Understanding roles

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to a member, grant it at least one role.

This page describes the IAM roles that you can grant to identities to access Google Cloud resources.

Prerequisite for this guide

Understand the basic concepts of IAM

Role types

There are three types of roles in IAM:

Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
Custom roles, which provide granular access according to a user-specified list of permissions.

To determine if one or more permissions are included in a basic, predefined, or custom role, you can use one of the following methods:

The gcloud iam roles describe command
The roles.get() API

The sections below describe each role type and provide examples of how to use them.

Basic roles

There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: While the `roles/editor` role contains permissions to create and delete resources for most Google Cloud services, some services do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.
`roles/owner`	Owner	All editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the owner role at a resource level, such as a Pub/Sub topic, doesn't grant the owner role on the parent project. Granting the owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify projects and other resources under that organization.

You can apply basic roles at the project or service resource levels by using the Cloud Console, the API, and the gcloud tool. See Granting, changing, and revoking access for instructions.

Invitation flow

You cannot grant the owner role to a member for a project using the Identity and Access Management API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

When you're granting a role other than the owner.
When an organization member adds another member of their organization as an owner of a project within that organization.

To see how to grant roles using the Cloud Console, see Granting, changing, and revoking access.

Predefined roles

In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role	Title	Description	Permissions
`roles/accessapproval.approver`	Access Approval Approver ^Beta	Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Access Approval Config Editor ^Beta	Ability update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Access Approval Viewer ^Beta	Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager roles

Role	Title	Description	Permissions
`roles/accesscontextmanager.gcpAccessAdmin`	Cloud Access Binding Admin	Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
`roles/accesscontextmanager.gcpAccessReader`	Cloud Access Binding Reader	Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
`roles/accesscontextmanager.policyAdmin`	Access Context Manager Admin	Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Access Context Manager Editor	Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Access Context Manager Reader	Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	VPC Service Controls Troubleshooter Viewer		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions roles

Role	Title	Description	Permissions	Lowest resource
`roles/actions.Admin`	Actions Admin	Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/actions.Viewer`	Actions Viewer	Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Android Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/androidmanagement.user`	Android Management User	Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

API Gateway roles

Role	Title	Description	Permissions	Lowest resource
`roles/apigateway.admin`	ApiGateway Admin ^Beta	Full access to ApiGateway and related resources.	apigateway.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigateway.viewer`	ApiGateway Viewer ^Beta	Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list resourcemanager.projects.get resourcemanager.projects.list

Apigee roles

Role	Title	Description	Permissions
`roles/apigee.admin`	Apigee Organization Admin	Full access to all apigee resource features	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Apigee Analytics Agent	Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.environments.getDataLocation
`roles/apigee.analyticsEditor`	Apigee Analytics Editor	Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.environments.get apigee.environments.getStats apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Apigee Analytics Viewer	Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.environments.getStats apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiCreator`	Apigee API Creator	Creator of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.ingressconfigs.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.delete apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.update apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.deployer`	Apigee Deployer	Deployer of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.developerAdmin`	Apigee Developer Admin	Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Apigee Read-only Admin	Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.runtimeAgent`	Apigee Runtime Agent	Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.*
`roles/apigee.synchronizerManager`	Apigee Synchronizer Manager	Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
`roles/apigeeconnect.Admin`	Apigee Connect Admin	Admin of Apigee Connect	apigeeconnect.connections.*
`roles/apigeeconnect.Agent`	Apigee Connect Agent	Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.*

App Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/appengine.appAdmin`	App Engine Admin	Read/Write/Modify access to all application configuration and settings. To deploy new versions, you must also grant the Service Account User (`roles/iam.serviceAccountUser`) role. To use the `gcloud` tool to deploy, you must add the Storage Admin (`roles/compute.storageAdmin`) and Cloud Build Editor (`roles/cloudbuild.builds.editor`) roles.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.appCreator`	App Engine Creator	Ability to create the App Engine resource for the project.	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.appViewer`	App Engine Viewer	Read-only access to all application configuration and settings.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.codeViewer`	App Engine Code Viewer	Read-only access to all application configuration, settings, and deployed source code.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.deployer`	App Engine Deployer	Read-only access to all application configuration and settings. To deploy new versions, you must also grant the Service Account User (`roles/iam.serviceAccountUser`) role. To use the `gcloud` tool to deploy, you must add the Storage Admin (`roles/compute.storageAdmin`) and Cloud Build Editor (`roles/cloudbuild.builds.editor`) roles. Cannot modify existing versions other than deleting versions that are not receiving traffic.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.serviceAdmin`	App Engine Service Admin	Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project

Artifact Registry roles

Role	Title	Description	Permissions
`roles/artifactregistry.admin`	Artifact Registry Administrator ^Beta	Administrator access to create and manage repositories.	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader ^Beta	Access to read repository items.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator ^Beta	Access to manage artifacts in repositories.	artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.*
`roles/artifactregistry.writer`	Artifact Registry Writer ^Beta	Access to read and write repository items.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list

Assured Workloads roles

Role	Title	Description	Permissions
`roles/assuredworkloads.admin`	Assured Workloads Administrator	Grants full access to Assured Workloads resources, including IAM policy administration.	assuredworkloads.* orgpolicy.* resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.editor`	Assured Workloads Editor	Grants access to read and write to Assured Workloads resources.	assuredworkloads.* orgpolicy.* resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
`roles/assuredworkloads.reader`	Assured Workloads Reader	Grants read access to all Assured Workloads resources.	assuredworkloads.operations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML roles

Role	Title	Description	Permissions	Lowest resource
`roles/automl.admin`	AutoML Admin ^Beta	Full access to all AutoML resources	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model
`roles/automl.editor`	AutoML Editor ^Beta	Editor of all AutoML resources	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model
`roles/automl.predictor`	AutoML Predictor ^Beta	Predict using models	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	Model
`roles/automl.viewer`	AutoML Viewer ^Beta	Viewer of all AutoML resources	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model

BigQuery roles

Role	Title	Description	Permissions	Lowest resource
`roles/bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery Data Editor	When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.dataOwner`	BigQuery Data Owner	When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.dataViewer`	BigQuery Data Viewer	When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Table or view
`roles/bigquery.readSessionUser`	BigQuery Read Session User	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin	Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceEditor`	BigQuery Resource Editor	Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceViewer`	BigQuery Resource Viewer	View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery User	When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Dataset

Cloud Bigtable roles

Role	Title	Description	Permissions	Lowest resource
`roles/bigtable.admin`	Bigtable Administrator	Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.reader`	Bigtable Reader	Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.user`	Bigtable User	Provides read-write access to the data stored within tables. Intended for application developers or service accounts.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.viewer`	Bigtable Viewer	Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Cloud Bigtable.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance

Billing roles

Role	Title	Description	Permissions	Lowest resource
`roles/billing.admin`	Billing Account Administrator	Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Billing Account
`roles/billing.creator`	Billing Account Creator	Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get	Organization
`roles/billing.projectManager`	Project Billing Manager	Provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Project
`roles/billing.user`	Billing Account User	Provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	Billing Account
`roles/billing.viewer`	Billing Account Viewer	View billing account cost information and transactions.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list	Billing Account

Binary Authorization roles

Role	Title	Description	Permissions
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin ^Beta	Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor ^Beta	Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier ^Beta	Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer ^Beta	Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator ^Beta	Administrator of Binary Authorization Policy	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor ^Beta	Editor of Binary Authorization Policy	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer ^Beta	Viewer of Binary Authorization Policy	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat roles

Role	Title	Description	Permissions	Lowest resource
`roles/chat.owner`	Chat Bots Owner	Can view and modify bot configurations	chat.*
`roles/chat.reader`	Chat Bots Viewer	Can view bot configurations	chat.bots.get

Cloud Asset roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudasset.owner`	Cloud Asset Owner	Full access to cloud assets metadata	cloudasset.*
`roles/cloudasset.viewer`	Cloud Asset Viewer	Read only access to cloud assets metadata	cloudasset.assets.*

Cloud Build roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudbuild.builds.builder`	Cloud Build Service Account	Provides access to perform builds.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Cloud Build Editor	Provides access to create and cancel builds.	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/cloudbuild.builds.viewer`	Cloud Build Viewer	Provides access to view builds.	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Data Fusion roles

Role	Title	Description	Permissions	Lowest resource
`roles/datafusion.admin`	Cloud Data Fusion Admin ^Beta	Full access to Cloud Data Fusion Instances and related resources.	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datafusion.runner`	Cloud Data Fusion Runner ^Beta	Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^Beta	Read-only access to Cloud Data Fusion Instances and related resources.	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Debugger roles

Role	Title	Description	Permissions	Lowest resource
`roles/clouddebugger.agent`	Cloud Debugger Agent ^Beta	Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	Service Account
`roles/clouddebugger.user`	Cloud Debugger User ^Beta	Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	Project

Cloud Functions roles

Role	Title	Description	Permissions
`roles/cloudfunctions.admin`	Cloud Functions Admin	Full access to functions, operations and locations.	cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Cloud Functions Developer	Read and write access to all functions-related resources.	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Cloud Functions Invoker	Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Cloud Functions Viewer	Read-only access to functions and locations.	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP roles

Role	Title	Description	Permissions	Lowest resource
`roles/iap.admin`	IAP Policy Admin	Provides full access to Identity-Aware Proxy resources.	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	Project
`roles/iap.httpsResourceAccessor`	IAP-secured Web App User	Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP	Project
`roles/iap.settingsAdmin`	IAP Settings Admin	Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	IAP-secured Tunnel User	Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudiot.admin`	Cloud IoT Admin	Full control of all Cloud IoT resources and permissions.	cloudiot.* cloudiottoken.*	Device
`roles/cloudiot.deviceController`	Cloud IoT Device Controller	Access to update the device configuration, but not to create or delete devices.	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.editor`	Cloud IoT Editor	Read-write access to all Cloud IoT resources.	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	Device
`roles/cloudiot.provisioner`	Cloud IoT Provisioner	Access to create and delete devices from registries, but not to modify the registries.	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.viewer`	Cloud IoT Viewer	Read-only access to all Cloud IoT resources.	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device

Cloud Talent Solution roles

Role	Title	Description	Permissions
`roles/cloudjobdiscovery.admin`	Admin	Access to Cloud Talent Solution Self-Service Tools.	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsEditor`	Job Editor	Write access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsViewer`	Job Viewer	Read access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesEditor`	Profile Editor	Write access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesViewer`	Profile Viewer	Read access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudkms.admin`	Cloud KMS Admin	Provides full access to Cloud KMS resources, except encrypt and decrypt operations.	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyDecrypter`	Cloud KMS CryptoKey Decrypter	Provides ability to use Cloud KMS resources for decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypter`	Cloud KMS CryptoKey Encrypter	Provides ability to use Cloud KMS resources for encrypt operations only.	cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS CryptoKey Encrypter/Decrypter	Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.importer`	Cloud KMS Importer	Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer	Enables GetPublicKey operations	cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get
`roles/cloudkms.signer`	Cloud KMS CryptoKey Signer	Enables the AsymmetricSign operation	cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier	Enables AsymmetricSign, and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get

Cloud Marketplace roles

Role	Title	Description	Permissions
`roles/consumerprocurement.entitlementManager`	Consumer Procurement Entitlement Manager ^Beta	Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.entitlementViewer`	Consumer Procurement Entitlement Viewer ^Beta	Allows inspecting entitlements and service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.get consumerprocurement.freeTrials.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/consumerprocurement.orderAdmin`	Consumer Procurement Order Administrator ^Beta	Allows managing purchases.	consumerprocurement.accounts.* consumerprocurement.orders.*
`roles/consumerprocurement.orderViewer`	Consumer Procurement Order Viewer ^Beta	Allows inspecting purchases.	consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list

Cloud Migration roles

Role	Title	Description	Permissions
`roles/cloudmigration.inframanager`	Velostrata Manager ^Beta	Ability to create and manage Compute VMs to run Velostrata Infrastructure	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/cloudmigration.storageaccess`	Velostrata Storage Access ^Beta	Ability to access migration storage	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^Beta	Ability to set up connection between Velostrata Manager and Google	cloudmigration.* gkehub.endpoints.*
`roles/vmmigration.admin`	VM Migration Administrator ^Beta	Ability to view and edit all VM Migration objects	vmmigration.*
`roles/vmmigration.viewer`	VM Migration Viewer ^Beta	Ability to view all VM Migration objects	vmmigration.deployments.get vmmigration.deployments.list

Cloud Private Catalog roles

Role	Title	Description	Permissions
`roles/cloudprivatecatalog.consumer`	Catalog Consumer ^Beta	Can browse catalogs in the target resource context.	cloudprivatecatalog.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudprivatecatalogproducer.admin`	Catalog Admin ^Beta	Can manage catalog and view its associations.	cloudprivatecatalog.* cloudprivatecatalogproducer.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudprivatecatalogproducer.manager`	Catalog Manager ^Beta	Can manage associations between a catalog and a target resource.	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Cloud Profiler roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudprofiler.agent`	Cloud Profiler Agent	Cloud Profiler agents are allowed to register and provide the profiling data.	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/cloudprofiler.user`	Cloud Profiler User	Cloud Profiler users are allowed to query and view the profiling data.	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler roles

Role	Title	Description	Permissions
`roles/cloudscheduler.admin`	Cloud Scheduler Admin	Full access to jobs and executions.	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.jobRunner`	Cloud Scheduler Job Runner	Access to run jobs.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.viewer`	Cloud Scheduler Viewer	Get and list access to jobs, executions, and locations.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Cloud Security Scanner roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	Full access to all Web Security Scanner resources	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	Read access to Scan and ScanRun, plus the ability to start scans	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	Project
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	Read access to all Web Security Scanner resources	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Cloud Services roles

Role	Title	Description	Permissions	Lowest resource
`roles/servicebroker.admin`	Service Broker Admin	Full access to ServiceBroker resources.	servicebroker.*
`roles/servicebroker.operator`	Service Broker Operator	Operational access to the ServiceBroker resources.	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsql.admin`	Cloud SQL Admin	Provides full control of Cloud SQL resources.	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsql.client`	Cloud SQL Client	Provides connectivity access to Cloud SQL instances.	cloudsql.instances.connect cloudsql.instances.get	Project
`roles/cloudsql.editor`	Cloud SQL Editor	Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsql.instanceUser`	Cloud SQL Instance User	Role allowing access to a Cloud SQL instance	cloudsql.instances.get cloudsql.instances.login
`roles/cloudsql.viewer`	Cloud SQL Viewer	Provides read-only access to Cloud SQL resources.	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Cloud Tasks roles

Role	Title	Description	Permissions
`roles/cloudtasks.admin`	Cloud Tasks Admin ^Beta	Full access to queues and tasks.	cloudtasks.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^Beta	Access to create tasks.	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^Beta	Admin access to queues.	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^Beta	Access to delete tasks.	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskRunner`	Cloud Tasks Task Runner ^Beta	Access to run tasks.	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.viewer`	Cloud Tasks Viewer ^Beta	Get and list access to tasks, queues, and locations.	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudtrace.admin`	Cloud Trace Admin	Provides full access to the Trace console and read-write access to traces.	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/cloudtrace.agent`	Cloud Trace Agent	For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.	cloudtrace.traces.patch	Project
`roles/cloudtrace.user`	Cloud Trace User	Provides full access to the Trace console and read access to traces.	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Translation roles

Role	Title	Description	Permissions
`roles/cloudtranslate.admin`	Cloud Translation API Admin	Full access to all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.editor`	Cloud Translation API Editor	Editor of all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.user`	Cloud Translation API User	User of Cloud Translation and AutoML models	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.viewer`	Cloud Translation API Viewer	Viewer of all Translation resources	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Workflows roles

Role	Title	Description	Permissions
`roles/workflows.admin`	Workflows Admin ^Beta	Full access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.*
`roles/workflows.editor`	Workflows Editor ^Beta	Read and write access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.* workflows.locations.* workflows.operations.* workflows.workflows.create workflows.workflows.delete workflows.workflows.get workflows.workflows.getIamPolicy workflows.workflows.list workflows.workflows.update
`roles/workflows.invoker`	Workflows Invoker ^Beta	Access to execute workflows and manage the executions.	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.*
`roles/workflows.viewer`	Workflows Viewer ^Beta	Read-only access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.get workflows.executions.list workflows.locations.* workflows.operations.get workflows.operations.list workflows.workflows.get workflows.workflows.getIamPolicy workflows.workflows.list

Codelab API Keys roles

Role	Title	Description	Permissions
`roles/codelabapikeys.admin`	Codelab ApiKeys Admin ^Beta	Full access to API keys	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.editor`	Codelab API Keys Editor ^Beta	This role can view and edit all properties of API keys.	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.viewer`	Codelab API Keys Viewer ^Beta	This role can view all properties except change history of API keys.	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Title	Description	Permissions	Lowest resource
`roles/composer.admin`	Composer Administrator	Provides full control of Cloud Composer resources.	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/composer.environmentAndStorageObjectAdmin`	Environment and Storage Object Administrator	Provides full control of Cloud Composer resources and of the objects in all project buckets.	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	Project
`roles/composer.environmentAndStorageObjectViewer`	Environment User and Storage Object Viewer	Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	Project
`roles/composer.user`	Composer User	Provides the permissions necessary to list and get Cloud Composer environments and operations.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/composer.worker`	Composer Worker	Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.	artifactregistry.* cloudbuild.* container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	Project

Compute Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/compute.admin`	Compute Admin	Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role.	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/compute.imageUser`	Compute Image User	Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Image^Beta
`roles/compute.instanceAdmin`	Compute Instance Admin (beta)	Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM^BETA settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, snapshot ^Beta
`roles/compute.instanceAdmin.v1`	Compute Instance Admin (v1)	Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.loadBalancerAdmin`	Compute Load Balancer Admin ^Beta	Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.networkAdmin`	Compute Network Admin	Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.networkUser`	Compute Network User	Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.use networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.use networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.use networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.use networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/compute.networkViewer`	Compute Network Viewer	Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.orgSecurityPolicyAdmin`	Compute Organization Security Policy Admin ^Beta	Full control of Compute Engine Organization Security Policies.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyUser`	Compute Organization Security Policy User ^Beta	View or use Compute Engine Security Policies to associate with the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.addAssociation compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.removeAssociation compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityResourceAdmin`	Compute Organization Resource Admin ^Beta	Full control of Compute Engine Security Policy associations to the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.organizations.listAssociations compute.organizations.setSecurityPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.osAdminLogin`	Compute OS Admin Login	Access to log in to a Compute Engine instance as an administrator user.	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.osLogin`	Compute OS Login	Access to log in to a Compute Engine instance as a standard user.	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.osLoginExternalUser`	Compute OS Login External User	Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.	compute.oslogin.*	Organization
`roles/compute.packetMirroringAdmin`	Compute packet mirroring admin	Specify resources to be mirrored.	compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.packetMirroringUser`	Compute packet mirroring user	Use Compute Engine packet mirrorings.	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.publicIpAdmin`	Compute Public IP Admin ^Beta	Full control of public IP address management for Compute Engine.	compute.addresses.* compute.globalAddresses.* compute.globalPublicDelegatedPrefixes.* compute.publicAdvertisedPrefixes.* compute.publicDelegatedPrefixes.* resourcemanager.projects.get resourcemanager.projects.list
`roles/compute.securityAdmin`	Compute Security Admin	Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM^BETA settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.	compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.getEffectiveFirewalls compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.storageAdmin`	Compute Storage Admin	Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, snapshot ^Beta
`roles/compute.viewer`	Compute Viewer	Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/compute.xpnAdmin`	Compute Shared VPC Admin	Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (`roles/compute.networkUser`) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.	compute.globalOperations.get compute.globalOperations.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Folder
`roles/osconfig.assignmentAdmin`	Assignment Admin	Full admin access to Assignments	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentEditor`	Assignment Editor	Editor of Assignment resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentViewer`	Assignment Viewer	Viewer of Assignment resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyAdmin`	GuestPolicy Admin ^Beta	Full admin access to GuestPolicies	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyEditor`	GuestPolicy Editor ^Beta	Editor of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyViewer`	GuestPolicy Viewer ^Beta	Viewer of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigAdmin`	OsConfig Admin	Full admin access to OsConfigs	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigEditor`	OsConfig Editor	Editor of OsConfig resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigViewer`	OsConfig Viewer	Viewer of OsConfig resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentAdmin`	PatchDeployment Admin	Full admin access to PatchDeployments	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentViewer`	PatchDeployment Viewer	Viewer of PatchDeployment resources	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobExecutor`	Patch Job Executor	Access to execute Patch Jobs.	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobViewer`	Patch Job Viewer	Get and list Patch Jobs.	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/container.admin`	Kubernetes Engine Admin	Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also grant the Service Account User role (`roles/iam.serviceAccountUser`).	container.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.clusterAdmin`	Kubernetes Engine Cluster Admin	Provides access to management of clusters. To set a service account on nodes, you must also grant the Service Account User role (`roles/iam.serviceAccountUser`).	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.clusterViewer`	Kubernetes Engine Cluster Viewer	Get and list access to GKE Clusters.	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/container.developer`	Kubernetes Engine Developer	Provides access to Kubernetes API objects inside clusters.	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.hostServiceAgentUser`	Kubernetes Engine Host Service Agent User	Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.	compute.firewalls.get container.hostServiceAgent.*
`roles/container.viewer`	Kubernetes Engine Viewer	Provides read-only access to GKE resources.	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project

Container Analysis roles

Role	Title	Description	Permissions
`roles/containeranalysis.admin`	Container Analysis Admin	Access to all Container Analysis resources.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.notes.update containeranalysis.occurrences.* resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.attacher`	Container Analysis Notes Attacher	Can attach Container Analysis Occurrences to Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.get
`roles/containeranalysis.notes.editor`	Container Analysis Notes Editor	Can edit Container Analysis Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.occurrences.viewer`	Container Analysis Occurrences for Notes Viewer		containeranalysis.notes.get containeranalysis.notes.listOccurrences
`roles/containeranalysis.notes.viewer`	Container Analysis Notes Viewer	Can view Container Analysis Notes.	containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor	Can edit Container Analysis Occurrences.	containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer	Can view Container Analysis Occurrences.	containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list

Data Catalog roles

Role	Title	Description	Permissions
`roles/datacatalog.admin`	Data Catalog Admin	Full access to all DataCatalog resources	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryAdmin`	Policy Tag Admin ^Beta	Manage taxonomies	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryFineGrainedReader`	Fine-Grained Reader ^Beta	Read access to sub-resources tagged by a policy tag, for example, BigQuery columns	datacatalog.categories.fineGrainedGet
`roles/datacatalog.entryGroupCreator`	DataCatalog EntryGroup Creator	Can create new entryGroups	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryGroupOwner`	DataCatalog entryGroup Owner	Full access to entryGroups	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryOwner`	DataCatalog entry Owner	Full access to entries	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryViewer`	DataCatalog Entry Viewer	Read access to entries	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagEditor`	Data Catalog Tag Editor	Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub	bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
`roles/datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator	Access to create new tag templates	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner	Full access to tag templates	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateUser`	Data Catalog TagTemplate User	Access to use templates to tag resources	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer	Read access to templates and tags created using the templates	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.viewer`	Data Catalog Viewer	Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataflow.admin`	Dataflow Admin	Minimal role for creating and managing dataflow jobs.	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/dataflow.developer`	Dataflow Developer	Provides the permissions necessary to execute and manipulate Dataflow jobs.	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataflow.viewer`	Dataflow Viewer	Provides read-only access to all Dataflow-related resources.	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataflow.worker`	Dataflow Worker	Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	Project

Cloud Data Labeling roles

Role	Title	Description	Permissions
`roles/datalabeling.admin`	DataLabeling Service Admin ^Beta	Full access to all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	DataLabeling Service Editor ^Beta	Editor of all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	DataLabeling Service Viewer ^Beta	Viewer of all DataLabeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Dataprep roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataprep.projects.user`	Dataprep User ^Beta	Use of Dataprep.	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataproc.admin`	Dataproc Administrator	Full control of Dataproc resources.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataproc.editor`	Dataproc Editor	Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataproc.viewer`	Dataproc Viewer	Provides read-only access to Dataproc resources.	compute.machineTypes.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataproc.worker`	Dataproc Worker	Provides worker access to Dataproc resources. Intended for service accounts.	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore roles

Role	Title	Description	Permissions	Lowest resource
`roles/datastore.importExportAdmin`	Cloud Datastore Import Export Admin	Provides full access to manage imports and exports.	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.indexAdmin`	Cloud Datastore Index Admin	Provides full access to manage index definitions.	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.owner`	Cloud Datastore Owner	Provides full access to Datastore resources.	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.user`	Cloud Datastore User	Provides read/write access to data in a Datastore database.	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.viewer`	Cloud Datastore Viewer	Provides read access to Datastore resources.	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project

Deployment Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/deploymentmanager.editor`	Deployment Manager Editor	Provides the permissions necessary to create and manage deployments.	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/deploymentmanager.typeEditor`	Deployment Manager Type Editor	Provides read and write access to all Type Registry resources.	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/deploymentmanager.typeViewer`	Deployment Manager Type Viewer	Provides read-only access to all Type Registry resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/deploymentmanager.viewer`	Deployment Manager Viewer	Provides read-only access to all Deployment Manager-related resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Dialogflow roles

Role	Title	Description	Permissions	Lowest resource
`roles/dialogflow.admin`	Dialogflow API Admin	Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.	dialogflow.* resourcemanager.projects.get	Project
`roles/dialogflow.client`	Dialogflow API Client	Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.	dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	Project
`roles/dialogflow.consoleAgentEditor`	Dialogflow Console Agent Editor	Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.	actions.agentVersions.create dialogflow.* resourcemanager.projects.get	Project
`roles/dialogflow.reader`	Dialogflow API Reader	Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get	Project

Cloud DLP roles

Role	Title	Description	Permissions
`roles/dlp.admin`	DLP Administrator	Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.inspectFindingsReader`	DLP Inspect Findings Reader	Read DLP stored findings.	dlp.inspectFindings.*
`roles/dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	Edit DLP inspect templates.	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP Job Triggers Editor	Edit job triggers configurations.	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP Job Triggers Reader	Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP Jobs Editor	Edit and create jobs	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP Jobs Reader	Read jobs	dlp.jobs.get dlp.jobs.list
`roles/dlp.reader`	DLP Reader	Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	Edit DLP stored info types.	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.user`	DLP User	Inspect, Redact, and De-identify Content	dlp.kms.* serviceusage.services.use

DNS roles

Role	Title	Description	Permissions	Lowest resource
`roles/dns.admin`	DNS Administrator	Provides read-write access to all Cloud DNS resources.	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dns.peer`	DNS Peer	Access to target networks with DNS peering zones	dns.networks.targetWithPeeringZone
`roles/dns.reader`	DNS Reader	Provides read-only access to all Cloud DNS resources.	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	Project

Endpoints roles

Role	Title	Description	Permissions	Lowest resource
`roles/endpoints.portalAdmin`	Endpoints Portal Admin ^Beta	Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	Project

Error Reporting roles

Role	Title	Description	Permissions	Lowest resource
`roles/errorreporting.admin`	Error Reporting Admin ^Beta	Provides full access to Error Reporting data.	cloudnotifications.* errorreporting.*	Project
`roles/errorreporting.user`	Error Reporting User ^Beta	Provides the permissions to read and write Error Reporting data, except for sending new error events.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.*	Project
`roles/errorreporting.viewer`	Error Reporting Viewer ^Beta	Provides read-only access to Error Reporting data.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.*	Project
`roles/errorreporting.writer`	Errors Writer ^Beta	Provides the permissions to send error events to Error Reporting.	errorreporting.errorEvents.create	Service Account

Eventarc roles

Role	Title	Description	Permissions	Lowest resource
`roles/eventarc.admin`	Eventarc Admin ^Beta	Full control over all Eventarc resources.	eventarc.* resourcemanager.projects.get resourcemanager.projects.list
`roles/eventarc.viewer`	Eventarc Viewer ^Beta	Can view the state of all Eventarc resources, including IAM policies.	eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Filestore roles

Role	Title	Description	Permissions	Lowest resource
`roles/file.editor`	Cloud Filestore Editor ^Beta	Read-write access to Filestore instances and related resources.	file.*
`roles/file.viewer`	Cloud Filestore Viewer ^Beta	Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list

Firebase roles

Role	Title	Description	Permissions
`roles/firebase.admin`	Firebase Admin	Full access to Firebase products.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.analyticsAdmin`	Firebase Analytics Admin	Full access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.analyticsViewer`	Firebase Analytics Viewer	Read access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.developAdmin`	Firebase Develop Admin	Full access to Firebase Develop products and Analytics.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.developViewer`	Firebase Develop Viewer	Read access to Firebase Develop products and Analytics.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/firebase.growthAdmin`	Firebase Grow Admin	Full access to Firebase Grow products and Analytics.	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.growthViewer`	Firebase Grow Viewer	Read access to Firebase Grow products and Analytics.	cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityAdmin`	Firebase Quality Admin	Full access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityViewer`	Firebase Quality Viewer	Read access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.viewer`	Firebase Viewer	Read-only access to Firebase products.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase Products roles

Role	Title	Description	Permissions
`roles/cloudconfig.admin`	Firebase Remote Config Admin	Full access to Firebase Remote Config resources.	cloudconfig.* firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudconfig.viewer`	Firebase Remote Config Viewer	Read access to Firebase Remote Config resources.	cloudconfig.configs.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtestservice.testAdmin`	Firebase Test Lab Admin	Full access to all Test Lab features	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
`roles/cloudtestservice.testViewer`	Firebase Test Lab Viewer	Read access to Test Lab features	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/firebaseabt.admin`	Firebase A/B Testing Admin ^Beta	Full read/write access to Firebase A/B Testing resources.	firebase.clients.get firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseabt.viewer`	Firebase A/B Testing Viewer ^Beta	Read-only access to Firebase A/B Testing resources.	firebase.clients.get firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.admin`	Firebase App Distribution Admin ^Beta	Full read/write access to Firebase App Distribution resources.	firebase.clients.get firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.viewer`	Firebase App Distribution Viewer ^Beta	Read-only access to Firebase App Distribution resources.	firebase.clients.get firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.admin`	Firebase Authentication Admin	Full read/write access to Firebase Authentication resources.	firebase.clients.get firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.viewer`	Firebase Authentication Viewer	Read-only access to Firebase Authentication resources.	firebase.clients.get firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.admin`	Firebase Crashlytics Admin	Full read/write access to Firebase Crashlytics resources.	firebase.clients.get firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.viewer`	Firebase Crashlytics Viewer	Read-only access to Firebase Crashlytics resources.	firebase.clients.get firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.admin`	Firebase Realtime Database Admin	Full read/write access to Firebase Realtime Database resources.	firebase.clients.get firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.viewer`	Firebase Realtime Database Viewer	Read-only access to Firebase Realtime Database resources.	firebase.clients.get firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.admin`	Firebase Dynamic Links Admin	Full read/write access to Firebase Dynamic Links resources.	firebase.clients.get firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.viewer`	Firebase Dynamic Links Viewer	Read-only access to Firebase Dynamic Links resources.	firebase.clients.get firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.admin`	Firebase Hosting Admin	Full read/write access to Firebase Hosting resources.	firebase.clients.get firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.viewer`	Firebase Hosting Viewer	Read-only access to Firebase Hosting resources.	firebase.clients.get firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.admin`	Firebase In-App Messaging Admin ^Beta	Full read/write access to Firebase In-App Messaging resources.	firebase.clients.get firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.viewer`	Firebase In-App Messaging Viewer ^Beta	Read-only access to Firebase In-App Messaging resources.	firebase.clients.get firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.admin`	Firebase ML Kit Admin ^Beta	Full read/write access to Firebase ML Kit resources.	firebase.clients.get firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.viewer`	Firebase ML Kit Viewer ^Beta	Read-only access to Firebase ML Kit resources.	firebase.clients.get firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.admin`	Firebase Cloud Messaging Admin	Full read/write access to Firebase Cloud Messaging resources.	firebase.clients.get firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.viewer`	Firebase Cloud Messaging Viewer	Read-only access to Firebase Cloud Messaging resources.	firebase.clients.get firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.admin`	Firebase Performance Reporting Admin	Full access to firebaseperformance resources.	firebase.clients.get firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.viewer`	Firebase Performance Reporting Viewer	Read-only access to firebaseperformance resources.	firebase.clients.get firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.admin`	Firebase Predictions Admin	Full read/write access to Firebase Predictions resources.	firebase.clients.get firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.viewer`	Firebase Predictions Viewer	Read-only access to Firebase Predictions resources.	firebase.clients.get firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.admin`	Firebase Rules Admin	Full management of Firebase Rules.	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.viewer`	Firebase Rules Viewer	Read-only access on all resources with the ability to test Rulesets.	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Game Services roles

Role	Title	Description	Permissions	Lowest resource
`roles/gameservices.admin`	Game Services API Admin	Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gameservices.viewer`	Game Services API Viewer	Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Genomics roles

Role	Title	Description	Permissions
`roles/genomics.admin`	Genomics Admin	Full access to genomics datasets and operations.	genomics.*
`roles/genomics.editor`	Genomics Editor	Access to read and edit genomics datasets and operations.	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
`roles/genomics.pipelinesRunner`	Genomics Pipelines Runner	Full access to operate on genomics pipelines.	genomics.operations.*
`roles/genomics.viewer`	Genomics Viewer	Access to view genomics datasets and operations.	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

GKE Hub roles

Role	Title	Description	Permissions
`roles/gkehub.admin`	GKE Hub Admin	Full access to GKE Hub resources.	gkehub.features.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gkehub.connect`	GKE Hub Connection Agent	Ability to set up GKE Connect between external clusters and Google.	gkehub.endpoints.*
`roles/gkehub.gatewayAdmin`	Connect Gateway Admin	Full access to Connect Gateway.	gkehub.gateway.*
`roles/gkehub.viewer`	GKE Hub Viewer	Read-only access to GKE Hubs and related resources.	gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Healthcare roles

Role	Title	Description	Permissions
`roles/healthcare.annotationEditor`	Healthcare Annotation Editor	Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationReader`	Healthcare Annotation Reader	Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator	Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer	List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.attributeDefinitionEditor`	Healthcare Attribute Definition Editor ^Beta	Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.attributeDefinitionReader`	Healthcare Attribute Definition Reader ^Beta	Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactAdmin`	Healthcare Consent Artifact Administrator ^Beta	Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactEditor`	Healthcare Consent Artifact Editor ^Beta	Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentArtifactReader`	Healthcare Consent Artifact Reader ^Beta	Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentEditor`	Healthcare Consent Editor ^Beta	Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentReader`	Healthcare Consent Reader ^Beta	Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentStoreAdmin`	Healthcare Consent Store Administrator ^Beta	Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.consentStoreViewer`	Healthcare Consent Store Viewer ^Beta	List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetAdmin`	Healthcare Dataset Administrator	Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetViewer`	Healthcare Dataset Viewer	List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomEditor`	Healthcare DICOM Editor	Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreAdmin`	Healthcare DICOM Store Administrator	Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer	List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomViewer`	Healthcare DICOM Viewer	Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor	Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader	Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreAdmin`	Healthcare FHIR Store Administrator	Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer	List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer	List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor	Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest	Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator	Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer	View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.userDataMappingEditor`	Healthcare User Data Mapping Editor ^Beta	Edit UserDataMapping objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.userDataMappingReader`	Healthcare User Data Mapping Reader ^Beta	Read UserDataMapping objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.get healthcare.userDataMappings.list resourcemanager.projects.get resourcemanager.projects.list

IAM roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.securityAdmin`	Security Admin	Security admin role, with permissions to get and set any IAM policy.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list actions.agentVersions.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.batchPredictionJobs.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.endpoints.list aiplatform.hyperparameterTuningJobs.list aiplatform.locations.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.operations.* aiplatform.specialistPools.list aiplatform.trainingPipelines.list apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apiconfigs.setIamPolicy apigateway.apis.getIamPolicy apigateway.apis.list apigateway.apis.setIamPolicy apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.gateways.setIamPolicy apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.environments.setIamPolicy apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.* apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.repositories.setIamPolicy artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.setIamPolicy bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.backups.setIamPolicy bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.instances.setIamPolicy bigtable.keyvisualizer.list bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list bigtable.tables.setIamPolicy billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.attestors.setIamPolicy binaryauthorization.policy.getIamPolicy binaryauthorization.policy.setIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.functions.setIamPolicy cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudiot.registries.setIamPolicy cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.importJobs.setIamPolicy cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.catalogs.setIamPolicy cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.accounts.setIamPolicy cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute.externalVpnGateways.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.list compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.setIamPolicy compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.setIamPolicy compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.list consumerprocurement.accounts.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orders.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list containeranalysis.occurrences.setIamPolicy datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entries.setIamPolicy datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.entryGroups.setIamPolicy datacatalog.tagTemplates.getIamPolicy datacatalog.tagTemplates.setIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list datacatalog.taxonomies.setIamPolicy dataflow.jobs.list dataflow.messages.* dataflow.snapshots.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.setIamPolicy datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.setIamPolicy dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc.operations.getIamPolicy dataproc.operations.list dataproc.operations.setIamPolicy dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataproc.workflowTemplates.setIamPolicy dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.databases.setIamPolicy datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.namespaces.setIamPolicy datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.deployments.setIamPolicy deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.contexts.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.pages.list dialogflow.sessionEntityTypes.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list domains.registrations.setIamPolicy errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* essentialcontacts.contacts.list eventarc.locations.list eventarc.operations.list eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.setIamPolicy file.backups.list file.instances.list file.locations.list file.operations.list firebase.links.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list gkehub.features.getIamPolicy gkehub.features.list gkehub.features.setIamPolicy gkehub.gateway.getIamPolicy gkehub.gateway.setIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.setIamPolicy gkehub.operations.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotationStores.setIamPolicy healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consentStores.setIamPolicy healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.datasets.setIamPolicy healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.hl7V2Stores.setIamPolicy healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy identityplatform.workloadPoolProviders.list identityplatform.workloadPools.list lifesciences.operations.list logging.buckets.list logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.queries.list logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.setIamPolicy managedidentities.locations.list managedidentities.operations.list memcache.instances.list memcache.locations.list memcache.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.studies.setIamPolicy ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.connectivitytests.setIamPolicy networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.setIamPolicy networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.setIamPolicy networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.setIamPolicy networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.setIamPolicy networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpFilters.setIamPolicy networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.httpfilters.setIamPolicy networkservices.locations.list networkservices.operations.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.environments.setIamPolicy notebooks.instances.getIamPolicy notebooks.instances.list notebooks.instances.setIamPolicy notebooks.locations.list notebooks.operations.list osconfig.guestPolicies.list osconfig.patchDeployments.list osconfig.patchJobs.list privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.setIamPolicy privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.setIamPolicy privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.setIamPolicy privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.setIamPolicy proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.beacons.setIamPolicy proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list proximitybeacon.namespaces.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recommender.commitmentUtilizationInsights.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.configs.setIamPolicy runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.variables.setIamPolicy runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list runtimeconfig.waiters.setIamPolicy secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.secrets.setIamPolicy secretmanager.versions.list securitycenter.assets.list securitycenter.findings.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list securitycenter.sources.setIamPolicy servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.bindings.setIamPolicy servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.catalogs.setIamPolicy servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list servicebroker.instances.setIamPolicy serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.setIamPolicy servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.setIamPolicy servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.setIamPolicy servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.consumerSettings.setIamPolicy servicemanagement.services.getIamPolicy servicemanagement.services.list servicemanagement.services.setIamPolicy servicenetworking.operations.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.hmacKeys.list storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list vmmigration.deployments.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.getIamPolicy workflows.workflows.list workflows.workflows.setIamPolicy
`roles/iam.securityReviewer`	Security Reviewer	Provides permissions to list all resources and IAM policies on them.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.list actions.agentVersions.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.batchPredictionJobs.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.endpoints.list aiplatform.hyperparameterTuningJobs.list aiplatform.locations.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.operations.* aiplatform.specialistPools.list aiplatform.trainingPipelines.list apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.* apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.keyvisualizer.list bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.policy.getIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.list compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.list consumerprocurement.accounts.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orders.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list datacatalog.categories.getIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.tagTemplates.getIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list dataflow.jobs.list dataflow.messages.* dataflow.snapshots.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.operations.getIamPolicy dataproc.operations.list dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.contexts.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.pages.list dialogflow.sessionEntityTypes.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* essentialcontacts.contacts.list eventarc.locations.list eventarc.operations.list eventarc.triggers.getIamPolicy eventarc.triggers.list file.backups.list file.instances.list file.locations.list file.operations.list firebase.links.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list gkehub.features.getIamPolicy gkehub.features.list gkehub.gateway.getIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iap.tunnel.getIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap.webServiceVersions.getIamPolicy iap.webServices.getIamPolicy iap.webTypes.getIamPolicy identityplatform.workloadPoolProviders.list identityplatform.workloadPools.list lifesciences.operations.list logging.buckets.list logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.queries.list logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.list managedidentities.operations.list memcache.instances.list memcache.locations.list memcache.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.locations.list networkservices.operations.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.list notebooks.operations.list osconfig.guestPolicies.list osconfig.patchDeployments.list osconfig.patchJobs.list privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recommender.commitmentUtilizationInsights.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.organizations.getIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.list securitycenter.assets.list securitycenter.findings.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.getIamPolicy servicedirectory.services.list servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.services.getIamPolicy servicemanagement.services.list servicenetworking.operations.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.hmacKeys.list storage.objects.getIamPolicy storage.objects.list storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list vmmigration.deployments.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.getIamPolicy workflows.workflows.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta

Roles roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.organizationRoleAdmin`	Organization Role Administrator	Provides access to administer all custom roles in the organization and the projects below it.	iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Organization
`roles/iam.organizationRoleViewer`	Organization Role Viewer	Provides read access to all custom roles in the organization and the projects below it.	iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project
`roles/iam.roleAdmin`	Role Administrator	Provides access to all custom roles in the project.	iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project
`roles/iam.roleViewer`	Role Viewer	Provides read access to all custom roles in the project.	iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project

Service Accounts roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.serviceAccountAdmin`	Service Account Admin	Create and manage service accounts.	iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.undelete iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountCreator`	Create Service Accounts	Access to create service accounts.	iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/iam.serviceAccountDeleter`	Delete Service Accounts	Access to delete service accounts.	iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/iam.serviceAccountKeyAdmin`	Service Account Key Admin	Create and manage (and rotate) service account keys.	iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountTokenCreator`	Service Account Token Creator	Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountUser`	Service Account User	Run operations as the service account.	iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.workloadIdentityUser`	Workload Identity User	Impersonate service accounts from GKE Workloads	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.list

Workload Identity Pools roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.workloadIdentityPoolAdmin`	IAM Workload Identity Pool Admin ^Beta	Full rights to create and manage workload identity pools.	iam.workloadIdentityPoolProviders.* iam.workloadIdentityPools.* resourcemanager.projects.get resourcemanager.projects.list
`roles/iam.workloadIdentityPoolViewer`	IAM Workload Identity Pool Viewer ^Beta	Read access to workload identity pools.	iam.googleapis.com/workloadIdentityPoolProviders.get iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.get iam.googleapis.com/workloadIdentityPools.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Life Sciences roles

Role	Title	Description	Permissions
`roles/lifesciences.admin`	Cloud Life Sciences Admin ^Beta	Full control of Cloud Life Sciences resources.	lifesciences.*
`roles/lifesciences.editor`	Cloud Life Sciences Editor ^Beta	Access to read and edit Cloud Life Sciences resources.	lifesciences.*
`roles/lifesciences.viewer`	Cloud Life Sciences Viewer ^Beta	Access to read Cloud Life Sciences resources.	lifesciences.operations.get lifesciences.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/lifesciences.workflowsRunner`	Cloud Life Sciences Workflows Runner ^Beta	Full access to operate on Cloud Life Sciences workflows.	lifesciences.*

Logging roles

Role	Title	Description	Permissions	Lowest resource
`roles/logging.admin`	Logging Admin	Provides all permissions necessary to use all features of Cloud Logging.	logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.logEntries.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.* logging.privateLogEntries.* logging.queries.* logging.sinks.* logging.usage.* logging.views.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/logging.bucketWriter`	Logs Bucket Writer	Ability to write logs to a log bucket.	logging.buckets.write
`roles/logging.configWriter`	Logs Configuration Writer	Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.	logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/logging.logWriter`	Logs Writer	Provides the permissions to write log entries.	logging.logEntries.create	Project
`roles/logging.privateLogViewer`	Private Logs Viewer	Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.queries.* logging.sinks.get logging.sinks.list logging.usage.* logging.views.* resourcemanager.projects.get	Project
`roles/logging.viewAccessor`	Logs View Accessor	Ability to read logs in a view.	logging.views.*
`roles/logging.viewer`	Logs Viewer	Provides access to view logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.queries.* logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get	Project

Cloud Managed Identities roles

Role	Title	Description	Permissions
`roles/managedidentities.admin`	Google Cloud Managed Identities Admin	Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.	managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
`roles/managedidentities.domainAdmin`	Google Cloud Managed Identities Domain Admin	Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.	managedidentities.domains.attachTrust managedidentities.domains.delete managedidentities.domains.detachTrust managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.update managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/managedidentities.viewer`	Google Cloud Managed Identities Viewer	Read-only access to Google Cloud Managed Identities Domains and related resources.	managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list

Memorystore Memcache roles

Role	Title	Description	Permissions
`roles/memcache.admin`	Cloud Memorystore Memcached Admin ^Beta	Full access to Memcached instances and related resources.	compute.networks.list memcache.* resourcemanager.projects.get resourcemanager.projects.list
`roles/memcache.editor`	Cloud Memorystore Memcached Editor ^Beta	Read-Write access to Memcached instances and related resources.	memcache.instances.applyParameters memcache.instances.get memcache.instances.list memcache.instances.update memcache.instances.updateParameters memcache.locations.* memcache.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/memcache.viewer`	Cloud Memorystore Memcached Viewer ^Beta	Read-only access to Memcached instances and related resources.	memcache.instances.get memcache.instances.list memcache.locations.* memcache.operations.get memcache.operations.list resourcemanager.projects.get resourcemanager.projects.list

Machine Learning Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/ml.admin`	ML Engine Admin	Provides full access to AI Platform resources, and its jobs, operations, models, and versions.	ml.* resourcemanager.projects.get	Project
`roles/ml.developer`	ML Engine Developer	Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get	Project
`roles/ml.jobOwner`	ML Engine Job Owner	Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.	ml.jobs.*	Job
`roles/ml.modelOwner`	ML Engine Model Owner	Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.	ml.models.* ml.versions.*	Model
`roles/ml.modelUser`	ML Engine Model User	Provides permissions to read the model and its versions, and use them for prediction.	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict	Model
`roles/ml.operationOwner`	ML Engine Operation Owner	Provides full access to all permissions for a particular operation resource.	ml.operations.*	Operation
`roles/ml.viewer`	ML Engine Viewer	Provides read-only access to AI Platform resources.	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get	Project

Monitoring roles

Role	Title	Description	Permissions	Lowest resource
`roles/monitoring.admin`	Monitoring Admin	Provides the same access as the Monitoring Editor role (`roles/monitoring.editor`).	cloudnotifications.* monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/monitoring.alertPolicyEditor`	Monitoring AlertPolicy Editor ^Beta	Read/write access to alerting policies.	monitoring.alertPolicies.*
`roles/monitoring.alertPolicyViewer`	Monitoring AlertPolicy Viewer ^Beta	Read-only access to alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list
`roles/monitoring.dashboardEditor`	Monitoring Dashboard Configuration Editor	Read/write access to dashboard configurations.	monitoring.dashboards.*
`roles/monitoring.dashboardViewer`	Monitoring Dashboard Configuration Viewer	Read-only access to dashboard configurations.	monitoring.dashboards.get monitoring.dashboards.list
`roles/monitoring.editor`	Monitoring Editor	Provides full access to information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.services.* monitoring.slos.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/monitoring.metricWriter`	Monitoring Metric Writer	Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.	monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create	Project
`roles/monitoring.notificationChannelEditor`	Monitoring NotificationChannel Editor ^Beta	Read/write access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
`roles/monitoring.notificationChannelViewer`	Monitoring NotificationChannel Viewer ^Beta	Read-only access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list
`roles/monitoring.servicesEditor`	Monitoring Services Editor	Read/write access to services.	monitoring.services.* monitoring.slos.*
`roles/monitoring.servicesViewer`	Monitoring Services Viewer	Read-only access to services.	monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list
`roles/monitoring.uptimeCheckConfigEditor`	Monitoring Uptime Check Configuration Editor ^Beta	Read/write access to uptime check configurations.	monitoring.uptimeCheckConfigs.*
`roles/monitoring.uptimeCheckConfigViewer`	Monitoring Uptime Check Configuration Viewer ^Beta	Read-only access to uptime check configurations.	monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list
`roles/monitoring.viewer`	Monitoring Viewer	Provides read-only access to get and list information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	Project

Network Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/networkmanagement.admin`	Network Management Admin	Full access to Network Management resources.	networkmanagement.* resourcemanager.projects.get resourcemanager.projects.list
`roles/networkmanagement.viewer`	Network Management Viewer	Read-only access to Network Management resources.	networkmanagement.connectivitytests.get networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.* networkmanagement.operations.* resourcemanager.projects.get resourcemanager.projects.list

AI Notebooks roles

Role	Title	Description	Permissions	Lowest resource
`roles/notebooks.admin`	Notebooks Admin	Full access to AI Platform Notebooks, all resources.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance
`roles/notebooks.legacyAdmin`	Notebooks Legacy Admin	Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.legacyViewer`	Notebooks Legacy Viewer	Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.runner`	Notebooks Runner	Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/notebooks.viewer`	Notebooks Viewer	Read-only access to AI Platform Notebooks, all resources.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance

Ops Config Monitoring roles

Role	Title	Description	Permissions	Lowest resource
`roles/opsconfigmonitoring.resourceMetadata.writer`	Ops Config Monitoring Resource Metadata Writer ^Beta	Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	opsconfigmonitoring.*

Organization Policy roles

Role	Title	Description	Permissions	Lowest resource
`roles/axt.admin`	Access Transparency Admin	Enable Access Transparency for Organization	axt.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/orgpolicy.policyAdmin`	Organization Policy Administrator	Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.	orgpolicy.*	Organization
`roles/orgpolicy.policyViewer`	Organization Policy Viewer	Provides access to view Organization Policies on resources.	orgpolicy.policy.get	Organization

Other roles

Role	Title	Description	Permissions
`roles/aiplatform.admin`	AI Platform Admininistrator ^Beta	Grants full access to all resources in AI Platform	aiplatform.* resourcemanager.projects.get resourcemanager.projects.list
`roles/aiplatform.featurestoreAdmin`	AI Platform Feature Store Admin ^Beta	Grants full access to all resources in AI Platform Feature Store	aiplatform.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/aiplatform.migrator`	AI Platform Migration Service User ^Beta	Grants access to use migration service in AI platform	aiplatform.migratableResources.*
`roles/aiplatform.user`	AI Platform User ^Beta	Grants access to use all resource in AI Platform	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.batchPredictionJobs.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.endpoints.* aiplatform.hyperparameterTuningJobs.* aiplatform.locations.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.operations.* aiplatform.specialistPools.* aiplatform.trainingPipelines.* resourcemanager.projects.get resourcemanager.projects.list
`roles/aiplatform.viewer`	AI Platform Viewer ^Beta	Grants access to view all resource in AI Platform	aiplatform.annotationSpecs.get aiplatform.annotationSpecs.list aiplatform.annotations.get aiplatform.annotations.list aiplatform.batchPredictionJobs.get aiplatform.batchPredictionJobs.list aiplatform.customJobs.get aiplatform.customJobs.list aiplatform.dataItems.get aiplatform.dataItems.list aiplatform.dataLabelingJobs.get aiplatform.dataLabelingJobs.list aiplatform.datasets.get aiplatform.datasets.list aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.hyperparameterTuningJobs.get aiplatform.hyperparameterTuningJobs.list aiplatform.locations.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.get aiplatform.modelEvaluations.list aiplatform.models.get aiplatform.models.list aiplatform.operations.* aiplatform.specialistPools.get aiplatform.specialistPools.list aiplatform.specialistPools.update aiplatform.trainingPipelines.get aiplatform.trainingPipelines.list resourcemanager.projects.get resourcemanager.projects.list
`roles/dataprocessing.admin`	Data Processing Controls Resource Admin	Data processing controls admin who can fully manage data processing controls settings and view all datasource data.	billing.accounts.get billing.accounts.list dataprocessing.*
`roles/domains.admin`	Cloud Domains Admin ^Beta	Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
`roles/domains.viewer`	Cloud Domains Viewer ^Beta	Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/essentialcontacts.admin`	Essential Contacts Admin ^Beta	Full access to all essential contacts	essentialcontacts.*
`roles/essentialcontacts.viewer`	Essential Contacts Viewer ^Beta	Viewer for all essential contacts	essentialcontacts.contacts.get essentialcontacts.contacts.list
`roles/firebasecrash.symbolMappingsAdmin`	Firebase Crash Symbol Uploader	Full read/write access to symbol mapping file resources for Firebase Crash Reporting.	firebase.clients.get resourcemanager.projects.get
`roles/identityplatform.admin`	Identity Platform Admin ^Beta	Full access to Identity Platform resources.	firebaseauth.* identityplatform.*
`roles/identityplatform.viewer`	Identity Platform Viewer ^Beta	Read access to Identity Platform resources.	firebaseauth.configs.get firebaseauth.users.get identityplatform.workloadPoolProviders.get identityplatform.workloadPoolProviders.list identityplatform.workloadPools.get identityplatform.workloadPools.list
`roles/identitytoolkit.admin`	Identity Toolkit Admin	Full access to Identity Toolkit resources.	firebaseauth.*
`roles/identitytoolkit.viewer`	Identity Toolkit Viewer	Read access to Identity Toolkit resources.	firebaseauth.configs.get firebaseauth.users.get
`roles/oauthconfig.editor`	OAuth Config Editor ^Beta	Read/write access to OAuth config resources	clientauthconfig.* oauthconfig.*
`roles/oauthconfig.viewer`	OAuth Config Viewer ^Beta	Read-only access to OAuth config resources	clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.clients.get clientauthconfig.clients.list oauthconfig.clientpolicy.* oauthconfig.testusers.get oauthconfig.verification.get
`roles/remotebuildexecution.actionCacheWriter`	Remote Build Execution Action Cache Writer ^Beta	Remote Build Execution Action Cache Writer	remotebuildexecution.actions.set remotebuildexecution.blobs.create
`roles/remotebuildexecution.artifactAdmin`	Remote Build Execution Artifact Admin ^Beta	Remote Build Execution Artifact Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
`roles/remotebuildexecution.artifactCreator`	Remote Build Execution Artifact Creator ^Beta	Remote Build Execution Artifact Creator	remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
`roles/remotebuildexecution.artifactViewer`	Remote Build Execution Artifact Viewer ^Beta	Remote Build Execution Artifact Viewer	remotebuildexecution.actions.get remotebuildexecution.blobs.get remotebuildexecution.logstreams.get
`roles/remotebuildexecution.configurationAdmin`	Remote Build Execution Configuration Admin ^Beta	Remote Build Execution Configuration Admin	remotebuildexecution.instances.* remotebuildexecution.workerpools.*
`roles/remotebuildexecution.configurationViewer`	Remote Build Execution Configuration Viewer ^Beta	Remote Build Execution Configuration Viewer	remotebuildexecution.instances.get remotebuildexecution.instances.list remotebuildexecution.workerpools.get remotebuildexecution.workerpools.list
`roles/remotebuildexecution.logstreamWriter`	Remote Build Execution Logstream Writer ^Beta	Remote Build Execution Logstream Writer	remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
`roles/remotebuildexecution.reservationAdmin`	Remote Build Execution Reservation Admin ^Beta	Remote Build Execution Reservation Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get
`roles/remotebuildexecution.worker`	Remote Build Execution Worker ^Beta	Remote Build Execution Worker	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
`roles/runtimeconfig.admin`	Cloud RuntimeConfig Admin	Full access to RuntimeConfig resources.	runtimeconfig.*
`roles/subscribewithgoogledeveloper.developer`	Subscribe with Google Developer ^Beta	Access DevTools for Subscribe with Google	resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper.*
`roles/vmwareengine.vmwareengineAdmin`	VMware Engine Service Admin	Admin has full access to VMware Engine Service	vmwareengine.*
`roles/vmwareengine.vmwareengineViewer`	VMware Engine Service Viewer	Viewer has read-only access to VMware Engine Service	vmwareengine.services.view

Third-party Partner roles

Role	Title	Description	Permissions
`roles/netappcloudvolumes.admin`	NetApp Cloud Volumes Admin ^Beta	This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/* resourcemanager.projects.get resourcemanager.projects.list
`roles/netappcloudvolumes.viewer`	NetApp Cloud Volumes Viewer ^Beta	This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/activeDirectories.get cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.* cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.get cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.get cloudvolumesgcp-api.netapp.com/volumes.list resourcemanager.projects.get resourcemanager.projects.list
`roles/redisenterprisecloud.admin`	Redis Enterprise Cloud Admin ^Beta	This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/* resourcemanager.projects.get resourcemanager.projects.list
`roles/redisenterprisecloud.viewer`	Redis Enterprise Cloud Viewer ^Beta	This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/databases.get gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.get gcp.redisenterprise.com/subscriptions.list resourcemanager.projects.get resourcemanager.projects.list

Private CA roles

Role	Title	Description	Permissions
`roles/privateca.admin`	CA Service Admin ^Beta	Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
`roles/privateca.auditor`	CA Service Auditor ^Beta	Read-only access to all CA Service resources.	privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
`roles/privateca.caManager`	CA Service Operation Manager ^Beta	Create and manage CAs, revoke certificates, create CA configurations, and read-only access for CA Service resources.	privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
`roles/privateca.certificateManager`	CA Service Certificate Manager ^Beta	Create certificates and read-only access for CA Service resources.	privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
`roles/privateca.certificateRequester`	CA Service Certificate Requester ^Beta	Request certificates from CA Service.	privateca.certificates.create

Project roles

Role	Title	Description	Permissions	Lowest resource
`roles/browser`	Browser	Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project

Proximity Beacon roles

Role	Title	Description	Permissions
`roles/proximitybeacon.attachmentEditor`	Beacon Attachment Editor	Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.	proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.attachmentPublisher`	Beacon Attachment Publisher	Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.	proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.attachmentViewer`	Beacon Attachment Viewer	Can view all attachments under a namespace; no beacon or namespace permissions.	proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.beaconEditor`	Beacon Editor	Necessary access to register, modify, and view beacons; no attachment or namespace permissions.	proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list

Pub/Sub roles

Role	Title	Description	Permissions	Lowest resource
`roles/pubsub.admin`	Pub/Sub Admin	Provides full access to topics and subscriptions.	pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/pubsub.editor`	Pub/Sub Editor	Provides access to modify topics and subscriptions, and access to publish and consume messages.	pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/pubsub.publisher`	Pub/Sub Publisher	Provides access to publish messages to a topic.	pubsub.topics.publish	Topic
`roles/pubsub.subscriber`	Pub/Sub Subscriber	Provides access to consume messages from a subscription and to attach subscriptions to a topic.	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription	Topic
`roles/pubsub.viewer`	Pub/Sub Viewer	Provides access to view topics and subscriptions.	pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic

Pub/Sub Lite roles

Role	Title	Description	Permissions
`roles/pubsublite.admin`	Pub/Sub Lite Admin ^Beta	Full access to topics and subscriptions.	pubsublite.*
`roles/pubsublite.editor`	Pub/Sub Lite Editor ^Beta	Modify topics and subscriptions, publish and consume messages.	pubsublite.*
`roles/pubsublite.publisher`	Pub/Sub Lite Publisher ^Beta	Publish messages to a topic.	pubsublite.topics.getPartitions pubsublite.topics.publish
`roles/pubsublite.subscriber`	Pub/Sub Lite Subscriber ^Beta	Subscribe to and read messages from a topic.	pubsublite.subscriptions.getCursor pubsublite.subscriptions.setCursor pubsublite.subscriptions.subscribe pubsublite.topics.computeMessageStats pubsublite.topics.getPartitions pubsublite.topics.subscribe
`roles/pubsublite.viewer`	Pub/Sub Lite Viewer ^Beta	View topics and subscriptions.	pubsublite.subscriptions.get pubsublite.subscriptions.getCursor pubsublite.subscriptions.list pubsublite.topics.get pubsublite.topics.getPartitions pubsublite.topics.list pubsublite.topics.listSubscriptions

reCAPTCHA Enterprise roles

Role	Title	Description	Permissions
`roles/recaptchaenterprise.admin`	reCAPTCHA Enterprise Admin ^Beta	Access to view and modify reCAPTCHA Enterprise keys	recaptchaenterprise.keys.* recaptchaenterprise.metrics.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recaptchaenterprise.agent`	reCAPTCHA Enterprise Agent ^Beta	Access to create and annotate reCAPTCHA Enterprise assessments	recaptchaenterprise.assessments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recaptchaenterprise.viewer`	reCAPTCHA Enterprise Viewer ^Beta	Access to view reCAPTCHA Enterprise keys and metrics	recaptchaenterprise.keys.get recaptchaenterprise.keys.list recaptchaenterprise.metrics.* resourcemanager.projects.get resourcemanager.projects.list

Recommendations AI roles

Role	Title	Description	Permissions
`roles/automlrecommendations.admin`	Recommendations AI Admin ^Beta	Full access to all Recommendations AI resources.	automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.adminViewer`	Recommendations AI Admin Viewer ^Beta	Viewer of all Recommendations AI resources.	automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.editor`	Recommendations AI Editor ^Beta	Editor of all Recommendations AI resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.create automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.create automlrecommendations.recommendations.list automlrecommendations.recommendations.pause automlrecommendations.recommendations.resume automlrecommendations.recommendations.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.viewer`	Recommendations AI Viewer ^Beta	Viewer of all Recommendations AI resources except `apiKeys`. To view all resources, including `apiKeys`, grant the Recommendations AI Admin Viewer role (`roles/automlrecommendations.adminViewer`).	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Recommender roles

Role	Title	Description	Permissions
`roles/recommender.billingAccountCudAdmin`	Billing Account Usage Commitment Recommender Admin ^Beta	Admin of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.*
`roles/recommender.billingAccountCudViewer`	Billing Account Usage Commitment Recommender Viewer ^Beta	Viewer of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list
`roles/recommender.computeAdmin`	Compute Recommender Admin	Admin of compute recommendations.	recommender.computeDiskIdleResourceInsights.* recommender.computeDiskIdleResourceRecommendations.* recommender.computeInstanceGroupManagerMachineTypeRecommendations.* recommender.computeInstanceIdleResourceRecommendations.* recommender.computeInstanceMachineTypeRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.computeViewer`	Compute Recommender Viewer	Viewer of compute recommendations.	recommender.computeDiskIdleResourceInsights.get recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.get recommender.computeDiskIdleResourceRecommendations.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.get recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.get recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.firewallAdmin`	Firewall Recommender Admin	Admin of Firewall insights and recommendations.	recommender.computeFirewallInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.firewallViewer`	Firewall Recommender Viewer	Viewer of Firewall insights and recommendations.	recommender.computeFirewallInsights.get recommender.computeFirewallInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.iamAdmin`	IAM Recommender Admin	Admin of IAM recommendations.	recommender.iamPolicyInsights.* recommender.iamPolicyRecommendations.* recommender.iamServiceAccountInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.iamViewer`	IAM Recommender Viewer	Viewer of IAM recommendations.	recommender.iamPolicyInsights.get recommender.iamPolicyInsights.list recommender.iamPolicyRecommendations.get recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.get recommender.iamServiceAccountInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.projectCudAdmin`	Project Usage Commitment Recommender Admin ^Beta	Admin of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.* recommender.locations.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.projectCudViewer`	Project Usage Commitment Recommender Viewer ^Beta	Viewer of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.locations.* recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list resourcemanager.projects.get resourcemanager.projects.list

Memorystore Redis roles

Role	Title	Description	Permissions
`roles/redis.admin`	Cloud Memorystore Redis Admin ^Beta	Full control for all Memorystore for Redis resources.	compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/redis.editor`	Cloud Memorystore Redis Editor ^Beta	Manage Memorystore for Redis instances. Can't create or delete instances.	compute.networks.list redis.instances.failover redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
`roles/redis.viewer`	Cloud Memorystore Redis Viewer ^Beta	Read-only access to all Memorystore for Redis resources.	redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Resource Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/resourcemanager.folderAdmin`	Folder Admin	Provides all available permissions for working with folders.	orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy	Folder
`roles/resourcemanager.folderCreator`	Folder Creator	Provides permissions needed to browse the hierarchy and create folders.	orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.folderEditor`	Folder Editor	Provides permission to modify folders as well as to view a folder's IAM policy.	orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.folderIamAdmin`	Folder IAM Admin	Provides permissions to administer IAM policies on folders.	resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy	Folder
`roles/resourcemanager.folderMover`	Folder Mover	Provides permission to move projects and folders into and out of a parent organization or folder.	resourcemanager.folders.move resourcemanager.projects.move	Folder
`roles/resourcemanager.folderViewer`	Folder Viewer	Provides permission to get a folder and list the folders and projects below a resource.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.lienModifier`	Project Lien Modifier	Provides access to modify Liens on projects.	resourcemanager.projects.updateLiens	Project
`roles/resourcemanager.organizationAdmin`	Organization Administrator	Access to administer all resources belonging to the organization.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy
`roles/resourcemanager.organizationViewer`	Organization Viewer	Provides access to view an organization.	resourcemanager.organizations.get	Organization
`roles/resourcemanager.projectCreator`	Project Creator	Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.	resourcemanager.organizations.get resourcemanager.projects.create	Folder
`roles/resourcemanager.projectDeleter`	Project Deleter	Provides access to delete Google Cloud projects.	resourcemanager.projects.delete	Folder
`roles/resourcemanager.projectIamAdmin`	Project IAM Admin	Provides permissions to administer IAM policies on projects.	resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy	Project
`roles/resourcemanager.projectMover`	Project Mover	Provides access to update and move projects.	resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update	Project

Cloud Run roles

Role	Title	Description	Permissions	Lowest resource
`roles/run.admin`	Cloud Run Admin ^Beta	Full control over all Cloud Run resources.	resourcemanager.projects.get resourcemanager.projects.list run.*	Cloud Run service
`roles/run.invoker`	Cloud Run Invoker ^Beta	Can invoke a Cloud Run service.	run.routes.invoke	Cloud Run service
`roles/run.viewer`	Cloud Run Viewer ^Beta	Can view the state of all Cloud Run resources, including IAM policies.	resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list	Cloud Run service

Secret Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/secretmanager.admin`	Secret Manager Admin	Full access to administer Secret Manager resources.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.*	Secret
`roles/secretmanager.secretAccessor`	Secret Manager Secret Accessor	Allows accessing the payload of secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.access	Secret
`roles/secretmanager.secretVersionAdder`	Secret Manager Secret Version Adder	Allows adding versions to existing secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add	Secret
`roles/secretmanager.secretVersionManager`	Secret Manager Secret Version Manager	Allows creating and managing versions of existing secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add secretmanager.versions.destroy secretmanager.versions.disable secretmanager.versions.enable secretmanager.versions.get secretmanager.versions.list	Secret
`roles/secretmanager.viewer`	Secret Manager Viewer	Allows viewing metadata of all Secret Manager resources	resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list	Secret

Security Center roles

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.admin`	Security Center Admin	Admin(super user) access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminEditor`	Security Center Admin Editor	Admin Read-write access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminViewer`	Security Center Admin Viewer	Admin Read access to security center	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.assetSecurityMarksWriter`	Security Center Asset Security Marks Writer	Write access to asset security marks	securitycenter.assetsecuritymarks.*	Organization
`roles/securitycenter.assetsDiscoveryRunner`	Security Center Assets Discovery Runner	Run asset discovery access to assets	securitycenter.assets.runDiscovery	Organization
`roles/securitycenter.assetsViewer`	Security Center Assets Viewer	Read access to assets	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames	Organization
`roles/securitycenter.findingSecurityMarksWriter`	Security Center Finding Security Marks Writer	Write access to finding security marks	securitycenter.findingsecuritymarks.*	Organization
`roles/securitycenter.findingsEditor`	Security Center Findings Editor	Read-write access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.findings.setState securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list	Organization
`roles/securitycenter.findingsStateSetter`	Security Center Findings State Setter	Set state access to findings	securitycenter.findings.setState	Organization
`roles/securitycenter.findingsViewer`	Security Center Findings Viewer	Read access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list	Organization
`roles/securitycenter.findingsWorkflowStateSetter`	Security Center Findings Workflow State Setter ^Beta	Set workflow state access to findings	securitycenter.findings.setWorkflowState
`roles/securitycenter.notificationConfigEditor`	Security Center Notification Configurations Editor	Write access to notification configurations	securitycenter.notificationconfig.*
`roles/securitycenter.notificationConfigViewer`	Security Center Notification Configurations Viewer	Read access to notification configurations	securitycenter.notificationconfig.get securitycenter.notificationconfig.list
`roles/securitycenter.settingsAdmin`	Security Center Settings Admin	Admin(super user) access to security center settings	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.websecurityscannersettings.*
`roles/securitycenter.settingsEditor`	Security Center Settings Editor	Read-Write access to security center settings	securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.websecurityscannersettings.*
`roles/securitycenter.settingsViewer`	Security Center Settings Viewer	Read access to security center settings	securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
`roles/securitycenter.sourcesAdmin`	Security Center Sources Admin	Admin access to sources	resourcemanager.organizations.get securitycenter.sources.*	Organization
`roles/securitycenter.sourcesEditor`	Security Center Sources Editor	Read-write access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update	Organization
`roles/securitycenter.sourcesViewer`	Security Center Sources Viewer	Read access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list	Organization

Service Agent Roles roles

Role	Title	Description	Permissions
`roles/anthos.serviceAgent`	Anthos Service Agent	Gives the Anthos service agent access to Cloud Platform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
`roles/anthosconfigmanagement.serviceAgent`	Anthos Config Management Service Agent	Gives the Anthos Config Management service agent access to Cloud Platform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
`roles/apigee.serviceAgent`	Apigee Service Agent	Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.	apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.create apigee.appkeys.manage apigee.apps.get apigee.canaryevaluations.* apigee.developerapps.* apigee.developers.create apigee.developers.get apigee.environments.get apigee.environments.getDataLocation apigee.environments.manageRuntime apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.proxyrevisions.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
`roles/appengineflex.serviceAgent`	App Engine flexible environment Service Agent	Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.	billing.accounts.get cloudbuild.builds.create cloudbuild.builds.get compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.update compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.update compute.backendServices.use compute.disks.list compute.firewalls.* compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.use compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.update compute.healthChecks.useReadOnly compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.create compute.networks.delete compute.networks.get compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.update compute.regionBackendServices.use compute.regionOperations.get compute.regions.get compute.subnetworks.delete compute.targetHttpProxies.create compute.targetHttpProxies.delete compute.targetHttpProxies.get compute.targetHttpProxies.use compute.targetHttpsProxies.create compute.targetHttpsProxies.delete compute.targetHttpsProxies.get compute.targetHttpsProxies.setSslCertificates compute.targetHttpsProxies.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.update compute.urlMaps.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/artifactregistry.serviceAgent`	Artifact Registry Service Agent	Gives the Artifact Registry service account access to managed resources.	pubsub.topics.publish
`roles/automl.serviceAgent`	AutoML Service Agent	AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows serviceusage.services.use storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/automlrecommendations.serviceAgent`	Recommendations AI Service Agent	Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData cloudnotifications.* logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/bigqueryconnection.serviceAgent`	BigQuery Connection Service Agent	Gives BigQuery Connection Service access to Cloud SQL instances in user projects.	cloudsql.instances.connect cloudsql.instances.get logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
`roles/bigquerydatatransfer.serviceAgent`	BigQuery Data Transfer Service Agent	Gives BigQuery Data Transfer Service access to start bigquery jobs in consumer project.	bigquery.jobs.create iam.serviceAccounts.getAccessToken logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.serviceAgent`	Binary Authorization Service Agent	Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.listOccurrences containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudasset.serviceAgent`	Cloud Asset Service Agent	Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.	bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.update bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get
`roles/cloudbuild.serviceAgent`	Cloud Build Service Agent	Gives Cloud Build service account access to managed resources.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.get iam.serviceAccounts.getAccessToken logging.logEntries.create pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudfunctions.serviceAgent`	Cloud Functions Service Agent	Gives Cloud Functions service account access to managed resources.	clientauthconfig.clients.list cloudbuild.* cloudfunctions.functions.invoke compute.globalOperations.get compute.networks.access firebasedatabase.instances.get firebasedatabase.instances.update iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get pubsub.topics.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
`roles/cloudiot.serviceAgent`	Cloud IoT Core Service Agent	Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.	logging.logEntries.create pubsub.topics.publish
`roles/cloudkms.serviceAgent`	Cloud KMS Service Agent	Gives Cloud KMS service account access to call Cloud Asset Inventory ListAssets for KMS CryptoKeys.
`roles/cloudscheduler.serviceAgent`	Cloud Scheduler Service Agent	Grants Cloud Scheduler Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create pubsub.topics.publish
`roles/cloudsql.serviceAgent`	Cloud SQL Service Agent	Grants Cloud SQL access to services and APIs in the user project	cloudsql.instances.get
`roles/cloudtasks.serviceAgent`	Cloud Tasks Service Agent	Grants Cloud Tasks Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create
`roles/cloudtpu.serviceAgent`	Cloud TPU V2 API Service Agent	Give Cloud TPUs service account access to managed resources	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create networksecurity.* networkservices.* pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/composer.serviceAgent`	Cloud Composer API Service Agent	Cloud Composer API service agent can manage environments.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update artifactregistry.repositories.delete cloudnotifications.* cloudsql.* compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networksecurity.* networkservices.* orgpolicy.policy.get pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.* storage.objects.*
`roles/compute.serviceAgent`	Compute Engine Service Agent	Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signJwt logging.logEntries.create
`roles/computescanning.serviceAgent`	Compute Scanning Service Agent	Gives Compute Scanning Service Account access to view Google Compute Engine Images	compute.images.get compute.images.list compute.images.useReadOnly compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
`roles/container.serviceAgent`	Kubernetes Engine Service Agent	Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.	bigquery.datasets.create bigquery.datasets.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.nodeGroups.get compute.packetMirrorings.* compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.* compute.snapshots.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* dns.changes.* dns.managedZones.create dns.managedZones.get dns.managedZones.list dns.managedZones.update dns.networks.bindPrivateDNSZone dns.resourceRecordSets.* iam.serviceAccounts.actAs logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.* networksecurity.* networkservices.* pubsub.topics.create pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list tpu.locations.* tpu.nodes.create tpu.nodes.delete tpu.nodes.get tpu.nodes.list tpu.operations.*
`roles/containeranalysis.ServiceAgent`	Container Analysis Service Agent	Gives Container Analysis API the access it needs to function	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
`roles/containerregistry.ServiceAgent`	Container Registry Service Agent	Access for Container Registry	pubsub.topics.publish storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/containerscanning.ServiceAgent`	Container Scanner Service Agent	Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/containerthreatdetection.serviceAgent`	Container Threat Detection Service Agent	Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.* container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.networkPolicies.update container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.attach container.pods.create container.pods.delete container.pods.exec container.pods.get container.pods.getLogs container.pods.getStatus container.pods.list container.pods.portForward container.pods.update container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.secrets.create container.secrets.delete container.secrets.list container.secrets.update container.serviceAccounts.* container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataflow.serviceAgent`	Cloud Dataflow Service Agent	Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.	bigquery.* clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create cloudnotifications.* compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networksecurity.* networkservices.* pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.* storage.objects.*
`roles/datafusion.serviceAgent`	Cloud Data Fusion API Service Agent	Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.	bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.tables.* bigtable.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update firebase.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.operations.get networkservices.operations.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.buckets.* storage.objects.*
`roles/datalabeling.serviceAgent`	DataLabeling Service Agent	Gives DataLabeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.getData ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.* ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/dataprep.serviceAgent`	Dataprep Service Agent	Dataprep service identity. Includes access to service accounts.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.list bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* dataflow.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.list storage.objects.*
`roles/dataproc.serviceAgent`	Dataproc Service Agent	Gives Cloud Dataproc service account access to Compute, and Storage resources and Service Accounts.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeTypes.get compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.* dataproc.jobs.* firebase.projects.get iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/datastudio.serviceAgent`	Data Studio Service Agent	Grants Data Studio Service Account access to manage resources.	bigquery.jobs.create
`roles/dialogflow.serviceAgent`	Dialogflow Service Agent	Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.contexts.* dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.sessionEntityTypes.* dialogflow.sessions.* dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list dlp.inspectTemplates.get dlp.inspectTemplates.list logging.logEntries.create pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.objects.get storage.objects.list
`roles/dlp.serviceAgent`	DLP API Service Agent	Gives DLP API service agent permissions for biquery, storage, datastore, pubsub and KMS.	appengine.applications.get bigquery.datasets.* bigquery.jobs.create bigquery.jobs.get bigquery.jobs.update bigquery.models.* bigquery.readsessions.* bigquery.routines.* bigquery.tables.* cloudkms.cryptoKeyVersions.useToDecrypt datacatalog.tagTemplates.* datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobs.* dlp.kms.* firebase.projects.get pubsub.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use storage.buckets.* storage.objects.*
`roles/documentaicore.serviceAgent`	DocumentAI Core Service Agent	Gives DocumentAI Core Service Account access to consumer resources.	automl.models.predict storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/endpoints.serviceAgent`	Cloud Endpoints Service Agent	Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report
`roles/endpointsportal.serviceAgent`	Endpoints Portal Service Agent	Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.	servicemanagement.services.get servicemanagement.services.list source.repos.get
`roles/file.serviceAgent`	Cloud Filestore Service Agent	Gives Cloud Filestore service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.routes.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/firebase.appDistributionSdkServiceAgent`	Firebase App Distribution Admin SDK Service Agent	Read and write access to Firebase App Distribution with the Admin SDK	firebaseappdistro.*
`roles/firebase.managementServiceAgent`	Firebase Service Management Service Agent	Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.	apikeys.keys.create apikeys.keys.get apikeys.keys.list apikeys.keys.update appengine.applications.* appengine.operations.get appengine.services.list clientauthconfig.brands.create clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.getWithSecret clientauthconfig.clients.list clientauthconfig.clients.update firebase.clients.* firebase.projects.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaserules.releases.create firebaserules.releases.delete firebaserules.releases.get firebaserules.rulesets.create iam.roles.get iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy resourcemanager.projects.update servicemanagement.services.bind serviceusage.services.enable serviceusage.services.get storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy
`roles/firebase.sdkAdminServiceAgent`	Firebase Admin SDK Administrator Service Agent	Read and write access to Firebase products available in the Admin SDK	appengine.applications.get cloudconfig.* cloudmessaging.* datastore.databases.get datastore.databases.list datastore.entities.* datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* firebase.clients.* firebase.projects.get firebase.projects.update firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaseauth.users.* firebasedatabase.* firebasehosting.* firebaseml.* firebasenotifications.* firebaserules.releases.get firebaserules.releases.list firebaserules.releases.update firebaserules.rulesets.create firebaserules.rulesets.delete firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.update storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.*
`roles/firebase.sdkProvisioningServiceAgent`	Firebase SDK Provisioning Service Agent	Access to provision apps with the Admin SDK.	apikeys.keys.list clientauthconfig.clients.list cloudmessaging.* firebase.clients.create servicemanagement.services.bind serviceusage.services.enable
`roles/firebasemods.serviceAgent`	Firebase Extensions API Service Agent	Grants Firebase Extensions API Service Account access to manage resources.	cloudfunctions.functions.getIamPolicy cloudfunctions.functions.setIamPolicy deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list run.services.getIamPolicy run.services.setIamPolicy serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list
`roles/firebasestorage.serviceAgent`	Cloud Storage for Firebase Service Agent	Access to Cloud Storage for Firebase through API and SDK.	storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list storage.objects.update
`roles/firewallinsights.serviceAgent`	Cloud Firewall Insights Service Agent	Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.	compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.instanceGroups.list compute.instances.get compute.instances.list compute.networks.list compute.projects.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list
`roles/gameservices.serviceAgent`	Game Services Service Agent	Gives Game Services Service Account access to GCP resources.	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/genomics.serviceAgent`	Genomics Service Agent	Gives Genomics Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
`roles/gkehub.serviceAgent`	GKE Hub Service Agent	Gives the GKE Hub service agent access to Cloud Platform resources.	container.clusterRoleBindings.create container.clusterRoleBindings.delete container.clusterRoleBindings.get container.clusterRoleBindings.update container.clusterRoles.create container.clusterRoles.delete container.clusterRoles.get container.clusterRoles.update container.clusters.get container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.update container.namespaces.get container.thirdPartyObjects.* gkehub.features.create gkehub.features.get gkehub.features.list gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.list gkehub.operations.get serviceusage.services.get serviceusage.services.list
`roles/healthcare.serviceAgent`	Healthcare Service Agent	Gives the Healthcare Service Account access to networks,Kubernetes engine, and pubsub resources.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
`roles/lifesciences.serviceAgent`	Cloud Life Sciences Service Agent	Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
`roles/managedidentities.serviceAgent`	Cloud Managed Identities Service Agent	Gives Managed Identities service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/memcache.serviceAgent`	Cloud Memorystore Memcached Service Agent	Gives Cloud Memorystore Memcached service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/meshconfig.serviceAgent`	Mesh Config Service Agent	Apply mesh configuration	compute.backendServices.* compute.firewalls.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.get compute.networks.updatePolicy compute.networks.use compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* networksecurity.clientTlsPolicies.create networksecurity.clientTlsPolicies.delete networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.update networksecurity.serverTlsPolicies.create networksecurity.serverTlsPolicies.delete networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.update networkservices.endpointConfigSelectors.create networkservices.endpointConfigSelectors.delete networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.update networkservices.httpFilters.create networkservices.httpFilters.delete networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.update networkservices.httpfilters.create networkservices.httpfilters.delete networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.update
`roles/meshdataplane.serviceAgent`	Mesh Data Plane Service Agent	Run user-space Istio components	cloudtrace.traces.patch compute.forwardingRules.get compute.globalForwardingRules.get logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create serviceusage.services.use
`roles/ml.serviceAgent`	Cloud ML Service Agent	Cloud ML service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData firebase.projects.get iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.objects.*
`roles/monitoring.notificationServiceAgent`	Monitoring Notification Service Agent	Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.	serviceusage.services.use
`roles/multiclusteringress.serviceAgent`	Multi Cluster Ingress Service Agent	Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.	compute.addresses.get compute.addresses.list compute.backendServices.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.use compute.globalForwardingRules.* compute.healthChecks.* compute.networkEndpointGroups.use compute.networks.updatePolicy compute.networks.use compute.securityPolicies.use compute.sslCertificates.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.urlMaps.* container.backendConfigs.* container.clusters.get container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.update container.events.create container.events.update container.namespaces.list container.secrets.get container.secrets.list container.services.* container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyObjects.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
`roles/multiclustermetering.serviceAgent`	Multi-cluster metering Service Agent	Gives the Multi-cluster metering service agent access to CloudPlatform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
`roles/networkmanagement.serviceAgent`	GCP Network Management Service Agent	Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.	compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.list compute.networks.get compute.networks.list compute.regionBackendServices.get compute.regionBackendServices.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list container.clusters.get container.clusters.list container.nodes.get container.nodes.list
`roles/notebooks.serviceAgent`	AI Platform Notebooks Service Agent	Provide access for notebooks service agent to manage notebook instances in user projects	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/osconfig.serviceAgent`	Cloud OS Config Service Agent	Grants OS Config Service Account access to Google Compute Engine instances.	compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.setMetadata compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list
`roles/pubsub.serviceAgent`	Cloud Pub/Sub Service Agent	Grants Cloud Pub/Sub Service Account access to manage resources.	iam.serviceAccounts.getOpenIdToken
`roles/redis.serviceAgent`	Cloud Memorystore Redis Service Agent	Gives Cloud Memorystore Redis service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.projects.get compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/remotebuildexecution.serviceAgent`	Remote Build Execution Service Agent	Gives Remote Build Execution service account access to managed resources.	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
`roles/run.serviceAgent`	Cloud Run Service Agent	Gives Cloud Run service account access to managed resources.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.globalOperations.get compute.networks.access iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
`roles/securitycenter.automationServiceAgent`	Security Center Automation Service Agent	Security Center automation service agent can configure GCP resources to enable security scanning.	cloudasset.feeds.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.services.enable
`roles/securitycenter.controlServiceAgent`	Security Center Control Service Agent	Security Center Control service agent can monitor and configure GCP resources and import security findings.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list cloudasset.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.queries.* logging.sinks.get logging.sinks.list logging.usage.* monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
`roles/securitycenter.notificationServiceAgent`	Security Center Notification Service Agent	Security Center service agent can publish notifications to Pub/Sub topics.	pubsub.topics.publish
`roles/securitycenter.securityHealthAnalyticsServiceAgent`	Security Health Analytics Service Agent	Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get cloudasset.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.clusters.get container.clusters.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.queries.* logging.sinks.get logging.sinks.list logging.usage.* monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get
`roles/securitycenter.serviceAgent`	Security Center Service Agent	Security Center service agent can scan GCP resources and import security scans.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list cloudasset.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.queries.* logging.sinks.get logging.sinks.list logging.usage.* monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
`roles/servicenetworking.serviceAgent`	Service Networking Service Agent	Gives permission to manage network configuration, such as establishing network peering, necessary for service producers	compute.globalAddresses.get compute.globalOperations.get compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.list compute.networks.removePeering compute.networks.update compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.routers.get compute.routers.list compute.routes.list compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list
`roles/sourcerepo.serviceAgent`	Cloud Source Repositories Service Agent	Allow Cloud Source Repositories to integrate with other Cloud services.	iam.serviceAccounts.getAccessToken pubsub.topics.publish
`roles/tpu.serviceAgent`	Cloud TPU API Service Agent	Give Cloud TPUs service account access to managed resources	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.zones.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
`roles/vpcaccess.serviceAgent`	Serverless VPC Access Service Agent	Can create and manage resources to support serverless application to connect to virtual private cloud.	billing.accounts.get compute.autoscalers.* compute.disks.create compute.firewalls.* compute.healthChecks.* compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.get compute.networks.use compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.projects.get
`roles/websecurityscanner.serviceAgent`	Cloud Web Security Scanner Service Agent	Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.	appengine.applications.get compute.addresses.list compute.backendServices.get compute.forwardingRules.get compute.globalForwardingRules.get compute.sslCertificates.list compute.targetHttpProxies.get compute.targetHttpsProxies.get compute.urlMaps.get
`roles/workflows.serviceAgent`	Cloud Workflows Service Agent	Gives Cloud Workflows service account access to managed resources.	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken

Service Consumer Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/serviceconsumermanagement.tenancyUnitsAdmin`	Admin of Tenancy Units ^Beta	Administrate tenancy units	serviceconsumermanagement.tenancyu.*
`roles/serviceconsumermanagement.tenancyUnitsViewer`	Viewer of Tenancy Units ^Beta	View tenancy units	serviceconsumermanagement.tenancyu.list

Service Directory roles

Role	Title	Description	Permissions
`roles/servicedirectory.admin`	Service Directory Admin	Full control of all Service Directory resources and permissions.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.*
`roles/servicedirectory.editor`	Service Directory Editor	Edit Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
`roles/servicedirectory.viewer`	Service Directory Viewer	View Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.* servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve

Service Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/serverless.serviceAgent`	Cloud Run Service Agent	Gives Cloud Run service account access to managed resources.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.globalOperations.get compute.networks.access iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
`roles/servicemanagement.admin`	Service Management Administrator	Full control of Google Service Management resources.	monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.services.* serviceusage.quotas.get serviceusage.services.get
`roles/servicemanagement.configEditor`	Service Config Editor	Access to update the service config and create rollouts.	servicemanagement.services.get servicemanagement.services.update
`roles/servicemanagement.quotaAdmin`	Quota Administrator ^Beta	Provides access to administer service quotas.	monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.consumerSettings.* serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list	Project
`roles/servicemanagement.quotaViewer`	Quota Viewer ^Beta	Provides access to view service quotas.	monitoring.timeSeries.list servicemanagement.consumerSettings.get servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/servicemanagement.serviceConsumer`	Service Consumer	Can enable the service.	servicemanagement.services.bind
`roles/servicemanagement.serviceController`	Service Controller	Can check preconditions and report usage of a service during runtime.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report	Project

Service Networking roles

Role	Title	Description	Permissions	Lowest resource
`roles/servicenetworking.networksAdmin`	Service Networking Admin ^Beta	Full control of service networking with projects.	servicenetworking.*

Service Usage roles

Role	Title	Description	Permissions
`roles/serviceusage.apiKeysAdmin`	API Keys Admin ^Beta	Ability to create, delete, update, get and list API keys for a project.	apikeys.* serviceusage.apiKeys.* serviceusage.operations.get
`roles/serviceusage.apiKeysViewer`	API Keys Viewer ^Beta	Ability to get and list API keys for a project.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup
`roles/serviceusage.serviceUsageAdmin`	Service Usage Admin ^Beta	Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.*
`roles/serviceusage.serviceUsageConsumer`	Service Usage Consumer ^Beta	Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
`roles/serviceusage.serviceUsageViewer`	Service Usage Viewer ^Beta	Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Source roles

Role	Title	Description	Permissions	Lowest resource
`roles/source.admin`	Source Repository Administrator	Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.	source.*	Repository
`roles/source.reader`	Source Repository Reader	Provides permissions to list, clone, fetch, and browse repositories.	source.repos.get source.repos.list	Repository
`roles/source.writer`	Source Repository Writer	Provides permissions to list, clone, fetch, browse, and update repositories.	source.repos.get source.repos.list source.repos.update	Repository

Cloud Spanner roles

Role	Title	Description	Permissions	Lowest resource
`roles/spanner.admin`	Cloud Spanner Admin	Has complete access to all Cloud Spanner resources in a Google Cloud project. A member with this role can: Grant and revoke permissions to other members for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.*	Project
`roles/spanner.backupAdmin`	Cloud Spanner Backup Admin	A member with this role can: Create, view, update, and delete backups. View and manage a backup's IAM policy. This role cannot restore a database from a backup.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backupOperations.* spanner.backups.create spanner.backups.delete spanner.backups.get spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.backups.update spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list	Instance
`roles/spanner.backupWriter`	Cloud Spanner Backup Writer	This role is intended to be used by scripts that automate backup creation. A member with this role can create backups, but cannot update or delete them.	spanner.backupOperations.get spanner.backupOperations.list spanner.backups.create spanner.backups.get spanner.backups.list spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get	Instance
`roles/spanner.databaseAdmin`	Cloud Spanner Database Admin	A member with this role can: Get/list all Cloud Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.getDdl spanner.databases.getIamPolicy spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.setIamPolicy spanner.databases.update spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.*	Instance
`roles/spanner.databaseReader`	Cloud Spanner Database Reader	A member with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database.	spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.*	Database
`roles/spanner.databaseUser`	Cloud Spanner Database User	A member with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database.	spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.sessions.*	Database
`roles/spanner.restoreAdmin`	Cloud Spanner Restore Admin	A member with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backups.get spanner.backups.list spanner.backups.restoreDatabase spanner.databaseOperations.cancel spanner.databaseOperations.get spanner.databaseOperations.list spanner.databases.create spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list	Instance
`roles/spanner.viewer`	Cloud Spanner Viewer	A member with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the `roles/spanner.databaseUser` role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list	Project

Stackdriver roles

Role	Title	Description	Permissions
`roles/stackdriver.accounts.editor`	Stackdriver Accounts Editor	Read/write access to manage Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.*
`roles/stackdriver.accounts.viewer`	Stackdriver Accounts Viewer	Read-only access to get and list information about Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
`roles/stackdriver.resourceMetadata.writer`	Stackdriver Resource Metadata Writer ^Beta	Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	stackdriver.resourceMetadata.*

Cloud Storage roles

Role	Title	Description	Permissions	Lowest resource
`roles/storage.admin`	Storage Admin	Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.	firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.objects.*	Bucket
`roles/storage.hmacKeyAdmin`	Storage HMAC Key Admin	Full control of Cloud Storage HMAC keys.	firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.*
`roles/storage.objectAdmin`	Storage Object Admin	Grants full control of objects, including listing, creating, viewing, and deleting objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.*	Bucket
`roles/storage.objectCreator`	Storage Object Creator	Allows users to create objects. Does not give permission to view, delete, or overwrite objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.create	Bucket
`roles/storage.objectViewer`	Storage Object Viewer	Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list	Bucket
`roles/storagetransfer.admin`	Storage Transfer Admin	Create, update and manage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.*
`roles/storagetransfer.user`	Storage Transfer User	Create and update storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.*
`roles/storagetransfer.viewer`	Storage Transfer Viewer	Read access to storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.*

Cloud Storage Legacy roles

Role	Title	Description	Permissions	Lowest resource
`roles/storage.legacyBucketOwner`	Storage Legacy Bucket Owner	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/storage.legacyBucketReader`	Storage Legacy Bucket Reader	Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata, excluding IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.get storage.objects.list	Bucket
`roles/storage.legacyBucketWriter`	Storage Legacy Bucket Writer	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read bucket metadata, excluding IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/storage.legacyObjectOwner`	Storage Legacy Object Owner	Grants permission to view and edit objects and their metadata, including ACLs.	storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update	Bucket
`roles/storage.legacyObjectReader`	Storage Legacy Object Reader	Grants permission to view objects and their metadata, excluding ACLs.	storage.objects.get	Bucket

Support roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsupport.admin`	Support Account Administrator	Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.	cloudsupport.accounts.* cloudsupport.operations.* cloudsupport.properties.* resourcemanager.organizations.get	Organization
`roles/cloudsupport.techSupportEditor`	Tech Support Editor	Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).	cloudsupport.properties.* cloudsupport.techCases.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudsupport.techSupportViewer`	Tech Support Viewer	Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).	cloudsupport.properties.* cloudsupport.techCases.get cloudsupport.techCases.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudsupport.viewer`	Support Account Viewer	Read-only access to details of a support account. This does not allow viewing cases.	cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list cloudsupport.properties.*	Organization

Cloud Threat Detection roles

Role	Title	Description	Permissions	Lowest resource
`roles/threatdetection.editor`	Threat Detection Settings Editor ^Beta	Read-write access to all Threat Detection settings	threatdetection.*	Organization
`roles/threatdetection.viewer`	Threat Detection Settings Viewer ^Beta	Read access to all Threat Detection settings	threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get	Organization

Cloud TPU roles

Role	Title	Description	Permissions	Lowest resource
`roles/tpu.admin`	TPU Admin	Full access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.*
`roles/tpu.viewer`	TPU Viewer	Read-only access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.*

Transcoder roles

Role	Title	Description	Permissions	Lowest resource
`roles/transcoder.admin`	Transcoder Admin ^Beta	Full access to all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.*
`roles/transcoder.viewer`	Transcoder Viewer ^Beta	Viewer of all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.jobTemplates.get transcoder.jobTemplates.list transcoder.jobs.get transcoder.jobs.list

Serverless VPC Access roles

Role	Title	Description	Permissions
`roles/vpcaccess.admin`	Serverless VPC Access Admin	Full access to all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.*
`roles/vpcaccess.user`	Serverless VPC Access User	User of Serverless VPC Access connectors	compute.networks.access resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.* vpcaccess.operations.*
`roles/vpcaccess.viewer`	Serverless VPC Access Viewer	Viewer of all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.*

Custom roles

In addition to the predefined roles, IAM also provides the ability to create customized IAM roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific IAM documentation

Product-specific IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation	Description
IAM for App Engine	Explains IAM roles for App Engine
IAM for BigQuery	Explains IAM roles for BigQuery
IAM for Cloud Bigtable	Explains IAM roles for Cloud Bigtable
IAM for Cloud Billing API	Explains IAM roles and permissions for Cloud Billing API
IAM for Dataflow	Explains IAM roles for Dataflow
IAM for Dataproc	Explains IAM roles and permissions for Dataproc
IAM for Datastore	Explains IAM roles and permissions for Datastore
IAM for Cloud DNS	Explains IAM roles and permissions for Cloud DNS
IAM for Cloud KMS	Explains IAM roles and permissions for Cloud KMS
IAM for AI Platform	Explains IAM roles and permissions for AI Platform
IAM for Pub/Sub	Explains IAM roles for Pub/Sub
IAM for Spanner	Explains IAM roles and permissions for Spanner
IAM for Cloud SQL	Explains IAM roles for Cloud SQL
IAM for Cloud Storage	Explains IAM roles for Cloud Storage
IAM for Compute Engine	Explains IAM roles for Compute Engine
IAM for GKE	Explains IAM roles and permissions for GKE
IAM for Deployment Manager	Explains IAM roles and permissions for Deployment Manager
IAM for Organizations	Explains IAM roles for Organization.
IAM for Folders	Explains IAM roles for folders.
IAM for Projects	Explains IAM roles for projects.
IAM for Service Management	Explains IAM roles and permissions for Service Management
IAM for Cloud Debugger	Explains IAM roles for Debugger
IAM for Cloud Logging	Explains IAM roles for Logging
IAM for Cloud Monitoring	Explains IAM roles for Monitoring
IAM for Cloud Trace	Explains IAM roles and permissions for Trace

What's next

Learn how to grant IAM roles to users.
Learn about Custom Roles.
Use the Policy Troubleshooter to understand why a user does or doesn't have access to a resource or have permission to call an API.