Understanding Roles

When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.

Prerequisite for this guide

Role types

There are three types of roles in Cloud IAM:

  • Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
  • Predefined roles, which provide granular access for a specific service and are managed by GCP
  • Custom roles, which provide granular access according to a user-specified list of permissions

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

The sections below describe each role type and provide examples of how to use them.

Primitive roles

There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all GCP services:

Primitive role definitions

Role Name Role Title Permissions
roles/viewer Viewer Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
roles/editor Editor All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Note: While the roles/editor role contains permissions to create and delete resources for most GCP services, some services (such as Cloud Source Repositories and Stackdriver) do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.
roles/owner Owner All editor permissions and permissions for the following actions:
  • Manage roles and permissions for a project and all resources within the project.
  • Set up billing for a project.
Note:
  • Granting the owner role at a resource-level, such as a Cloud Pub/Sub topic, doesn't grant the owner role on the parent project.
  • The owner role doesn't contain any permission for the Organization resource. Therefore, granting the owner role at the organization-level doesn't allow you to update the organization's metadata. However, it allows you to modify projects under that organization.

You can apply primitive roles at the project or service resource levels by using GCP Console, the API and the gcloud command-line tool.

Invitation flow

You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the GCP Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

  • when you're granting a role other than the owner.
  • when an organization member adds another member of their organization as an owner of a project within that organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the GCP hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Project roles

Role Name Role Title Description Lowest Resource Type
roles/
browserBeta 		Browser Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project. Project
roles/
iam.serviceAccountActor		 Service Account Actor

This role has been deprecated. If you need to run operations as the service account, use the Service Account User role. To effectively provide the same permissions as Service Account Actor, you should also grant Service Account Token Creator.

Service Account

App Engine Roles

Role Name Role Title Description Lowest Resource Type
roles/
appengine.appAdmin		 App Engine Admin Read/Write/Modify access to all application configuration and settings. Project
roles/
appengine.serviceAdmin		 App Engine Service Admin Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version. 		Project
roles/
appengine.deployer		 App Engine Deployer Read-only access to all application configuration and settings.
Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. 		Project
roles/
appengine.appViewer		 App Engine Viewer Read-only access to all application configuration and settings. Project
roles/
appengine.codeViewer		 App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code. Project

BigQuery Roles

Role Name Role Title Description Lowest Resource Type
roles/
bigquery.user		 BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. Project
roles/
bigquery.jobUser		 BigQuery Job User Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs. Project
roles/
bigquery.metadataViewer		 BigQuery Metadata Viewer

When applied at the project or organization level, metadataViewer provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Project
roles/
bigquery.dataViewer		 BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Dataset
roles/
bigquery.dataEditor		 BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Dataset
roles/
bigquery.dataOwner		 BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Dataset
roles/
bigquery.admin		 BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Project

Cloud Bigtable Roles

Role Name Role Title Description Lowest Resource Type
roles/
bigtable.admin		 Cloud Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Instance
roles/
bigtable.user		 Cloud Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts. Instance
roles/
bigtable.reader		 Cloud Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Instance
roles/
bigtable.viewer		 Cloud Bigtable Viewer Provides no data access. Intended as a minimal set of permissions to access the GCP Console for Cloud Bigtable. Instance

Cloud Billing Roles

Role Name Role Title Description Lowest Resource Type
roles/
billing.admin		 Billing Account Administrator Provides access to see and manage all aspects of billing accounts. Billing Account
roles/
billing.projectManager		 Project Billing Manager Provides access to assign a project's billing account or disable its billing. Project
roles/
billing.user		 Billing Account User Provides access to associate projects with billing accounts. Billing Account
roles/
billing.creator		 Billing Account Creator Provides access to create billing accounts. Project
roles/
billing.viewer		 Billing Account Viewer View billing account cost information and transactions. Organization
Billing Account

Cloud Composer Roles

Role Name Role Title Description Lowest Resource Type
roles/composer.admin Composer Administrator Provides full control of Cloud Composer resources. Project
roles/composer.user Composer User Provides the permissions necessary to list and get Cloud Composer environments and operations. Project
roles/composer.worker Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Project
roles/composer.environmentAndStorageObjectAdmin Composer and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets. Project
roles/composer.environmentAndStorageObjectViewer Composer User and Storage Object Viewer Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Project

Cloud Dataflow Roles

Role Name Role Title Description Lowest Resource Type
roles/
dataflow.viewer		 Cloud Dataflow Viewer Provides read-only access to all Cloud Dataflow-related resources. Project
roles/
dataflow.developer		 Cloud Dataflow Developer Provides the permissions necessary to execute and manipulate Cloud Dataflow jobs. Project
roles/
dataflow.worker		 Cloud Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Cloud Dataflow pipeline. Project

Cloud Dataproc Roles

Role Name Role Title Description Lowest Resource Type
roles/
dataproc.editor Beta 		Cloud Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Cloud Dataproc, including machine types, networks, projects and zones. Project
roles/
dataproc.viewer Beta 		Cloud Dataproc Viewer Provides read-only access to Cloud Dataproc resources. Project

Cloud Datastore Roles

Role Name Role Title Description Lowest Resource Type
roles/
datastore.importExportAdmin		 Cloud Datastore Import Export Admin Provides full access to manage imports and exports. Project
roles/
datastore.indexAdmin		 Cloud Datastore Index Admin Provides full access to manage index definitions. Project
roles/
datastore.owner		 Cloud Datastore Owner Provides full access to Cloud Datastore resources. Project
roles/
datastore.user		 Cloud Datastore User Provides read/write access to data in a Cloud Datastore database. Project
roles/
datastore.viewer		 Cloud Datastore Viewer Provides read access to Cloud Datastore resources. Project

Cloud Endpoints Roles

Role Name Role Title Description Lowest Resource Type
roles/
endpoints.portalAdmin Beta 		Endpoints Portal Admin Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page. Project

Dialogflow Roles

Role Name Role Title Description Lowest Resource Type
roles/
dialogflow.admin		 Dialogflow API Admin Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console). Project
roles/
dialogflow.client		 Dialogflow API Client Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.). Project
roles/
dialogflow.reader		 Dialogflow API Reader Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both API and Dialogflow console. Project

Cloud DNS Roles

Role Name Role Title Description Lowest Resource Type
roles/
dns.admin		 DNS Admin Provides read-write access to all Cloud DNS resources. Project
roles/
dns.reader		 DNS Reader Provides read-only access to all Cloud DNS resources. Project

Cloud KMS Roles

Role Name Role Title Description Lowest Resource Type
roles/
cloudkms.admin		 Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations. CryptoKey
roles/
cloudkms.cryptoKeyEncrypterDecrypter		 Cloud KMS Encrypter/Decrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. CryptoKey
roles/
cloudkms.cryptoKeyEncrypter		 Cloud KMS Encrypter Provides ability to use Cloud KMS resources for encrypt operations only. CryptoKey
roles/
cloudkms.cryptoKeyDecrypter		 Cloud KMS Decrypter Provides ability to use Cloud KMS resources for decrypt operations only. CryptoKey

Cloud Machine Learning Engine Roles

Role Name Role Title Description Lowest Resource Type
roles/
ml.admin		 ML Engine Admin Provides full access to Cloud Machine Learning Engine resources, and its jobs, operations, models, and versions. Project
roles/
ml.developer		 ML Engine Developer Provides ability to use Cloud Machine Learning Engine resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Project
roles/
ml.viewer		 ML Engine Viewer Provides read-only access to Cloud Machine Learning Engine resources. Project
roles/
ml.modelOwner		 ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Model
roles/
ml.modelUser		 ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction. Model
roles/
ml.jobOwner		 ML Engine Job Owner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Job
roles/
ml.operationOwner		 ML Engine Operation Owner Provides full access to all permissions for a particular operation resource. Operation

Cloud Pub/Sub Roles

Role Name Role Title Description Lowest Resource Type
roles/
pubsub.publisher		 Pub/Sub Publisher Provides access to publish messages to a topic. Topic
roles/
pubsub.subscriber		 Pub/Sub Subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic. Topic
roles/
pubsub.viewer		 Pub/Sub Viewer Provides access to view topics and subscriptions. Topic
roles/
pubsub.editor		 Pub/Sub Editor Provides access to modify topics and subscriptions, and access to publish and consume messages. Topic
roles/
pubsub.admin		 Pub/Sub Admin Provides full access to topics and subscriptions. Topic

Cloud Memorystore Roles

Role Name Role Title Description Lowest Resource Type
roles/
redis.admin		 Redis Admin Full control for all Cloud Memorystore resources. Instance
roles/
redis.editor		 Redis Editor Manage Cloud Memorystore instances. Can't create or delete instances. Instance
roles/
redis.viewer		 Redis Viewer Read-only access to all Cloud Memorystore resources. Instance

Cloud Spanner Roles

Role Name Role Title Description Lowest Resource Type
roles/
spanner.admin		 Cloud Spanner Admin Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. Project
roles/
spanner.databaseAdmin		 Cloud Spanner Database Admin Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project. Project
roles/
spanner.databaseReader		 Cloud Spanner Database Reader Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema. Database
roles/
spanner.databaseUser		 Cloud Spanner Database User Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema. Database
roles/
spanner.viewer		 Cloud Spanner Viewer Permission to view all Cloud Spanner instances and databases, but not modify or read from them. Project

Cloud SQL Roles

Role Name Role Title Description Lowest Resource Type
roles/
cloudsql.admin		 Cloud SQL Admin Provides full control of Cloud SQL resources. Project
roles/
cloudsql.editor		 Cloud SQL Editor Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. Project
roles/
cloudsql.viewer		 Cloud SQL Viewer Provides read-only access to Cloud SQL resources. Project
roles/
cloudsql.client		 Cloud SQL Client Provides connectivity access to Cloud SQL instances. Project

Cloud Storage Roles

Role Name Role Title Description Lowest Resource Type
roles/
storage.objectCreator		 Storage Object Creator Allows users to create objects. Does not give permission to delete or overwrite objects. Bucket
roles/
storage.objectViewer		 Storage Object Viewer Grants access to view objects and their metadata, excluding ACLs. Bucket
roles/
storage.objectAdmin		 Storage Object Admin Grants full control of objects. Bucket
roles/
storage.admin		 Storage Admin Grants full control of objects and buckets. Bucket
roles/
storage.legacyObjectReader		 Legacy Object Reader Can view objects and their metadata, excluding ACLs. Bucket
roles/
storage.legacyObjectOwner		 Legacy Object Owner Has the storage.legacyObjectReader role.

Can also view and edit the metadata of objects in the bucket, including ACLs, which are returned as Cloud IAM policies.

Bucket
roles/
storage.legacyBucketReader		 Legacy Bucket Reader Can list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Can also read object metadata, excluding Cloud IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket
roles/
storage.legacyBucketWriter		 Legacy Bucket Writer Has the storage.legacyBucketReader role.

Can also create, overwrite, and delete objects in a bucket.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket
roles/
storage.legacyBucketOwner		 Legacy Bucket Owner Has the storage.legacyBucketWriter role.

Can also read bucket Cloud IAM policies and edit bucket metadata, including Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

Bucket

Cloud Support Roles

Role Name Role Title Description Lowest Resource Type
roles/
cloudsupport.admin Beta 		Support Account Administrator Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. Organization
roles/
cloudsupport.viewer Beta 		Support Account Viewer Read-only access to details of a support account. This does not allow viewing cases. Organization

Compute Engine Roles

Role Name Role Title Description Lowest Resource Type
roles/
compute.instanceAdmin 		Compute Instance Admin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Disk, image, instance, instanceTemplate, snapshot Beta
roles/
compute.networkUser 		Compute Network User

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

Project
roles/
compute.networkViewer 		Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software’s service account the networkViewer role.

InstanceBeta
roles/
compute.networkAdmin		 Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team’s group the networkAdmin role.

InstanceBeta
roles/
compute.loadBalancerAdmin Beta		 Compute Load Balancer Admin

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant the load balancing team’s group the loadBalancerAdmin role.

InstanceBeta
roles/
compute.securityAdmin		 Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team’s group the securityAdmin role.

InstanceBeta
roles/
compute.imageUser		 Compute Image User

Permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

ImageBeta
roles/
compute.storageAdmin Beta 		Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant their account the storageAdmin role on the project.

Disk, image, snapshot Beta
roles/
compute.xpnAdmin		 Shared VPC Admin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

This role can only be granted on the organization by an organization admin.

Organization
roles/
compute.admin Beta 		Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/
compute.viewer Beta 		Compute Viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta

Cloud Build Roles

Role Name Role Title Description Lowest Resource Type
roles/
cloudbuild.builds.editor		 Cloud Build Editor Provides access to create and cancel builds. Project
roles/
cloudbuild.builds.viewer		 Cloud Build Viewer Provides access to view builds. Project

GKE Roles

Role Name Role Title Description Lowest Resource Type
roles/
container.admin		 GKE Admin Provides access to full management of Container Clusters and their Kubernetes API objects. Project
roles/
container.clusterAdmin		 GKE Cluster Admin Provides access to management of Container Clusters. Project
roles/
container.developer		 GKE Developer Provides full access to Kubernetes API objects inside Container Clusters. Project
roles/
container.viewer		 GKE Viewer Provides read-only access to GKE resources. Project

Cloud Deployment Manager Roles

Role Name Role Title Description Lowest Resource Type
roles/
deploymentmanager.viewer		 Cloud Deployment Manager Viewer Provides read-only access to all Cloud Deployment Manager-related resources. Project
roles/
deploymentmanager.editor		 Cloud Deployment Manager Editor Provides the permissions necessary to create and manage deployments. Project
roles/
deploymentmanager.typeViewer		 Cloud Deployment Manager Type Viewer Provides read-only access to all Type Registry resources. Project
roles/
deploymentmanager.typeEditor		 Cloud Deployment Manager Type Editor Provides read and write access to all Type Registry resources. Project

Cloud IAM Roles

Role Name Role Title Description Lowest Resource Type
roles/
iam.organizationRoleAdmin		 Organization Role Administrator Provides access to administer all custom roles in the organization and the projects below it. Organization
roles/
iam.roleAdmin		 Role Administrator Provides access to all custom roles in the project. Project
roles/
iam.organizationRoleViewer		 Organization Role Viewer Provides read access to all custom roles in the organization and the projects below it. Project
roles/
iam.roleViewer		 Role Viewer Provides read access to all custom roles in the project. Project
roles/
iam.securityReviewer		 Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them. Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta

Cloud IAP Roles

Role Name Role Title Description Lowest Resource Type
roles/
iap.httpsResourceAccessor		 IAP-Secured Web App User Provides permission to access HTTPS resources which use Cloud Identity-Aware Proxy. Project
roles/
iap.adminBeta		 IAP Policy Admin Provides full access to Cloud Identity-Aware Proxy resources. Project

Cloud IoT Roles

Role Name Role Title Description Lowest Resource Type
roles/cloudiot.viewer Viewer Read-only access to all Cloud IoT resources. Device
roles/cloudiot.deviceController Cloud IoT Device Controller Access to update the configuration of devices, but not to create or delete devices. Device
roles/cloudiot.provisioner Cloud IoT Provisioner Access to create and delete devices from registries, but not to modify the registries. Device
roles/cloudiot.editor Editor Read-write access to all Cloud IoT resources. Device
roles/cloudiot.admin Clout IoT Admin Full control of all Cloud IoT resources and permissions. Device
roles/cloudiot.serviceAgent Pub/Sub Publisher Grants Publisher permission for the relevant Cloud Pub/Sub topics. Automatically assigned to a service account that is created when Cloud Identity and Access Management API is enabled in a project. Topic

Resource Manager Roles

Role Name Role Title Description Lowest Resource Type
roles/
orgpolicy.policyAdmin		 Organization Policy Administrator Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Organization
roles/
orgpolicy.policyViewer		 Organization Policy Viewer Provides access to view Organization Policies on resources. Organization
roles/
resourcemanager.folderAdmin		 Folder Admin Provides all available permissions for working with folders. Folder
roles/
resourcemanager.folderCreator		 Folder Creator Provides permissions needed to browse the hierarchy and create folders. Folder
roles/
resourcemanager.folderEditor		 Folder Editor Provides permission to modify folders as well as to view a folder's Cloud IAM policy. Folder
roles/
resourcemanager.folderIamAdmin		 Folder IAM Admin Provides permissions to administer Cloud IAM policies on folders. Folder
roles/
resourcemanager.folderMover		 Folder Mover Provides permission to move projects and folders into and out of a parent Organization or folder. Folder
roles/
resourcemanager.folderViewer		 Folder Viewer Provides permission to get a folder and list the folders and projects below a resource. Folder
roles/
resourcemanager.organizationViewer		 Organization Viewer Provides access to view an organization. Organization
roles/
resourcemanager.projectCreator		 Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Folder
roles/
resourcemanager.projectDeleter		 Project Deleter Provides access to delete GCP projects. Folder
roles/
resourcemanager.projectIamAdmin		 Project IAM Admin Provides permissions to administer Cloud IAM policies on projects. Project
roles/
resourcemanager.lienModifier		 Project Lien Modifier Provides access to modify Liens on projects. Project
roles/
resourcemanager.projectMover		 Project Mover Provides access to update and move projects. Project

Service Account Roles

Role Name Role Title Description Lowest Resource Type
roles/
iam.serviceAccountAdmin		 Service Account Admin Create and manage service accounts. Service Account
roles/
iam.serviceAccountKeyAdmin		 Service Account Key Admin Create and manage (and rotate) service account keys. Service Account
roles/
iam.serviceAccountTokenCreator		 Service Account Token Creator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). Service Account
roles/
iam.serviceAccountUser		 Service Account User Run operations as the service account. Service Account

Service Management Roles

Role Name Role Title Description Lowest Resource Type
roles/
servicemanagement.serviceController		 Service Controller Runtime control of checking and reporting usage of a service. Project
roles/
servicemanagement.quotaAdmin		 Quota Administrator Provides access to administer service quotas. Project
roles/
servicemanagement.quotaViewer		 Quota Viewer Provides access to view service quotas. Project

Source Repository Roles

Role Name Role Title Description Lowest Resource Type
roles/
source.admin		 Source Repository Administrator Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. Project
roles/
source.reader		 Source Repository Reader Provides permissions to list, clone, fetch, and browse repositories. Project
roles/
source.writer		 Source Repository Writer Provides permissions to list, clone, fetch, browse, and update repositories. Project

Stackdriver Debugger Roles

Role Name Role Title Description Lowest Resource Type
roles/
clouddebugger.agent		 Debugger Agent Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Service Account
roles/
clouddebugger.user		 Debugger User Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Project

Stackdriver Error Reporting Roles

Role Name Role Title Description Lowest Resource Type
roles/
errorreporting.viewer		 Error Reporting Viewer Provides read-only access to Error Reporting data. Project
roles/
errorreporting.user		 Error Reporting User Provides the permissions to read and write Error Reporting data, except for sending new error events. Project
roles/
errorreporting.writer		 Error Reporting Writer Provides the permissions to send error events to Error Reporting. Service Account
roles/
errorreporting.admin		 Error Reporting Admin Provides full access to Error Reporting data. Project

Stackdriver Logging Roles

Role Name Role Title Description Lowest Resource Type
roles/
logging.viewer		 Logs Viewer Provides access to view logs. Project
roles/
logging.logWriter		 Logs Writer Provides the permissions to write log entries. Project
roles/
logging.privateLogViewer		 Private Logs Viewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Project
roles/
logging.configWriter		 Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Project
roles/
logging.admin		 Logging Admin Provides all permissions necessary to use all features of Stackdriver Logging. Project

Stackdriver Monitoring Roles

Role Name Role Title Description Lowest Resource Type
roles/
monitoring.viewer		 Monitoring Viewer Provides read-only access to get and list information about all monitoring data and configurations. Project
roles/
monitoring.metricWriter		 Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. Project
roles/
monitoring.editor		 Monitoring Editor Provides full access to information about all monitoring data and configurations. Project
roles/
monitoring.admin		 Monitoring Admin Provides the same access as roles/monitoring.editor. Project

Stackdriver Trace Roles

Role Name Role Title Description Lowest Resource Type
roles/
cloudtrace.agent		 Cloud Trace Agent For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. Project
roles/
cloudtrace.user		 Cloud Trace User Provides full access to the Trace console and read access to traces. Project
roles/
cloudtrace.admin		 Cloud Trace Admin Provides full access to the Trace console and read-write access to traces. Project

Custom roles

In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific Cloud IAM documentation

Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation Description
Cloud IAM for App Engine Explains Cloud IAM roles for App Engine
Cloud IAM for BigQuery Explains Cloud IAM roles for BigQuery
Cloud IAM for Cloud Bigtable Explains Cloud IAM roles for Cloud Bigtable
Cloud IAM for Cloud Billing API Explains Cloud IAM roles and permissions for Cloud Billing API
Cloud IAM for Cloud Dataflow Explains Cloud IAM roles for Cloud Dataflow
Cloud IAM for Cloud Dataproc Explains Cloud IAM roles and permissions for Cloud Dataproc
Cloud IAM for Cloud Datastore Explains Cloud IAM roles and permissions for Cloud Datastore
Cloud IAM for Cloud DNS Explains Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for Cloud KMS Explains Cloud IAM roles and permissions for Cloud KMS
Cloud IAM for Cloud Machine Learning Engine Explains Cloud IAM roles and permissions for Cloud Machine Learning Engine
Cloud IAM for Cloud Pub/Sub Explains Cloud IAM roles for Cloud Pub/Sub
Cloud IAM for Cloud Spanner Explains Cloud IAM roles and permissions for Cloud Spanner
Cloud IAM for Cloud SQL Explains Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage Explains Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine Explains Cloud IAM roles for Compute Engine
Cloud IAM for GKE Explains Cloud IAM roles and permissions for GKE
Cloud IAM for Cloud Deployment Manager Explains Cloud IAM roles and permissions for Cloud Deployment Manager
Cloud IAM for Organizations Explains Cloud IAM roles for Organization.
Cloud IAM for Projects Explains Cloud IAM roles for projects.
Cloud IAM for Service Management Explains Cloud IAM roles and permissions for Service Management
Cloud IAM for Stackdriver Debugger Explains Cloud IAM roles for Debugger
Cloud IAM for Stackdriver Logging Explains Cloud IAM roles for Logging
Cloud IAM for Stackdriver Monitoring Explains Cloud IAM roles for Monitoring
Cloud IAM for Stackdriver Trace Explains Cloud IAM roles and permissions for Trace

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
Cloud Identity and Access Management Documentation
Product feedback