Understanding Roles

With Cloud IAM, a Cloud API method requires that the identity making the API request has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.

Prerequisite for this guide

Primitive roles

Roles that existed prior to Cloud IAM, Owner, Editor, and Viewer will continue to work as they did before. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all services in Cloud Platform:

Primitive role definitions

Role Name Role Title Permissions
roles/viewer Viewer Permissions for read-only actions that preserve state.
roles/editor Editor All viewer permissions and permissions for actions that modify state.
roles/owner Owner All editor permissions and permissions for the following actions:
  • Manage access control for a project and all resources within the project.
  • Set up billing (for a project).
Note:
  • Granting the owner role at a resource-level (such as a pubsub topic) does not grant the owner role on the parent project.
  • The owner role doesn't contain any permission for the Organization resource. Therefore, granting the owner role at the organization-level doesn't allow you to update the organization's metadata. However, it allows you to modify projects under that organization.

You can apply primitive roles at the project level by using Cloud Platform Console, the API and the gcloud command-line tool.

Invitation flow

You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners of a project using the Cloud Platform Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

  • when you're granting a role other than the owner.
  • when an organization owner adds another organization member as an owner of a project within that organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the resource type where the roles can be set. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Project roles

Role Name Role Title Description Resource Type
roles/
browser
Beta
Browser Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project. Organization
Project
roles/
iam.serviceAccountActor
Service Account Actor

Access to obtain credentials for a service account and run operations as the service account.

Project
Service Account

App Engine Roles

Role Name Role Title Description Resource Type
roles/
appengine.appAdmin
App Engine Admin Read/Write/Modify access to all application configuration and settings. Organization
Project
roles/
appengine.serviceAdmin
App Engine Service Admin Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Organization
Project
roles/
appengine.deployer
App Engine Deployer Read-only access to all application configuration and settings.
Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic.
Organization
Project
roles/
appengine.appViewer
App Engine Viewer Read-only access to all application configuration and settings. Organization
Project
roles/
appengine.codeViewer
App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code. Organization
Project

BigQuery Roles

Role Name Role Title Description Resource Type
roles/
bigquery.user
BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. Organization
Project
roles/
bigquery.jobUser
BigQuery Job User Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs. Organization
Project
roles/
bigquery.dataViewer
BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Organization
Project
Dataset
roles/
bigquery.dataEditor
BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Organization
Project
Dataset
roles/
bigquery.dataOwner
BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Organization
Project
Dataset
roles/
bigquery.admin
BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Organization
Project

Cloud Bigtable Roles

Role Name Role Title Description Resource Type
roles/
bigtable.admin
Cloud Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Organization
Project
Instance
roles/
bigtable.user
Cloud Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts. Organization
Project
Instance
roles/
bigtable.reader
Cloud Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Organization
Project
Instance

Cloud Billing Roles

Role Name Role Title Description Resource Type
roles/
billing.admin
Billing Account Administrator Provides access to see and manage all aspects of billing accounts. Organization
Billing Account
roles/
billing.projectManager
Project Billing Manager Provides access to assign a project's billing account or disable its billing. Organization
Project
roles/
billing.user
Billing Account User Provides access to associate projects with billing accounts. Organization
Billing Account
roles/
billing.creator
Billing Account Creator Provides access to create billing accounts. Organization
Project

Cloud Dataflow Roles

Role Name Role Title Description Resource Type
roles/
dataflow.viewer
Cloud Dataflow Viewer Provides read-only access to all Cloud Dataflow-related resources. Organization
Project
roles/
dataflow.developer
Cloud Dataflow Developer Provides the permissions necessary to execute and manipulate Cloud Dataflow jobs. Organization
Project
roles/
dataflow.worker
Cloud Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline. Organization
Project

Cloud Dataproc Roles

Role Name Role Title Description Resource Type
roles/
dataproc.editor
Beta
Cloud Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Cloud Dataproc, including machine types, networks, projects and zones. Organization
Project
roles/
dataproc.viewer
Beta
Cloud Dataproc Viewer Provides read-only access to Cloud Dataproc resources. Organization
Project

Cloud Datastore Roles

Role Name Role Title Description Resource Type
roles/
datastore.importExportAdmin
Cloud Datastore Import Export Admin Provides full access to manage imports and exports. Organization
Project
roles/
datastore.indexAdmin
Cloud Datastore Index Admin Provides full access to manage index definitions. Organization
Project
roles/
datastore.owner
Cloud Datastore Owner Provides full access to Cloud Datastore resources. Organization
Project
roles/
datastore.user
Cloud Datastore User Provides read/write access to data in a Cloud Datastore database. Organization
Project
roles/
datastore.viewer
Cloud Datastore Viewer Provides read access to Cloud Datastore resources. Organization
Project

Cloud DNS Roles

Role Name Role Title Description Resource Type
roles/
dns.admin
DNS Admin Provides read-write access to all Cloud DNS resources. Project
roles/
dns.reader
DNS Reader Provides read-only access to all Cloud DNS resources. Project

Cloud KMS Roles

Role Name Role Title Description Resource Type
roles/
cloudkms.admin
Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations. Project
KeyRing
CryptoKey
roles/
cloudkms.cryptoKeyEncrypterDecrypter
Cloud KMS Encrypter/Decrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. Project
KeyRing
CryptoKey
roles/
cloudkms.cryptoKeyEncrypter
Cloud KMS Encrypter Provides ability to use Cloud KMS resources for encrypt operations only. Project
KeyRing
CryptoKey
roles/
cloudkms.cryptoKeyDecrypter
Cloud KMS Decrypter Provides ability to use Cloud KMS resources for decrypt operations only. Project
KeyRing
CryptoKey

Cloud ML Engine Roles

Role Name Role Title Description Resource Type
roles/
ml.admin
ML Engine Admin Provides full access to Cloud ML Engine resources, and its jobs, operations, models, and versions. Organization
Project
roles/
ml.developer
ML Engine Developer Provides ability to use Cloud ML Engine resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Project
roles/
ml.viewer
ML Engine Viewer Provides read-only access to Cloud ML Engine resources. Project
roles/
ml.modelOwner
ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Model
roles/
ml.modelUser
ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction. Model
roles/
ml.jobOwner
ML Engine Job Owner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Job
roles/
ml.operationOwner
ML Engine Operation Owner Provides full access to all permissions for a particular operation resource. Operation

Cloud Pub/Sub Roles

Role Name Role Title Description Resource Type
roles/
pubsub.publisher
Pub/Sub Publisher Provides access to publish messages to a topic. Project
Topic
roles/
pubsub.subscriber
Pub/Sub Subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic. Project
Topic
Subscription
roles/
pubsub.viewer
Pub/Sub Viewer Provides access to view topics and subscriptions. Project
Topic
Subscription
roles/
pubsub.editor
Pub/Sub Editor Provides access to modify topics and subscriptions, and access to publish and consume messages. Project
Topic
Subscription
roles/
pubsub.admin
Pub/Sub Admin Provides full access to topics and subscriptions. Project
Topic
Subscription

Cloud Spanner Roles

Role Name Role Title Description Resource Type
roles/
spanner.admin
Cloud Spanner Admin Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. Project
roles/
spanner.databaseAdmin
Cloud Spanner Database Admin Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project. Project
roles/
spanner.databaseReader
Cloud Spanner Database Reader Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema. Database
roles/
spanner.databaseUser
Cloud Spanner Database User Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema. Database
roles/
spanner.viewer
Cloud Spanner Viewer Permission to view all Cloud Spanner instances and databases, but not modify or read from them. Project

Cloud SQL Roles

Role Name Role Title Description Resource Type
roles/
cloudsql.admin
Cloud SQL Admin Provides full control of Cloud SQL resources. Organization
Project
roles/
cloudsql.editor
Cloud SQL Editor Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. Organization
Project
roles/
cloudsql.viewer
Cloud SQL Viewer Provides read-only access to Cloud SQL resources. Organization
Project
roles/
cloudsql.client
Cloud SQL Client Provides connectivity access to Cloud SQL instances. Organization
Project

Cloud Storage Roles

Role Name Role Title Description Resource Type
roles/
storage.objectCreator
Storage Object Creator Allows users to create objects. Does not give permission to delete or overwrite objects. Organization
Project
Bucket
roles/
storage.objectViewer
Storage Object Viewer Grants access to view objects and their metadata, excluding ACLs. Organization
Project
Bucket
roles/
storage.objectAdmin
Storage Object Admin Grants full control of objects. Organization
Project
Bucket
roles/
storage.admin
Storage Admin Grants full control of objects and buckets. Organization
Project
Bucket
roles/
storage.legacyObjectReader
Legacy Object Reader Can view objects and their metadata, excluding ACLs. Bucket
roles/
storage.legacyObjectOwner
Legacy Object Owner Has the storage.legacyObjectReader role.

Can also view and edit the metadata of objects in the bucket, including ACLs, which are returned as Cloud IAM policies.

Bucket
roles/
storage.legacyBucketReader
Legacy Bucket Reader Can list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Can also read object metadata, excluding Cloud IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket
roles/
storage.legacyBucketWriter
Legacy Bucket Writer Has the storage.legacyBucketReader role.

Can also create, overwrite, and delete objects in a bucket.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket
roles/
storage.legacyBucketOwner
Legacy Bucket Owner Has the storage.legacyBucketWriter role.

Can also read bucket Cloud IAM policies and edit bucket metadata, including Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket

Compute Engine Roles

Role Name Role Title Description Resource Type
roles/
compute.instanceAdmin
Beta
Compute Instance Admin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountActor role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, grant this role.

Organization
Project
roles/
compute.networkUser
Beta
Compute Network User

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

Organization
Project
roles/
compute.networkViewer
Beta
Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software’s service account the networkViewer role.

Organization
Project
roles/
compute.networkAdmin
Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team’s group the networkAdmin role.

Organization
Project
roles/
compute.securityAdmin
Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team’s group the securityAdmin role.

Organization
Project
roles/
compute.imageUser
Compute Image User

Permission to list and read images without having other permissions to resources in the project. Granting the compute.imageUser role gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Organization
Project
roles/
compute.storageAdmin
Beta
Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages images and you don't want them to have the editor role on the project, then grant their account the storageAdmin role.

Organization
Project
roles/
compute.xpnAdmin
Shared VPC Admin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

This role can only be granted on the organization by an organization admin.

Organization
roles/
compute.admin
Beta
Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountActor role.

Organization
Project
roles/
compute.viewer
Beta
Compute Viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

Organization
Project

Container Builder Roles

Role Name Role Title Description Resource Type
roles/
cloudbuild.builds.editor
Container Builder Editor Provides access to create and cancel builds. Organization
Project
roles/
cloudbuild.builds.viewer
Container Builder Viewer Provides access to view builds. Organization
Project

Container Engine Roles

Role Name Role Title Description Resource Type
roles/
container.admin
Container Engine Admin Provides access to full management of Container Clusters and their Kubernetes API objects. Organization
Project
roles/
container.clusterAdmin
Container Engine Cluster Admin Provides access to management of Container Clusters. Organization
Project
roles/
container.developer
Container Engine Developer Provides full access to Kubernetes API objects inside Container Clusters. Organization
Project
roles/
container.viewer
Container Engine Viewer Provides read-only access to Container Engine resources. Organization
Project

Deployment Manager Roles

Role Name Role Title Description Resource Type
roles/
deploymentmanager.viewer
Deployment Manager Viewer Provides read-only access to all Deployment Manager-related resources. Organization
Project
roles/
deploymentmanager.editor
Deployment Manager Editor Provides the permissions necessary to create and manage deployments. Organization
Project
roles/
deploymentmanager.typeViewer
Deployment Manager Type Viewer Provides read-only access to all Type Registry resources. Project
roles/
deploymentmanager.typeEditor
Deployment Manager Type Editor Provides read and write access to all Type Registry resources. Project

Cloud IAM Roles

Role Name Role Title Description Resource Type
roles/
iam.securityReviewer
Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them. Organization
Project

Resource Manager Roles

Role Name Role Title Description Resource Type
roles/
orgpolicy.policyAdmin
Organization Policy Administrator Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Organization
roles/
resourcemanager.folderAdmin
Folder Admin Provides all available permissions for working with folders. Organization
Folder
roles/
resourcemanager.folderCreator
Folder Creator Provides permissions needed to browse the hierarchy and create folders. Organization
Folder
roles/
resourcemanager.folderEditor
Folder Editor Provides permission to modify folders as well as to view a folder's Cloud IAM policy. Organization
Folder
roles/
resourcemanager.folderIamAdmin
Folder IAM Admin Provides permissions to administer Cloud IAM policies on folders. Organization
Folder
roles/
resourcemanager.folderMover
Folder Mover Provides permission to move projects and folders into and out of a parent Organization or folder. Organization
Folder
roles/
resourcemanager.folderViewer
Folder Viewer Provides permission to get a folder and list the folders and projects below a resource. Organization
Folder
roles/
resourcemanager.organizationViewer
Organization Viewer Provides access to view an organization. Organization
roles/
resourcemanager.projectCreator
Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Organization
roles/
resourcemanager.projectDeleter
Project Deleter Provides access to delete GCP projects. Organization
roles/
resourcemanager.lienModifier
Project Lien Modifier Provides access to modify Liens on projects. Project

Service Account Roles

Role Name Role Title Description Resource Type
roles/
iam.serviceAccountAdmin
Service Account Admin Create and manage service accounts. Project
Service Account
roles/
iam.serviceAccountKeyAdmin
Service Account Key Admin Create and manage (and rotate) service account keys. Project
Service Account
roles/
iam.serviceAccountTokenCreator
Service Account Token Creator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). Project
Service Account
roles/
iam.serviceAccountUser
Service Account User Run operations as the service account. Project
Service Account

Service Management Roles

Role Name Role Title Description Resource Type
roles/
servicemanagement.apiKeyUser
API Key User Access to get and list API Keys. Allows consumption of project read and write quota. Organization
Project
roles/
servicemanagement.serviceController
Service Controller Runtime control of checking and reporting usage of a service. Organization
Project
roles/
servicemanagement.quotaAdmin
Quota Administrator Provides access to administer service quotas. Organization
Project
roles/
servicemanagement.quotaViewer
Quota Viewer Provides access to view service quotas. Organization
Project

Source Repository Roles

Role Name Role Title Description Resource Type
roles/
source.admin
Source Repository Administrator Provides admin access to repositories. Organization
Project
roles/
source.reader
Source Repository Reader Provides read access to repositories. Organization
Project
roles/
source.writer
Source Repository Writer Provides read/write access to repositories. Organization
Project

Stackdriver Debugger Roles

Role Name Role Title Description Resource Type
roles/
clouddebugger.agent
Debugger Agent Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Project
Service Account
roles/
clouddebugger.user
Debugger User Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Project

Stackdriver Logging Roles

Role Name Role Title Description Resource Type
roles/
logging.viewer
Logs Viewer Provides access to view logs. Organization
Project
roles/
logging.logWriter
Logs Writer Provides the permissions to write log entries. Organization
Project
roles/
logging.privateLogViewer
Private Logs Viewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Organization
Project
roles/
logging.configWriter
Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Organization
Project
roles/
logging.admin
Logging Admin Provides all permissions necessary to use all features of Stackdriver Logging. Organization
Project

Stackdriver Monitoring Roles

Role Name Role Title Description Resource Type
roles/
monitoring.viewer
Monitoring Viewer Provides read-only access to get and list information about all monitoring data and configurations. Project
roles/
monitoring.metricWriter
Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. Project
roles/
monitoring.editor
Monitoring Editor Provides full access to information about all monitoring data and configurations. Project
roles/
monitoring.admin
Monitoring Admin Provides the same access as roles/monitoring.editor. Project

Custom roles

In addtion to predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles.

Product-specific Cloud IAM documentation

Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation Description
Cloud IAM for App Engine Explains Cloud IAM roles for App Engine
Cloud IAM for BigQuery Explains Cloud IAM roles for BigQuery
Cloud IAM for Cloud Bigtable Explains Cloud IAM roles for Cloud Bigtable
Cloud IAM for Cloud Billing API Explains Cloud IAM roles and permissions for Cloud Billing API
Cloud IAM for Cloud Dataflow Explains Cloud IAM roles for Cloud Dataflow
Cloud IAM for Cloud Dataproc Explains Cloud IAM roles and permissions for Cloud Dataproc
Cloud IAM for Cloud Datastore Explains Cloud IAM roles and permissions for Cloud Datastore
Cloud IAM for Cloud DNS Explains Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for Cloud KMS Explains Cloud IAM roles and permissions for Cloud KMS
Cloud IAM for Cloud ML Engine Explains Cloud IAM roles and permissions for Cloud ML Engine
Cloud IAM for Cloud Pub/Sub Explains Cloud IAM roles for Cloud Pub/Sub
Cloud IAM for Cloud Spanner Explains Cloud IAM roles and permissions for Cloud Spanner
Cloud IAM for Cloud SQL Explains Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage Explains Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine Explains Cloud IAM roles for Compute Engine
Cloud IAM for Container Engine Explains Cloud IAM roles and permissions for Container Engine
Cloud IAM for Deployment Manager Explains Cloud IAM roles and permissions for Deployment Manager
Cloud IAM for Google Genomics Explains Cloud IAM roles and permissions for Genomics
Cloud IAM for Organizations Explains Cloud IAM roles for Organization.
Cloud IAM for Projects Explains Cloud IAM roles for projects.
Cloud IAM for Service Management Explains Cloud IAM roles and permissions for Service Management
Cloud IAM for Stackdriver Debugger Explains Cloud IAM roles for Debugger
Cloud IAM for Stackdriver Logging Explains Cloud IAM roles for Logging
Cloud IAM for Stackdriver Monitoring Explains Cloud IAM roles for Monitoring
Cloud IAM for Stackdriver Trace Explains Cloud IAM roles and permissions for Trace

What's next

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Cloud Identity and Access Management Documentation