebase Crash Symbol Uploader

(roles/firebasecrash.symbolMappingsAdmin)

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get

firebase.clients.list

resourcemanager.projects.get

Identity Platform Admin ^Beta

(roles/identityplatform.admin)

Full access to Identity Platform resources.

firebaseauth.*

firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update

identitytoolkit.*

identitytoolkit.tenants.create
identitytoolkit.tenants.delete
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
identitytoolkit.tenants.update

Identity Platform Viewer ^Beta

(roles/identityplatform.viewer)

Read access to Identity Platform resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

Identity Toolkit Admin

(roles/identitytoolkit.admin)

Full access to Identity Toolkit resources.

firebaseauth.*

firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update

identitytoolkit.*

identitytoolkit.tenants.create
identitytoolkit.tenants.delete
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
identitytoolkit.tenants.setIamPolicy
identitytoolkit.tenants.update

Identity Toolkit Viewer

(roles/identitytoolkit.viewer)

Read access to Identity Toolkit resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

Apigee Integration Admin

(roles/integrations.apigeeIntegrationAdminRole)

A user that has full access to all Apigee integrations.

connectors.actions.*

connectors.actions.execute
connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeAuthConfigs.*

integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.delete
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.*

integrations.apigeeCertificates.create
integrations.apigeeCertificates.delete
integrations.apigeeCertificates.get
integrations.apigeeCertificates.list
integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.delete
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.delete
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.*

integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.delete
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update

integrations.apigeeSuspensions.*

integrations.apigeeSuspensions.lift
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve

integrations.authConfigs.*

integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update

integrations.certificates.*

integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update

integrations.sfdcInstances.*

integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update

integrations.suspensions.*

integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Integration Deployer

(roles/integrations.apigeeIntegrationDeployerRole)

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Integration Editor

(roles/integrations.apigeeIntegrationEditorRole)

A developer that can list, create and update Apigee integrations.

connectors.actions.*

connectors.actions.execute
connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.delete
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update

integrations.sfdcInstances.*

integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Integration Invoker

(roles/integrations.apigeeIntegrationInvokerRole)

A role that can invoke Apigee integrations.

connectors.actions.*

connectors.actions.execute
connectors.actions.list

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entities.create
connectors.entities.delete
connectors.entities.deleteEntitiesWithConditions
connectors.entities.get
connectors.entities.list
connectors.entities.update
connectors.entities.updateEntitiesWithConditions

connectors.entityTypes.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Integration Viewer

(roles/integrations.apigeeIntegrationsViewer)

A developer that can list and view Apigee integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

Apigee Integration Approver

(roles/integrations.apigeeSuspensionResolver)

A role that can approve / reject Apigee integrations that contain a suspension/wait task.

integrations.apigeeSuspensions.*

integrations.apigeeSuspensions.lift
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve

integrations.suspensions.*

integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

Certificate Viewer

(roles/integrations.certificateViewer)

A developer that can list and view Certificates.

integrations.certificates.get

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Admin

(roles/integrations.integrationAdmin)

A user that has full access (CRUD) to all integrations.

integrations.apigeeAuthConfigs.*

integrations.apigeeAuthConfigs.create
integrations.apigeeAuthConfigs.delete
integrations.apigeeAuthConfigs.get
integrations.apigeeAuthConfigs.list
integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.*

integrations.apigeeCertificates.create
integrations.apigeeCertificates.delete
integrations.apigeeCertificates.get
integrations.apigeeCertificates.list
integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.delete
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcChannels.create
integrations.apigeeSfdcChannels.delete
integrations.apigeeSfdcChannels.get
integrations.apigeeSfdcChannels.list
integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.*

integrations.apigeeSfdcInstances.create
integrations.apigeeSfdcInstances.delete
integrations.apigeeSfdcInstances.get
integrations.apigeeSfdcInstances.list
integrations.apigeeSfdcInstances.update

integrations.apigeeSuspensions.*

integrations.apigeeSuspensions.lift
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve

integrations.authConfigs.*

integrations.authConfigs.create
integrations.authConfigs.delete
integrations.authConfigs.get
integrations.authConfigs.list
integrations.authConfigs.update

integrations.certificates.*

integrations.certificates.create
integrations.certificates.delete
integrations.certificates.get
integrations.certificates.list
integrations.certificates.update

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.integrations.create
integrations.integrations.delete
integrations.integrations.deploy
integrations.integrations.get
integrations.integrations.invoke
integrations.integrations.list
integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update

integrations.sfdcInstances.*

integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update

integrations.suspensions.*

integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Deployer

(roles/integrations.integrationDeployer)

A developer that can deploy/undeploy integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Editor

(roles/integrations.integrationEditor)

A developer that can list, create and update integrations.

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrationVers.create
integrations.apigeeIntegrationVers.delete
integrations.apigeeIntegrationVers.deploy
integrations.apigeeIntegrationVers.get
integrations.apigeeIntegrationVers.list
integrations.apigeeIntegrationVers.update

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update

integrations.sfdcInstances.*

integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Invoker

(roles/integrations.integrationInvoker)

A role that can invoke integrations.

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.apigeeIntegrations.invoke
integrations.apigeeIntegrations.list

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Viewer

(roles/integrations.integrationViewer)

A developer that can list and view integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

integrations.executions.get
integrations.executions.list

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

Security Integration Admin ^Beta

(roles/integrations.securityIntegrationAdmin)

A user that has full access to all Security integrations.

integrations.securityAuthConfigs.*

integrations.securityAuthConfigs.create
integrations.securityAuthConfigs.delete
integrations.securityAuthConfigs.get
integrations.securityAuthConfigs.list
integrations.securityAuthConfigs.update

integrations.securityExecutions.*

integrations.securityExecutions.cancel
integrations.securityExecutions.get
integrations.securityExecutions.list

integrations.securityIntegTempVers.*

integrations.securityIntegTempVers.create
integrations.securityIntegTempVers.get
integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.*

integrations.securityIntegrationVers.create
integrations.securityIntegrationVers.delete
integrations.securityIntegrationVers.deploy
integrations.securityIntegrationVers.get
integrations.securityIntegrationVers.list
integrations.securityIntegrationVers.update

integrations.securityIntegrations.*

integrations.securityIntegrations.invoke
integrations.securityIntegrations.list

Application Integration SFDC Instance Admin

(roles/integrations.sfdcInstanceAdmin)

A user that has full access (CRUD) to all SFDC instances.

integrations.sfdcChannels.*

integrations.sfdcChannels.create
integrations.sfdcChannels.delete
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcChannels.update

integrations.sfdcInstances.*

integrations.sfdcInstances.create
integrations.sfdcInstances.delete
integrations.sfdcInstances.get
integrations.sfdcInstances.list
integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration SFDC Instance Editor

(roles/integrations.sfdcInstanceEditor)

A developer that can list, create and update integrations.

integrations.sfdcChannels.create

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcChannels.update

integrations.sfdcInstances.create

integrations.sfdcInstances.get

integrations.sfdcInstances.list

integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration SFDC Instance Viewer

(roles/integrations.sfdcInstanceViewer)

A developer that can list and view SFDC instances.

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcInstances.get

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

Application Integration Approver

(roles/integrations.suspensionResolver)

A role that can resolve suspended integrations.

integrations.apigeeSuspensions.*

integrations.apigeeSuspensions.lift
integrations.apigeeSuspensions.list
integrations.apigeeSuspensions.resolve

integrations.suspensions.*

integrations.suspensions.lift
integrations.suspensions.list
integrations.suspensions.resolve

resourcemanager.projects.get

resourcemanager.projects.list

Issuerswitch Admin ^Beta

(roles/issuerswitch.admin)

Access to all issuer switch roles

issuerswitch.*

issuerswitch.complaintTransactions.list
issuerswitch.complaints.create
issuerswitch.complaints.resolve
issuerswitch.disputes.create
issuerswitch.disputes.resolve
issuerswitch.financialTransactions.list
issuerswitch.mandateTransactions.list
issuerswitch.metadataTransactions.list
issuerswitch.operations.cancel
issuerswitch.operations.delete
issuerswitch.operations.get
issuerswitch.operations.list
issuerswitch.operations.wait
issuerswitch.ruleMetadata.list
issuerswitch.ruleMetadataValues.create
issuerswitch.ruleMetadataValues.delete
issuerswitch.ruleMetadataValues.list
issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

Issuerswitch Resolutions Admin ^Beta

(roles/issuerswitch.resolutionsAdmin)

Full access to issuer switch resolutions

issuerswitch.complaintTransactions.list

issuerswitch.complaints.*

issuerswitch.complaints.create
issuerswitch.complaints.resolve

issuerswitch.disputes.*

issuerswitch.disputes.create
issuerswitch.disputes.resolve

issuerswitch.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

Issuerswitch Rules Admin ^Beta

(roles/issuerswitch.rulesAdmin)

Full access to issuer switch rules

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.*

issuerswitch.ruleMetadataValues.create
issuerswitch.ruleMetadataValues.delete
issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

Issuerswitch Rules Viewer ^Beta

(roles/issuerswitch.rulesViewer)

This role can view rules and related metadata.

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

Issuerswitch Transactions Viewer ^Beta

(roles/issuerswitch.transactionsViewer)

This role can view all transactions

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Maps Platform Datasets Admin ^Beta

(roles/mapsplatformdatasets.admin)

Grants read and write access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.*

mapsadmin.clientStyles.create
mapsadmin.clientStyles.delete
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.clientStyles.update

mapsplatformdatasets.*

mapsplatformdatasets.datasets.create
mapsplatformdatasets.datasets.delete
mapsplatformdatasets.datasets.export
mapsplatformdatasets.datasets.get
mapsplatformdatasets.datasets.import
mapsplatformdatasets.datasets.list
mapsplatformdatasets.datasets.update

resourcemanager.projects.get

resourcemanager.projects.list

Maps Platform Datasets Viewer ^Beta

(roles/mapsplatformdatasets.viewer)

Grants read-only access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsplatformdatasets.datasets.export

mapsplatformdatasets.datasets.get

mapsplatformdatasets.datasets.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Home Developer Console Admin

(roles/nestconsole.homeDeveloperAdmin)

Admin access to Google Home Developer Console resources

nestconsole.*

nestconsole.smarthomePreviews.update
nestconsole.smarthomeProjects.create
nestconsole.smarthomeProjects.delete
nestconsole.smarthomeProjects.get
nestconsole.smarthomeProjects.update
nestconsole.smarthomeVersions.create
nestconsole.smarthomeVersions.get
nestconsole.smarthomeVersions.submit

resourcemanager.projects.get

resourcemanager.projects.list

Google Home Developer Console Editor

(roles/nestconsole.homeDeveloperEditor)

Read-Write access to Google Home Developer Console resources

nestconsole.smarthomePreviews.update

nestconsole.smarthomeProjects.get

nestconsole.smarthomeProjects.update

nestconsole.smarthomeVersions.*

nestconsole.smarthomeVersions.create
nestconsole.smarthomeVersions.get
nestconsole.smarthomeVersions.submit

resourcemanager.projects.get

resourcemanager.projects.list

Google Home Developer Console Reader

(roles/nestconsole.homeDeveloperViewer)

Read-only access to Google Home Developer Console resources

nestconsole.smarthomeProjects.get

nestconsole.smarthomeVersions.get

resourcemanager.projects.get

resourcemanager.projects.list

OAuth Config Editor ^Beta

(roles/oauthconfig.editor)

Read/write access to OAuth config resources

clientauthconfig.*

clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update

oauthconfig.*

oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.testusers.update
oauthconfig.verification.get
oauthconfig.verification.submit
oauthconfig.verification.update

OAuth Config Viewer ^Beta

(roles/oauthconfig.viewer)

Read-only access to OAuth config resources

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.clients.get

clientauthconfig.clients.list

oauthconfig.clientpolicy.get

oauthconfig.testusers.get

oauthconfig.verification.get

Payments Reseller Admin ^Beta

(roles/paymentsresellersubscription.partnerAdmin)

Full access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.*

paymentsresellersubscription.products.list
paymentsresellersubscription.promotions.list
paymentsresellersubscription.subscriptions.cancel
paymentsresellersubscription.subscriptions.extend
paymentsresellersubscription.subscriptions.get
paymentsresellersubscription.subscriptions.provision
paymentsresellersubscription.subscriptions.undoCancel

resourcemanager.projects.get

resourcemanager.projects.list

Payments Reseller Viewer ^Beta

(roles/paymentsresellersubscription.partnerViewer)

Read access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

Payments Reseller Products Viewer ^Beta

(roles/paymentsresellersubscription.productViewer)

Read access to Payments Reseller Product resource

paymentsresellersubscription.products.list

resourcemanager.projects.get

resourcemanager.projects.list

Payments Reseller Promotions Viewer ^Beta

(roles/paymentsresellersubscription.promotionViewer)

Read access to Payments Reseller Promotion resource

paymentsresellersubscription.promotions.list

resourcemanager.projects.get

resourcemanager.projects.list

Payments Reseller Subscriptions Editor ^Beta

(roles/paymentsresellersubscription.subscriptionEditor)

Write access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.*

paymentsresellersubscription.subscriptions.cancel
paymentsresellersubscription.subscriptions.extend
paymentsresellersubscription.subscriptions.get
paymentsresellersubscription.subscriptions.provision
paymentsresellersubscription.subscriptions.undoCancel

resourcemanager.projects.get

resourcemanager.projects.list

Payments Reseller Subscriptions Viewer ^Beta

(roles/paymentsresellersubscription.subscriptionViewer)

Read access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

Activity Analysis Viewer ^Beta

(roles/policyanalyzer.activityAnalysisViewer)

Viewer user that can read all activity analysis.

policyanalyzer.*

policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query
policyanalyzer.serviceAccountLastAuthenticationActivities.query

Simulator Admin ^Beta

(roles/policysimulator.admin)

Admin user that can run and access replays.

policysimulator.*

policysimulator.replayResults.list
policysimulator.replays.create
policysimulator.replays.get
policysimulator.replays.list
policysimulator.replays.run

External Account Key Creator ^Beta

(roles/publicca.externalAccountKeyCreator)

This role can create a new externalAccountKey resource.

publicca.externalAccountKeys.create

resourcemanager.projects.get

resourcemanager.projects.list

Recommendations Exporter ^Beta

(roles/recommender.exporter)

Exporter of Recommendations

recommender.resources.export

Remote Build Execution Action Cache Writer ^Beta

(roles/remotebuildexecution.actionCacheWriter)

Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set

remotebuildexecution.blobs.create

Remote Build Execution Artifact Admin ^Beta

(roles/remotebuildexecution.artifactAdmin)

Remote Build Execution Artifact Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.blobs.create
remotebuildexecution.blobs.get

remotebuildexecution.logstreams.*

remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.get
remotebuildexecution.logstreams.update

Remote Build Execution Artifact Creator ^Beta

(roles/remotebuildexecution.artifactCreator)

Remote Build Execution Artifact Creator

remotebuildexecution.actions.create

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.blobs.create
remotebuildexecution.blobs.get

remotebuildexecution.logstreams.*

remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.get
remotebuildexecution.logstreams.update

Remote Build Execution Artifact Viewer ^Beta

(roles/remotebuildexecution.artifactViewer)

Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get

remotebuildexecution.blobs.get

remotebuildexecution.logstreams.get

Remote Build Execution Configuration Admin ^Beta

(roles/remotebuildexecution.configurationAdmin)

Remote Build Execution Configuration Admin

remotebuildexecution.instances.*

remotebuildexecution.instances.create
remotebuildexecution.instances.delete
remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.instances.update

remotebuildexecution.workerpools.*

remotebuildexecution.workerpools.create
remotebuildexecution.workerpools.delete
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list
remotebuildexecution.workerpools.update

Remote Build Execution Configuration Viewer ^Beta

(roles/remotebuildexecution.configurationViewer)

Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get

remotebuildexecution.instances.list

remotebuildexecution.workerpools.get

remotebuildexecution.workerpools.list

Remote Build Execution Logstream Writer ^Beta

(roles/remotebuildexecution.logstreamWriter)

Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

Remote Build Execution Reservation Admin ^Beta

(roles/remotebuildexecution.reservationAdmin)

Remote Build Execution Reservation Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

Remote Build Execution Worker ^Beta

(roles/remotebuildexecution.worker)

Remote Build Execution Worker

remotebuildexecution.actions.update

remotebuildexecution.blobs.*

remotebuildexecution.blobs.create
remotebuildexecution.blobs.get

remotebuildexecution.botsessions.*

remotebuildexecution.botsessions.create
remotebuildexecution.botsessions.update

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

Retail Admin

(roles/retail.admin)

Full access to Retail api resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update

automlrecommendations.catalogs.*

automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.events.purge

automlrecommendations.events.rejoin

automlrecommendations.placements.*

automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list

automlrecommendations.recommendations.*

automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update

retail.*

retail.attributesConfigs.addCatalogAttribute
retail.attributesConfigs.batchRemoveCatalogAttributes
retail.attributesConfigs.exportCatalogAttributes
retail.attributesConfigs.get
retail.attributesConfigs.importCatalogAttributes
retail.attributesConfigs.removeCatalogAttribute
retail.attributesConfigs.replaceCatalogAttribute
retail.attributesConfigs.update
retail.catalogs.completeQuery
retail.catalogs.import
retail.catalogs.list
retail.catalogs.update
retail.controls.create
retail.controls.delete
retail.controls.export
retail.controls.get
retail.controls.import
retail.controls.list
retail.controls.update
retail.models.create
retail.models.delete
retail.models.get
retail.models.list
retail.models.pause
retail.models.resume
retail.models.tune
retail.models.update
retail.operations.get
retail.operations.list
retail.placements.predict
retail.placements.search
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.purge
retail.products.setSponsorship
retail.products.update
retail.retailProjects.get
retail.servingConfigs.create
retail.servingConfigs.delete
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.predict
retail.servingConfigs.search
retail.servingConfigs.update
retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin

Retail Editor

(roles/retail.editor)

Full access to Retail api resources except purge, rejoin, and setSponsorship.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update

automlrecommendations.catalogs.*

automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.placements.*

automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list

automlrecommendations.recommendations.*

automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update

retail.attributesConfigs.addCatalogAttribute

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.attributesConfigs.importCatalogAttributes

retail.attributesConfigs.replaceCatalogAttribute

retail.attributesConfigs.update

retail.catalogs.*

retail.catalogs.completeQuery
retail.catalogs.import
retail.catalogs.list
retail.catalogs.update

retail.controls.*

retail.controls.create
retail.controls.delete
retail.controls.export
retail.controls.get
retail.controls.import
retail.controls.list
retail.controls.update

retail.models.*

retail.models.create
retail.models.delete
retail.models.get
retail.models.list
retail.models.pause
retail.models.resume
retail.models.tune
retail.models.update

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.servingConfigs.*

retail.servingConfigs.create
retail.servingConfigs.delete
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.predict
retail.servingConfigs.search
retail.servingConfigs.update

retail.userEvents.create

retail.userEvents.import

Retail Viewer

(roles/retail.viewer)

Grants access to read all resources in Retail.

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.getStats

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.catalogs.completeQuery

retail.catalogs.list

retail.controls.export

retail.controls.get

retail.controls.list

retail.models.get

retail.models.list

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

retail.servingConfigs.get

retail.servingConfigs.list

retail.servingConfigs.predict

retail.servingConfigs.search

RISC Configuration Admin ^Beta

(roles/riscconfigs.admin)

Read/write access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.*

riscconfigurationservice.riscconfigs.createOrUpdate
riscconfigurationservice.riscconfigs.delete
riscconfigurationservice.riscconfigs.get

RISC Configuration Viewer ^Beta

(roles/riscconfigs.viewer)

Read-only access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.riscconfigs.get

Serverless Integrations Developer ^Beta

(roles/runapps.developer)

Access to create and change Serverless Integrations and their configuration.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.*

runapps.applications.create
runapps.applications.delete
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.applications.update

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.locations.get
runapps.locations.list

runapps.operations.*

runapps.operations.cancel
runapps.operations.delete
runapps.operations.get
runapps.operations.list

Serverless Integrations Operator ^Beta

(roles/runapps.operator)

Access to deploy Serverless Integrations.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.*

runapps.deployments.create
runapps.deployments.get
runapps.deployments.list

runapps.locations.*

runapps.locations.get
runapps.locations.list

runapps.operations.*

runapps.operations.cancel
runapps.operations.delete
runapps.operations.get
runapps.operations.list

Serverless Integrations Viewer ^Beta

(roles/runapps.viewer)

Read-only access to Serverless Integrations resources.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.locations.get
runapps.locations.list

runapps.operations.get

runapps.operations.list

Cloud RuntimeConfig Admin

(roles/runtimeconfig.admin)

Full access to RuntimeConfig resources.

runtimeconfig.*

runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.configs.update
runtimeconfig.operations.get
runtimeconfig.operations.list
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
runtimeconfig.waiters.update

SLZ BQDW Blueprint Organization Level Remediator ^Beta

(roles/securedlandingzone.bqdwOrgRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

accesscontextmanager.servicePerimeters.update

SLZ BQDW Blueprint Project Level Remediator ^Beta

(roles/securedlandingzone.bqdwProjectRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.datasets.update

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.update

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.setIamPolicy

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsub.topics.update

resourcemanager.projects.update

serviceusage.services.use

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.buckets.update

Overwatch Activator ^Beta

(roles/securedlandingzone.overwatchActivator)

This role can activate or suspend Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.overwatches.activate

securedlandingzone.overwatches.suspend

Overwatch Admin ^Beta

(roles/securedlandingzone.overwatchAdmin)

Full access to Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.*

securedlandingzone.operations.get
securedlandingzone.overwatches.activate
securedlandingzone.overwatches.create
securedlandingzone.overwatches.delete
securedlandingzone.overwatches.get
securedlandingzone.overwatches.list
securedlandingzone.overwatches.suspend
securedlandingzone.overwatches.update

Overwatch Viewer ^Beta

(roles/securedlandingzone.overwatchViewer)

This role can view all properties of Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.operations.get

securedlandingzone.overwatches.get

securedlandingzone.overwatches.list

Personalized Service Health Viewer ^Beta

(roles/servicehealth.viewer)

Readonly access to Personalized Service Health resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicehealth.*

servicehealth.events.get
servicehealth.events.list
servicehealth.locations.get
servicehealth.locations.list
servicehealth.organizationEvents.get
servicehealth.organizationEvents.list
servicehealth.organizationImpacts.get
servicehealth.organizationImpacts.list

Security Insights Viewer ^Beta

(roles/servicesecurityinsights.securityInsightsViewer)

Read-only access to Security Insights resources

servicesecurityinsights.*

servicesecurityinsights.clusterSecurityInfo.get
servicesecurityinsights.clusterSecurityInfo.list
servicesecurityinsights.policies.get
servicesecurityinsights.projectStates.get
servicesecurityinsights.securityInfo.list
servicesecurityinsights.securityViews.get
servicesecurityinsights.workloadPolicies.list
servicesecurityinsights.workloadSecurityInfo.get

Speaker ID Admin

(roles/speakerid.admin)

Grants full access to all Speaker ID resources, including project settings.

speakerid.*

speakerid.phrases.create
speakerid.phrases.delete
speakerid.phrases.get
speakerid.phrases.list
speakerid.settings.get
speakerid.settings.update
speakerid.speakers.create
speakerid.speakers.delete
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify

Speaker ID Editor

(roles/speakerid.editor)

Grants access to read and write all Speaker ID resources.

speakerid.phrases.*

speakerid.phrases.create
speakerid.phrases.delete
speakerid.phrases.get
speakerid.phrases.list

speakerid.speakers.*

speakerid.speakers.create
speakerid.speakers.delete
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify

Speaker ID Verifier

(roles/speakerid.verifier)

Grants read access to all Speaker ID resources, and allows verification.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

speakerid.speakers.verify

Speaker ID Viewer

(roles/speakerid.viewer)

Grants read access to all Speaker ID resources.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

Cloud Speech Administrator

(roles/speech.admin)

Grants full access to all resources in Speech-to-text

speech.*

speech.adaptations.execute
speech.config.get
speech.config.update
speech.customClasses.create
speech.customClasses.delete
speech.customClasses.get
speech.customClasses.list
speech.customClasses.undelete
speech.customClasses.update
speech.locations.get
speech.locations.list
speech.operations.cancel
speech.operations.delete
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.create
speech.phraseSets.delete
speech.phraseSets.get
speech.phraseSets.list
speech.phraseSets.undelete
speech.phraseSets.update
speech.recognizers.create
speech.recognizers.delete
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
speech.recognizers.undelete
speech.recognizers.update

Cloud Speech Client

(roles/speech.client)

Grants access to the recognition APIs.

speech.adaptations.execute

speech.customClasses.get

speech.customClasses.list

speech.locations.*

speech.locations.get
speech.locations.list

speech.operations.get

speech.operations.list

speech.operations.wait

speech.phraseSets.get

speech.phraseSets.list

speech.recognizers.get

speech.recognizers.list

speech.recognizers.recognize

Cloud Speech Editor

(roles/speech.editor)

Grants access to edit resources in Speech-to-text

speech.adaptations.execute

speech.customClasses.*

speech.customClasses.create
speech.customClasses.delete
speech.customClasses.get
speech.customClasses.list
speech.customClasses.undelete
speech.customClasses.update

speech.locations.*

speech.locations.get
speech.locations.list

speech.operations.*

speech.operations.cancel
speech.operations.delete
speech.operations.get
speech.operations.list
speech.operations.wait

speech.phraseSets.*

speech.phraseSets.create
speech.phraseSets.delete
speech.phraseSets.get
speech.phraseSets.list
speech.phraseSets.undelete
speech.phraseSets.update

speech.recognizers.*

speech.recognizers.create
speech.recognizers.delete
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
speech.recognizers.undelete
speech.recognizers.update

Storage Insights Admin

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

storageinsights.locations.get
storageinsights.locations.list
storageinsights.operations.cancel
storageinsights.operations.delete
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.create
storageinsights.reportConfigs.delete
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportConfigs.update
storageinsights.reportDetails.get
storageinsights.reportDetails.list

Storage Insights Viewer

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.locations.*

storageinsights.locations.get
storageinsights.locations.list

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

storageinsights.reportDetails.get
storageinsights.reportDetails.list

Subscribe with Google Developer ^Beta

(roles/subscribewithgoogledeveloper.developer)

Access DevTools for Subscribe with Google

resourcemanager.projects.get

resourcemanager.projects.list

subscribewithgoogledeveloper.tools.get

Timeseries Insights DataSet Editor ^Beta

(roles/timeseriesinsights.datasetsEditor)

Edit access to DataSets.

timeseriesinsights.*

timeseriesinsights.datasets.create
timeseriesinsights.datasets.delete
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.datasets.update
timeseriesinsights.locations.get
timeseriesinsights.locations.list

Timeseries Insights DataSet Owner ^Beta

(roles/timeseriesinsights.datasetsOwner)

Full access to DataSets.

timeseriesinsights.*

timeseriesinsights.datasets.create
timeseriesinsights.datasets.delete
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.datasets.update
timeseriesinsights.locations.get
timeseriesinsights.locations.list

Timeseries Insights DataSet Viewer ^Beta

(roles/timeseriesinsights.datasetsViewer)

Read-only access (List and Query) to DataSets.

timeseriesinsights.datasets.evaluate

timeseriesinsights.datasets.list

timeseriesinsights.datasets.query

timeseriesinsights.locations.*

timeseriesinsights.locations.get
timeseriesinsights.locations.list

Traffic Director Client ^Beta

(roles/trafficdirector.client)

Fetch service configurations and report metrics.

trafficdirector.*

trafficdirector.networks.getConfigs
trafficdirector.networks.reportMetrics

Translation Hub Admin ^Beta

(roles/translationhub.admin)

Admin of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.create

cloudtranslate.glossaries.delete

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.*

translationhub.portals.create
translationhub.portals.delete
translationhub.portals.get
translationhub.portals.list
translationhub.portals.update

Translation Hub Portal User ^Beta

(roles/translationhub.portalUser)

Portal user of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.portals.get

translationhub.portals.list

VisionAI Admin ^Beta

(roles/visionai.admin)

Full access to Vision AI all resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.*

visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.analyses.update
visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update
visionai.applications.create
visionai.applications.delete
visionai.applications.deploy
visionai.applications.get
visionai.applications.list
visionai.applications.undeploy
visionai.applications.update
visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.create
visionai.corpora.delete
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.corpora.update
visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.update
visionai.dataSchemas.validate
visionai.drafts.create
visionai.drafts.delete
visionai.drafts.get
visionai.drafts.list
visionai.drafts.update
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.events.update
visionai.instances.get
visionai.instances.list
visionai.locations.get
visionai.locations.list
visionai.operations.cancel
visionai.operations.delete
visionai.operations.get
visionai.operations.list
visionai.operations.wait
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.getIamPolicy
visionai.operators.list
visionai.operators.setIamPolicy
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.processors.update
visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.searchConfigs.update
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.setIamPolicy
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.setIamPolicy
visionai.streams.update
visionai.uistreams.create
visionai.uistreams.delete
visionai.uistreams.generateStreamThumbnails
visionai.uistreams.get
visionai.uistreams.list

Vision AI Analysis Editor ^Beta

(roles/visionai.analysisEditor)

Access to read and write Vision AI Analyses.

visionai.analyses.create

visionai.analyses.delete

visionai.analyses.get

visionai.analyses.list

visionai.analyses.update

Vision AI Analysis Viewer ^Beta

(roles/visionai.analysisViewer)

Access to read Vision AI Analyses.

visionai.analyses.get

visionai.analyses.list

Vision AI Application Editor ^Beta

(roles/visionai.applicationEditor)

Access to read and write Vision AI Applications.

visionai.applications.*

visionai.applications.create
visionai.applications.delete
visionai.applications.deploy
visionai.applications.get
visionai.applications.list
visionai.applications.undeploy
visionai.applications.update

visionai.drafts.*

visionai.drafts.create
visionai.drafts.delete
visionai.drafts.get
visionai.drafts.list
visionai.drafts.update

visionai.instances.*

visionai.instances.get
visionai.instances.list

Vision AI Application Viewer ^Beta

(roles/visionai.applicationViewer)

Access to read Vision AI Applications.

visionai.applications.get

visionai.applications.list

visionai.drafts.get

visionai.drafts.list

visionai.instances.*

visionai.instances.get
visionai.instances.list

VisionAI Warehouse Asset Creator ^Beta

(roles/visionai.assetCreator)

Grants access to ingest media assets into the Warehouse.

visionai.assets.create

visionai.assets.ingest

Vision AI Cluster Editor ^Beta

(roles/visionai.clusterEditor)

Access to read and write Vision AI Cluster.

visionai.clusters.create

visionai.clusters.delete

visionai.clusters.get

visionai.clusters.list

visionai.clusters.update

visionai.clusters.watch

Vision AI Cluster Viewer ^Beta

(roles/visionai.clusterViewer)

Access to read Vision AI Clusters.

visionai.clusters.get

visionai.clusters.list

VisionAI Warehouse Corpus Administrator ^Beta

(roles/visionai.corpusAdmin)

Full control to everything in a corpus including corpus access control.

visionai.annotations.*

visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update

visionai.assets.*

visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update

visionai.corpora.*

visionai.corpora.create
visionai.corpora.delete
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.corpora.update

visionai.dataSchemas.*

visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.update
visionai.dataSchemas.validate

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.*

visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.searchConfigs.update

VisionAI Warehouse Corpus Editor ^Beta

(roles/visionai.corpusEditor)

Read-write access to everything in a corpus.

visionai.annotations.*

visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update

visionai.assets.*

visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update

visionai.corpora.*

visionai.corpora.create
visionai.corpora.delete
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.corpora.update

visionai.dataSchemas.*

visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.update
visionai.dataSchemas.validate

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.*

visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.searchConfigs.update

VisionAI Warehouse Corpus Viewer ^Beta

(roles/visionai.corpusViewer)

Grants access to view everything in a corpus.

visionai.annotations.get

visionai.annotations.list

visionai.assets.clip

visionai.assets.generateHlsUri

visionai.assets.get

visionai.assets.list

visionai.assets.search

visionai.corpora.get

visionai.corpora.list

visionai.corpora.suggest

visionai.dataSchemas.get

visionai.dataSchemas.list

visionai.dataSchemas.validate

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.get

visionai.searchConfigs.list

VisionAI Warehouse Corpus Writer ^Beta

(roles/visionai.corpusWriter)

Grants access to create/update/delete everything in a corpus.

visionai.annotations.*

visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update

visionai.assets.*

visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update

visionai.corpora.delete

visionai.corpora.update

visionai.dataSchemas.create

visionai.dataSchemas.delete

visionai.dataSchemas.update

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.create

visionai.searchConfigs.delete

visionai.searchConfigs.update

VisionAI Editor ^Beta

(roles/visionai.editor)

Edit access to Vision AI all resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.analyses.create

visionai.analyses.delete

visionai.analyses.get

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.analyses.update

visionai.annotations.*

visionai.annotations.create
visionai.annotations.delete
visionai.annotations.get
visionai.annotations.list
visionai.annotations.update

visionai.applications.*

visionai.applications.create
visionai.applications.delete
visionai.applications.deploy
visionai.applications.get
visionai.applications.list
visionai.applications.undeploy
visionai.applications.update

visionai.assets.*

visionai.assets.clip
visionai.assets.create
visionai.assets.delete
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.ingest
visionai.assets.list
visionai.assets.search
visionai.assets.update

visionai.clusters.create

visionai.clusters.delete

visionai.clusters.get

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.clusters.update

visionai.clusters.watch

visionai.corpora.*

visionai.corpora.create
visionai.corpora.delete
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.corpora.update

visionai.dataSchemas.*

visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.update
visionai.dataSchemas.validate

visionai.drafts.*

visionai.drafts.create
visionai.drafts.delete
visionai.drafts.get
visionai.drafts.list
visionai.drafts.update

visionai.events.create

visionai.events.delete

visionai.events.get

visionai.events.getIamPolicy

visionai.events.list

visionai.events.update

visionai.instances.*

visionai.instances.get
visionai.instances.list

visionai.locations.*

visionai.locations.get
visionai.locations.list

visionai.operations.*

visionai.operations.cancel
visionai.operations.delete
visionai.operations.get
visionai.operations.list
visionai.operations.wait

visionai.operators.create

visionai.operators.delete

visionai.operators.get

visionai.operators.getIamPolicy

visionai.operators.list

visionai.operators.update

visionai.processors.*

visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.processors.update

visionai.searchConfigs.*

visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.searchConfigs.update

visionai.series.acquireLease

visionai.series.create

visionai.series.delete

visionai.series.get

visionai.series.getIamPolicy

visionai.series.list

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.series.update

visionai.streams.create

visionai.streams.delete

visionai.streams.get

visionai.streams.getIamPolicy

visionai.streams.list

visionai.streams.receive

visionai.streams.send

visionai.streams.update

visionai.uistreams.*

visionai.uistreams.create
visionai.uistreams.delete
visionai.uistreams.generateStreamThumbnails
visionai.uistreams.get
visionai.uistreams.list

Vision AI Event Editor ^Beta

(roles/visionai.eventEditor)

Access to read and write Vision AI Events.

visionai.events.create

visionai.events.delete

visionai.events.get

visionai.events.list

visionai.events.update

Vision AI Event Viewer ^Beta

(roles/visionai.eventViewer)

Access to read Vision AI Events.

visionai.events.get

visionai.events.list

Vision AI Operator Editor ^Beta

(roles/visionai.operatorEditor)

Access to read and write Vision AI Operators.

visionai.operators.create

visionai.operators.delete

visionai.operators.get

visionai.operators.list

visionai.operators.update

Vision AI Operator Viewer ^Beta

(roles/visionai.operatorViewer)

Access to read Vision AI Operators.

visionai.operators.get

visionai.operators.list

Vision AI Packet Receiver ^Beta

(roles/visionai.packetReceiver)

Access to read Vision AI Series.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.streams.receive

Vision AI Packet Sender ^Beta

(roles/visionai.packetSender)

Packet sender to the series.

visionai.series.acquireLease

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.streams.send

Vision AI Processor Editor ^Beta

(roles/visionai.processorEditor)

Access to read and write Vision AI Processors.

visionai.processors.*

visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.listPrebuilt
visionai.processors.update

Vision AI Processor Viewer ^Beta

(roles/visionai.processorViewer)

Access to read Vision AI Processors.

visionai.processors.get

visionai.processors.list

visionai.processors.listPrebuilt

Vision AI RetailCatalog Editor ^Beta

(roles/visionai.retailcatalogEditor)

Access to read and write Vision AI RetailCatalogs.

Vision AI RetailCatalog Viewer ^Beta

(roles/visionai.retailcatalogViewer)

Access to read Vision AI RetailCatalogs.

Vision AI RetailEndpoint Editor ^Beta

(roles/visionai.retailendpointEditor)

Access to read and write Vision AI RetailEndpoints.

Vision AI RetailEndpoint Viewer ^Beta

(roles/visionai.retailendpointViewer)

Access to read Vision AI RetailEndpoints.

Vision AI Series Editor ^Beta

(roles/visionai.seriesEditor)

Access to read and write Vision AI Series.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.create

visionai.series.delete

visionai.series.get

visionai.series.list

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.series.update

visionai.streams.receive

visionai.streams.send

Vision AI Series Viewer ^Beta

(roles/visionai.seriesViewer)

Access to read Vision AI Series.

visionai.series.get

visionai.series.list

Vision AI Stream Editor ^Beta

(roles/visionai.streamEditor)

Access to read and write Vision AI Streams.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.streams.create

visionai.streams.delete

visionai.streams.get

visionai.streams.list

visionai.streams.receive

visionai.streams.send

visionai.streams.update

Vision AI Stream Viewer ^Beta

(roles/visionai.streamViewer)

Access to read Vision AI Streams.

visionai.streams.get

visionai.streams.list

Vision AI UI Stream Editor ^Beta

(roles/visionai.uiStreamEditor)

Access to read & write Vision AI UI Streams.

visionai.uistreams.*

visionai.uistreams.create
visionai.uistreams.delete
visionai.uistreams.generateStreamThumbnails
visionai.uistreams.get
visionai.uistreams.list

Vision AI UI Stream Viewer ^Beta

(roles/visionai.uiStreamViewer)

Access to read Vision AI UI Streams.

visionai.uistreams.get

visionai.uistreams.list

VisionAI Viewer ^Beta

(roles/visionai.viewer)

View access to Vision AI all resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.analyses.get

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.annotations.get

visionai.annotations.list

visionai.applications.get

visionai.applications.list

visionai.assets.clip

visionai.assets.generateHlsUri

visionai.assets.get

visionai.assets.list

visionai.assets.search

visionai.clusters.get

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.corpora.get

visionai.corpora.list

visionai.corpora.suggest

visionai.dataSchemas.get

visionai.dataSchemas.list

visionai.dataSchemas.validate

visionai.drafts.get

visionai.drafts.list

visionai.events.get

visionai.events.getIamPolicy

visionai.events.list

visionai.instances.*

visionai.instances.get
visionai.instances.list

visionai.locations.*

visionai.locations.get
visionai.locations.list

visionai.operations.get

visionai.operations.list

visionai.operators.get

visionai.operators.getIamPolicy

visionai.operators.list

visionai.processors.get

visionai.processors.list

visionai.processors.listPrebuilt

visionai.searchConfigs.get

visionai.searchConfigs.list

visionai.series.get

visionai.series.getIamPolicy

visionai.series.list

visionai.streams.get

visionai.streams.getIamPolicy

visionai.streams.list

visionai.uistreams.get

visionai.uistreams.list

Visual Inspection AI Solution Editor

(roles/visualinspection.editor)

Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics

visualinspection.annotationSets.*

visualinspection.annotationSets.create
visualinspection.annotationSets.delete
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSets.update

visualinspection.annotationSpecs.*

visualinspection.annotationSpecs.create
visualinspection.annotationSpecs.delete
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list

visualinspection.annotations.*

visualinspection.annotations.create
visualinspection.annotations.delete
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.annotations.update

visualinspection.datasets.*

visualinspection.datasets.create
visualinspection.datasets.delete
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.import
visualinspection.datasets.list
visualinspection.datasets.update

visualinspection.images.*

visualinspection.images.delete
visualinspection.images.get
visualinspection.images.list
visualinspection.images.update

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.modelEvaluations.get
visualinspection.modelEvaluations.list

visualinspection.models.*

visualinspection.models.create
visualinspection.models.delete
visualinspection.models.get
visualinspection.models.list
visualinspection.models.update
visualinspection.models.writePrediction

visualinspection.modules.*

visualinspection.modules.create
visualinspection.modules.delete
visualinspection.modules.get
visualinspection.modules.list
visualinspection.modules.update

visualinspection.operations.*

visualinspection.operations.get
visualinspection.operations.list

visualinspection.solutionArtifacts.*

visualinspection.solutionArtifacts.create
visualinspection.solutionArtifacts.delete
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutionArtifacts.update

visualinspection.solutions.*

visualinspection.solutions.create
visualinspection.solutions.delete
visualinspection.solutions.get
visualinspection.solutions.list

Visual Inspection AI Usage Metrics Reporter

(roles/visualinspection.usageMetricsReporter)

ReportUsageMetric access to Visual Inspection AI Service

visualinspection.locations.reportUsageMetrics

Visual Inspection AI Viewer

(roles/visualinspection.viewer)

Read access to Visual Inspection AI resources

visualinspection.annotationSets.get

visualinspection.annotationSets.list

visualinspection.annotationSpecs.get

visualinspection.annotationSpecs.list

visualinspection.annotations.get

visualinspection.annotations.list

visualinspection.datasets.export

visualinspection.datasets.get

visualinspection.datasets.list

visualinspection.images.get

visualinspection.images.list

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.modelEvaluations.get
visualinspection.modelEvaluations.list

visualinspection.models.get

visualinspection.models.list

visualinspection.modules.get

visualinspection.modules.list

visualinspection.operations.*

visualinspection.operations.get
visualinspection.operations.list

visualinspection.solutionArtifacts.get

visualinspection.solutionArtifacts.list

visualinspection.solutionArtifacts.predict

visualinspection.solutions.get

visualinspection.solutions.list

Project roles

Permissions

Browser

(roles/browser)

Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.

Lowest-level resources where you can grant this role:

Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Proximity Beacon roles

Permissions

Beacon Attachment Editor

(roles/proximitybeacon.attachmentEditor)

Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.

proximitybeacon.attachments.*

proximitybeacon.attachments.create
proximitybeacon.attachments.delete
proximitybeacon.attachments.get
proximitybeacon.attachments.list

proximitybeacon.beacons.get

proximitybeacon.beacons.list

proximitybeacon.namespaces.list

resourcemanager.projects.get

resourcemanager.projects.list

Beacon Attachment Publisher

(roles/proximitybeacon.attachmentPublisher)

Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.

proximitybeacon.beacons.attach

proximitybeacon.beacons.get

proximitybeacon.beacons.list

resourcemanager.projects.get

resourcemanager.projects.list

Beacon Attachment Viewer

(roles/proximitybeacon.attachmentViewer)

Can view all attachments under a namespace; no beacon or namespace permissions.

proximitybeacon.attachments.get

proximitybeacon.attachments.list

resourcemanager.projects.get

resourcemanager.projects.list

Beacon Editor

(roles/proximitybeacon.beaconEditor)

Necessary access to register, modify, and view beacons; no attachment or namespace permissions.

proximitybeacon.beacons.create

proximitybeacon.beacons.get

proximitybeacon.beacons.list

proximitybeacon.beacons.update

resourcemanager.projects.get

resourcemanager.projects.list

Pub/Sub roles

Permissions

Pub/Sub Admin

(roles/pubsub.admin)

Provides full access to topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.*

pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.setIamPolicy
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub Editor

(roles/pubsub.editor)

Provides access to modify topics and subscriptions, and access to publish and consume messages.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub Publisher

(roles/pubsub.publisher)

Provides access to publish messages to a topic.

Lowest-level resources where you can grant this role:

Topic

pubsub.topics.publish

Pub/Sub Subscriber

(roles/pubsub.subscriber)

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

Lowest-level resources where you can grant this role:

Snapshot
Subscription
Topic

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

Pub/Sub Viewer

(roles/pubsub.viewer)

Provides access to view topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub Lite roles

Permissions

Pub/Sub Lite Admin

(roles/pubsublite.admin)

Full access to topics, subscriptions and reservations.

pubsublite.*

pubsublite.locations.openKafkaStream
pubsublite.operations.get
pubsublite.operations.list
pubsublite.reservations.attachTopic
pubsublite.reservations.create
pubsublite.reservations.delete
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.reservations.update
pubsublite.subscriptions.create
pubsublite.subscriptions.delete
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.subscriptions.update
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.create
pubsublite.topics.delete
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
pubsublite.topics.publish
pubsublite.topics.subscribe
pubsublite.topics.update

Pub/Sub Lite Editor

(roles/pubsublite.editor)

Modify topics, subscriptions and reservations, publish and consume messages.

pubsublite.*

pubsublite.locations.openKafkaStream
pubsublite.operations.get
pubsublite.operations.list
pubsublite.reservations.attachTopic
pubsublite.reservations.create
pubsublite.reservations.delete
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.reservations.update
pubsublite.subscriptions.create
pubsublite.subscriptions.delete
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.subscriptions.update
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.create
pubsublite.topics.delete
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
pubsublite.topics.publish
pubsublite.topics.subscribe
pubsublite.topics.update

Pub/Sub Lite Publisher

(roles/pubsublite.publisher)

Publish messages to a topic.

pubsublite.locations.openKafkaStream

pubsublite.topics.getPartitions

pubsublite.topics.publish

Pub/Sub Lite Subscriber

(roles/pubsublite.subscriber)

Subscribe to and read messages from a topic.

pubsublite.locations.openKafkaStream

pubsublite.operations.get

pubsublite.subscriptions.getCursor

pubsublite.subscriptions.seek

pubsublite.subscriptions.setCursor

pubsublite.subscriptions.subscribe

pubsublite.topics.computeHeadCursor

pubsublite.topics.computeMessageStats

pubsublite.topics.computeTimeCursor

pubsublite.topics.getPartitions

pubsublite.topics.subscribe

Pub/Sub Lite Viewer

(roles/pubsublite.viewer)

View topics, subscriptions and reservations.

pubsublite.operations.*

pubsublite.operations.get
pubsublite.operations.list

pubsublite.reservations.get

pubsublite.reservations.list

pubsublite.reservations.listTopics

pubsublite.subscriptions.get

pubsublite.subscriptions.getCursor

pubsublite.subscriptions.list

pubsublite.topics.get

pubsublite.topics.getPartitions

pubsublite.topics.list

pubsublite.topics.listSubscriptions

Rapid Migration Assessment roles

Permissions

Rapid Migration Assessment Admin

(roles/rma.admin)

Full access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

rma.annotations.create
rma.annotations.get
rma.collectors.create
rma.collectors.delete
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.get
rma.locations.list
rma.operations.cancel
rma.operations.delete
rma.operations.get
rma.operations.list

Rapid Migration Assessment Runner

(roles/rma.runner)

Update and Read access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.collectors.update

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

Rapid Migration Assessment Viewer

(roles/rma.viewer)

Read-only access to Rapid Migration Assessment all resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.locations.get
rma.locations.list

rma.operations.get

rma.operations.list

reCAPTCHA Enterprise roles

Permissions

reCAPTCHA Enterprise Admin ^Beta

(roles/recaptchaenterprise.admin)

Access to view and modify reCAPTCHA Enterprise keys

monitoring.timeSeries.list

recaptchaenterprise.keys.*

recaptchaenterprise.keys.create
recaptchaenterprise.keys.delete
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.keys.retrievelegacysecretkey
recaptchaenterprise.keys.update

recaptchaenterprise.metrics.get

recaptchaenterprise.projectmetadata.*

recaptchaenterprise.projectmetadata.get
recaptchaenterprise.projectmetadata.update

resourcemanager.projects.get

resourcemanager.projects.list

reCAPTCHA Enterprise Agent ^Beta

(roles/recaptchaenterprise.agent)

Access to create and annotate reCAPTCHA Enterprise assessments

recaptchaenterprise.assessments.*

recaptchaenterprise.assessments.annotate
recaptchaenterprise.assessments.create

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

resourcemanager.projects.get

resourcemanager.projects.list

reCAPTCHA Enterprise Viewer ^Beta

(roles/recaptchaenterprise.viewer)

Access to view reCAPTCHA Enterprise keys and metrics

monitoring.timeSeries.list

recaptchaenterprise.keys.get

recaptchaenterprise.keys.list

recaptchaenterprise.metrics.get

recaptchaenterprise.projectmetadata.get

resourcemanager.projects.get

resourcemanager.projects.list

Recommendations AI roles

Permissions

Recommendations AI Admin ^Beta

(roles/automlrecommendations.admin)

Full access to all Recommendations AI resources.

automlrecommendations.*

automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.delete
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.catalogs.update
automlrecommendations.eventStores.getStats
automlrecommendations.eventStores.list
automlrecommendations.events.create
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.events.purge
automlrecommendations.events.rejoin
automlrecommendations.placements.create
automlrecommendations.placements.delete
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.delete
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.catalogs.update

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.purge

retail.products.update

retail.retailProjects.get

retail.userEvents.*

retail.userEvents.create
retail.userEvents.import
retail.userEvents.purge
retail.userEvents.rejoin

serviceusage.services.get

serviceusage.services.list

Recommendations AI Admin Viewer ^Beta

(roles/automlrecommendations.adminViewer)

Viewer of all Recommendations AI resources.

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.eventStores.getStats
automlrecommendations.eventStores.list

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

serviceusage.services.get

serviceusage.services.list

Recommendations AI Editor ^Beta

(roles/automlrecommendations.editor)

Editor of all Recommendations AI resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.*

automlrecommendations.catalogItems.create
automlrecommendations.catalogItems.delete
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogItems.update

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.eventStores.getStats
automlrecommendations.eventStores.list

automlrecommendations.events.create

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.create

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.create

automlrecommendations.recommendations.list

automlrecommendations.recommendations.pause

automlrecommendations.recommendations.resume

automlrecommendations.recommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.catalogs.update

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.userEvents.create

retail.userEvents.import

serviceusage.services.get

serviceusage.services.list

Recommendations AI Viewer ^Beta

(roles/automlrecommendations.viewer)

Viewer of all Recommendations AI resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.eventStores.getStats
automlrecommendations.eventStores.list

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.operations.*

retail.operations.get
retail.operations.list

retail.placements.*

retail.placements.predict
retail.placements.search

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

serviceusage.services.get

serviceusage.services.list

Recommender roles

Permissions

BigQuery Slot Recommender Admin ^Beta

(roles/recommender.bigQueryCapacityCommitmentsAdmin)

Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Recommender Billing Account Admin ^Beta

(roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin)

Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get

billing.accounts.list

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

BigQuery Recommender Billing Account Viewer ^Beta

(roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer)

Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get

billing.accounts.list

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

BigQuery Recommender Project Admin ^Beta

(roles/recommender.bigQueryCapacityCommitmentsProjectAdmin)

Project Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Recommender Project Viewer ^Beta

(roles/recommender.bigQueryCapacityCommitmentsProjectViewer)

Project Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Slot Recommender Viewer ^Beta

(roles/recommender.bigQueryCapacityCommitmentsViewer)

Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.locations.*

recommender.locations.get
recommender.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Partitioning Clustering Recommender Admin ^Beta

(roles/recommender.bigqueryPartitionClusterAdmin)

Admin of BigQuery Partitioning Clustering recommendations.

recommender.bigqueryPartitionClusterRecommendations.*

recommender.bigqueryPartitionClusterRecommendations.get
recommender.bigqueryPartitionClusterRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.update

recommender.bigqueryTableStatsInsights.*

recommender.bigqueryTableStatsInsights.get
recommender.bigqueryTableStatsInsights.list
recommender.bigqueryTableStatsInsights.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Partitioning Clustering Recommender Viewer ^Beta

(roles/recommender.bigqueryPartitionClusterViewer)

Viewer of BigQuery Partitioning Clustering recommendations.

recommender.bigqueryPartitionClusterRecommendations.get

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.get

recommender.bigqueryTableStatsInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

Billing Account Usage Commitment Recommender Admin ^Beta

(roles/recommender.billingAccountCudAdmin)

Admin of Billing Account Usage Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.commitmentUtilizationInsights.*

recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.commitmentUtilizationInsights.update

recommender.usageCommitmentRecommendations.*

recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
recommender.usageCommitmentRecommendations.update

Billing Account Usage Commitment Recommender Viewer ^Beta

(roles/recommender.billingAccountCudViewer)

Viewer of Billing Account Usage Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Cloud Asset Insights Admin

(roles/recommender.cloudAssetInsightsAdmin)

Admin of all Cloud Asset insights.

recommender.cloudAssetInsights.*

recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.cloudAssetInsights.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Asset Insights Viewer

(roles/recommender.cloudAssetInsightsViewer)

Viewer of all Cloud Asset insights.

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud SQL Recommender Admin ^Beta

(roles/recommender.cloudsqlAdmin)

Admin of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlIdleInstanceRecommendations.get
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.update

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceActivityInsights.get
recommender.cloudsqlInstanceActivityInsights.list
recommender.cloudsqlInstanceActivityInsights.update

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.get
recommender.cloudsqlInstanceCpuUsageInsights.list
recommender.cloudsqlInstanceCpuUsageInsights.update

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.get
recommender.cloudsqlInstanceDiskUsageTrendInsights.list
recommender.cloudsqlInstanceDiskUsageTrendInsights.update

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.get
recommender.cloudsqlInstanceMemoryUsageInsights.list
recommender.cloudsqlInstanceMemoryUsageInsights.update

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.get
recommender.cloudsqlInstanceOomProbabilityInsights.list
recommender.cloudsqlInstanceOomProbabilityInsights.update

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.get
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.update

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceInsights.get
recommender.cloudsqlInstancePerformanceInsights.list
recommender.cloudsqlInstancePerformanceInsights.update

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstancePerformanceRecommendations.get
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.update

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityInsights.get
recommender.cloudsqlInstanceReliabilityInsights.list
recommender.cloudsqlInstanceReliabilityInsights.update

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceReliabilityRecommendations.get
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.update

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityInsights.get
recommender.cloudsqlInstanceSecurityInsights.list
recommender.cloudsqlInstanceSecurityInsights.update

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceSecurityRecommendations.get
recommender.cloudsqlInstanceSecurityRecommendations.list
recommender.cloudsqlInstanceSecurityRecommendations.update

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.update

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.update

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.get
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.update

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud SQL Recommender Viewer ^Beta

(roles/recommender.cloudsqlViewer)

Viewer of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.get

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.get