Understanding roles

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to a member, grant the member at least one role.

This page describes the IAM roles that you can grant to identities to access Google Cloud resources.

Prerequisite for this guide

Role types

There are three types of roles in IAM:

  • Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
  • Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
  • Custom roles, which provide granular access according to a user-specified list of permissions.

To determine if one or more permissions are included in a basic, predefined, or custom role, you can use one of the following methods:

The sections below describe each role type and provide examples of how to use them.
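The role tables on this page list permissions either by exact name or with a trailing `*` that stands for every permission under that prefix, so answering "does this role include this permission?" means expanding that shorthand. The following is an added example, not code from the Google Cloud documentation or the IAM service; the `ROLES` table is constructed from the BigQuery role entries on this page, and the greedy `smallest_covering_roles` helper is my own least-privilege selection, not an IAM feature.

```python
"""Checking whether a role's permission list covers a permission.

Added example; not code from the Google Cloud documentation or the IAM
service. The ROLES table is constructed from the permission lists on this
page, where a trailing '*' stands for every permission under that prefix.
"""

ROLES = {
    # roles/bigquery.dataViewer, as listed on this page
    "roles/bigquery.dataViewer": [
        "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
        "bigquery.models.export", "bigquery.models.getData",
        "bigquery.models.getMetadata", "bigquery.models.list",
        "bigquery.routines.get", "bigquery.routines.list",
        "bigquery.tables.export", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.getIamPolicy",
        "bigquery.tables.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
    # roles/bigquery.jobUser, as listed on this page
    "roles/bigquery.jobUser": [
        "bigquery.jobs.create",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
    # roles/bigquery.dataOwner, as listed on this page (wildcard entries)
    "roles/bigquery.dataOwner": [
        "bigquery.datasets.*", "bigquery.models.*", "bigquery.routines.*",
        "bigquery.tables.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
}


def permission_matches(pattern: str, permission: str) -> bool:
    """True if one permission entry (exact name or 'prefix.*') covers permission."""
    if pattern.endswith(".*"):
        # 'bigquery.tables.*' covers bigquery.tables.get, bigquery.tables.delete,
        # and any permission added under that prefix in the future.
        return permission.startswith(pattern[:-1])
    return pattern == permission


def role_grants(role: str, permission: str, roles=ROLES) -> bool:
    """True if the named role includes the permission."""
    return any(permission_matches(p, permission) for p in roles[role])


def wildcard_patterns(role: str, roles=ROLES) -> list:
    """Wildcard entries in a role: these grow as the service adds permissions."""
    return [p for p in roles[role] if p.endswith(".*")]


def missing_permissions(granted_roles, required, roles=ROLES) -> list:
    """Required permissions that none of the granted roles provides."""
    return sorted(
        p for p in required
        if not any(role_grants(r, p, roles) for r in granted_roles)
    )


def smallest_covering_roles(required, roles=ROLES) -> list:
    """Greedy set cover: at each step take the role covering the most remaining
    permissions, preferring roles with fewer wildcard entries, then by name."""
    remaining = set(required)
    chosen = []
    while remaining:
        best = None
        for name in roles:
            covered = {p for p in remaining if role_grants(name, p, roles)}
            if not covered:
                continue
            key = (-len(covered), len(wildcard_patterns(name, roles)), name)
            if best is None or key < best[0]:
                best = (key, name, covered)
        if best is None:
            raise ValueError(f"no known role grants: {sorted(remaining)}")
        chosen.append(best[1])
        remaining -= best[2]
    return chosen


if __name__ == "__main__":
    need = ["bigquery.tables.getData", "bigquery.jobs.create"]
    print("missing with dataViewer only:",
          missing_permissions(["roles/bigquery.dataViewer"], need))
    print("smallest cover:", smallest_covering_roles(need))
```

The wildcard check matters for least privilege: a role listed with `bigquery.tables.*` grants `bigquery.tables.delete` today and whatever table permissions are introduced later, which is why `smallest_covering_roles` prefers the explicit `dataViewer` plus `jobUser` pairing over `dataOwner` when both satisfy the same need.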

Basic roles

There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name: roles/viewer
Title: Viewer
Permissions: Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.

Name: roles/editor
Title: Editor
Permissions: All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Note: While the roles/editor role contains permissions to create and delete resources for most Google Cloud services, some services do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.

Name: roles/owner
Title: Owner
Permissions: All editor permissions and permissions for the following actions:
  • Manage roles and permissions for a project and all resources within the project.
  • Set up billing for a project.
Note:
  • Granting the owner role at a resource level, such as a Pub/Sub topic, doesn't grant the owner role on the parent project.
  • Granting the owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify projects and other resources under that organization.

You can apply basic roles at the project or service resource levels by using the Cloud Console, the API, and the gcloud tool. See Granting, changing, and revoking access for instructions.

Invitation flow

You cannot grant the owner role to a member for a project using the Identity and Access Management API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

  • When you're granting a role other than the owner.
  • When an organization member adds another member of their organization as an owner of a project within that organization.

To see how to grant roles using the Cloud Console, see Granting, changing, and revoking access.
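Because the basic roles are concentric, a member holding roles/owner already has everything roles/editor and roles/viewer grant, and a basic role bound to a public principal hands that whole tier to everyone. The following added example (not code from the Google Cloud documentation or the IAM service) audits one resource's policy for exactly those two conditions. It assumes the IAM policy JSON shape returned by get-iam-policy, a `bindings` list of `role` plus `members`, and `SAMPLE_POLICY` is constructed for this example. As the notes above say, owner on one resource does not imply owner on its parent, so the audit is per policy and says nothing about other levels of the hierarchy.

```python
"""Auditing basic-role bindings in one IAM policy.

Added example; not code from the Google Cloud documentation or the IAM
service. Assumes the IAM policy JSON shape returned by get-iam-policy
(a list of bindings, each with a role and its members). SAMPLE_POLICY is
constructed for this example.
"""
import json

# Basic roles are concentric: owner includes editor, editor includes viewer.
BASIC_ROLE_RANK = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}
# Principals that stand for everyone (or every signed-in Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for a single project.
SAMPLE_POLICY = json.loads("""
{
  "etag": "BwConstructedEtag=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com", "group:dev-team@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
    {"role": "roles/bigquery.jobUser",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def highest_basic_role(policy):
    """Map each member to the strongest basic role it holds in this policy."""
    highest = {}
    for binding in policy.get("bindings", []):
        rank = BASIC_ROLE_RANK.get(binding["role"])
        if rank is None:
            continue  # predefined or custom role: not part of the concentric set
        for member in binding["members"]:
            if rank > BASIC_ROLE_RANK.get(highest.get(member), 0):
                highest[member] = binding["role"]
    return highest


def redundant_basic_bindings(policy):
    """(member, role) pairs already implied by a stronger basic role on that member."""
    highest = highest_basic_role(policy)
    redundant = []
    for binding in policy.get("bindings", []):
        rank = BASIC_ROLE_RANK.get(binding["role"])
        if rank is None:
            continue
        for member in binding["members"]:
            if rank < BASIC_ROLE_RANK[highest[member]]:
                redundant.append((member, binding["role"]))
    return sorted(redundant)


def policy_findings(policy):
    """Grants a reviewer would want flagged before approving this policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS and role in BASIC_ROLE_RANK:
                findings.append(f"{role} granted to public principal {member}")
            if role == "roles/owner" and member.startswith("serviceAccount:"):
                findings.append(f"roles/owner granted to service account {member}")
    return sorted(findings)


if __name__ == "__main__":
    for member, role in sorted(highest_basic_role(SAMPLE_POLICY).items()):
        print(f"{member}: {role}")
    print("redundant:", redundant_basic_bindings(SAMPLE_POLICY))
    print("findings:", policy_findings(SAMPLE_POLICY))
```

Removing the redundant roles/editor binding on alice changes nothing about what she can do, and replacing the basic roles on the service account and the public principal with the narrowest predefined role that covers the actual need is the fix the findings point at.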

Predefined roles

In addition to the basic roles, IAM provides predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role Title Description Permissions Lowest resource
roles/accessapproval.approver Access Approval Approver Beta Ability to view or act on access approval requests and view configuration
  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accessapproval.configEditor Access Approval Config Editor Beta Ability to update the Access Approval configuration
  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accessapproval.viewer Access Approval Viewer Beta Ability to view access approval requests and configuration
  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager roles

Role Title Description Permissions Lowest resource
roles/accesscontextmanager.gcpAccessAdmin Cloud Access Binding Admin Create, edit, and change Cloud access bindings.
  • accesscontextmanager.gcpUserAccessBindings.*
roles/accesscontextmanager.gcpAccessReader Cloud Access Binding Reader Read access to Cloud access bindings.
  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list
roles/accesscontextmanager.policyAdmin Access Context Manager Admin Full access to policies, access levels, and access zones
  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.policyEditor Access Context Manager Editor Edit access to policies. Create, edit, and change access levels and access zones.
  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.policyReader Access Context Manager Reader Read access to policies, access levels, and access zones.
  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/accesscontextmanager.vpcScTroubleshooterViewer VPC Service Controls Troubleshooter Viewer
  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Actions roles

Role Title Description Permissions Lowest resource
roles/actions.Admin Actions Admin Access to edit and deploy an action
  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
roles/actions.Viewer Actions Viewer Access to view an action
  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Android Management roles

Role Title Description Permissions Lowest resource
roles/androidmanagement.user Android Management User Full access to manage devices.
  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

API Gateway roles

Role Title Description Permissions Lowest resource
roles/apigateway.admin ApiGateway Admin Beta Full access to ApiGateway and related resources.
  • apigateway.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigateway.viewer ApiGateway Viewer Beta Read-only access to ApiGateway and related resources.
  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee roles

Role Title Description Permissions Lowest resource
roles/apigee.admin Apigee Organization Admin Full access to all apigee resource features
  • apigee.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.analyticsAgent Apigee Analytics Agent Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization
  • apigee.environments.getDataLocation
roles/apigee.analyticsEditor Apigee Analytics Editor Analytics editor for an Apigee Organization
  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.analyticsViewer Apigee Analytics Viewer Analytics viewer for an Apigee Organization
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.environments.getStats
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.apiCreator Apigee API Creator Creator of apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.apps.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.ingressconfigs.*
  • apigee.keyvaluemaps.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.delete
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.update
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/apigee.deployer Apigee Deployer Deployer of apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.apps.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.developerAdmin Apigee Developer Admin Developer admin of apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developers.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.readOnlyAdmin Apigee Read-only Admin Viewer of all apigee resources
  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerappattributes.get
  • apigee.developerappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developers.get
  • apigee.developers.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/apigee.runtimeAgent Apigee Runtime Agent Curated set of permissions for a runtime agent to access Apigee Organization resources
  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
roles/apigee.synchronizerManager Apigee Synchronizer Manager Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization
  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*
roles/apigeeconnect.Admin Apigee Connect Admin Admin of Apigee Connect
  • apigeeconnect.connections.*
roles/apigeeconnect.Agent Apigee Connect Agent Ability to set up Apigee Connect agent between external clusters and Google.
  • apigeeconnect.endpoints.*

App Engine roles

Role Title Description Permissions Lowest resource
roles/appengine.appAdmin App Engine Admin

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To use the gcloud tool to deploy, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appCreator App Engine Creator Ability to create the App Engine resource for the project.
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appViewer App Engine Viewer Read-only access to all application configuration and settings.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.codeViewer App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.deployer App Engine Deployer

Read-only access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To use the gcloud tool to deploy, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.serviceAdmin App Engine Service Admin

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Artifact Registry roles

Role Title Description Permissions Lowest resource
roles/artifactregistry.admin Artifact Registry Administrator Beta Administrator access to create and manage repositories.
  • artifactregistry.*
roles/artifactregistry.reader Artifact Registry Reader Beta Access to read repository items.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
roles/artifactregistry.repoAdmin Artifact Registry Repository Administrator Beta Access to manage artifacts in repositories.
  • artifactregistry.files.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
roles/artifactregistry.writer Artifact Registry Writer Beta Access to read and write repository items.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Assured Workloads roles

Role Title Description Permissions Lowest resource
roles/assuredworkloads.admin Assured Workloads Administrator Grants full access to Assured Workloads resources, including IAM policy administration.
  • assuredworkloads.*
  • orgpolicy.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/assuredworkloads.editor Assured Workloads Editor Grants access to read and write to Assured Workloads resources.
  • assuredworkloads.*
  • orgpolicy.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/assuredworkloads.reader Assured Workloads Reader Grants read access to all Assured Workloads resources.
  • assuredworkloads.operations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML roles

Role Title Description Permissions Lowest resource
roles/automl.admin AutoML Admin Beta Full access to all AutoML resources
  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
Dataset/Model
roles/automl.editor AutoML Editor Beta Editor of all AutoML resources
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
Dataset/Model
roles/automl.predictor AutoML Predictor Beta Predict using models
  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Model
roles/automl.viewer AutoML Viewer Beta Viewer of all AutoML resources
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
Dataset/Model

BigQuery roles

Role Title Description Permissions Lowest resource
roles/bigquery.admin BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/bigquery.connectionAdmin BigQuery Connection Admin
  • bigquery.connections.*
roles/bigquery.connectionUser BigQuery Connection User
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use
roles/bigquery.dataEditor BigQuery Data Editor

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.dataOwner BigQuery Data Owner

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.jobUser BigQuery Job User Provides permissions to run jobs, including queries, within the project.
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/bigquery.metadataViewer BigQuery Metadata Viewer

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Table or view
roles/bigquery.readSessionUser BigQuery Read Session User Access to create and use read sessions
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceAdmin BigQuery Resource Admin Administer all BigQuery resources.
  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceEditor BigQuery Resource Editor Manage all BigQuery resources, but cannot make purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.resourceViewer BigQuery Resource Viewer View all BigQuery resources but cannot make changes or purchasing decisions.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/bigquery.user BigQuery User

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, this role allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Dataset

Cloud Bigtable roles

Role Title Description Permissions Lowest resource
roles/bigtable.admin Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.
  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
roles/bigtable.reader Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
roles/bigtable.user Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts.
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
roles/bigtable.viewer Bigtable Viewer Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Cloud Bigtable.
  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance

Billing roles

Role Title Description Permissions Lowest resource
roles/billing.admin Billing Account Administrator Provides access to see and manage all aspects of billing accounts.
  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
Billing Account
roles/billing.creator Billing Account Creator Provides access to create billing accounts.
  • billing.accounts.create
  • resourcemanager.organizations.get
Organization
roles/billing.projectManager Project Billing Manager Provides access to assign a project's billing account or disable its billing.
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
Project
roles/billing.user Billing Account User Provides access to associate projects with billing accounts.
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create
Billing Account
roles/billing.viewer Billing Account Viewer View billing account cost information and transactions.
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
Billing Account

Binary Authorization roles

Role Title Description Permissions Lowest resource
roles/binaryauthorization.attestorsAdmin Binary Authorization Attestor Admin Beta Administrator of Binary Authorization Attestors
  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsEditor Binary Authorization Attestor Editor Beta Editor of Binary Authorization Attestors
  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsVerifier Binary Authorization Attestor Image Verifier Beta Can call VerifyImageAttested on Binary Authorization attestors
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.attestorsViewer Binary Authorization Attestor Viewer Beta Viewer of Binary Authorization Attestors
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyAdmin Binary Authorization Policy Administrator Beta Administrator of Binary Authorization Policy
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyEditor Binary Authorization Policy Editor Beta Editor of Binary Authorization Policy
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.policyViewer Binary Authorization Policy Viewer Beta Viewer of Binary Authorization Policy
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Hangouts Chat roles

Role Title Description Permissions Lowest resource
roles/chat.owner Chat Bots Owner Can view and modify bot configurations
  • chat.*
roles/chat.reader Chat Bots Viewer Can view bot configurations
  • chat.bots.get

Cloud Asset roles

Role Title Description Permissions Lowest resource
roles/cloudasset.owner Cloud Asset Owner Full access to cloud assets metadata
  • cloudasset.*
roles/cloudasset.viewer Cloud Asset Viewer Read only access to cloud assets metadata
  • cloudasset.assets.*

Cloud Build roles

Role Title Description Permissions Lowest resource
roles/cloudbuild.builds.builder Cloud Build Service Account Provides access to perform builds.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • cloudbuild.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/cloudbuild.builds.editor Cloud Build Editor Provides access to create and cancel builds.
  • cloudbuild.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/cloudbuild.builds.viewer Cloud Build Viewer Provides access to view builds.
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Cloud Data Fusion roles

Role Title Description Permissions Lowest resource
roles/datafusion.admin Cloud Data Fusion Admin Beta Full access to Cloud Data Fusion Instances and related resources.
  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datafusion.runner Cloud Data Fusion Runner Beta Access to Cloud Data Fusion runtime resources.
  • datafusion.instances.runtime
roles/datafusion.viewer Cloud Data Fusion Viewer Beta Read-only access to Cloud Data Fusion Instances and related resources.
  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Cloud Debugger roles

Role Title Description Permissions Lowest resource
roles/clouddebugger.agent Cloud Debugger Agent Beta Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create
Service Account
roles/clouddebugger.user Cloud Debugger User Beta Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).
  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
Project

Cloud Functions roles

Role Title Description Permissions Lowest resource
roles/cloudfunctions.admin Cloud Functions Admin Full access to functions, operations and locations.
  • cloudfunctions.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.developer Cloud Functions Developer Read and write access to all functions-related resources.
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.invoker Cloud Functions Invoker Ability to invoke HTTP functions with restricted access.
  • cloudfunctions.functions.invoke
roles/cloudfunctions.viewer Cloud Functions Viewer Read-only access to functions and locations.
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud IAP roles

Role Title Description Permissions Lowest resource
roles/iap.admin IAP Policy Admin Provides full access to Identity-Aware Proxy resources.
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy
Project
roles/iap.httpsResourceAccessor IAP-secured Web App User Provides permission to access HTTPS resources which use Identity-Aware Proxy.
  • iap.webServiceVersions.accessViaIAP
Project
roles/iap.settingsAdmin IAP Settings Admin Administrator of IAP Settings.
  • iap.projects.*
  • iap.web.getSettings
  • iap.web.updateSettings
  • iap.webServiceVersions.getSettings
  • iap.webServiceVersions.updateSettings
  • iap.webServices.getSettings
  • iap.webServices.updateSettings
  • iap.webTypes.getSettings
  • iap.webTypes.updateSettings
roles/iap.tunnelResourceAccessor IAP-secured Tunnel User Access Tunnel resources which use Identity-Aware Proxy
  • iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role Title Description Permissions Lowest resource
roles/cloudiot.admin Cloud IoT Admin Full control of all Cloud IoT resources and permissions.
  • cloudiot.*
  • cloudiottoken.*
Device
roles/cloudiot.deviceController Cloud IoT Device Controller Access to update the device configuration, but not to create or delete devices.
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.devices.sendCommand
  • cloudiot.devices.updateConfig
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device
roles/cloudiot.editor Cloud IoT Editor Read-write access to all Cloud IoT resources.
  • cloudiot.devices.*
  • cloudiot.registries.create
  • cloudiot.registries.delete
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiot.registries.update
  • cloudiottoken.*
Device
roles/cloudiot.provisioner Cloud IoT Provisioner Access to create and delete devices from registries, but not to modify the registries.
  • cloudiot.devices.*
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device
roles/cloudiot.viewer Cloud IoT Viewer Read-only access to all Cloud IoT resources.
  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get
Device

Cloud Talent Solution roles

Role Title Description Permissions Lowest resource
roles/cloudjobdiscovery.admin Admin Access to Cloud Talent Solution Self-Service Tools.
  • cloudjobdiscovery.tools.*
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.jobsEditor Job Editor Write access to all job data in Cloud Talent Solution.
  • cloudjobdiscovery.companies.*
  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.jobs.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.jobsViewer Job Viewer Read access to all job data in Cloud Talent Solution.
  • cloudjobdiscovery.companies.get
  • cloudjobdiscovery.companies.list
  • cloudjobdiscovery.jobs.get
  • cloudjobdiscovery.jobs.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.profilesEditor Profile Editor Write access to all profile data in Cloud Talent Solution.
  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.profiles.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudjobdiscovery.profilesViewer Profile Viewer Read access to all profile data in Cloud Talent Solution.
  • cloudjobdiscovery.profiles.get
  • cloudjobdiscovery.profiles.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud KMS roles

Role Title Description Permissions Lowest resource
roles/cloudkms.admin Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations.
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.destroy
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeyVersions.restore
  • cloudkms.cryptoKeyVersions.update
  • cloudkms.cryptoKeys.*
  • cloudkms.importJobs.*
  • cloudkms.keyRings.*
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyDecrypter Cloud KMS CryptoKey Decrypter Provides ability to use Cloud KMS resources for decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyEncrypter Cloud KMS CryptoKey Encrypter Provides ability to use Cloud KMS resources for encrypt operations only.
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyEncrypterDecrypter Cloud KMS CryptoKey Encrypter/Decrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.importer Cloud KMS Importer Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations
  • cloudkms.importJobs.create
  • cloudkms.importJobs.get
  • cloudkms.importJobs.list
  • cloudkms.importJobs.useToImport
  • resourcemanager.projects.get
roles/cloudkms.publicKeyViewer Cloud KMS CryptoKey Public Key Viewer Enables GetPublicKey operations
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • resourcemanager.projects.get
roles/cloudkms.signer Cloud KMS CryptoKey Signer Enables the AsymmetricSign operation
  • cloudkms.cryptoKeyVersions.useToSign
  • resourcemanager.projects.get
roles/cloudkms.signerVerifier Cloud KMS CryptoKey Signer/Verifier Enables AsymmetricSign and GetPublicKey operations
  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • resourcemanager.projects.get
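The tables above list permissions with a trailing `.*` wildcard (`cloudkms.cryptoKeys.*`, `bigtable.*`), and the security-relevant fact is often what a role does not contain: roles/cloudkms.admin carries no cloudkms.cryptoKeyVersions.useToDecrypt, so key administration and key use can be held by different principals. The following Python script is an added example, not Google tooling and not a live IAM query. It parses a few rows copied from the Cloud KMS and Cloud Bigtable tables above in the page's own flattened layout, answers whether a role grants a permission with the wildcard expanded the way the tables intend, picks the narrowest listed role for a permission, and flags a principal whose combined roles collapse the admin/decrypter separation. The embedded rows, the toxic-pair list and all function names are the example's own assumptions.

```python
"""Least-privilege lookup over the flattened role tables on this page.

Added example, not Google tooling and not a live IAM query. It parses rows in
the page's own layout (a "roles/..." line, "•" permission bullets, then an
optional "Lowest resource" cell) and treats "service.resource.*" as every
permission under that prefix and nothing under a sibling resource.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed input: a subset of the Cloud KMS and Cloud Bigtable rows above,
# embedded so the script runs offline. Titles and descriptions are ignored.
ROLE_TABLE = """
roles/cloudkms.admin Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations.
  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeys.*
  • cloudkms.keyRings.*
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyDecrypter Cloud KMS CryptoKey Decrypter Provides ability to use Cloud KMS resources for decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • resourcemanager.projects.get
CryptoKey
roles/cloudkms.cryptoKeyEncrypterDecrypter Cloud KMS CryptoKey Encrypter/Decrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • resourcemanager.projects.get
CryptoKey
roles/bigtable.admin Bigtable Administrator Administers all instances within a project, including the data stored within tables.
  • bigtable.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
Instance
"""


@dataclass
class Role:
    name: str
    permissions: List[str] = field(default_factory=list)
    lowest_resource: str = ""  # the table's "Lowest resource" cell, if present


def parse_roles(text: str) -> Dict[str, Role]:
    """Turn the flattened table into {role name: Role}."""
    roles: Dict[str, Role] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("roles/"):
            current = Role(name=line.split()[0])  # first token is the role id
            roles[current.name] = current
        elif line.startswith("•") and current is not None:
            current.permissions.append(line[1:].strip())
        elif current is not None:
            current.lowest_resource = line  # trailing cell after the bullets
    return roles


def grants(role: Role, permission: str) -> bool:
    """True if the role lists the permission or a wildcard covering it. The
    prefix keeps its final dot, so cloudkms.cryptoKeys.* covers
    cloudkms.cryptoKeys.setIamPolicy but not cloudkms.cryptoKeyVersions.*."""
    for entry in role.permissions:
        if entry.endswith(".*"):
            if permission.startswith(entry[:-1]):
                return True
        elif entry == permission:
            return True
    return False


def roles_granting(roles: Dict[str, Role], permission: str) -> List[str]:
    """Every role in the table that grants the permission, sorted by name."""
    return sorted(r.name for r in roles.values() if grants(r, permission))


def least_privileged_role(roles: Dict[str, Role], permission: str) -> str:
    """Narrowest listed role that still grants the permission: fewest wildcard
    entries first (a wildcard hides an unknown number of permissions), then
    fewest entries overall, then name for a stable answer."""
    candidates = [r for r in roles.values() if grants(r, permission)]
    if not candidates:
        raise LookupError(f"no role in the table grants {permission}")
    return min(candidates, key=lambda r: (
        sum(e.endswith(".*") for e in r.permissions), len(r.permissions), r.name)).name


def principal_can(roles: Dict[str, Role], held: Iterable[str], permission: str) -> bool:
    """Bindings are a union: any held role that grants the permission suffices."""
    return any(grants(roles[name], permission) for name in held)


def separation_of_duties_violations(
        roles: Dict[str, Role], held: Iterable[str],
        toxic_pairs: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of permissions (e.g. set a key's IAM policy AND decrypt with it)
    that one principal's combined roles grant together."""
    held = list(held)
    return [(a, b) for a, b in toxic_pairs
            if principal_can(roles, held, a) and principal_can(roles, held, b)]


TABLE = parse_roles(ROLE_TABLE)
```

To audit a real binding set, paste the full tables into ROLE_TABLE and call separation_of_duties_violations with the roles each principal holds; with the rows embedded here, holding roles/cloudkms.admin together with roles/cloudkms.cryptoKeyDecrypter trips the (cloudkms.cryptoKeys.setIamPolicy, cloudkms.cryptoKeyVersions.useToDecrypt) pair, while roles/cloudkms.admin alone does not. The wildcard rule matters: a naive string prefix without the dot would let cloudkms.cryptoKeys.* reach cloudkms.cryptoKeyVersions.useToDecrypt and report the admin role as a decrypter, which the table above says it is not.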

Cloud Marketplace roles

Role Title Description Permissions Lowest resource
roles/consumerprocurement.entitlementManager Consumer Procurement Entitlement Manager Beta Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.
  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
roles/consumerprocurement.entitlementViewer Consumer Procurement Entitlement Viewer Beta Allows inspecting entitlements and service states for a consumer project.
  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/consumerprocurement.orderAdmin Consumer Procurement Order Administrator Beta Allows managing purchases.
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
roles/consumerprocurement.orderViewer Consumer Procurement Order Viewer Beta Allows inspecting purchases.
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list

Cloud Migration roles

Role Title Description Permissions Lowest resource
roles/cloudmigration.inframanager Velostrata Manager Beta Ability to create and manage Compute VMs to run Velostrata Infrastructure
  • cloudmigration.*
  • compute.addresses.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalOperations.get
  • compute.images.get
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setDiskAutoDelete
  • compute.instances.setLabels
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.update
  • compute.instances.updateNetworkInterface
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.use
  • compute.licenseCodes.get
  • compute.licenseCodes.list
  • compute.licenseCodes.update
  • compute.licenseCodes.use
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeGroups.list
  • compute.nodeTemplates.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regions.*
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.*
  • gkehub.endpoints.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.update
roles/cloudmigration.storageaccess Velostrata Storage Access Beta Ability to access migration storage
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/cloudmigration.velostrataconnect Velostrata Manager Connection Agent Beta Ability to set up a connection between Velostrata Manager and Google
  • cloudmigration.*
  • gkehub.endpoints.*
roles/vmmigration.admin VM Migration Administrator Beta Ability to view and edit all VM Migration objects
  • vmmigration.*
roles/vmmigration.viewer VM Migration Viewer Beta Ability to view all VM Migration objects
  • vmmigration.deployments.get
  • vmmigration.deployments.list

Cloud Private Catalog roles

Role Title Description Permissions Lowest resource
roles/cloudprivatecatalog.consumer Catalog Consumer Beta Can browse catalogs in the target resource context.
  • cloudprivatecatalog.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudprivatecatalogproducer.admin Catalog Admin Beta Can manage catalog and view its associations.
  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudprivatecatalogproducer.manager Catalog Manager Beta Can manage associations between a catalog and a target resource.
  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.targets.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Profiler roles

Role Title Description Permissions Lowest resource
roles/cloudprofiler.agent Cloud Profiler Agent Allows Cloud Profiler agents to register and upload profiling data.
  • cloudprofiler.profiles.create
  • cloudprofiler.profiles.update
roles/cloudprofiler.user Cloud Profiler User Allows Cloud Profiler users to query and view profiling data.
  • cloudprofiler.profiles.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Scheduler roles

Role Title Description Permissions Lowest resource
roles/cloudscheduler.admin Cloud Scheduler Admin Full access to jobs and executions.
  • appengine.applications.get
  • cloudscheduler.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudscheduler.jobRunner Cloud Scheduler Job Runner Access to run jobs.
  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudscheduler.viewer Cloud Scheduler Viewer Get and list access to jobs, executions, and locations.
  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.get
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Security Scanner roles

Role Title Description Permissions Lowest resource
roles/cloudsecurityscanner.editor Web Security Scanner Editor Full access to all Web Security Scanner resources
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsecurityscanner.runner Web Security Scanner Runner Read access to Scan and ScanRun, plus the ability to start scans
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run
Project
roles/cloudsecurityscanner.viewer Web Security Scanner Viewer Read access to all Web Security Scanner resources
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Cloud Services roles

Role Title Description Permissions Lowest resource
roles/servicebroker.admin Service Broker Admin Full access to ServiceBroker resources.
  • servicebroker.*
roles/servicebroker.operator Service Broker Operator Operational access to the ServiceBroker resources.
  • servicebroker.bindingoperations.*
  • servicebroker.bindings.create
  • servicebroker.bindings.delete
  • servicebroker.bindings.get
  • servicebroker.bindings.list
  • servicebroker.catalogs.create
  • servicebroker.catalogs.delete
  • servicebroker.catalogs.get
  • servicebroker.catalogs.list
  • servicebroker.instanceoperations.*
  • servicebroker.instances.create
  • servicebroker.instances.delete
  • servicebroker.instances.get
  • servicebroker.instances.list
  • servicebroker.instances.update

Cloud SQL roles

Role Title Description Permissions Lowest resource
roles/cloudsql.admin Cloud SQL Admin Provides full control of Cloud SQL resources.
  • cloudsql.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsql.client Cloud SQL Client Provides connectivity access to Cloud SQL instances.
  • cloudsql.instances.connect
  • cloudsql.instances.get
Project
roles/cloudsql.editor Cloud SQL Editor Provides full control of existing Cloud SQL instances, excluding modifying users or SSL certificates and deleting resources.
  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.create
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.instances.addServerCa
  • cloudsql.instances.connect
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.restart
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/cloudsql.instanceUser Cloud SQL Instance User Role allowing access to a Cloud SQL instance
  • cloudsql.instances.get
  • cloudsql.instances.login
roles/cloudsql.viewer Cloud SQL Viewer Provides read-only access to Cloud SQL resources.
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.export
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Cloud Tasks roles

Role Title Description Permissions Lowest resource
roles/cloudtasks.admin Cloud Tasks Admin Beta Full access to queues and tasks.
  • cloudtasks.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.enqueuer Cloud Tasks Enqueuer Beta Access to create tasks.
  • cloudtasks.tasks.create
  • cloudtasks.tasks.fullView
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.queueAdmin Cloud Tasks Queue Admin Beta Admin access to queues.
  • cloudtasks.locations.*
  • cloudtasks.queues.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.taskDeleter Cloud Tasks Task Deleter (Beta) Access to delete tasks.
  • cloudtasks.tasks.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.taskRunner Cloud Tasks Task Runner (Beta) Access to run tasks.
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtasks.viewer Cloud Tasks Viewer (Beta) Get and list access to tasks, queues, and locations.
  • cloudtasks.locations.*
  • cloudtasks.queues.get
  • cloudtasks.queues.list
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.get
  • cloudtasks.tasks.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Trace roles

Role Title Description Permissions Lowest resource
roles/cloudtrace.admin Cloud Trace Admin Provides full access to the Trace console and read-write access to traces.
  • cloudtrace.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/cloudtrace.agent Cloud Trace Agent For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.
  • cloudtrace.traces.patch
Project
roles/cloudtrace.user Cloud Trace User Provides full access to the Trace console and read access to traces.
  • cloudtrace.insights.*
  • cloudtrace.stats.*
  • cloudtrace.tasks.*
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Cloud Translation roles

Role Title Description Permissions Lowest resource
roles/cloudtranslate.admin Cloud Translation API Admin Full access to all Cloud Translation resources
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.editor Cloud Translation API Editor Editor of all Cloud Translation resources
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.user Cloud Translation API User User of Cloud Translation and AutoML models
  • automl.models.get
  • automl.models.predict
  • cloudtranslate.generalModels.*
  • cloudtranslate.glossaries.batchPredict
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.glossaries.predict
  • cloudtranslate.languageDetectionModels.*
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtranslate.viewer Cloud Translation API Viewer Viewer of all Translation resources
  • automl.models.get
  • cloudtranslate.generalModels.get
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Workflows roles

Role Title Description Permissions Lowest resource
roles/workflows.admin Workflows Admin (Beta) Full access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.*
roles/workflows.editor Workflows Editor (Beta) Read and write access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*
  • workflows.locations.*
  • workflows.operations.*
  • workflows.workflows.create
  • workflows.workflows.delete
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
  • workflows.workflows.update
roles/workflows.invoker Workflows Invoker (Beta) Access to execute workflows and manage the executions.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*
roles/workflows.viewer Workflows Viewer (Beta) Read-only access to workflows and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.*
  • workflows.operations.get
  • workflows.operations.list
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list

Codelab API Keys roles

Role Title Description Permissions Lowest resource
roles/codelabapikeys.admin Codelab API Keys Admin (Beta) Full access to API keys.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/codelabapikeys.editor Codelab API Keys Editor (Beta) This role can view and edit all properties of API keys.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/codelabapikeys.viewer Codelab API Keys Viewer (Beta) This role can view all properties of API keys except their change history.
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Composer roles

Role Title Description Permissions Lowest resource
roles/composer.admin Composer Administrator Provides full control of Cloud Composer resources.
  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/composer.environmentAndStorageObjectAdmin Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets.
  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*
Project
roles/composer.environmentAndStorageObjectViewer Environment User and Storage Object Viewer Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list
Project
roles/composer.user Composer User Provides the permissions necessary to list and get Cloud Composer environments and operations.
  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/composer.worker Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
  • artifactregistry.*
  • cloudbuild.*
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*
Project

Compute Engine roles

Role Title Description Permissions Lowest resource
roles/compute.admin Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)
roles/compute.imageUser Compute Image User

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Image (Beta)
roles/compute.instanceAdmin Compute Instance Admin (beta)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM (Beta) settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Disk, image, instance, instanceTemplate, snapshot (Beta)
roles/compute.instanceAdmin.v1 Compute Instance Admin (v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only on individual instances, that user cannot create new instances: creating an instance requires compute.instances.create on the project, and a binding on an existing instance does not extend to the project.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.loadBalancerAdmin Compute Load Balancer Admin (Beta)

Permissions to create, modify, and delete load balancers and their associated resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.use
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.networkAdmin Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.

  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.externalVpnGateways.*
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.instances.use
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
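Several of the descriptions above are claims you can verify mechanically against the permission lists: Compute Network Admin can read firewall rules but not change them, Compute Instance Admin (v1) bound only on an existing instance cannot create instances, and Compute Image User granted on one image does not extend to the project's other images. The following Python is an added example and not Google's code or tooling. It parses role rows written in this page's layout (the sample text is constructed from trimmed rows of the table above), expands the service.resource.* wildcards under the assumed reading that such a pattern covers every permission on that resource type, and models policy inheritance on a toy resource tree; the resource names and the principal are assumed values.

```python
"""Wildcard-aware checks over IAM role definitions in this page's layout (a
'roles/...' header line followed by bullet permission lines), plus a toy model
of policy inheritance. Added example, not Google's tooling: SAMPLE_TABLE is
constructed from a few rows of the table above, trimmed to the permissions the
checks need; resource names and the principal are assumed values."""
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

SAMPLE_TABLE = """\
roles/compute.imageUser Compute Image User
  • compute.images.useReadOnly
roles/compute.instanceAdmin.v1 Compute Instance Admin (v1)
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.images.*
  • compute.instances.*
roles/compute.networkAdmin Compute Network Admin
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.*
Instance (Beta)
roles/compute.securityAdmin Compute Security Admin
  • compute.firewalls.*
"""
_ROLE_RE = re.compile(r"^(roles/[A-Za-z0-9_.]+)\b")
_PERM_RE = re.compile(r"^\s*•\s*([a-z][A-Za-z0-9]*(?:\.[A-Za-z0-9_]+)*(?:\.\*)?)\s*$")

# Toy resource tree (child -> parent): a binding on an ancestor is inherited.
PARENT: Dict[str, Optional[str]] = {
    "project:demo-prj": None,
    "instance:web-1": "project:demo-prj",
    "image:golden-base": "project:demo-prj",
    "image:legacy-db": "project:demo-prj",
}
Binding = Tuple[str, str, str]  # (resource, principal, role)

def parse_roles(text: str) -> Dict[str, List[str]]:
    """Map each role to its permission patterns. Description text and the
    'Lowest resource' cell match neither regex and are skipped."""
    roles: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = _ROLE_RE.match(line)
        if header:
            current = header.group(1)
            roles.setdefault(current, [])
        elif current is not None:
            perm = _PERM_RE.match(line)
            if perm:
                roles[current].append(perm.group(1))
    return roles

def pattern_matches(pattern: str, permission: str) -> bool:
    """'compute.firewalls.*' covers that resource type and 'compute.*' the whole
    service (assumed reading of the page's notation); otherwise exact match."""
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])
    return pattern == permission

def role_grants(roles: Dict[str, List[str]], role: str, permission: str) -> bool:
    return any(pattern_matches(p, permission) for p in roles.get(role, []))

def roles_granting(roles: Dict[str, List[str]], permission: str) -> List[str]:
    """Every role in the table that includes the permission, wildcards expanded."""
    return sorted(r for r in roles if role_grants(roles, r, permission))

def effective_roles(bindings: Sequence[Binding], principal: str, resource: str) -> Set[str]:
    """Roles the principal holds on the resource or on any of its ancestors."""
    held: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        held |= {role for res, member, role in bindings if res == node and member == principal}
        node = PARENT[node]
    return held

def can(roles: Dict[str, List[str]], bindings: Sequence[Binding],
        principal: str, resource: str, permission: str) -> bool:
    return any(role_grants(roles, r, permission)
               for r in effective_roles(bindings, principal, resource))

def demo() -> dict:
    roles = parse_roles(SAMPLE_TABLE)
    alice = "user:alice@example.com"  # assumed principal
    on_instance = [("instance:web-1", alice, "roles/compute.instanceAdmin.v1")]
    on_project = on_instance + [("project:demo-prj", alice, "roles/compute.instanceAdmin.v1")]
    on_one_image = [("image:golden-base", alice, "roles/compute.imageUser")]
    return {
        # Network Admin can read firewall rules but not change them.
        "network_admin_edits_firewalls": role_grants(roles, "roles/compute.networkAdmin", "compute.firewalls.update"),
        "firewall_creators": roles_granting(roles, "compute.firewalls.create"),
        # Instance Admin (v1) bound only on an existing VM controls that VM, but
        # compute.instances.create is checked on the project, which the binding never reaches.
        "instance_grant_deletes_that_vm": can(roles, on_instance, alice, "instance:web-1", "compute.instances.delete"),
        "instance_grant_creates_vms": can(roles, on_instance, alice, "project:demo-prj", "compute.instances.create"),
        "project_grant_creates_vms": can(roles, on_project, alice, "project:demo-prj", "compute.instances.create"),
        # Image User on one image covers that image only, not every image in the project.
        "image_grant_uses_golden": can(roles, on_one_image, alice, "image:golden-base", "compute.images.useReadOnly"),
        "image_grant_uses_legacy": can(roles, on_one_image, alice, "image:legacy-db", "compute.images.useReadOnly"),
    }
```

Call demo() to see the seven checks. For a role not in the sample, the same matcher works on the includedPermissions list returned by gcloud iam roles describe ROLE, which is the authoritative source when the table on this page is out of date.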
roles/compute.networkUser Compute Network User

Provides access to a shared VPC network.

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/compute.networkViewer Compute Network Viewer

Read-only access to all networking resources.

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.orgSecurityPolicyAdmin Compute Organization Security Policy Admin (Beta) Full control of Compute Engine Organization Security Policies.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.orgSecurityPolicyUser Compute Organization Security Policy User (Beta) View or use Compute Engine Security Policies to associate with the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.orgSecurityResourceAdmin Compute Organization Resource Admin (Beta) Full control of Compute Engine Security Policy associations to the organization or folders.
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.osAdminLogin Compute OS Admin Login Access to log in to a Compute Engine instance as an administrator user.
  • compute.instances.get
  • compute.instances.list
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.osLogin Compute OS Login Access to log in to a Compute Engine instance as a standard user.
  • compute.instances.get
  • compute.instances.list
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.osLoginExternalUser Compute OS Login External User

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

  • compute.oslogin.*
Organization
roles/compute.packetMirroringAdmin Compute packet mirroring admin Specify resources to be mirrored.
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.packetMirroringUser Compute packet mirroring user Use Compute Engine packet mirrorings.
  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.publicIpAdmin Compute Public IP Admin (Beta) Full control of public IP address management for Compute Engine.
  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/compute.securityAdmin Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM (Beta) settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance (Beta)
roles/compute.storageAdmin Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Disk, image, snapshot (Beta)
roles/compute.viewer Compute Viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. Note that the role does include compute.instances.getSerialPortOutput and compute.instances.getScreenshot, so a holder can read the serial console output and a screen capture of a running instance; treat those as sensitive when granting this role broadly.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot (Beta)
roles/compute.xpnAdmin Compute Shared VPC Admin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Folder
roles/osconfig.assignmentAdmin Assignment Admin Full admin access to Assignments
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.assignmentEditor Assignment Editor Editor of Assignment resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.assignmentViewer Assignment Viewer Viewer of Assignment resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyAdmin GuestPolicy Admin (Beta) Full admin access to GuestPolicies
  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyEditor GuestPolicy Editor (Beta) Editor of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.guestPolicyViewer GuestPolicy Viewer (Beta) Viewer of GuestPolicy resources
  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigAdmin OsConfig Admin Full admin access to OsConfigs
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigEditor OsConfig Editor Editor of OsConfig resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.osConfigViewer OsConfig Viewer Viewer of OsConfig resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchDeploymentAdmin PatchDeployment Admin Full admin access to PatchDeployments
  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchDeploymentViewer PatchDeployment Viewer Viewer of PatchDeployment resources
  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchJobExecutor Patch Job Executor Access to execute Patch Jobs.
  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/osconfig.patchJobViewer Patch Job Viewer Get and list Patch Jobs.
  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
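
The tables above are long enough that the practical question ("who in this project can actually read serial console output, or create a firewall rule?") is easier to answer with a script than by eye. The following is an added example, not code from the Google Cloud documentation or from the gcloud tool. It takes role definitions in the form this page lists them (a trailing `.*` standing for every permission on that resource type), IAM policies in the JSON shape that `gcloud projects get-iam-policy --format=json` returns, and a child-to-parent map of the resource hierarchy, and reports which principals end up holding a permission on a resource, including bindings inherited from the folder or organization. The role subsets, resource names, principals and policies are constructed sample data; roles that are not in the transcribed table (basic roles such as roles/owner, custom roles) are reported as unresolved rather than guessed, and bindings that carry a condition are flagged.

```python
"""Who holds a given IAM permission on a resource, resolved from role tables in
the form this page lists them plus the resource hierarchy. Added example, not
Google Cloud code; every role subset, resource, principal and policy below is
constructed sample data."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import Optional

# Constructed subset of predefined roles transcribed from this page. A trailing
# "*" is the page's shorthand for every permission with that prefix.
ROLE_PERMS: dict[str, frozenset[str]] = {
    "roles/compute.viewer": frozenset({
        "compute.instances.get", "compute.instances.list",
        "compute.instances.getSerialPortOutput", "compute.instances.getScreenshot",
        "compute.disks.get", "compute.firewalls.get", "compute.firewalls.list",
    }),
    "roles/compute.securityAdmin": frozenset({
        "compute.firewalls.*", "compute.packetMirrorings.*",
        "compute.securityPolicies.*", "compute.sslCertificates.*",
        "compute.networks.updatePolicy",
    }),
    "roles/compute.packetMirroringUser": frozenset({
        "compute.packetMirrorings.*", "compute.projects.get",
    }),
    "roles/container.developer": frozenset({
        "container.secrets.*", "container.pods.*", "container.clusters.get",
    }),
    "roles/osconfig.patchJobExecutor": frozenset({"osconfig.patchJobs.*"}),
}

# Constructed hierarchy, child -> parent. Bindings are inherited downwards.
PARENT: dict[str, Optional[str]] = {
    "organizations/123456789012": None,
    "folders/987654321098": "organizations/123456789012",
    "projects/host-proj": "folders/987654321098",
    "projects/svc-proj": "folders/987654321098",
}

# Constructed policies keyed by resource, in `get-iam-policy --format=json` shape.
POLICIES: dict[str, dict] = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/compute.securityAdmin", "members": ["group:netsec@example.com"]},
    ]},
    "projects/host-proj": {"bindings": [
        {"role": "roles/compute.viewer", "members": ["user:auditor@example.com"]},
        {"role": "roles/owner", "members": ["user:founder@example.com"]},  # basic role
        {"role": "roles/osconfig.patchJobExecutor",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ]},
    "projects/svc-proj": {"bindings": [
        {"role": "roles/container.developer", "members": ["group:app-devs@example.com"]},
    ]},
}


def role_grants(role: str, permission: str) -> Optional[bool]:
    """True/False for a role in ROLE_PERMS; None when the role must be resolved
    elsewhere (basic roles, custom roles, roles not transcribed here)."""
    perms = ROLE_PERMS.get(role)
    if perms is None:
        return None
    return any(fnmatchcase(permission, pattern) for pattern in perms)


def ancestry(resource: str) -> list[str]:
    """The resource followed by its ancestors up to the organization."""
    chain: list[str] = []
    node: Optional[str] = resource
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def who_can(resource: str, permission: str) -> tuple[dict[str, list[dict]], list[dict]]:
    """Return (grants, unresolved): grants maps principal -> [{role, via,
    conditional}]; unresolved lists bindings whose role is not in ROLE_PERMS."""
    grants: dict[str, list[dict]] = {}
    unresolved: list[dict] = []
    for node in ancestry(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            verdict = role_grants(binding["role"], permission)
            entry = {"role": binding["role"], "via": node,
                     "conditional": "condition" in binding}
            if verdict is None:
                unresolved.append({"members": list(binding["members"]), **entry})
            elif verdict:
                for member in binding["members"]:
                    grants.setdefault(member, []).append(entry)
    return grants, unresolved


if __name__ == "__main__":
    for res, perm in [("projects/host-proj", "compute.instances.getSerialPortOutput"),
                      ("projects/host-proj", "compute.firewalls.create"),
                      ("projects/svc-proj", "container.secrets.get")]:
        grants, unresolved = who_can(res, perm)
        print(f"{perm} on {res}:")
        for member, entries in grants.items():
            for e in entries:
                print(f"  {member} via {e['role']} on {e['via']}"
                      + (" (conditional)" if e["conditional"] else ""))
        for u in unresolved:
            print(f"  unresolved: {u['members']} hold {u['role']} on {u['via']}")
```

Run with no arguments to print the three sample queries. In practice, replace POLICIES with the output of `gcloud projects get-iam-policy PROJECT --format=json` (and the folder and organization equivalents) and extend ROLE_PERMS from `gcloud iam roles describe ROLE --format=json` for every role the policies reference, including any custom role. Two findings the page's own tables bear out: the Compute Viewer holder can read serial console output even though the role reads as inventory-only, and a Security Admin binding placed at the organization reaches every project beneath it.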

Kubernetes Engine roles

Role Title Description Permissions Lowest resource
roles/container.admin Kubernetes Engine Admin

Provides access to full management of clusters and their Kubernetes API objects.

To set a service account on nodes, you must also grant the Service Account User role (roles/iam.serviceAccountUser).

  • container.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/container.clusterAdmin Kubernetes Engine Cluster Admin

Provides access to management of clusters.

To set a service account on nodes, you must also grant the Service Account User role (roles/iam.serviceAccountUser).

  • container.clusters.create
  • container.clusters.delete
  • container.clusters.get
  • container.clusters.list
  • container.clusters.update
  • container.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/container.clusterViewer Kubernetes Engine Cluster Viewer Get and list access to GKE Clusters.
  • container.clusters.get
  • container.clusters.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/container.developer Kubernetes Engine Developer Provides access to Kubernetes API objects inside clusters.
  • container.apiServices.*
  • container.backendConfigs.*
  • container.bindings.*
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.*
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.*
  • container.csiDrivers.*
  • container.csiNodes.*
  • container.customResourceDefinitions.*
  • container.daemonSets.*
  • container.deployments.*
  • container.endpoints.*
  • container.events.*
  • container.horizontalPodAutoscalers.*
  • container.ingresses.*
  • container.initializerConfigurations.*
  • container.jobs.*
  • container.limitRanges.*
  • container.localSubjectAccessReviews.*
  • container.namespaces.*
  • container.networkPolicies.*
  • container.nodes.*
  • container.persistentVolumeClaims.*
  • container.persistentVolumes.*
  • container.petSets.*
  • container.podDisruptionBudgets.*
  • container.podPresets.*
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.*
  • container.pods.*
  • container.replicaSets.*
  • container.replicationControllers.*
  • container.resourceQuotas.*
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.*
  • container.scheduledJobs.*
  • container.secrets.*
  • container.selfSubjectAccessReviews.*
  • container.serviceAccounts.*
  • container.services.*
  • container.statefulSets.*
  • container.storageClasses.*
  • container.subjectAccessReviews.*
  • container.thirdPartyObjects.*
  • container.thirdPartyResources.*
  • container.tokenReviews.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/container.hostServiceAgentUser Kubernetes Engine Host Service Agent User Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.
  • compute.firewalls.get
  • container.hostServiceAgent.*
roles/container.viewer Kubernetes Engine Viewer Provides read-only access to GKE resources.
  • container.apiServices.get
  • container.apiServices.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Container Analysis roles

Role Title Description Permissions Lowest resource
roles/containeranalysis.admin Container Analysis Admin Access to all Container Analysis resources.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.attacher Container Analysis Notes Attacher Can attach Container Analysis Occurrences to Notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get
roles/containeranalysis.notes.editor Container Analysis Notes Editor Can edit Container Analysis Notes.
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.notes.occurrences.viewer Container Analysis Occurrences for Notes Viewer
  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences
roles/containeranalysis.notes.viewer Container Analysis Notes Viewer Can view Container Analysis Notes.
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.editor Container Analysis Occurrences Editor Can edit Container Analysis Occurrences.
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/containeranalysis.occurrences.viewer Container Analysis Occurrences Viewer Can view Container Analysis Occurrences.
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog roles

Role Title Description Permissions Lowest resource
roles/datacatalog.admin Data Catalog Admin Full access to all DataCatalog resources
  • bigquery.datasets.get
  • bigquery.datasets.updateTag
  • bigquery.models.getMetadata
  • bigquery.models.updateTag
  • bigquery.tables.get
  • bigquery.tables.updateTag
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • datacatalog.tagTemplates.*
  • datacatalog.taxonomies.*
  • pubsub.topics.get
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.categoryAdmin Policy Tag Admin (Beta) Manage taxonomies
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.taxonomies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.categoryFineGrainedReader Fine-Grained Reader (Beta) Read access to sub-resources tagged by a policy tag, for example, BigQuery columns
  • datacatalog.categories.fineGrainedGet
roles/datacatalog.entryGroupCreator DataCatalog EntryGroup Creator Can create new entryGroups
  • datacatalog.entryGroups.create
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryGroupOwner DataCatalog entryGroup Owner Full access to entryGroups
  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryOwner DataCatalog entry Owner Full access to entries
  • datacatalog.entries.*
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.entryViewer DataCatalog Entry Viewer Read access to entries
  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagEditor Data Catalog Tag Editor Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub
  • bigquery.datasets.updateTag
  • bigquery.models.updateTag
  • bigquery.tables.updateTag
  • datacatalog.entries.updateTag
  • pubsub.topics.updateTag
roles/datacatalog.tagTemplateCreator Data Catalog TagTemplate Creator Access to create new tag templates
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
roles/datacatalog.tagTemplateOwner Data Catalog TagTemplate Owner Full access to tag templates
  • datacatalog.tagTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagTemplateUser Data Catalog TagTemplate User Access to use templates to tag resources
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.tagTemplateViewer Data Catalog TagTemplate Viewer Read access to templates and tags created using the templates
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datacatalog.viewer Data Catalog Viewer Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub
  • bigquery.datasets.get
  • bigquery.models.getMetadata
  • bigquery.tables.get
  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.taxonomies.get
  • datacatalog.taxonomies.list
  • pubsub.topics.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataflow roles

Role Title Description Permissions Lowest resource
roles/dataflow.admin Dataflow Admin Minimal role for creating and managing Dataflow jobs.
  • compute.machineTypes.get
  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list
roles/dataflow.developer Dataflow Developer Provides the permissions necessary to execute and manipulate Dataflow jobs.
  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataflow.viewer Dataflow Viewer Provides read-only access to all Dataflow-related resources.
  • dataflow.jobs.get
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.metrics.*
  • dataflow.snapshots.get
  • dataflow.snapshots.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataflow.worker Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.
  • compute.instanceGroupManagers.update
  • compute.instances.delete
  • compute.instances.setDiskAutoDelete
  • dataflow.jobs.get
  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
Project

Cloud Data Labeling roles

Role Title Description Permissions Lowest resource
roles/datalabeling.admin DataLabeling Service Admin (Beta) Full access to all DataLabeling resources
  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datalabeling.editor DataLabeling Service Editor (Beta) Editor of all DataLabeling resources
  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/datalabeling.viewer DataLabeling Service Viewer (Beta) Viewer of all DataLabeling resources
  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataprep roles

Role Title Description Permissions Lowest resource
roles/dataprep.projects.user Dataprep User (Beta) Use of Dataprep.
  • dataprep.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Dataproc roles

Role Title Description Permissions Lowest resource
roles/dataproc.admin Dataproc Administrator Full control of Dataproc resources.
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.*
  • dataproc.clusters.*
  • dataproc.jobs.*
  • dataproc.operations.*
  • dataproc.workflowTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/dataproc.editor Dataproc Editor Provides the permissions necessary to create, use, and manage Dataproc clusters, jobs, workflow templates, and autoscaling policies, plus read access to the Compute Engine resources required to manage them (machine types, networks, projects, regions, and zones).
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.create
  • dataproc.autoscalingPolicies.delete
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.update
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.update
  • dataproc.clusters.use
  • dataproc.jobs.cancel
  • dataproc.jobs.create
  • dataproc.jobs.delete
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.jobs.update
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.create
  • dataproc.workflowTemplates.delete
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.instantiate
  • dataproc.workflowTemplates.instantiateInline
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataproc.viewer Dataproc Viewer Provides read-only access to Dataproc resources.
  • compute.machineTypes.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dataproc.worker Dataproc Worker Provides worker access to Dataproc resources. Intended for service accounts.
  • dataproc.agents.*
  • dataproc.tasks.*
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • storage.buckets.get
  • storage.objects.*

Datastore roles

Role Title Description Permissions Lowest resource
roles/datastore.importExportAdmin Cloud Datastore Import Export Admin Provides full access to manage imports and exports.
  • appengine.applications.get
  • datastore.databases.export
  • datastore.databases.import
  • datastore.operations.cancel
  • datastore.operations.get
  • datastore.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.indexAdmin Cloud Datastore Index Admin Provides full access to manage index definitions.
  • appengine.applications.get
  • datastore.indexes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.owner Cloud Datastore Owner Provides full access to Datastore resources.
  • appengine.applications.get
  • datastore.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.user Cloud Datastore User Provides read/write access to data in a Datastore database.
  • appengine.applications.get
  • datastore.databases.get
  • datastore.entities.*
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/datastore.viewer Cloud Datastore Viewer Provides read access to Datastore resources.
  • appengine.applications.get
  • datastore.databases.get
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Deployment Manager roles

Role Title Description Permissions Lowest resource
roles/deploymentmanager.editor Deployment Manager Editor Provides the permissions necessary to create and manage deployments.
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/deploymentmanager.typeEditor Deployment Manager Type Editor Provides read and write access to all Type Registry resources.
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.operations.get
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Project
roles/deploymentmanager.typeViewer Deployment Manager Type Viewer Provides read-only access to all Type Registry resources.
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
Project
roles/deploymentmanager.viewer Deployment Manager Viewer Provides read-only access to all Deployment Manager-related resources.
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project

Dialogflow roles

Role Title Description Permissions Lowest resource
roles/dialogflow.admin Dialogflow API Admin Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.
  • dialogflow.*
  • resourcemanager.projects.get
Project
roles/dialogflow.client Dialogflow API Client Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.
  • dialogflow.contexts.*
  • dialogflow.sessionEntityTypes.*
  • dialogflow.sessions.*
Project
roles/dialogflow.consoleAgentEditor Dialogflow Console Agent Editor Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.
  • actions.agentVersions.create
  • dialogflow.*
  • resourcemanager.projects.get
Project
roles/dialogflow.reader Dialogflow API Reader Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.
  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
Project

Cloud DLP roles

Role Title Description Permissions Lowest resource
roles/dlp.admin DLP Administrator Administer DLP including jobs and templates.
  • dlp.*
  • serviceusage.services.use
roles/dlp.analyzeRiskTemplatesEditor DLP Analyze Risk Templates Editor Edit DLP analyze risk templates.
  • dlp.analyzeRiskTemplates.*
roles/dlp.analyzeRiskTemplatesReader DLP Analyze Risk Templates Reader Read DLP analyze risk templates.
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
roles/dlp.deidentifyTemplatesEditor DLP De-identify Templates Editor Edit DLP de-identify templates.
  • dlp.deidentifyTemplates.*
roles/dlp.deidentifyTemplatesReader DLP De-identify Templates Reader Read DLP de-identify templates.
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
roles/dlp.inspectFindingsReader DLP Inspect Findings Reader Read DLP stored findings.
  • dlp.inspectFindings.*
roles/dlp.inspectTemplatesEditor DLP Inspect Templates Editor Edit DLP inspect templates.
  • dlp.inspectTemplates.*
roles/dlp.inspectTemplatesReader DLP Inspect Templates Reader Read DLP inspect templates.
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
roles/dlp.jobTriggersEditor DLP Job Triggers Editor Edit job triggers configurations.
  • dlp.jobTriggers.*
roles/dlp.jobTriggersReader DLP Job Triggers Reader Read job triggers.
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
roles/dlp.jobsEditor DLP Jobs Editor Edit and create jobs.
  • dlp.jobs.*
  • dlp.kms.*
roles/dlp.jobsReader DLP Jobs Reader Read jobs.
  • dlp.jobs.get
  • dlp.jobs.list
roles/dlp.reader DLP Reader Read DLP entities, such as jobs and templates.
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list
roles/dlp.storedInfoTypesEditor DLP Stored InfoTypes Editor Edit DLP stored info types.
  • dlp.storedInfoTypes.*
roles/dlp.storedInfoTypesReader DLP Stored InfoTypes Reader Read DLP stored info types.
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list
roles/dlp.user DLP User Inspect, redact, and de-identify content.
  • dlp.kms.*
  • serviceusage.services.use

DNS roles

Role Title Description Permissions Lowest resource
roles/dns.admin DNS Administrator Provides read-write access to all Cloud DNS resources.
  • compute.networks.get
  • compute.networks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/dns.peer DNS Peer Access to target networks with DNS peering zones.
  • dns.networks.targetWithPeeringZone
roles/dns.reader DNS Reader Provides read-only access to all Cloud DNS resources.
  • compute.networks.get
  • dns.changes.get
  • dns.changes.list
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.policies.get
  • dns.policies.list
  • dns.projects.*
  • dns.resourceRecordSets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

Endpoints roles

Role Title Description Permissions Lowest resource
roles/endpoints.portalAdmin Endpoints Portal Admin Beta Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.
  • endpoints.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
Project

Error Reporting roles

Role Title Description Permissions Lowest resource
roles/errorreporting.admin Error Reporting Admin Beta Provides full access to Error Reporting data.
  • cloudnotifications.*
  • errorreporting.*
Project
roles/errorreporting.user Error Reporting User Beta Provides the permissions to read and write Error Reporting data, except for sending new error events.
  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.delete
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.*
  • errorreporting.groups.*
Project
roles/errorreporting.viewer Error Reporting Viewer Beta Provides read-only access to Error Reporting data.
  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.get
  • errorreporting.groups.*
Project
roles/errorreporting.writer Errors Writer Beta Provides the permissions to send error events to Error Reporting.
  • errorreporting.errorEvents.create
Service Account

Eventarc roles

Role Title Description Permissions Lowest resource
roles/eventarc.admin Eventarc Admin Beta Full control over all Eventarc resources.
  • eventarc.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/eventarc.viewer Eventarc Viewer Beta Can view the state of all Eventarc resources, including IAM policies.
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Filestore roles

Role Title Description Permissions Lowest resource
roles/file.editor Cloud Filestore Editor Beta Read-write access to Filestore instances and related resources.
  • file.*
roles/file.viewer Cloud Filestore Viewer Beta Read-only access to Filestore instances and related resources.
  • file.backups.get
  • file.backups.list
  • file.instances.get
  • file.instances.list
  • file.locations.*
  • file.operations.get
  • file.operations.list

Firebase roles

Role Title Description Permissions Lowest resource
roles/firebase.admin Firebase Admin Full access to Firebase products.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • clientauthconfig.clients.update
  • cloudconfig.*
  • cloudfunctions.*
  • cloudmessaging.*
  • cloudnotifications.*
  • cloudtestservice.*
  • cloudtoolresults.*
  • datastore.*
  • errorreporting.groups.*
  • firebase.*
  • firebaseabt.*
  • firebaseanalytics.*
  • firebaseappdistro.*
  • firebaseauth.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebasedatabase.*
  • firebasedynamiclinks.*
  • firebaseextensions.*
  • firebasehosting.*
  • firebaseinappmessaging.*
  • firebaseml.*
  • firebasenotifications.*
  • firebaseperformance.*
  • firebasepredictions.*
  • firebaserules.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.objects.*
roles/firebase.analyticsAdmin Firebase Analytics Admin Full access to Google Analytics for Firebase.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/firebase.analyticsViewer Firebase Analytics Viewer Read access to Google Analytics for Firebase.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
roles/firebase.developAdmin Firebase Develop Admin Full access to Firebase Develop products and Analytics.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudfunctions.*
  • cloudnotifications.*
  • datastore.*
  • errorreporting.groups.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseauth.*
  • firebasedatabase.*
  • firebaseextensions.configs.list
  • firebasehosting.*
  • firebaseml.*
  • firebaserules.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.objects.*
roles/firebase.developViewer Firebase Develop Viewer Read access to Firebase Develop products and Analytics.
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • datastore.databases.get
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.statistics.*
  • errorreporting.groups.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
roles/firebase.growthAdmin Firebase Grow Admin Full access to Firebase Grow products and Analytics.
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudconfig.*
  • cloudmessaging.*
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseabt.*
  • firebaseanalytics.*
  • firebasedynamiclinks.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.*
  • firebasenotifications.*
  • firebasepredictions.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.growthViewer Firebase Grow Viewer Read access to Firebase Grow products and Analytics.
  • cloudconfig.configs.get
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.qualityAdmin Firebase Quality Admin Full access to Firebase Quality products and Analytics.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseappdistro.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebaseextensions.configs.list
  • firebaseperformance.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.qualityViewer Firebase Quality Viewer Read access to Firebase Quality products and Analytics.
  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrash.reports.*
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • firebaseextensions.configs.list
  • firebaseperformance.data.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebase.viewer Firebase Viewer Read-only access to Firebase products.
  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudconfig.configs.get
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • cloudtestservice.environmentcatalog.*
  • cloudtestservice.matrices.get
  • cloudtoolresults.executions.get
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.get
  • cloudtoolresults.histories.list
  • cloudtoolresults.settings.get
  • cloudtoolresults.steps.get
  • cloudtoolresults.steps.list
  • datastore.databases.get
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.statistics.*
  • errorreporting.groups.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.links.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • firebasecrash.reports.*
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • firebaseextensions.configs.list
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • firebaseperformance.data.*
  • firebasepredictions.predictions.list
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

Firebase Products roles

Role Title Description Permissions Lowest resource
roles/cloudconfig.admin Firebase Remote Config Admin Full access to Firebase Remote Config resources.
  • cloudconfig.*
  • firebase.clients.get
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudconfig.viewer Firebase Remote Config Viewer Read access to Firebase Remote Config resources.
  • cloudconfig.configs.get
  • firebase.clients.get
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudtestservice.testAdmin Firebase Test Lab Admin Full access to all Test Lab features.
  • cloudtestservice.*
  • cloudtoolresults.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list
roles/cloudtestservice.testViewer Firebase Test Lab Viewer Read access to Test Lab features.
  • cloudtestservice.environmentcatalog.*
  • cloudtestservice.matrices.get
  • cloudtoolresults.executions.get
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.get
  • cloudtoolresults.histories.list
  • cloudtoolresults.settings.get
  • cloudtoolresults.steps.get
  • cloudtoolresults.steps.list
  • firebase.clients.get
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list
roles/firebaseabt.admin Firebase A/B Testing Admin Beta Full read/write access to Firebase A/B Testing resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseabt.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseabt.viewer Firebase A/B Testing Viewer Beta Read-only access to Firebase A/B Testing resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseappdistro.admin Firebase App Distribution Admin Beta Full read/write access to Firebase App Distribution resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseappdistro.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseappdistro.viewer Firebase App Distribution Viewer Beta Read-only access to Firebase App Distribution resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseauth.admin Firebase Authentication Admin Full read/write access to Firebase Authentication resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseauth.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseauth.viewer Firebase Authentication Viewer Read-only access to Firebase Authentication resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasecrashlytics.admin Firebase Crashlytics Admin Full read/write access to Firebase Crashlytics resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasecrashlytics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasecrashlytics.viewer Firebase Crashlytics Viewer Read-only access to Firebase Crashlytics resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasedatabase.admin Firebase Realtime Database Admin Full read/write access to Firebase Realtime Database resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasedatabase.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasedatabase.viewer Firebase Realtime Database Viewer Read-only access to Firebase Realtime Database resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasedynamiclinks.admin Firebase Dynamic Links Admin Full read/write access to Firebase Dynamic Links resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasedynamiclinks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasedynamiclinks.viewer Firebase Dynamic Links Viewer Read-only access to Firebase Dynamic Links resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasehosting.admin Firebase Hosting Admin Full read/write access to Firebase Hosting resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasehosting.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasehosting.viewer Firebase Hosting Viewer Read-only access to Firebase Hosting resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseinappmessaging.admin Firebase In-App Messaging Admin Beta Full read/write access to Firebase In-App Messaging resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseinappmessaging.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseinappmessaging.viewer Firebase In-App Messaging Viewer Beta Read-only access to Firebase In-App Messaging resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseml.admin Firebase ML Kit Admin Beta Full read/write access to Firebase ML Kit resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseml.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseml.viewer Firebase ML Kit Viewer Beta Read-only access to Firebase ML Kit resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasenotifications.admin Firebase Cloud Messaging Admin Full read/write access to Firebase Cloud Messaging resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasenotifications.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasenotifications.viewer Firebase Cloud Messaging Viewer Read-only access to Firebase Cloud Messaging resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseperformance.admin Firebase Performance Reporting Admin Full access to firebaseperformance resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseperformance.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaseperformance.viewer Firebase Performance Reporting Viewer Read-only access to firebaseperformance resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebaseperformance.data.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasepredictions.admin Firebase Predictions Admin Full read/write access to Firebase Predictions resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasepredictions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebasepredictions.viewer Firebase Predictions Viewer Read-only access to Firebase Predictions resources.
  • firebase.clients.get
  • firebase.projects.get
  • firebasepredictions.predictions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaserules.admin Firebase Rules Admin Full management of Firebase Rules.
  • firebaserules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebaserules.viewer Firebase Rules Viewer Read-only access on all resources with the ability to test Rulesets.
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Game Services roles

Role Title Description Permissions Lowest resource
roles/gameservices.admin Game Services API Admin Full access to Game Services API and related resources.
  • gameservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/gameservices.viewer Game Services API Viewer Read-only access to Game Services API and related resources.
  • gameservices.gameServerClusters.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerDeployments.list
  • gameservices.locations.*
  • gameservices.operations.get
  • gameservices.operations.list
  • gameservices.realms.get
  • gameservices.realms.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Genomics roles

Role Title Description Permissions Lowest resource
roles/genomics.admin Genomics Admin Full access to genomics datasets and operations.
  • genomics.*
roles/genomics.editor Genomics Editor Access to read and edit genomics datasets and operations.
  • genomics.datasets.create
  • genomics.datasets.delete
  • genomics.datasets.get
  • genomics.datasets.list
  • genomics.datasets.update
  • genomics.operations.*
roles/genomics.pipelinesRunner Genomics Pipelines Runner Full access to operate on genomics pipelines.
  • genomics.operations.*
roles/genomics.viewer Genomics Viewer Access to view genomics datasets and operations.
  • genomics.datasets.get
  • genomics.datasets.list
  • genomics.operations.get
  • genomics.operations.list

GKE Hub roles

Role Title Description Permissions Lowest resource
roles/gkehub.admin GKE Hub Admin Full access to GKE Hub resources.
  • gkehub.features.*
  • gkehub.locations.*
  • gkehub.memberships.*
  • gkehub.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/gkehub.connect GKE Hub Connection Agent Ability to set up GKE Connect between external clusters and Google.
  • gkehub.endpoints.*
roles/gkehub.gatewayAdmin Connect Gateway Admin Full access to Connect Gateway.
  • gkehub.gateway.*
roles/gkehub.viewer GKE Hub Viewer Read-only access to GKE Hubs and related resources.
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.get
  • gkehub.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Healthcare roles

Role Title Description Permissions Lowest resource
roles/healthcare.annotationEditor Healthcare Annotation Editor Create, delete, update, read and list annotations.
  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.annotationReader Healthcare Annotation Reader Read and list annotations in an Annotation store.
  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.get
  • healthcare.annotations.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.annotationStoreAdmin Healthcare Annotation Administrator Administer Annotation stores.
  • healthcare.annotationStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.annotationStoreViewer Healthcare Annotation Store Viewer List Annotation Stores in a dataset.
  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.attributeDefinitionEditor Healthcare Attribute Definition Editor (Beta) Edit AttributeDefinition objects.
  • healthcare.attributeDefinitions.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.attributeDefinitionReader Healthcare Attribute Definition Reader (Beta) Read AttributeDefinition objects in a consent store.
  • healthcare.attributeDefinitions.get
  • healthcare.attributeDefinitions.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentArtifactAdmin Healthcare Consent Artifact Administrator (Beta) Administer ConsentArtifact objects.
  • healthcare.consentArtifacts.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentArtifactEditor Healthcare Consent Artifact Editor (Beta) Edit ConsentArtifact objects.
  • healthcare.consentArtifacts.create
  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentArtifactReader Healthcare Consent Artifact Reader (Beta) Read ConsentArtifact objects in a consent store.
  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentEditor Healthcare Consent Editor (Beta) Edit Consent objects.
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentReader Healthcare Consent Reader (Beta) Read Consent objects in a consent store.
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.get
  • healthcare.consents.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentStoreAdmin Healthcare Consent Store Administrator (Beta) Administer Consent stores.
  • healthcare.consentStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.consentStoreViewer Healthcare Consent Store Viewer (Beta) List Consent Stores in a dataset.
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.datasetAdmin Healthcare Dataset Administrator Administer Healthcare Datasets.
  • healthcare.datasets.*
  • healthcare.locations.*
  • healthcare.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.datasetViewer Healthcare Dataset Viewer List the Healthcare Datasets in a project.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.dicomEditor Healthcare DICOM Editor Edit DICOM images individually and in bulk.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.import
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.dicomStoreAdmin Healthcare DICOM Store Administrator Administer DICOM stores.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.get
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.dicomStoreViewer Healthcare DICOM Store Viewer List DICOM Stores in a dataset.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.dicomViewer Healthcare DICOM Viewer Retrieve DICOM images from a DICOM store.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.fhirResourceEditor Healthcare FHIR Resource Editor Create, delete, update, read and search FHIR resources.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.get
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirResources.update
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.fhirResourceReader Healthcare FHIR Resource Reader Read and search FHIR resources.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.get
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.fhirStoreAdmin Healthcare FHIR Store Administrator Administer FHIR resource stores.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.export
  • healthcare.fhirStores.get
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.import
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.fhirStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.fhirStoreViewer Healthcare FHIR Store Viewer List FHIR Stores in a dataset.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.hl7V2Consumer Healthcare HL7v2 Message Consumer List and read HL7v2 messages, update message labels, and publish new messages.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.hl7V2Editor Healthcare HL7v2 Message Editor Read, write, and delete access to HL7v2 messages.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.*
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.hl7V2Ingest Healthcare HL7v2 Message Ingest Ingest HL7v2 messages received from a source network.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.ingest
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.hl7V2StoreAdmin Healthcare HL7v2 Store Administrator Administer HL7v2 Stores.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.*
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.hl7V2StoreViewer Healthcare HL7v2 Store Viewer View HL7v2 Stores in a dataset.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.userDataMappingEditor Healthcare User Data Mapping Editor (Beta) Edit UserDataMapping objects.
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.userDataMappingReader Healthcare User Data Mapping Reader (Beta) Read UserDataMapping objects in a consent store.
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.get
  • healthcare.userDataMappings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
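
The listing above writes `service.resource.*` as shorthand for every permission under that prefix, which makes two questions hard to answer by eye: which roles grant one specific permission, and which roles include a `setIamPolicy` permission and therefore let the holder rewrite the binding on that resource and grant themselves anything else on it. The second question matters because admin roles are not always supersets of the viewer roles; `roles/healthcare.dicomStoreAdmin` lists `healthcare.dicomStores.setIamPolicy` but not `healthcare.dicomStores.dicomWebRead`, so a store admin cannot read images directly yet can grant the viewer role to any principal, including themselves. The Python below is an added example, not Google Cloud tooling or code from this page: it parses an excerpt copied from the listing above (the four roles embedded in `ROLE_LISTING`), applies the page's wildcard rule, and answers both questions. The function names and the choice of excerpt are the example's own.

```python
from typing import Dict, List

# Constructed excerpt of this page's role listing, copied in the page's own
# layout: a "roles/..." line carrying the title and description, followed by
# bullet lines naming the permissions the role contains.
ROLE_LISTING = """\
roles/gkehub.admin GKE Hub Admin Full access to GKE Hub resources.
  • gkehub.features.*
  • gkehub.locations.*
  • gkehub.memberships.*
  • gkehub.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/gkehub.gatewayAdmin Connect Gateway Admin Full access to Connect Gateway.
  • gkehub.gateway.*
roles/healthcare.dicomStoreAdmin Healthcare DICOM Store Administrator Administer DICOM stores.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.get
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/healthcare.dicomViewer Healthcare DICOM Viewer Retrieve DICOM images from a DICOM store.
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
"""


def parse_listing(text: str) -> Dict[str, dict]:
    """Map each role ID to its title/description text and its permission entries."""
    roles: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("roles/"):
            role_id, _, label = line.partition(" ")
            current = roles.setdefault(role_id, {"label": label, "permissions": []})
        elif line.startswith("•") and current is not None:
            current["permissions"].append(line.lstrip("•").strip())
    return roles


def entry_covers(entry: str, permission: str) -> bool:
    """A 'service.resource.*' entry stands for every permission with that
    prefix (the page's shorthand); any other entry must match exactly."""
    if entry.endswith(".*"):
        return permission.startswith(entry[:-1])
    return entry == permission


def role_grants(roles: Dict[str, dict], role_id: str, permission: str) -> bool:
    return any(entry_covers(e, permission) for e in roles[role_id]["permissions"])


def roles_granting(roles: Dict[str, dict], permission: str) -> List[str]:
    return sorted(r for r in roles if role_grants(roles, r, permission))


def explicit_policy_writers(roles: Dict[str, dict]) -> List[str]:
    """Roles that name a setIamPolicy permission. The holder can rewrite the
    binding on that resource and grant any other role on it, so treat the role
    as administrative even where it grants no access to the stored data."""
    return sorted(r for r, info in roles.items()
                  if any(e.endswith(".setIamPolicy") for e in info["permissions"]))


if __name__ == "__main__":
    roles = parse_listing(ROLE_LISTING)
    for perm in ("healthcare.dicomStores.dicomWebRead",
                 "healthcare.dicomStores.setIamPolicy", "gkehub.memberships.get"):
        print(perm, "->", roles_granting(roles, perm))
    print("explicit setIamPolicy:", explicit_policy_writers(roles))
```

Pasting further roles from the page into `ROLE_LISTING` extends the check unchanged; the wildcard rule also covers multi-level entries such as `genomics.*`, which match every permission under that service.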

IAM roles

Role Title Description Permissions Lowest resource
roles/iam.securityAdmin Security Admin Security admin role, with permissions to get and set any IAM policy.
  • accessapproval.requests.list
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.setIamPolicy
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.gcpUserAccessBindings.list
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.setIamPolicy
  • accesscontextmanager.servicePerimeters.list
  • actions.agentVersions.list
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.list
  • aiplatform.batchPredictionJobs.list
  • aiplatform.customJobs.list
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.list
  • aiplatform.endpoints.list
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.locations.list
  • aiplatform.modelEvaluationSlices.list
  • aiplatform.modelEvaluations.list
  • aiplatform.models.list
  • aiplatform.operations.*
  • aiplatform.specialistPools.list
  • aiplatform.trainingPipelines.list
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.setIamPolicy
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.setIamPolicy
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.gateways.setIamPolicy
  • apigateway.locations.list
  • apigateway.operations.list
  • apigee.apiproductattributes.list
  • apigee.apiproducts.list
  • apigee.apps.list
  • apigee.caches.list
  • apigee.datacollectors.list
  • apigee.datastores.list
  • apigee.deployments.list
  • apigee.developerappattributes.list
  • apigee.developerapps.list
  • apigee.developerattributes.list
  • apigee.developers.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getIamPolicy
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.exports.list
  • apigee.flowhooks.list
  • apigee.hostqueries.list
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.keystorealiases.list
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.operations.list
  • apigee.organizations.list
  • apigee.proxies.list
  • apigee.proxyrevisions.list
  • apigee.queries.list
  • apigee.references.list
  • apigee.reports.list
  • apigee.resourcefiles.list
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.list
  • apigee.targetservers.list
  • apigee.tracesessions.list
  • apigeeconnect.connections.*
  • apikeys.keys.list
  • appengine.instances.list
  • appengine.memcache.list
  • appengine.operations.list
  • appengine.services.list
  • appengine.versions.list
  • artifactregistry.files.list
  • artifactregistry.packages.list
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
  • artifactregistry.repositories.setIamPolicy
  • artifactregistry.tags.list
  • artifactregistry.versions.list
  • assuredworkloads.operations.list
  • assuredworkloads.workload.list
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.list
  • automl.datasets.getIamPolicy
  • automl.datasets.list
  • automl.datasets.setIamPolicy
  • automl.examples.list
  • automl.humanAnnotationTasks.list
  • automl.locations.getIamPolicy
  • automl.locations.list
  • automl.locations.setIamPolicy
  • automl.modelEvaluations.list
  • automl.models.getIamPolicy
  • automl.models.list
  • automl.models.setIamPolicy
  • automl.operations.list
  • automl.tableSpecs.list
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.list
  • automlrecommendations.events.list
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • bigquery.capacityCommitments.list
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.setIamPolicy
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.reservationAssignments.list
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.list
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.setIamPolicy
  • bigtable.appProfiles.list
  • bigtable.backups.getIamPolicy
  • bigtable.backups.list
  • bigtable.backups.setIamPolicy
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigtable.instances.list
  • bigtable.instances.setIamPolicy
  • bigtable.keyvisualizer.list
  • bigtable.locations.*
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • bigtable.tables.setIamPolicy
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.setIamPolicy
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.list
  • binaryauthorization.attestors.getIamPolicy
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.setIamPolicy
  • binaryauthorization.policy.getIamPolicy
  • binaryauthorization.policy.setIamPolicy
  • clientauthconfig.brands.list
  • clientauthconfig.clients.list
  • cloudasset.feeds.list
  • cloudbuild.builds.list
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.list
  • cloudfunctions.functions.setIamPolicy
  • cloudfunctions.locations.*
  • cloudfunctions.operations.list
  • cloudiot.devices.list
  • cloudiot.registries.getIamPolicy
  • cloudiot.registries.list
  • cloudiot.registries.setIamPolicy
  • cloudjobdiscovery.companies.list
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.importJobs.getIamPolicy
  • cloudkms.importJobs.list
  • cloudkms.importJobs.setIamPolicy
  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.list
  • cloudkms.keyRings.setIamPolicy
  • cloudnotifications.*
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.catalogs.setIamPolicy
  • cloudprofiler.profiles.list
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.list
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.list
  • cloudsql.backupRuns.list
  • cloudsql.databases.list
  • cloudsql.instances.list
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • cloudsupport.accounts.getIamPolicy
  • cloudsupport.accounts.list
  • cloudsupport.accounts.setIamPolicy
  • cloudsupport.techCases.list
  • cloudtasks.locations.list
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.queues.setIamPolicy
  • cloudtasks.tasks.list
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.list
  • cloudtoolresults.steps.list
  • cloudtrace.insights.list
  • cloudtrace.tasks.list
  • cloudtrace.traces.list
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.list
  • cloudtranslate.operations.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.list
  • compute.acceleratorTypes.list
  • compute.addresses.list
  • compute.autoscalers.list
  • compute.backendBuckets.list
  • compute.backendServices.list
  • compute.commitments.list
  • compute.diskTypes.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.setIamPolicy
  • compute.externalVpnGateways.list
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.globalAddresses.list
  • compute.globalForwardingRules.list
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.setIamPolicy
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.list
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.instances.setIamPolicy
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.list
  • compute.interconnects.list
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineTypes.list
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.maintenancePolicies.setIamPolicy
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networks.list
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeGroups.setIamPolicy
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTemplates.setIamPolicy
  • compute.nodeTypes.list
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • compute.regions.list
  • compute.reservations.list
  • compute.resourcePolicies.list
  • compute.routers.list
  • compute.routes.list
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.setIamPolicy
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.setIamPolicy
  • compute.sslCertificates.list
  • compute.sslPolicies.list
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.setIamPolicy
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zoneOperations.setIamPolicy
  • compute.zones.list
  • consumerprocurement.accounts.list
  • consumerprocurement.entitlements.list
  • consumerprocurement.freeTrials.list
  • consumerprocurement.orders.list
  • container.apiServices.list
  • container.backendConfigs.list
  • container.bindings.list
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.list
  • container.clusterRoles.list
  • container.clusters.list
  • container.componentStatuses.list
  • container.configMaps.list
  • container.controllerRevisions.list
  • container.cronJobs.list
  • container.csiDrivers.list
  • container.csiNodes.list
  • container.customResourceDefinitions.list
  • container.daemonSets.list
  • container.deployments.list
  • container.endpoints.list
  • container.events.list
  • container.horizontalPodAutoscalers.list
  • container.ingresses.list
  • container.initializerConfigurations.list
  • container.jobs.list
  • container.limitRanges.list
  • container.localSubjectAccessReviews.list
  • container.namespaces.list
  • container.networkPolicies.list
  • container.nodes.list
  • container.operations.list
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.list
  • container.petSets.list
  • container.podDisruptionBudgets.list
  • container.podPresets.list
  • container.podSecurityPolicies.list
  • container.podTemplates.list
  • container.pods.list
  • container.replicaSets.list
  • container.replicationControllers.list
  • container.resourceQuotas.list
  • container.roleBindings.list
  • container.roles.list
  • container.runtimeClasses.list
  • container.scheduledJobs.list
  • container.selfSubjectAccessReviews.list
  • container.serviceAccounts.list
  • container.services.list
  • container.statefulSets.list
  • container.storageClasses.list
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.list
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.occurrences.getIamPolicy
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.setIamPolicy
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.entries.getIamPolicy
  • datacatalog.entries.list
  • datacatalog.entries.setIamPolicy
  • datacatalog.entryGroups.getIamPolicy
  • datacatalog.entryGroups.list
  • datacatalog.entryGroups.setIamPolicy
  • datacatalog.tagTemplates.getIamPolicy
  • datacatalog.tagTemplates.setIamPolicy
  • datacatalog.taxonomies.getIamPolicy
  • datacatalog.taxonomies.list
  • datacatalog.taxonomies.setIamPolicy
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.snapshots.list
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.setIamPolicy
  • datafusion.locations.list
  • datafusion.operations.list
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.list
  • datalabeling.datasets.list
  • datalabeling.examples.list
  • datalabeling.instructions.list
  • datalabeling.operations.list
  • dataproc.agents.list
  • dataproc.autoscalingPolicies.getIamPolicy
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.setIamPolicy
  • dataproc.clusters.getIamPolicy
  • dataproc.clusters.list
  • dataproc.clusters.setIamPolicy
  • dataproc.jobs.getIamPolicy
  • dataproc.jobs.list
  • dataproc.jobs.setIamPolicy
  • dataproc.operations.getIamPolicy
  • dataproc.operations.list
  • dataproc.operations.setIamPolicy
  • dataproc.workflowTemplates.getIamPolicy
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.setIamPolicy
  • dataprocessing.featurecontrols.list
  • dataprocessing.groupcontrols.list
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.databases.setIamPolicy
  • datastore.entities.list
  • datastore.indexes.list
  • datastore.locations.list
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.namespaces.setIamPolicy
  • datastore.operations.list
  • datastore.statistics.list
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.getIamPolicy
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.setIamPolicy
  • deploymentmanager.manifests.list
  • deploymentmanager.operations.list
  • deploymentmanager.resources.list
  • deploymentmanager.typeProviders.list
  • deploymentmanager.types.list
  • dialogflow.agents.list
  • dialogflow.contexts.list
  • dialogflow.documents.list
  • dialogflow.entityTypes.list
  • dialogflow.environments.list
  • dialogflow.flows.list
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.list
  • dialogflow.pages.list
  • dialogflow.sessionEntityTypes.list
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.list
  • dialogflow.webhooks.list
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.list
  • dlp.jobs.list
  • dlp.storedInfoTypes.list
  • dns.changes.list
  • dns.dnsKeys.list
  • dns.managedZoneOperations.list
  • dns.managedZones.list
  • dns.policies.getIamPolicy
  • dns.policies.list
  • dns.policies.setIamPolicy
  • dns.resourceRecordSets.list
  • domains.locations.list
  • domains.operations.list
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • domains.registrations.setIamPolicy
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groups.*
  • essentialcontacts.contacts.list
  • eventarc.locations.list
  • eventarc.operations.list
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • file.backups.list
  • file.instances.list
  • file.locations.list
  • file.operations.list
  • firebase.links.list
  • firebaseabt.experiments.list
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrashlytics.issues.list
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.list
  • firebaseml.models.list
  • firebaseml.modelversions.list
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • firebaserules.releases.list
  • firebaserules.rulesets.list
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.list
  • gameservices.locations.list
  • gameservices.operations.list
  • gameservices.realms.list
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.list
  • genomics.datasets.getIamPolicy
  • genomics.datasets.list
  • genomics.datasets.setIamPolicy
  • genomics.operations.list
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.features.setIamPolicy
  • gkehub.gateway.getIamPolicy
  • gkehub.gateway.setIamPolicy
  • gkehub.locations.list
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.memberships.setIamPolicy
  • gkehub.operations.list
  • healthcare.annotationStores.getIamPolicy
  • healthcare.annotationStores.list
  • healthcare.annotationStores.setIamPolicy
  • healthcare.annotations.list
  • healthcare.attributeDefinitions.list
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.getIamPolicy
  • healthcare.consentStores.list
  • healthcare.consentStores.setIamPolicy
  • healthcare.consents.list
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.list
  • healthcare.datasets.setIamPolicy
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.list
  • healthcare.hl7V2Stores.setIamPolicy
  • healthcare.locations.list
  • healthcare.operations.list
  • healthcare.userDataMappings.list
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.list
  • iam.roles.get
  • iam.roles.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy
  • identityplatform.workloadPoolProviders.list
  • identityplatform.workloadPools.list
  • lifesciences.operations.list
  • logging.buckets.list
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • logging.queries.list
  • logging.sinks.list
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.domains.setIamPolicy
  • managedidentities.locations.list
  • managedidentities.operations.list
  • memcache.instances.list
  • memcache.locations.list
  • memcache.operations.list
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.jobs.setIamPolicy
  • ml.locations.list
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.setIamPolicy
  • ml.operations.list
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.studies.setIamPolicy
  • ml.trials.list
  • ml.versions.list
  • monitoring.alertPolicies.list
  • monitoring.dashboards.list
  • monitoring.groups.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.list
  • monitoring.services.list
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.list
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.connectivitytests.setIamPolicy
  • networkmanagement.locations.list
  • networkmanagement.operations.list
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.setIamPolicy
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.setIamPolicy
  • networksecurity.locations.list
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.setIamPolicy
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.setIamPolicy
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpFilters.setIamPolicy
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.httpfilters.setIamPolicy
  • networkservices.locations.list
  • networkservices.operations.list
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.environments.setIamPolicy
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.instances.setIamPolicy
  • notebooks.locations.list
  • notebooks.operations.list
  • osconfig.guestPolicies.list
  • osconfig.patchDeployments.list
  • osconfig.patchJobs.list
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.setIamPolicy
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.setIamPolicy
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.setIamPolicy
  • privateca.locations.list
  • privateca.operations.list
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.setIamPolicy
  • proximitybeacon.attachments.list
  • proximitybeacon.beacons.getIamPolicy
  • proximitybeacon.beacons.list
  • proximitybeacon.beacons.setIamPolicy
  • proximitybeacon.namespaces.getIamPolicy
  • proximitybeacon.namespaces.list
  • proximitybeacon.namespaces.setIamPolicy
  • pubsub.snapshots.getIamPolicy
  • pubsub.snapshots.list
  • pubsub.snapshots.setIamPolicy
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.subscriptions.setIamPolicy
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsublite.subscriptions.list
  • pubsublite.topics.list
  • recaptchaenterprise.keys.list
  • recommender.commitmentUtilizationInsights.list
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeFirewallInsights.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.list
  • recommender.usageCommitmentRecommendations.list
  • redis.instances.list
  • redis.locations.list
  • redis.operations.list
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.list
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.setIamPolicy
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.organizations.setIamPolicy
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.setIamPolicy
  • run.configurations.list
  • run.locations.*
  • run.revisions.list
  • run.routes.list
  • run.services.getIamPolicy
  • run.services.list
  • run.services.setIamPolicy
  • runtimeconfig.configs.getIamPolicy
  • runtimeconfig.configs.list
  • runtimeconfig.configs.setIamPolicy
  • runtimeconfig.operations.list
  • runtimeconfig.variables.getIamPolicy
  • runtimeconfig.variables.list
  • runtimeconfig.variables.setIamPolicy
  • runtimeconfig.waiters.getIamPolicy
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.setIamPolicy
  • secretmanager.locations.list
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.secrets.setIamPolicy
  • secretmanager.versions.list
  • securitycenter.assets.list
  • securitycenter.findings.list
  • securitycenter.notificationconfig.list
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • servicebroker.bindingoperations.list
  • servicebroker.bindings.getIamPolicy
  • servicebroker.bindings.list
  • servicebroker.bindings.setIamPolicy
  • servicebroker.catalogs.getIamPolicy
  • servicebroker.catalogs.list
  • servicebroker.catalogs.setIamPolicy
  • servicebroker.instanceoperations.list
  • servicebroker.instances.getIamPolicy
  • servicebroker.instances.list
  • servicebroker.instances.setIamPolicy
  • serviceconsumermanagement.tenancyu.list
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.setIamPolicy
  • servicedirectory.locations.list
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.setIamPolicy
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.setIamPolicy
  • servicemanagement.consumerSettings.getIamPolicy
  • servicemanagement.consumerSettings.list
  • servicemanagement.consumerSettings.setIamPolicy
  • servicemanagement.services.getIamPolicy
  • servicemanagement.services.list
  • servicemanagement.services.setIamPolicy
  • servicenetworking.operations.list
  • serviceusage.operations.list
  • serviceusage.services.list
  • source.repos.getIamPolicy
  • source.repos.list
  • source.repos.setIamPolicy
  • spanner.backupOperations.list
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.backups.setIamPolicy
  • spanner.databaseOperations.list
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.databases.setIamPolicy
  • spanner.instanceConfigs.list
  • spanner.instanceOperations.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.instances.setIamPolicy
  • spanner.sessions.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.buckets.setIamPolicy
  • storage.hmacKeys.list
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.setIamPolicy
  • storagetransfer.jobs.list
  • storagetransfer.operations.list
  • tpu.acceleratortypes.list
  • tpu.locations.list
  • tpu.nodes.list
  • tpu.operations.list
  • tpu.tensorflowversions.list
  • transcoder.jobTemplates.list
  • transcoder.jobs.list
  • vmmigration.deployments.list
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.list
  • workflows.executions.list
  • workflows.locations.list
  • workflows.operations.list
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
  • workflows.workflows.setIamPolicy
roles/iam.securityReviewer Security Reviewer Provides permissions to list all resources and IAM policies on them.
  • accessapproval.requests.list
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.gcpUserAccessBindings.list
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.list
  • actions.agentVersions.list
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.list
  • aiplatform.batchPredictionJobs.list
  • aiplatform.customJobs.list
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.list
  • aiplatform.endpoints.list
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.locations.list
  • aiplatform.modelEvaluationSlices.list
  • aiplatform.modelEvaluations.list
  • aiplatform.models.list
  • aiplatform.operations.*
  • aiplatform.specialistPools.list
  • aiplatform.trainingPipelines.list
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.list
  • apigateway.operations.list
  • apigee.apiproductattributes.list
  • apigee.apiproducts.list
  • apigee.apps.list
  • apigee.caches.list
  • apigee.datacollectors.list
  • apigee.datastores.list
  • apigee.deployments.list
  • apigee.developerappattributes.list
  • apigee.developerapps.list
  • apigee.developerattributes.list
  • apigee.developers.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getIamPolicy
  • apigee.environments.list
  • apigee.exports.list
  • apigee.flowhooks.list
  • apigee.hostqueries.list
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.keystorealiases.list
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.operations.list
  • apigee.organizations.list
  • apigee.proxies.list
  • apigee.proxyrevisions.list
  • apigee.queries.list
  • apigee.references.list
  • apigee.reports.list
  • apigee.resourcefiles.list
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.list
  • apigee.targetservers.list
  • apigee.tracesessions.list
  • apigeeconnect.connections.*
  • apikeys.keys.list
  • appengine.instances.list
  • appengine.memcache.list
  • appengine.operations.list
  • appengine.services.list
  • appengine.versions.list
  • artifactregistry.files.list
  • artifactregistry.packages.list
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
  • artifactregistry.tags.list
  • artifactregistry.versions.list
  • assuredworkloads.operations.list
  • assuredworkloads.workload.list
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.list
  • automl.datasets.getIamPolicy
  • automl.datasets.list
  • automl.examples.list
  • automl.humanAnnotationTasks.list
  • automl.locations.getIamPolicy
  • automl.locations.list
  • automl.modelEvaluations.list
  • automl.models.getIamPolicy
  • automl.models.list
  • automl.operations.list
  • automl.tableSpecs.list
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.list
  • automlrecommendations.events.list
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • bigquery.capacityCommitments.list
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.reservationAssignments.list
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.list
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigtable.appProfiles.list
  • bigtable.backups.getIamPolicy
  • bigtable.backups.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigtable.instances.list
  • bigtable.keyvisualizer.list
  • bigtable.locations.*
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.list
  • binaryauthorization.attestors.getIamPolicy
  • binaryauthorization.attestors.list
  • binaryauthorization.policy.getIamPolicy
  • clientauthconfig.brands.list
  • clientauthconfig.clients.list
  • cloudasset.feeds.list
  • cloudbuild.builds.list
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.list
  • cloudiot.devices.list
  • cloudiot.registries.getIamPolicy
  • cloudiot.registries.list
  • cloudjobdiscovery.companies.list
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.importJobs.getIamPolicy
  • cloudkms.importJobs.list
  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.list
  • cloudnotifications.*
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprofiler.profiles.list
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.list
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.list
  • cloudsql.backupRuns.list
  • cloudsql.databases.list
  • cloudsql.instances.list
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • cloudsupport.accounts.getIamPolicy
  • cloudsupport.accounts.list
  • cloudsupport.techCases.list
  • cloudtasks.locations.list
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.tasks.list
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.list
  • cloudtoolresults.steps.list
  • cloudtrace.insights.list
  • cloudtrace.tasks.list
  • cloudtrace.traces.list
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.list
  • cloudtranslate.operations.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.list
  • compute.acceleratorTypes.list
  • compute.addresses.list
  • compute.autoscalers.list
  • compute.backendBuckets.list
  • compute.backendServices.list
  • compute.commitments.list
  • compute.diskTypes.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.list
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.globalAddresses.list
  • compute.globalForwardingRules.list
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.list
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.list
  • compute.interconnects.list
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.list
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.list
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.list
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.list
  • compute.reservations.list
  • compute.resourcePolicies.list
  • compute.routers.list
  • compute.routes.list
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.list
  • compute.sslPolicies.list
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.list
  • consumerprocurement.accounts.list
  • consumerprocurement.entitlements.list
  • consumerprocurement.freeTrials.list
  • consumerprocurement.orders.list
  • container.apiServices.list
  • container.backendConfigs.list
  • container.bindings.list
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.list
  • container.clusterRoles.list
  • container.clusters.list
  • container.componentStatuses.list
  • container.configMaps.list
  • container.controllerRevisions.list
  • container.cronJobs.list
  • container.csiDrivers.list
  • container.csiNodes.list
  • container.customResourceDefinitions.list
  • container.daemonSets.list
  • container.deployments.list
  • container.endpoints.list
  • container.events.list
  • container.horizontalPodAutoscalers.list
  • container.ingresses.list
  • container.initializerConfigurations.list
  • container.jobs.list
  • container.limitRanges.list
  • container.localSubjectAccessReviews.list
  • container.namespaces.list
  • container.networkPolicies.list
  • container.nodes.list
  • container.operations.list
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.list
  • container.petSets.list
  • container.podDisruptionBudgets.list
  • container.podPresets.list
  • container.podSecurityPolicies.list
  • container.podTemplates.list
  • container.pods.list
  • container.replicaSets.list
  • container.replicationControllers.list
  • container.resourceQuotas.list
  • container.roleBindings.list
  • container.roles.list
  • container.runtimeClasses.list
  • container.scheduledJobs.list
  • container.selfSubjectAccessReviews.list
  • container.serviceAccounts.list
  • container.services.list
  • container.statefulSets.list
  • container.storageClasses.list
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.list
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.occurrences.getIamPolicy
  • containeranalysis.occurrences.list
  • datacatalog.categories.getIamPolicy
  • datacatalog.entries.getIamPolicy
  • datacatalog.entries.list
  • datacatalog.entryGroups.getIamPolicy
  • datacatalog.entryGroups.list
  • datacatalog.tagTemplates.getIamPolicy
  • datacatalog.taxonomies.getIamPolicy
  • datacatalog.taxonomies.list
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.snapshots.list
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.locations.list
  • datafusion.operations.list
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.list
  • datalabeling.datasets.list
  • datalabeling.examples.list
  • datalabeling.instructions.list
  • datalabeling.operations.list
  • dataproc.agents.list
  • dataproc.autoscalingPolicies.getIamPolicy
  • dataproc.autoscalingPolicies.list
  • dataproc.clusters.getIamPolicy
  • dataproc.clusters.list
  • dataproc.jobs.getIamPolicy
  • dataproc.jobs.list
  • dataproc.operations.getIamPolicy
  • dataproc.operations.list
  • dataproc.workflowTemplates.getIamPolicy
  • dataproc.workflowTemplates.list
  • dataprocessing.featurecontrols.list
  • dataprocessing.groupcontrols.list
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.list
  • datastore.indexes.list
  • datastore.locations.list
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.operations.list
  • datastore.statistics.list
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.getIamPolicy
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.list
  • deploymentmanager.operations.list
  • deploymentmanager.resources.list
  • deploymentmanager.typeProviders.list
  • deploymentmanager.types.list
  • dialogflow.agents.list
  • dialogflow.contexts.list
  • dialogflow.documents.list
  • dialogflow.entityTypes.list
  • dialogflow.environments.list
  • dialogflow.flows.list
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.list
  • dialogflow.pages.list
  • dialogflow.sessionEntityTypes.list
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.list
  • dialogflow.webhooks.list
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.list
  • dlp.jobs.list
  • dlp.storedInfoTypes.list
  • dns.changes.list
  • dns.dnsKeys.list
  • dns.managedZoneOperations.list
  • dns.managedZones.list
  • dns.policies.getIamPolicy
  • dns.policies.list
  • dns.resourceRecordSets.list
  • domains.locations.list
  • domains.operations.list
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groups.*
  • essentialcontacts.contacts.list
  • eventarc.locations.list
  • eventarc.operations.list
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • file.backups.list
  • file.instances.list
  • file.locations.list
  • file.operations.list
  • firebase.links.list
  • firebaseabt.experiments.list
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrashlytics.issues.list
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.list
  • firebaseml.models.list
  • firebaseml.modelversions.list
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • firebaserules.releases.list
  • firebaserules.rulesets.list
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.list
  • gameservices.locations.list
  • gameservices.operations.list
  • gameservices.realms.list
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.list
  • genomics.datasets.getIamPolicy
  • genomics.datasets.list
  • genomics.operations.list
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.gateway.getIamPolicy
  • gkehub.locations.list
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.list
  • healthcare.annotationStores.getIamPolicy
  • healthcare.annotationStores.list
  • healthcare.annotations.list
  • healthcare.attributeDefinitions.list
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.getIamPolicy
  • healthcare.consentStores.list
  • healthcare.consents.list
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.list
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.list
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.list
  • healthcare.locations.list
  • healthcare.operations.list
  • healthcare.userDataMappings.list
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.list
  • iam.roles.get
  • iam.roles.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iap.tunnel.getIamPolicy
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelZones.getIamPolicy
  • iap.web.getIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webTypes.getIamPolicy
  • identityplatform.workloadPoolProviders.list
  • identityplatform.workloadPools.list
  • lifesciences.operations.list
  • logging.buckets.list
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • logging.queries.list
  • logging.sinks.list
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.locations.list
  • managedidentities.operations.list
  • memcache.instances.list
  • memcache.locations.list
  • memcache.operations.list
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.list
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.operations.list
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.list
  • ml.versions.list
  • monitoring.alertPolicies.list
  • monitoring.dashboards.list
  • monitoring.groups.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.list
  • monitoring.services.list
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.list
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.locations.list
  • networkmanagement.operations.list
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.list
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.locations.list
  • networkservices.operations.list
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.list
  • notebooks.operations.list
  • osconfig.guestPolicies.list
  • osconfig.patchDeployments.list
  • osconfig.patchJobs.list
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.list
  • privateca.operations.list
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • proximitybeacon.attachments.list
  • proximitybeacon.beacons.getIamPolicy
  • proximitybeacon.beacons.list
  • proximitybeacon.namespaces.getIamPolicy
  • proximitybeacon.namespaces.list
  • pubsub.snapshots.getIamPolicy
  • pubsub.snapshots.list
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsublite.subscriptions.list
  • pubsublite.topics.list
  • recaptchaenterprise.keys.list
  • recommender.commitmentUtilizationInsights.list
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeFirewallInsights.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.list
  • recommender.usageCommitmentRecommendations.list
  • redis.instances.list
  • redis.locations.list
  • redis.operations.list
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.list
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.configurations.list
  • run.locations.*
  • run.revisions.list
  • run.routes.list
  • run.services.getIamPolicy
  • run.services.list
  • runtimeconfig.configs.getIamPolicy
  • runtimeconfig.configs.list
  • runtimeconfig.operations.list
  • runtimeconfig.variables.getIamPolicy
  • runtimeconfig.variables.list
  • runtimeconfig.waiters.getIamPolicy
  • runtimeconfig.waiters.list
  • secretmanager.locations.list
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.versions.list
  • securitycenter.assets.list
  • securitycenter.findings.list
  • securitycenter.notificationconfig.list
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • servicebroker.bindingoperations.list
  • servicebroker.bindings.getIamPolicy
  • servicebroker.bindings.list
  • servicebroker.catalogs.getIamPolicy
  • servicebroker.catalogs.list
  • servicebroker.instanceoperations.list
  • servicebroker.instances.getIamPolicy
  • servicebroker.instances.list
  • serviceconsumermanagement.tenancyu.list
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.locations.list
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicemanagement.consumerSettings.getIamPolicy
  • servicemanagement.consumerSettings.list
  • servicemanagement.services.getIamPolicy
  • servicemanagement.services.list
  • servicenetworking.operations.list
  • serviceusage.operations.list
  • serviceusage.services.list
  • source.repos.getIamPolicy
  • source.repos.list
  • spanner.backupOperations.list
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.databaseOperations.list
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.instanceConfigs.list
  • spanner.instanceOperations.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.sessions.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.hmacKeys.list
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storagetransfer.jobs.list
  • storagetransfer.operations.list
  • tpu.acceleratortypes.list
  • tpu.locations.list
  • tpu.nodes.list
  • tpu.operations.list
  • tpu.tensorflowversions.list
  • transcoder.jobTemplates.list
  • transcoder.jobs.list
  • vmmigration.deployments.list
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.list
  • workflows.executions.list
  • workflows.locations.list
  • workflows.operations.list
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta

Roles roles

Role Title Description Permissions Lowest resource
roles/iam.organizationRoleAdmin Organization Role Administrator Provides access to administer all custom roles in the organization and the projects below it.
  • iam.roles.*
  • resourcemanager.organizations.get
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Organization
roles/iam.organizationRoleViewer Organization Role Viewer Provides read access to all custom roles in the organization and the projects below it.
  • iam.roles.get
  • iam.roles.list
  • resourcemanager.organizations.get
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Project
roles/iam.roleAdmin Role Administrator Provides access to all custom roles in the project.
  • iam.roles.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
Project
roles/iam.roleViewer Role Viewer Provides read access to all custom roles in the project.
  • iam.roles.get
  • iam.roles.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
Project

Service Accounts roles

Role Title Description Permissions Lowest resource
roles/iam.serviceAccountAdmin Service Account Admin Create and manage service accounts.
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.undelete
  • iam.serviceAccounts.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Service Account
roles/iam.serviceAccountCreator Create Service Accounts Access to create service accounts.
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/iam.serviceAccountDeleter Delete Service Accounts Access to delete service accounts.
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/iam.serviceAccountKeyAdmin Service Account Key Admin Create and manage (and rotate) service account keys.
  • iam.serviceAccountKeys.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Service Account
roles/iam.serviceAccountTokenCreator Service Account Token Creator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.).
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Service Account
roles/iam.serviceAccountUser Service Account User Run operations as the service account.
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Service Account
roles/iam.workloadIdentityUser Workload Identity User Impersonate service accounts from GKE workloads.
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.list

Workload Identity Pools roles

Role Title Description Permissions Lowest resource
roles/iam.workloadIdentityPoolAdmin IAM Workload Identity Pool Admin Beta Full rights to create and manage workload identity pools.
  • iam.workloadIdentityPoolProviders.*
  • iam.workloadIdentityPools.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/iam.workloadIdentityPoolViewer IAM Workload Identity Pool Viewer Beta Read access to workload identity pools.
  • iam.googleapis.com/workloadIdentityPoolProviders.get
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.get
  • iam.googleapis.com/workloadIdentityPools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Life Sciences roles

Role Title Description Permissions Lowest resource
roles/lifesciences.admin Cloud Life Sciences Admin Beta Full control of Cloud Life Sciences resources.
  • lifesciences.*
roles/lifesciences.editor Cloud Life Sciences Editor Beta Access to read and edit Cloud Life Sciences resources.
  • lifesciences.*
roles/lifesciences.viewer Cloud Life Sciences Viewer Beta Access to read Cloud Life Sciences resources.
  • lifesciences.operations.get
  • lifesciences.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/lifesciences.workflowsRunner Cloud Life Sciences Workflows Runner Beta Full access to operate on Cloud Life Sciences workflows.
  • lifesciences.*

Logging roles

Role Title Description Permissions Lowest resource
roles/logging.admin Logging Admin Provides all permissions necessary to use all features of Cloud Logging.
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.logEntries.*
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.*
  • logging.privateLogEntries.*
  • logging.queries.*
  • logging.sinks.*
  • logging.usage.*
  • logging.views.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/logging.bucketWriter Logs Bucket Writer Ability to write logs to a log bucket.
  • logging.buckets.write
roles/logging.configWriter Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/logging.logWriter Logs Writer Provides the permissions to write log entries.
  • logging.logEntries.create
Project
roles/logging.privateLogViewer Private Logs Viewer Provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs.
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • logging.queries.*
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.*
  • resourcemanager.projects.get
Project
roles/logging.viewAccessor Logs View Accessor Ability to read logs in a view.
  • logging.views.*
roles/logging.viewer Logs Viewer Provides access to view logs.
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.queries.*
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.projects.get
Project

Cloud Managed Identities roles

Role Title Description Permissions Lowest resource
roles/managedidentities.admin Google Cloud Managed Identities Admin Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.
  • managedidentities.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/managedidentities.domainAdmin Google Cloud Managed Identities Domain Admin Read, update, and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the resource (domain) level.
  • managedidentities.domains.attachTrust
  • managedidentities.domains.delete
  • managedidentities.domains.detachTrust
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.update
  • managedidentities.domains.validateTrust
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/managedidentities.viewer Google Cloud Managed Identities Viewer Read-only access to Google Cloud Managed Identities Domains and related resources.
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Memorystore Memcache roles

Role Title Description Permissions Lowest resource
roles/memcache.admin Cloud Memorystore Memcached Admin Beta Full access to Memcached instances and related resources.
  • compute.networks.list
  • memcache.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/memcache.editor Cloud Memorystore Memcached Editor Beta Read-Write access to Memcached instances and related resources.
  • memcache.instances.applyParameters
  • memcache.instances.get
  • memcache.instances.list
  • memcache.instances.update
  • memcache.instances.updateParameters
  • memcache.locations.*
  • memcache.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/memcache.viewer Cloud Memorystore Memcached Viewer Beta Read-only access to Memcached instances and related resources.
  • memcache.instances.get
  • memcache.instances.list
  • memcache.locations.*
  • memcache.operations.get
  • memcache.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Machine Learning Engine roles

Role Title Description Permissions Lowest resource
roles/ml.admin ML Engine Admin Provides full access to AI Platform resources and their jobs, operations, models, and versions.
  • ml.*
  • resourcemanager.projects.get
Project
roles/ml.developer ML Engine Developer Provides the ability to use AI Platform resources to create models, versions, and jobs for training and prediction, and to send online prediction requests.
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get
Project
roles/ml.jobOwner ML Engine Job Owner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.
  • ml.jobs.*
Job
roles/ml.modelOwner ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.
  • ml.models.*
  • ml.versions.*
Model
roles/ml.modelUser ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction.
  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
Model
roles/ml.operationOwner ML Engine Operation Owner Provides full access to all permissions for a particular operation resource.
  • ml.operations.*
Operation
roles/ml.viewer ML Engine Viewer Provides read-only access to AI Platform resources.
  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get
Project

Monitoring roles

Role Title Description Permissions Lowest resource
roles/monitoring.admin Monitoring Admin Provides the same access as the Monitoring Editor role (roles/monitoring.editor).
  • cloudnotifications.*
  • monitoring.*
  • opsconfigmonitoring.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.*
Project
roles/monitoring.alertPolicyEditor Monitoring AlertPolicy Editor Beta Read/write access to alerting policies.
  • monitoring.alertPolicies.*
roles/monitoring.alertPolicyViewer Monitoring AlertPolicy Viewer Beta Read-only access to alerting policies.
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
roles/monitoring.dashboardEditor Monitoring Dashboard Configuration Editor Read/write access to dashboard configurations.
  • monitoring.dashboards.*
roles/monitoring.dashboardViewer Monitoring Dashboard Configuration Viewer Read-only access to dashboard configurations.
  • monitoring.dashboards.get
  • monitoring.dashboards.list
roles/monitoring.editor Monitoring Editor Provides full access to information about all monitoring data and configurations.
  • cloudnotifications.*
  • monitoring.alertPolicies.*
  • monitoring.dashboards.*
  • monitoring.groups.*
  • monitoring.metricDescriptors.*
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.publicWidgets.*
  • monitoring.services.*
  • monitoring.slos.*
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.*
  • opsconfigmonitoring.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.*
Project
roles/monitoring.metricWriter Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
Project
roles/monitoring.notificationChannelEditor Monitoring NotificationChannel Editor Beta Read/write access to notification channels.
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
roles/monitoring.notificationChannelViewer Monitoring NotificationChannel Viewer Beta Read-only access to notification channels.
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
roles/monitoring.servicesEditor Monitoring Services Editor Read/write access to services.
  • monitoring.services.*
  • monitoring.slos.*
roles/monitoring.servicesViewer Monitoring Services Viewer Read-only access to services.
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
roles/monitoring.uptimeCheckConfigEditor Monitoring Uptime Check Configuration Editor Beta Read/write access to uptime check configurations.
  • monitoring.uptimeCheckConfigs.*
roles/monitoring.uptimeCheckConfigViewer Monitoring Uptime Check Configuration Viewer Beta Read-only access to uptime check configurations.
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
roles/monitoring.viewer Monitoring Viewer Provides read-only access to get and list information about all monitoring data and configurations.
  • cloudnotifications.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
Project

Network Management roles

Role Title Description Permissions Lowest resource
roles/networkmanagement.admin Network Management Admin Full access to Network Management resources.
  • networkmanagement.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/networkmanagement.viewer Network Management Viewer Read-only access to Network Management resources.
  • networkmanagement.connectivitytests.get
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.locations.*
  • networkmanagement.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AI Notebooks roles

Role Title Description Permissions Lowest resource
roles/notebooks.admin Notebooks Admin Full access to all AI Platform Notebooks resources.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance
roles/notebooks.legacyAdmin Notebooks Legacy Admin Full access to all Notebooks resources through the Compute API.
  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/notebooks.legacyViewer Notebooks Legacy Viewer Read-only access to all Notebooks resources through the Compute API.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/notebooks.runner Notebooks Runner Restricted access for running scheduled Notebooks.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/notebooks.viewer Notebooks Viewer Read-only access to AI Platform Notebooks, all resources.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Instance

Ops Config Monitoring roles

Role Title Description Permissions Lowest resource
roles/opsconfigmonitoring.resourceMetadata.writer Ops Config Monitoring Resource Metadata Writer Beta Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.
  • opsconfigmonitoring.*

Organization Policy roles

Role Title Description Permissions Lowest resource
roles/axt.admin Access Transparency Admin Enable Access Transparency for Organization
  • axt.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/orgpolicy.policyAdmin Organization Policy Administrator Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.
  • orgpolicy.*
Organization
roles/orgpolicy.policyViewer Organization Policy Viewer Provides access to view Organization Policies on resources.
  • orgpolicy.policy.get
Organization

Other roles

Role Title Description Permissions Lowest resource
roles/aiplatform.admin AI Platform Administrator Beta Grants full access to all resources in AI Platform
  • aiplatform.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/aiplatform.featurestoreAdmin AI Platform Feature Store Admin Beta Grants full access to all resources in AI Platform Feature Store
  • aiplatform.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/aiplatform.migrator AI Platform Migration Service User Beta Grants access to use migration service in AI platform
  • aiplatform.migratableResources.*
roles/aiplatform.user AI Platform User Beta Grants access to use all resources in AI Platform
  • aiplatform.annotationSpecs.*
  • aiplatform.annotations.*
  • aiplatform.batchPredictionJobs.*
  • aiplatform.customJobs.*
  • aiplatform.dataItems.*
  • aiplatform.dataLabelingJobs.*
  • aiplatform.datasets.*
  • aiplatform.endpoints.*
  • aiplatform.hyperparameterTuningJobs.*
  • aiplatform.locations.*
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.*
  • aiplatform.models.*
  • aiplatform.operations.*
  • aiplatform.specialistPools.*
  • aiplatform.trainingPipelines.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/aiplatform.viewer AI Platform Viewer Beta Grants access to view all resources in AI Platform
  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.get
  • aiplatform.datasets.list
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.locations.*
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.operations.*
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/dataprocessing.admin Data Processing Controls Resource Admin Data processing controls admin who can fully manage data processing controls settings and view all datasource data.
  • billing.accounts.get
  • billing.accounts.list
  • dataprocessing.*
roles/domains.admin Cloud Domains Admin Beta Full access to Cloud Domains Registrations and related resources.
  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/domains.viewer Cloud Domains Viewer Beta Read-only access to Cloud Domains Registrations and related resources.
  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/essentialcontacts.admin Essential Contacts Admin Beta Full access to all essential contacts
  • essentialcontacts.*
roles/essentialcontacts.viewer Essential Contacts Viewer Beta Viewer for all essential contacts
  • essentialcontacts.contacts.get
  • essentialcontacts.contacts.list
roles/firebasecrash.symbolMappingsAdmin Firebase Crash Symbol Uploader Full read/write access to symbol mapping file resources for Firebase Crash Reporting.
  • firebase.clients.get
  • resourcemanager.projects.get
roles/identityplatform.admin Identity Platform Admin Beta Full access to Identity Platform resources.
  • firebaseauth.*
  • identityplatform.*
roles/identityplatform.viewer Identity Platform Viewer Beta Read access to Identity Platform resources.
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • identityplatform.workloadPoolProviders.get
  • identityplatform.workloadPoolProviders.list
  • identityplatform.workloadPools.get
  • identityplatform.workloadPools.list
roles/identitytoolkit.admin Identity Toolkit Admin Full access to Identity Toolkit resources.
  • firebaseauth.*
roles/identitytoolkit.viewer Identity Toolkit Viewer Read access to Identity Toolkit resources.
  • firebaseauth.configs.get
  • firebaseauth.users.get
roles/oauthconfig.editor OAuth Config Editor Beta Read/write access to OAuth config resources
  • clientauthconfig.*
  • oauthconfig.*
roles/oauthconfig.viewer OAuth Config Viewer Beta Read-only access to OAuth config resources
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • oauthconfig.clientpolicy.*
  • oauthconfig.testusers.get
  • oauthconfig.verification.get
roles/remotebuildexecution.actionCacheWriter Remote Build Execution Action Cache Writer Beta Remote Build Execution Action Cache Writer
  • remotebuildexecution.actions.set
  • remotebuildexecution.blobs.create
roles/remotebuildexecution.artifactAdmin Remote Build Execution Artifact Admin Beta Remote Build Execution Artifact Admin
  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.delete
  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.*
  • remotebuildexecution.logstreams.*
roles/remotebuildexecution.artifactCreator Remote Build Execution Artifact Creator Beta Remote Build Execution Artifact Creator
  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.*
  • remotebuildexecution.logstreams.*
roles/remotebuildexecution.artifactViewer Remote Build Execution Artifact Viewer Beta Remote Build Execution Artifact Viewer
  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.get
  • remotebuildexecution.logstreams.get
roles/remotebuildexecution.configurationAdmin Remote Build Execution Configuration Admin Beta Remote Build Execution Configuration Admin
  • remotebuildexecution.instances.*
  • remotebuildexecution.workerpools.*
roles/remotebuildexecution.configurationViewer Remote Build Execution Configuration Viewer Beta Remote Build Execution Configuration Viewer
  • remotebuildexecution.instances.get
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.get
  • remotebuildexecution.workerpools.list
roles/remotebuildexecution.logstreamWriter Remote Build Execution Logstream Writer Beta Remote Build Execution Logstream Writer
  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update
roles/remotebuildexecution.reservationAdmin Remote Build Execution Reservation Admin Beta Remote Build Execution Reservation Admin
  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.delete
  • remotebuildexecution.actions.get
roles/remotebuildexecution.worker Remote Build Execution Worker Beta Remote Build Execution Worker
  • remotebuildexecution.actions.update
  • remotebuildexecution.blobs.*
  • remotebuildexecution.botsessions.*
  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update
roles/runtimeconfig.admin Cloud RuntimeConfig Admin Full access to RuntimeConfig resources.
  • runtimeconfig.*
roles/subscribewithgoogledeveloper.developer Subscribe with Google Developer Beta Access DevTools for Subscribe with Google
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • subscribewithgoogledeveloper.*
roles/vmwareengine.vmwareengineAdmin VMware Engine Service Admin Admin has full access to VMware Engine Service
  • vmwareengine.*
roles/vmwareengine.vmwareengineViewer VMware Engine Service Viewer Viewer has read-only access to VMware Engine Service
  • vmwareengine.services.view

Third-party Partner roles

Role Title Description Permissions Lowest resource
roles/netappcloudvolumes.admin NetApp Cloud Volumes Admin Beta This role is managed by NetApp, not Google.
  • cloudvolumesgcp-api.netapp.com/*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/netappcloudvolumes.viewer NetApp Cloud Volumes Viewer Beta This role is managed by NetApp, not Google.
  • cloudvolumesgcp-api.netapp.com/activeDirectories.get
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.*
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.get
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.get
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/redisenterprisecloud.admin Redis Enterprise Cloud Admin Beta This role is managed by Redis Labs, not Google.
  • gcp.redisenterprise.com/*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/redisenterprisecloud.viewer Redis Enterprise Cloud Viewer Beta This role is managed by Redis Labs, not Google.
  • gcp.redisenterprise.com/databases.get
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.get
  • gcp.redisenterprise.com/subscriptions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Private CA roles

Role Title Description Permissions Lowest resource
roles/privateca.admin CA Service Admin Beta Full access to all CA Service resources.
  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create
roles/privateca.auditor CA Service Auditor Beta Read-only access to all CA Service resources.
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/privateca.caManager CA Service Operation Manager Beta Create and manage CAs, revoke certificates, create CA configurations, and read-only access for CA Service resources.
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create
roles/privateca.certificateManager CA Service Certificate Manager Beta Create certificates and read-only access for CA Service resources.
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/privateca.certificateRequester CA Service Certificate Requester Beta Request certificates from CA Service.
  • privateca.certificates.create

Project roles

Role Title Description Permissions Lowest resource
roles/browser Browser Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Project

Proximity Beacon roles

Role Title Description Permissions Lowest resource
roles/proximitybeacon.attachmentEditor Beacon Attachment Editor Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.
  • proximitybeacon.attachments.*
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • proximitybeacon.namespaces.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/proximitybeacon.attachmentPublisher Beacon Attachment Publisher Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.
  • proximitybeacon.beacons.attach
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/proximitybeacon.attachmentViewer Beacon Attachment Viewer Can view all attachments under a namespace; no beacon or namespace permissions.
  • proximitybeacon.attachments.get
  • proximitybeacon.attachments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/proximitybeacon.beaconEditor Beacon Editor Necessary access to register, modify, and view beacons; no attachment or namespace permissions.
  • proximitybeacon.beacons.create
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • proximitybeacon.beacons.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Pub/Sub roles

Role Title Description Permissions Lowest resource
roles/pubsub.admin Pub/Sub Admin Provides full access to topics and subscriptions.
  • pubsub.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Topic
roles/pubsub.editor Pub/Sub Editor Provides access to modify topics and subscriptions, and access to publish and consume messages.
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Topic
roles/pubsub.publisher Pub/Sub Publisher Provides access to publish messages to a topic.
  • pubsub.topics.publish
Topic
roles/pubsub.subscriber Pub/Sub Subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic.
  • pubsub.snapshots.seek
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription
Topic
roles/pubsub.viewer Pub/Sub Viewer Provides access to view topics and subscriptions.
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.get
  • pubsub.topics.list
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Topic

Pub/Sub Lite roles

Role Title Description Permissions Lowest resource
roles/pubsublite.admin Pub/Sub Lite Admin Beta Full access to topics and subscriptions.
  • pubsublite.*
roles/pubsublite.editor Pub/Sub Lite Editor Beta Modify topics and subscriptions, publish and consume messages.
  • pubsublite.*
roles/pubsublite.publisher Pub/Sub Lite Publisher Beta Publish messages to a topic.
  • pubsublite.topics.getPartitions
  • pubsublite.topics.publish
roles/pubsublite.subscriber Pub/Sub Lite Subscriber Beta Subscribe to and read messages from a topic.
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.setCursor
  • pubsublite.subscriptions.subscribe
  • pubsublite.topics.computeMessageStats
  • pubsublite.topics.getPartitions
  • pubsublite.topics.subscribe
roles/pubsublite.viewer Pub/Sub Lite Viewer Beta View topics and subscriptions.
  • pubsublite.subscriptions.get
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.list
  • pubsublite.topics.get
  • pubsublite.topics.getPartitions
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions

reCAPTCHA Enterprise roles

Role Title Description Permissions Lowest resource
roles/recaptchaenterprise.admin reCAPTCHA Enterprise Admin Beta Access to view and modify reCAPTCHA Enterprise keys
  • recaptchaenterprise.keys.*
  • recaptchaenterprise.metrics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recaptchaenterprise.agent reCAPTCHA Enterprise Agent Beta Access to create and annotate reCAPTCHA Enterprise assessments
  • recaptchaenterprise.assessments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recaptchaenterprise.viewer reCAPTCHA Enterprise Viewer Beta Access to view reCAPTCHA Enterprise keys and metrics
  • recaptchaenterprise.keys.get
  • recaptchaenterprise.keys.list
  • recaptchaenterprise.metrics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Recommendations AI roles

Role Title Description Permissions Lowest resource
roles/automlrecommendations.admin Recommendations AI Admin Beta Full access to all Recommendations AI resources.
  • automlrecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/automlrecommendations.adminViewer Recommendations AI Admin Viewer Beta Viewer of all Recommendations AI resources.
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.list
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/automlrecommendations.editor Recommendations AI Editor Beta Editor of all Recommendations AI resources.
  • automlrecommendations.apiKeys.create
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.*
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.create
  • automlrecommendations.events.list
  • automlrecommendations.placements.create
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.create
  • automlrecommendations.recommendations.list
  • automlrecommendations.recommendations.pause
  • automlrecommendations.recommendations.resume
  • automlrecommendations.recommendations.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/automlrecommendations.viewer Recommendations AI Viewer Beta Viewer of all Recommendations AI resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).
  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.list
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Recommender roles

Role Title Description Permissions Lowest resource
roles/recommender.billingAccountCudAdmin Billing Account Usage Commitment Recommender Admin Beta Admin of Billing Account Usage Commitment Recommender.
  • billing.accounts.get
  • billing.accounts.list
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
roles/recommender.billingAccountCudViewer Billing Account Usage Commitment Recommender Viewer Beta Viewer of Billing Account Usage Commitment Recommender.
  • billing.accounts.get
  • billing.accounts.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
roles/recommender.computeAdmin Compute Recommender Admin Admin of compute recommendations.
  • recommender.computeDiskIdleResourceInsights.*
  • recommender.computeDiskIdleResourceRecommendations.*
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
  • recommender.computeInstanceIdleResourceRecommendations.*
  • recommender.computeInstanceMachineTypeRecommendations.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.computeViewer Compute Recommender Viewer Viewer of compute recommendations.
  • recommender.computeDiskIdleResourceInsights.get
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.get
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.get
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.get
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.firewallAdmin Firewall Recommender Admin Admin of Firewall insights and recommendations.
  • recommender.computeFirewallInsights.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.firewallViewer Firewall Recommender Viewer Viewer of Firewall insights and recommendations.
  • recommender.computeFirewallInsights.get
  • recommender.computeFirewallInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.iamAdmin IAM Recommender Admin Admin of IAM recommendations.
  • recommender.iamPolicyInsights.*
  • recommender.iamPolicyRecommendations.*
  • recommender.iamServiceAccountInsights.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.iamViewer IAM Recommender Viewer Viewer of IAM recommendations.
  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.get
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.projectCudAdmin Project Usage Commitment Recommender Admin Beta Admin of Project Usage Commitment Recommender.
  • recommender.commitmentUtilizationInsights.*
  • recommender.locations.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/recommender.projectCudViewer Project Usage Commitment Recommender Viewer Beta Viewer of Project Usage Commitment Recommender.
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.locations.*
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Memorystore Redis roles

Role Title Description Permissions Lowest resource
roles/redis.admin Cloud Memorystore Redis Admin Beta Full control for all Memorystore for Redis resources.
  • compute.networks.list
  • redis.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
roles/redis.editor Cloud Memorystore Redis Editor Beta Manage Memorystore for Redis instances. Can't create or delete instances.
  • compute.networks.list
  • redis.instances.failover
  • redis.instances.get
  • redis.instances.list
  • redis.instances.update
  • redis.locations.*
  • redis.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
roles/redis.viewer Cloud Memorystore Redis Viewer Beta Read-only access to all Memorystore for Redis resources.
  • redis.instances.get
  • redis.instances.list
  • redis.locations.*
  • redis.operations.get
  • redis.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Resource Manager roles

Role Title Description Permissions Lowest resource
roles/resourcemanager.folderAdmin Folder Admin Provides all available permissions for working with folders.
  • orgpolicy.policy.get
  • resourcemanager.folders.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.move
  • resourcemanager.projects.setIamPolicy
Folder
roles/resourcemanager.folderCreator Folder Creator Provides permissions needed to browse the hierarchy and create folders.
  • orgpolicy.policy.get
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Folder
roles/resourcemanager.folderEditor Folder Editor Provides permission to modify folders as well as to view a folder's IAM policy.
  • orgpolicy.policy.get
  • resourcemanager.folders.delete
  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.undelete
  • resourcemanager.folders.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Folder
roles/resourcemanager.folderIamAdmin Folder IAM Admin Provides permissions to administer IAM policies on folders.
  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.setIamPolicy
Folder
roles/resourcemanager.folderMover Folder Mover Provides permission to move projects and folders into and out of a parent organization or folder.
  • resourcemanager.folders.move
  • resourcemanager.projects.move
Folder
roles/resourcemanager.folderViewer Folder Viewer Provides permission to get a folder and list the folders and projects below a resource.
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Folder
roles/resourcemanager.lienModifier Project Lien Modifier Provides access to modify Liens on projects.
  • resourcemanager.projects.updateLiens
Project
roles/resourcemanager.organizationAdmin Organization Administrator Access to administer all resources belonging to the organization.
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.setIamPolicy
  • resourcemanager.organizations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.setIamPolicy
roles/resourcemanager.organizationViewer Organization Viewer Provides access to view an organization.
  • resourcemanager.organizations.get
Organization
roles/resourcemanager.projectCreator Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
Folder
roles/resourcemanager.projectDeleter Project Deleter Provides access to delete Google Cloud projects.
  • resourcemanager.projects.delete
Folder
roles/resourcemanager.projectIamAdmin Project IAM Admin Provides permissions to administer IAM policies on projects.
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
Project
roles/resourcemanager.projectMover Project Mover Provides access to update and move projects.
  • resourcemanager.projects.get
  • resourcemanager.projects.move
  • resourcemanager.projects.update
Project

Cloud Run roles

Role Title Description Permissions Lowest resource
roles/run.admin Cloud Run Admin Beta Full control over all Cloud Run resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
Cloud Run service
roles/run.invoker Cloud Run Invoker Beta Can invoke a Cloud Run service.
  • run.routes.invoke
Cloud Run service
roles/run.viewer Cloud Run Viewer Beta Can view the state of all Cloud Run resources, including IAM policies.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
Cloud Run service

Secret Manager roles

Role Title Description Permissions Lowest resource
roles/secretmanager.admin Secret Manager Admin Full access to administer Secret Manager resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.*
Secret
roles/secretmanager.secretAccessor Secret Manager Secret Accessor Allows accessing the payload of secrets.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.access
Secret
roles/secretmanager.secretVersionAdder Secret Manager Secret Version Adder Allows adding versions to existing secrets.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.add
Secret
roles/secretmanager.secretVersionManager Secret Manager Secret Version Manager Allows creating and managing versions of existing secrets.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.add
  • secretmanager.versions.destroy
  • secretmanager.versions.disable
  • secretmanager.versions.enable
  • secretmanager.versions.get
  • secretmanager.versions.list
Secret
roles/secretmanager.viewer Secret Manager Viewer Allows viewing metadata of all Secret Manager resources
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.locations.*
  • secretmanager.secrets.get
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.versions.get
  • secretmanager.versions.list
Secret

Security Center roles

Role Title Description Permissions Lowest resource
roles/securitycenter.admin Security Center Admin Admin (super user) access to Security Center.
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Organization
roles/securitycenter.adminEditor Security Center Admin Editor Admin read-write access to Security Center.
  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Organization
roles/securitycenter.adminViewer Security Center Admin Viewer Admin read access to Security Center.
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Organization
roles/securitycenter.assetSecurityMarksWriter Security Center Asset Security Marks Writer Write access to asset security marks
  • securitycenter.assetsecuritymarks.*
Organization
roles/securitycenter.assetsDiscoveryRunner Security Center Assets Discovery Runner Access to run asset discovery on assets.
  • securitycenter.assets.runDiscovery
Organization
roles/securitycenter.assetsViewer Security Center Assets Viewer Read access to assets
  • resourcemanager.organizations.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
Organization
roles/securitycenter.findingSecurityMarksWriter Security Center Finding Security Marks Writer Write access to finding security marks
  • securitycenter.findingsecuritymarks.*
Organization
roles/securitycenter.findingsEditor Security Center Findings Editor Read-write access to findings
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setState
  • securitycenter.findings.update
  • securitycenter.sources.get
  • securitycenter.sources.list
Organization
roles/securitycenter.findingsStateSetter Security Center Findings State Setter Access to set the state of findings.
  • securitycenter.findings.setState
Organization
roles/securitycenter.findingsViewer Security Center Findings Viewer Read access to findings
  • resourcemanager.organizations.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
Organization
roles/securitycenter.findingsWorkflowStateSetter Security Center Findings Workflow State Setter Beta Access to set the workflow state of findings.
  • securitycenter.findings.setWorkflowState
roles/securitycenter.notificationConfigEditor Security Center Notification Configurations Editor Write access to notification configurations
  • securitycenter.notificationconfig.*
roles/securitycenter.notificationConfigViewer Security Center Notification Configurations Viewer Read access to notification configurations
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
roles/securitycenter.settingsAdmin Security Center Settings Admin Admin (super user) access to Security Center settings.
  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.*
roles/securitycenter.settingsEditor Security Center Settings Editor Read-write access to Security Center settings.
  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.*
roles/securitycenter.settingsViewer Security Center Settings Viewer Read access to Security Center settings.
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
roles/securitycenter.sourcesAdmin Security Center Sources Admin Admin access to sources
  • resourcemanager.organizations.get
  • securitycenter.sources.*
Organization
roles/securitycenter.sourcesEditor Security Center Sources Editor Read-write access to sources
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
Organization
roles/securitycenter.sourcesViewer Security Center Sources Viewer Read access to sources
  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
Organization

Service Agent roles

Role Title Description Permissions Lowest resource
roles/anthos.serviceAgent Anthos Service Agent Gives the Anthos service agent access to Cloud Platform resources.
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/anthosconfigmanagement.serviceAgent Anthos Config Management Service Agent Gives the Anthos Config Management service agent access to Cloud Platform resources.
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
roles/apigee.serviceAgent Apigee Service Agent Service agent that grants access to Apigee resources: API Products, Developers, Developer Apps, and App Keys.
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.create
  • apigee.appkeys.manage
  • apigee.apps.get
  • apigee.canaryevaluations.*
  • apigee.developerapps.*
  • apigee.developers.create
  • apigee.developers.get
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.proxyrevisions.get
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
roles/appengineflex.serviceAgent App Engine flexible environment Service Agent Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.
  • billing.accounts.get
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.addresses.create
  • compute.addresses.delete
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.update
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.disks.list
  • compute.firewalls.*
  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.globalAddresses.create
  • compute.globalAddresses.delete
  • compute.globalAddresses.get
  • compute.globalAddresses.use
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalOperations.get
  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.update
  • compute.healthChecks.useReadOnly
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.get
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.use
  • compute.machineTypes.get
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use
  • compute.regionOperations.get
  • compute.regions.get
  • compute.subnetworks.delete
  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.use
  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.use
  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • logging.logMetrics.create
  • logging.logMetrics.delete
  • logging.logMetrics.get
  • logging.logMetrics.update
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
roles/artifactregistry.serviceAgent Artifact Registry Service Agent Gives the Artifact Registry service account access to managed resources.
  • pubsub.topics.publish
roles/automl.serviceAgent AutoML Service Agent AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.updateData
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • serviceusage.services.use
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/automlrecommendations.serviceAgent Recommendations AI Service Agent Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.update
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.updateData
  • cloudnotifications.*
  • logging.logEntries.create
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/bigqueryconnection.serviceAgent BigQuery Connection Service Agent Gives BigQuery Connection Service access to Cloud SQL instances in user projects.
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
roles/bigquerydatatransfer.serviceAgent BigQuery Data Transfer Service Agent Gives BigQuery Data Transfer Service access to start BigQuery jobs in the consumer project.
  • bigquery.jobs.create
  • iam.serviceAccounts.getAccessToken
  • logging.logEntries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/binaryauthorization.serviceAgent Binary Authorization Service Agent Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.listOccurrences
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudasset.serviceAgent Cloud Asset Service Agent Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.get
  • bigquery.tables.update
  • bigquery.tables.updateData
  • pubsub.topics.publish
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
roles/cloudbuild.serviceAgent Cloud Build Service Agent Gives Cloud Build service account access to managed resources.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • cloudbuild.*
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.subnetworks.get
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • logging.logEntries.create
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/cloudfunctions.serviceAgent Cloud Functions Service Agent Gives Cloud Functions service account access to managed resources.
  • clientauthconfig.clients.list
  • cloudbuild.*
  • cloudfunctions.functions.invoke
  • compute.globalOperations.get
  • compute.networks.access
  • firebasedatabase.instances.get
  • firebasedatabase.instances.update
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • pubsub.subscriptions.*
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.get
  • pubsub.topics.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use
roles/cloudiot.serviceAgent Cloud IoT Core Service Agent Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.
  • logging.logEntries.create
  • pubsub.topics.publish
roles/cloudkms.serviceAgent Cloud KMS Service Agent Gives Cloud KMS service account access to call Cloud Asset Inventory ListAssets for KMS CryptoKeys.
roles/cloudscheduler.serviceAgent Cloud Scheduler Service Agent Grants Cloud Scheduler Service Account access to manage resources.
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • logging.logEntries.create
  • pubsub.topics.publish
roles/cloudsql.serviceAgent Cloud SQL Service Agent Grants Cloud SQL access to services and APIs in the user project.
  • cloudsql.instances.get
roles/cloudtasks.serviceAgent Cloud Tasks Service Agent Grants Cloud Tasks Service Account access to manage resources.
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • logging.logEntries.create
roles/cloudtpu.serviceAgent Cloud TPU V2 API Service Agent Gives the Cloud TPU service account access to managed resources.
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • networksecurity.*
  • networkservices.*
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/composer.serviceAgent Cloud Composer API Service Agent Cloud Composer API service agent can manage environments.
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • artifactregistry.repositories.delete
  • cloudnotifications.*
  • cloudsql.*
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • container.*
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.logEntries.create
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • networksecurity.*
  • networkservices.*
  • orgpolicy.policy.get
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.*
  • storage.objects.*
roles/compute.serviceAgent Compute Engine Service Agent Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
roles/computescanning.serviceAgent Compute Scanning Service Agent Gives the Compute Scanning service account access to view Compute Engine images.
  • compute.images.get
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.zones.*
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/container.serviceAgent Kubernetes Engine Service Agent Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.update
  • bigquery.tables.updateData
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.nodeGroups.get
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.*
  • compute.snapshots.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • container.*
  • dns.changes.*
  • dns.managedZones.create
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.managedZones.update
  • dns.networks.bindPrivateDNSZone
  • dns.resourceRecordSets.*
  • iam.serviceAccounts.actAs
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.*
  • networksecurity.*
  • networkservices.*
  • pubsub.topics.create
  • pubsub.topics.get
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • tpu.locations.*
  • tpu.nodes.create
  • tpu.nodes.delete
  • tpu.nodes.get
  • tpu.nodes.list
  • tpu.operations.*
roles/containeranalysis.ServiceAgent Container Analysis Service Agent Gives the Container Analysis API the access it needs to function.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list
roles/containerregistry.ServiceAgent Container Registry Service Agent Access for Container Registry.
  • pubsub.topics.publish
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
roles/containerscanning.ServiceAgent Container Scanner Service Agent Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list
roles/containerthreatdetection.serviceAgent Container Threat Detection Service Agent Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.
  • container.apiServices.get
  • container.apiServices.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.*
  • container.clusterRoles.*
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.daemonSets.*
  • container.deployments.get
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.networkPolicies.update
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.attach
  • container.pods.create
  • container.pods.delete
  • container.pods.exec
  • container.pods.get
  • container.pods.getLogs
  • container.pods.getStatus
  • container.pods.list
  • container.pods.portForward
  • container.pods.update
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.list
  • container.secrets.update
  • container.serviceAccounts.*
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/dataflow.serviceAgent Cloud Dataflow Service Agent Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.
  • bigquery.*
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create
  • cloudnotifications.*
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.logEntries.create
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • networksecurity.*
  • networkservices.*
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.*
  • storage.objects.*
roles/datafusion.serviceAgent Cloud Data Fusion API Service Agent Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.
  • bigquery.datasets.*
  • bigquery.jobs.create
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • bigtable.*
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.update
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • dataproc.autoscalingPolicies.create
  • dataproc.autoscalingPolicies.delete
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.update
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.update
  • dataproc.clusters.use
  • dataproc.jobs.cancel
  • dataproc.jobs.create
  • dataproc.jobs.delete
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.jobs.update
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.create
  • dataproc.workflowTemplates.delete
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.instantiate
  • dataproc.workflowTemplates.instantiateInline
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.update
  • firebase.projects.get
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.list
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instanceConfigs.*
  • spanner.instances.get
  • spanner.instances.list
  • spanner.sessions.*
  • storage.buckets.*
  • storage.objects.*
roles/datalabeling.serviceAgent DataLabeling Service Agent Gives the DataLabeling service account read/write access to Cloud Storage and BigQuery, permission to update CMLE model versions, and editor access to the Annotation service and AutoML service.
  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.*
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/dataprep.serviceAgent Dataprep Service Agent Dataprep service identity. Includes access to service accounts.
  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • dataflow.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*
roles/dataproc.serviceAgent Dataproc Service Agent Gives the Cloud Dataproc service account access to Compute and Storage resources and to service accounts.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeTypes.get
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.*
  • dataproc.jobs.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.objects.*
roles/datastudio.serviceAgent Data Studio Service Agent Grants Data Studio Service Account access to manage resources.
  • bigquery.jobs.create
roles/dialogflow.serviceAgent Dialogflow Service Agent Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).
  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.contexts.*
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.sessionEntityTypes.*
  • dialogflow.sessions.*
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • logging.logEntries.create
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list
roles/dlp.serviceAgent DLP API Service Agent Gives the DLP API service agent permissions for BigQuery, Storage, Datastore, Pub/Sub and KMS.
  • appengine.applications.get
  • bigquery.datasets.*
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.update
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.routines.*
  • bigquery.tables.*
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • datacatalog.tagTemplates.*
  • datastore.databases.get
  • datastore.entities.*
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobs.*
  • dlp.kms.*
  • firebase.projects.get
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use
  • storage.buckets.*
  • storage.objects.*
roles/documentaicore.serviceAgent DocumentAI Core Service Agent Gives DocumentAI Core Service Account access to consumer resources.
  • automl.models.predict
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update
roles/endpoints.serviceAgent Cloud Endpoints Service Agent Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.
  • servicemanagement.services.check
  • servicemanagement.services.get
  • servicemanagement.services.quota
  • servicemanagement.services.report
roles/endpointsportal.serviceAgent Endpoints Portal Service Agent Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.
  • servicemanagement.services.get
  • servicemanagement.services.list
  • source.repos.get
roles/file.serviceAgent Cloud Filestore Service Agent Gives Cloud Filestore service account access to managed resources.
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.routes.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/firebase.appDistributionSdkServiceAgent Firebase App Distribution Admin SDK Service Agent Read and write access to Firebase App Distribution with the Admin SDK
  • firebaseappdistro.*
roles/firebase.managementServiceAgent Firebase Service Management Service Agent Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.
  • apikeys.keys.create
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.update
  • appengine.applications.*
  • appengine.operations.get
  • appengine.services.list
  • clientauthconfig.brands.create
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.update
  • firebase.clients.*
  • firebase.projects.*
  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.update
  • firebaserules.releases.create
  • firebaserules.releases.delete
  • firebaserules.releases.get
  • firebaserules.rulesets.create
  • iam.roles.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.projects.update
  • servicemanagement.services.bind
  • serviceusage.services.enable
  • serviceusage.services.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
roles/firebase.sdkAdminServiceAgent Firebase Admin SDK Administrator Service Agent Read and write access to Firebase products available in the Admin SDK
  • appengine.applications.get
  • cloudconfig.*
  • cloudmessaging.*
  • datastore.databases.get
  • datastore.databases.list
  • datastore.entities.*
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • firebase.clients.*
  • firebase.projects.get
  • firebase.projects.update
  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.update
  • firebaseauth.users.*
  • firebasedatabase.*
  • firebasehosting.*
  • firebaseml.*
  • firebasenotifications.*
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.releases.update
  • firebaserules.rulesets.create
  • firebaserules.rulesets.delete
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.projects.update
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.update
  • storage.objects.*
roles/firebase.sdkProvisioningServiceAgent Firebase SDK Provisioning Service Agent Access to provision apps with the Admin SDK.
  • apikeys.keys.list
  • clientauthconfig.clients.list
  • cloudmessaging.*
  • firebase.clients.create
  • servicemanagement.services.bind
  • serviceusage.services.enable
roles/firebasemods.serviceAgent Firebase Extensions API Service Agent Grants Firebase Extensions API Service Account access to manage resources.
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.setIamPolicy
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.services.getIamPolicy
  • run.services.setIamPolicy
  • serviceusage.quotas.get
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
roles/firebasestorage.serviceAgent Cloud Storage for Firebase Service Agent Access to Cloud Storage for Firebase through API and SDK.
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.update
roles/firewallinsights.serviceAgent Cloud Firewall Insights Service Agent Gives the Cloud Firewall Insights service agent permissions to retrieve firewall, VM and route resources on the user's behalf.
  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.list
  • compute.projects.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
roles/gameservices.serviceAgent Game Services Service Agent Gives Game Services Service Account access to GCP resources.
  • container.apiServices.*
  • container.backendConfigs.*
  • container.bindings.*
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.create
  • container.clusters.delete
  • container.clusters.get
  • container.clusters.list
  • container.clusters.update
  • container.componentStatuses.*
  • container.configMaps.*
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.*
  • container.csiDrivers.*
  • container.csiNodes.*
  • container.customResourceDefinitions.*
  • container.daemonSets.*
  • container.deployments.*
  • container.endpoints.*
  • container.events.*
  • container.horizontalPodAutoscalers.*
  • container.ingresses.*
  • container.initializerConfigurations.*
  • container.jobs.*
  • container.limitRanges.*
  • container.localSubjectAccessReviews.*
  • container.namespaces.*
  • container.networkPolicies.*
  • container.nodes.*
  • container.persistentVolumeClaims.*
  • container.persistentVolumes.*
  • container.petSets.*
  • container.podDisruptionBudgets.*
  • container.podPresets.*
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.*
  • container.pods.*
  • container.replicaSets.*
  • container.replicationControllers.*
  • container.resourceQuotas.*
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.*
  • container.scheduledJobs.*
  • container.secrets.*
  • container.selfSubjectAccessReviews.*
  • container.serviceAccounts.*
  • container.services.*
  • container.statefulSets.*
  • container.storageClasses.*
  • container.subjectAccessReviews.*
  • container.thirdPartyObjects.*
  • container.thirdPartyResources.*
  • container.tokenReviews.*
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.get
  • gkehub.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/genomics.serviceAgent Genomics Service Agent Gives Genomics Service Account access to compute resources. Includes access to service accounts.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use
roles/gkehub.serviceAgent GKE Hub Service Agent Gives the GKE Hub service agent access to Cloud Platform resources.
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.update
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.get
  • container.clusterRoles.update
  • container.clusters.get
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.update
  • container.namespaces.get
  • container.thirdPartyObjects.*
  • gkehub.features.create
  • gkehub.features.get
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.list
  • gkehub.operations.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/healthcare.serviceAgent Healthcare Service Agent Gives the Healthcare Service Account access to networks, Kubernetes Engine, and Pub/Sub resources.
  • cloudnotifications.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • pubsub.snapshots.seek
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
roles/lifesciences.serviceAgent Cloud Life Sciences Service Agent Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use
roles/managedidentities.serviceAgent Cloud Managed Identities Service Agent Gives Managed Identities service account access to managed resources.
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/memcache.serviceAgent Cloud Memorystore Memcached Service Agent Gives the Cloud Memorystore Memcached service account access to managed resources.
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/meshconfig.serviceAgent Mesh Config Service Agent Apply mesh configuration
  • compute.backendServices.*
  • compute.firewalls.*
  • compute.globalForwardingRules.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.subnetworks.use
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • networksecurity.clientTlsPolicies.create
  • networksecurity.clientTlsPolicies.delete
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.update
  • networksecurity.serverTlsPolicies.create
  • networksecurity.serverTlsPolicies.delete
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.update
  • networkservices.endpointConfigSelectors.create
  • networkservices.endpointConfigSelectors.delete
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.update
  • networkservices.httpFilters.create
  • networkservices.httpFilters.delete
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.update
  • networkservices.httpfilters.create
  • networkservices.httpfilters.delete
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.update
roles/meshdataplane.serviceAgent Mesh Data Plane Service Agent Run user-space Istio components
  • cloudtrace.traces.patch
  • compute.forwardingRules.get
  • compute.globalForwardingRules.get
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • serviceusage.services.use
roles/ml.serviceAgent Cloud ML Service Agent Cloud ML service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.update
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.updateData
  • firebase.projects.get
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.*
  • storage.objects.*
roles/monitoring.notificationServiceAgent Monitoring Notification Service Agent Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.
  • serviceusage.services.use
roles/multiclusteringress.serviceAgent Multi Cluster Ingress Service Agent Gives the Multi Cluster Ingress service agent access to Cloud Platform resources.
  • compute.addresses.get
  • compute.addresses.list
  • compute.backendServices.*
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.use
  • compute.globalForwardingRules.*
  • compute.healthChecks.*
  • compute.networkEndpointGroups.use
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.urlMaps.*
  • container.backendConfigs.*
  • container.clusters.get
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.update
  • container.events.create
  • container.events.update
  • container.namespaces.list
  • container.secrets.get
  • container.secrets.list
  • container.services.*
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
  • serviceusage.services.get
  • serviceusage.services.list
roles/multiclustermetering.serviceAgent Multi-cluster Metering Service Agent Gives the Multi-cluster metering service agent access to Cloud Platform resources.
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
roles/networkmanagement.serviceAgent GCP Network Management Service Agent Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.get
  • compute.networks.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • container.clusters.get
  • container.clusters.list
  • container.nodes.get
  • container.nodes.list
roles/notebooks.serviceAgent AI Platform Notebooks Service Agent Provides access for the Notebooks service agent to manage notebook instances in user projects.
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/osconfig.serviceAgent Cloud OS Config Service Agent Grants OS Config Service Account access to Google Compute Engine instances.
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.instances.setMetadata
  • compute.zones.*
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • iam.serviceAccounts.actAs
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/pubsub.serviceAgent Cloud Pub/Sub Service Agent Grants Cloud Pub/Sub Service Account access to manage resources.
  • iam.serviceAccounts.getOpenIdToken
roles/redis.serviceAgent Cloud Memorystore Redis Service Agent Gives the Cloud Memorystore Redis service account access to managed resources.
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.projects.get
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/remotebuildexecution.serviceAgent Remote Build Execution Service Agent Gives Remote Build Execution service account access to managed resources.
  • remotebuildexecution.actions.update
  • remotebuildexecution.blobs.*
  • remotebuildexecution.botsessions.*
  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update
roles/run.serviceAgent Cloud Run Service Agent Gives Cloud Run service account access to managed resources.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • clientauthconfig.clients.list
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.globalOperations.get
  • compute.networks.access
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.routes.invoke
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use
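The entries above for roles/ml.serviceAgent and roles/run.serviceAgent show that some service agent roles carry impersonation and token-minting permissions (iam.serviceAccounts.actAs, getAccessToken, getOpenIdToken, signBlob, signJwt, implicitDelegation). Whoever can make the service do work on their behalf effectively inherits those permissions, so when reviewing a listing like this table it helps to ask mechanically which roles include a given permission, and which roles include any permission from a watch-list, while honouring the `service.resource.*` wildcards the table uses. The following Python script is an added example, not Google's code and not part of this reference table: it parses the flattened role/permission format used on this page into a dictionary and answers both questions. The SAMPLE_LISTING is a constructed excerpt copied from entries on this page; the function names and the IMPERSONATION_PERMS watch-list are assumptions of the example, not anything the page defines.

```python
"""Check which IAM roles in a flattened role/permission listing grant a permission.

Added example (not Google's code). It parses the layout used on this page:
a role line such as "roles/run.serviceAgent Cloud Run Service Agent Gives ..."
followed by one "• permission" bullet per line, where "a.b.*" means every
permission on resource a.b.
"""
import re
from collections import OrderedDict

# Constructed sample input: an excerpt of the table on this page.
SAMPLE_LISTING = """\
roles/ml.serviceAgent Cloud ML Service Agent Cloud ML service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • storage.buckets.*
  • storage.objects.*
roles/pubsub.serviceAgent Cloud Pub/Sub Service Agent Grants Cloud Pub/Sub Service Account access to manage resources.
  • iam.serviceAccounts.getOpenIdToken
roles/run.serviceAgent Cloud Run Service Agent Gives Cloud Run service account access to managed resources.
  • compute.networks.access
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.signBlob
  • storage.objects.get
roles/networkmanagement.serviceAgent GCP Network Management Service Agent Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.
  • compute.instances.get
  • compute.instances.list
"""

# Watch-list (an assumption of this example): permissions that let the holder
# act as, or mint credentials for, another service account.
IMPERSONATION_PERMS = (
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
)

ROLE_RE = re.compile(r"^(roles/[\w.]+)\s")        # "roles/x.y Title Description"
PERM_RE = re.compile(r"^\s*•\s*([\w.*]+)\s*$")    # "  • service.resource.verb"


def parse_listing(text):
    """Return {role_id: [permission, ...]} in the order roles appear."""
    roles = OrderedDict()
    current = None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles[current] = []
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            roles[current].append(m.group(1))
    return roles


def permission_matches(granted, wanted):
    """True if a granted entry covers wanted; 'a.b.*' covers every 'a.b.<verb>'."""
    if granted == wanted:
        return True
    if granted.endswith(".*"):
        return wanted.startswith(granted[:-1])   # keep the trailing dot: "a.b."
    return False


def role_has_permission(roles, role_id, wanted):
    """Does role_id include wanted, directly or via a wildcard entry?"""
    return any(permission_matches(g, wanted) for g in roles.get(role_id, []))


def roles_granting_any(roles, watch_list):
    """Map each role to the sorted watch-listed permissions it includes."""
    hits = {}
    for role_id, perms in roles.items():
        found = sorted({w for w in watch_list if any(permission_matches(g, w) for g in perms)})
        if found:
            hits[role_id] = found
    return hits


if __name__ == "__main__":
    table = parse_listing(SAMPLE_LISTING)
    for rid, found in roles_granting_any(table, IMPERSONATION_PERMS).items():
        print(f"{rid}: {', '.join(found)}")
```

To run it over the whole page, paste the table text into SAMPLE_LISTING or read it from a file; the wildcard handling matters because, for example, storage.objects.* in roles/ml.serviceAgent covers storage.objects.delete even though that verb is never spelled out.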
roles/securitycenter.automationServiceAgent Security Center Automation Service Agent Security Center automation service agent can configure GCP resources to enable security scanning.
  • cloudasset.feeds.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.services.enable
roles/securitycenter.controlServiceAgent Security Center Control Service Agent Security Center Control service agent can monitor and configure GCP resources and import security findings.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.apiServices.get
  • container.apiServices.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • dlp.jobs.get
  • dlp.jobs.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.queries.*
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
roles/securitycenter.notificationServiceAgent Security Center Notification Service Agent Security Center service agent can publish notifications to Pub/Sub topics.
  • pubsub.topics.publish
roles/securitycenter.securityHealthAnalyticsServiceAgent Security Health Analytics Service Agent Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.clusters.get
  • container.clusters.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.queries.*
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
roles/securitycenter.serviceAgent Security Center Service Agent Security Center service agent can scan GCP resources and import security scans.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.apiServices.get
  • container.apiServices.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • dlp.jobs.get
  • dlp.jobs.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.queries.*
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
roles/servicenetworking.serviceAgent Service Networking Service Agent Gives permission to manage network configuration, such as establishing network peering, necessary for service producers.
  • compute.globalAddresses.get
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.list
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.updatePolicy
  • compute.projects.get
  • compute.regionOperations.get
  • compute.routers.get
  • compute.routers.list
  • compute.routes.list
  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.get
  • compute.subnetworks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/sourcerepo.serviceAgent Cloud Source Repositories Service Agent Allow Cloud Source Repositories to integrate with other Cloud services.
  • iam.serviceAccounts.getAccessToken
  • pubsub.topics.publish
roles/tpu.serviceAgent Cloud TPU API Service Agent Gives the Cloud TPU service account access to managed resources.
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zones.*
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/vpcaccess.serviceAgent Serverless VPC Access Service Agent Can create and manage the resources that allow serverless applications to connect to a Virtual Private Cloud.
  • billing.accounts.get
  • compute.autoscalers.*
  • compute.disks.create
  • compute.firewalls.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.get
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.useReadOnly
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.use
  • compute.machineTypes.get
  • compute.networks.get
  • compute.networks.use
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.get
  • logging.logEntries.create
  • logging.logMetrics.create
  • logging.logMetrics.delete
  • logging.logMetrics.get
  • logging.logMetrics.update
  • resourcemanager.projects.get
roles/websecurityscanner.serviceAgent Cloud Web Security Scanner Service Agent Gives the Cloud Web Security Scanner service account access to Compute Engine and App Engine details.
  • appengine.applications.get
  • compute.addresses.list
  • compute.backendServices.get
  • compute.forwardingRules.get
  • compute.globalForwardingRules.get
  • compute.sslCertificates.list
  • compute.targetHttpProxies.get
  • compute.targetHttpsProxies.get
  • compute.urlMaps.get
roles/workflows.serviceAgent Cloud Workflows Service Agent Gives the Cloud Workflows service account access to managed resources.
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken

Service Consumer Management roles

Role Title Description Permissions Lowest resource
roles/serviceconsumermanagement.tenancyUnitsAdmin Admin of Tenancy Units Beta Administer tenancy units
  • serviceconsumermanagement.tenancyu.*
roles/serviceconsumermanagement.tenancyUnitsViewer Viewer of Tenancy Units Beta View tenancy units
  • serviceconsumermanagement.tenancyu.list

Service Directory roles

Role Title Description Permissions Lowest resource
roles/servicedirectory.admin Service Directory Admin Full control of all Service Directory resources and permissions.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.*
roles/servicedirectory.editor Service Directory Editor Edit Service Directory resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.create
  • servicedirectory.endpoints.delete
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.update
  • servicedirectory.locations.*
  • servicedirectory.namespaces.associatePrivateZone
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.update
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve
  • servicedirectory.services.update
roles/servicedirectory.viewer Service Directory Viewer View Service Directory resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.locations.*
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve

Service Management roles

Role Title Description Permissions Lowest resource
roles/serverless.serviceAgent Cloud Run Service Agent Gives the Cloud Run service account access to managed resources.
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • clientauthconfig.clients.list
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.globalOperations.get
  • compute.networks.access
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.routes.invoke
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use
roles/servicemanagement.admin Service Management Administrator Full control of Google Service Management resources.
  • monitoring.timeSeries.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceconsumermanagement.*
  • servicemanagement.services.*
  • serviceusage.quotas.get
  • serviceusage.services.get
roles/servicemanagement.configEditor Service Config Editor Access to update the service config and create rollouts.
  • servicemanagement.services.get
  • servicemanagement.services.update
roles/servicemanagement.quotaAdmin Quota Administrator Beta Provides access to administer service quotas.
  • monitoring.timeSeries.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.consumerSettings.*
  • serviceusage.quotas.*
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/servicemanagement.quotaViewer Quota Viewer Beta Provides access to view service quotas.
  • monitoring.timeSeries.list
  • servicemanagement.consumerSettings.get
  • servicemanagement.consumerSettings.getIamPolicy
  • servicemanagement.consumerSettings.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Project
roles/servicemanagement.serviceConsumer Service Consumer Can enable the service.
  • servicemanagement.services.bind
roles/servicemanagement.serviceController Service Controller Can check preconditions and report usage of a service during runtime.
  • servicemanagement.services.check
  • servicemanagement.services.get
  • servicemanagement.services.quota
  • servicemanagement.services.report
Project

Service Networking roles

Role Title Description Permissions Lowest resource
roles/servicenetworking.networksAdmin Service Networking Admin Beta Full control of service networking with projects.
  • servicenetworking.*

Service Usage roles

Role Title Description Permissions Lowest resource
roles/serviceusage.apiKeysAdmin API Keys Admin Beta Ability to create, delete, update, get and list API keys for a project.
  • apikeys.*
  • serviceusage.apiKeys.*
  • serviceusage.operations.get
roles/serviceusage.apiKeysViewer API Keys Viewer Beta Ability to get and list API keys for a project.
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
roles/serviceusage.serviceUsageAdmin Service Usage Admin Beta Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
  • monitoring.timeSeries.list
  • serviceusage.operations.*
  • serviceusage.quotas.*
  • serviceusage.services.*
roles/serviceusage.serviceUsageConsumer Service Usage Consumer Beta Ability to inspect service states and operations, and consume quota and billing for a consumer project.
  • monitoring.timeSeries.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use
roles/serviceusage.serviceUsageViewer Service Usage Viewer Beta Ability to inspect service states and operations for a consumer project.
  • monitoring.timeSeries.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Source roles

Role Title Description Permissions Lowest resource
roles/source.admin Source Repository Administrator Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.
  • source.*
Repository
roles/source.reader Source Repository Reader Provides permissions to list, clone, fetch, and browse repositories.
  • source.repos.get
  • source.repos.list
Repository
roles/source.writer Source Repository Writer Provides permissions to list, clone, fetch, browse, and update repositories.
  • source.repos.get
  • source.repos.list
  • source.repos.update
Repository

Cloud Spanner roles

Role Title Description Permissions Lowest resource
roles/spanner.admin Cloud Spanner Admin

Has complete access to all Cloud Spanner resources in a Google Cloud project. A member with this role can:

  • Grant and revoke permissions to other members for all Cloud Spanner resources in the project.
  • Allocate and delete chargeable Cloud Spanner resources.
  • Issue get/list/modify operations on Cloud Spanner resources.
  • Read from and write to all Cloud Spanner databases in the project.
  • Fetch project metadata.
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.*
Project
roles/spanner.backupAdmin Cloud Spanner Backup Admin

A member with this role can:

  • Create, view, update, and delete backups.
  • View and manage a backup's IAM policy.

This role cannot restore a database from a backup.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.backupOperations.*
  • spanner.backups.create
  • spanner.backups.delete
  • spanner.backups.get
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.backups.setIamPolicy
  • spanner.backups.update
  • spanner.databases.createBackup
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get
  • spanner.instances.list
Instance
roles/spanner.backupWriter Cloud Spanner Backup Writer This role is intended to be used by scripts that automate backup creation. A member with this role can create backups, but cannot update or delete them.
  • spanner.backupOperations.get
  • spanner.backupOperations.list
  • spanner.backups.create
  • spanner.backups.get
  • spanner.backups.list
  • spanner.databases.createBackup
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get
Instance
roles/spanner.databaseAdmin Cloud Spanner Database Admin

A member with this role can:

  • Get/list all Cloud Spanner instances in the project.
  • Create/list/drop databases in an instance.
  • Grant/revoke access to databases in the project.
  • Read from and write to all Cloud Spanner databases in the project.
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.create
  • spanner.databases.drop
  • spanner.databases.get
  • spanner.databases.getDdl
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.setIamPolicy
  • spanner.databases.update
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instances.get
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.sessions.*
Instance
roles/spanner.databaseReader Cloud Spanner Database Reader

A member with this role can:

  • Read from the Cloud Spanner database.
  • Execute SQL queries on the database.
  • View schema for the database.
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.instances.get
  • spanner.sessions.*
Database
roles/spanner.databaseUser Cloud Spanner Database User

A member with this role can:

  • Read from and write to the Cloud Spanner database.
  • Execute SQL queries on the database, including DML and Partitioned DML.
  • View and update schema for the database.
  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instances.get
  • spanner.sessions.*
Database
roles/spanner.restoreAdmin Cloud Spanner Restore Admin

A member with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.backups.get
  • spanner.backups.list
  • spanner.backups.restoreDatabase
  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list
  • spanner.databases.create
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get
  • spanner.instances.list
Instance
roles/spanner.viewer Cloud Spanner Viewer

A member with this role can:

  • View all Cloud Spanner instances (but cannot modify instances).
  • View all Cloud Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.databases.list
  • spanner.instanceConfigs.*
  • spanner.instances.get
  • spanner.instances.list
Project

Stackdriver roles

Role Title Description Permissions Lowest resource
roles/stackdriver.accounts.editor Stackdriver Accounts Editor Read/write access to manage Stackdriver account structure.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.projects.*
roles/stackdriver.accounts.viewer Stackdriver Accounts Viewer Read-only access to get and list information about Stackdriver account structure.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
roles/stackdriver.resourceMetadata.writer Stackdriver Resource Metadata Writer Beta Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.
  • stackdriver.resourceMetadata.*

Cloud Storage roles

Role Title Description Permissions Lowest resource
roles/storage.admin Storage Admin

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.*
  • storage.objects.*
Bucket
roles/storage.hmacKeyAdmin Storage HMAC Key Admin Full control of Cloud Storage HMAC keys.
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.hmacKeys.*
roles/storage.objectAdmin Storage Object Admin Grants full control of objects, including listing, creating, viewing, and deleting objects.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.*
Bucket
roles/storage.objectCreator Storage Object Creator Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.create
Bucket
roles/storage.objectViewer Storage Object Viewer Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list
Bucket
roles/storagetransfer.admin Storage Transfer Admin Create, update and manage transfer jobs and operations.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.*
roles/storagetransfer.user Storage Transfer User Create and update storage transfer jobs and operations.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.jobs.create
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.jobs.update
  • storagetransfer.operations.*
  • storagetransfer.projects.*
roles/storagetransfer.viewer Storage Transfer Viewer Read access to storage transfer jobs and operations.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list
  • storagetransfer.projects.*

Cloud Storage Legacy roles

Role Title Description Permissions Lowest resource
roles/storage.legacyBucketOwner Storage Legacy Bucket Owner

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read and edit bucket metadata, including IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list
Bucket
roles/storage.legacyBucketReader Storage Legacy Bucket Reader

Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata, excluding IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.get
  • storage.objects.list
Bucket
roles/storage.legacyBucketWriter Storage Legacy Bucket Writer

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read bucket metadata, excluding IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list
Bucket
roles/storage.legacyObjectOwner Storage Legacy Object Owner Grants permission to view and edit objects and their metadata, including ACLs.
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.setIamPolicy
  • storage.objects.update
Bucket
roles/storage.legacyObjectReader Storage Legacy Object Reader Grants permission to view objects and their metadata, excluding ACLs.
  • storage.objects.get
Bucket

Support roles

Role Title Description Permissions Lowest resource
roles/cloudsupport.admin Support Account Administrator Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.
  • cloudsupport.accounts.*
  • cloudsupport.operations.*
  • cloudsupport.properties.*
  • resourcemanager.organizations.get
Organization
roles/cloudsupport.techSupportEditor Tech Support Editor Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).
  • cloudsupport.properties.*
  • cloudsupport.techCases.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudsupport.techSupportViewer Tech Support Viewer Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).
  • cloudsupport.properties.*
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
roles/cloudsupport.viewer Support Account Viewer Read-only access to details of a support account. This does not allow viewing cases.
  • cloudsupport.accounts.get
  • cloudsupport.accounts.getUserRoles
  • cloudsupport.accounts.list
  • cloudsupport.properties.*
Organization

Cloud Threat Detection roles

Role Title Description Permissions Lowest resource
roles/threatdetection.editor Threat Detection Settings Editor Beta Read-write access to all Threat Detection settings.
  • threatdetection.*
Organization
roles/threatdetection.viewer Threat Detection Settings Viewer Beta Read access to all Threat Detection settings.
  • threatdetection.detectorSettings.get
  • threatdetection.sinkSettings.get
  • threatdetection.sourceSettings.get
Organization

Cloud TPU roles

Role Title Description Permissions Lowest resource
roles/tpu.admin TPU Admin Full access to TPU nodes and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • tpu.*
roles/tpu.viewer TPU Viewer Read-only access to TPU nodes and related resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • tpu.acceleratortypes.*
  • tpu.locations.*
  • tpu.nodes.get
  • tpu.nodes.list
  • tpu.operations.*
  • tpu.tensorflowversions.*

Transcoder roles

Role Title Description Permissions Lowest resource
roles/transcoder.admin Transcoder Admin Beta Full access to all transcoder resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • transcoder.*
roles/transcoder.viewer Transcoder Viewer Beta Viewer of all transcoder resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • transcoder.jobTemplates.get
  • transcoder.jobTemplates.list
  • transcoder.jobs.get
  • transcoder.jobs.list

Serverless VPC Access roles

Role Title Description Permissions Lowest resource
roles/vpcaccess.admin Serverless VPC Access Admin Full access to all Serverless VPC Access resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.*
roles/vpcaccess.user Serverless VPC Access User User of Serverless VPC Access connectors.
  • compute.networks.access
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.list
  • vpcaccess.connectors.use
  • vpcaccess.locations.*
  • vpcaccess.operations.*
roles/vpcaccess.viewer Serverless VPC Access Viewer Viewer of all Serverless VPC Access resources.
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.*

Custom roles

In addition to the predefined roles, IAM also provides the ability to create customized IAM roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific IAM documentation

Product-specific IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation Description
IAM for App Engine Explains IAM roles for App Engine
IAM for BigQuery Explains IAM roles for BigQuery
IAM for Cloud Bigtable Explains IAM roles for Cloud Bigtable
IAM for Cloud Billing API Explains IAM roles and permissions for Cloud Billing API
IAM for Dataflow Explains IAM roles for Dataflow
IAM for Dataproc Explains IAM roles and permissions for Dataproc
IAM for Datastore Explains IAM roles and permissions for Datastore
IAM for Cloud DNS Explains IAM roles and permissions for Cloud DNS
IAM for Cloud KMS Explains IAM roles and permissions for Cloud KMS
IAM for AI Platform Explains IAM roles and permissions for AI Platform
IAM for Pub/Sub Explains IAM roles for Pub/Sub
IAM for Spanner Explains IAM roles and permissions for Spanner
IAM for Cloud SQL Explains IAM roles for Cloud SQL
IAM for Cloud Storage Explains IAM roles for Cloud Storage
IAM for Compute Engine Explains IAM roles for Compute Engine
IAM for GKE Explains IAM roles and permissions for GKE
IAM for Deployment Manager Explains IAM roles and permissions for Deployment Manager
IAM for Organizations Explains IAM roles for organizations
IAM for Folders Explains IAM roles for folders
IAM for Projects Explains IAM roles for projects
IAM for Service Management Explains IAM roles and permissions for Service Management
IAM for Cloud Debugger Explains IAM roles for Debugger
IAM for Cloud Logging Explains IAM roles for Logging
IAM for Cloud Monitoring Explains IAM roles for Monitoring
IAM for Cloud Trace Explains IAM roles and permissions for Trace

What's next